httpd, SNI, https, and acme-client(1)


httpd, SNI, https, and acme-client(1)

Nick Holland
First of all, I did set up an acme-client(1) ssl cert a few months ago
before the acme-client.conf(5) file days, and it was stupidly,
jaw-droppingly simple, and it's renewed successfully, so yay man pages!

Now, I'm doing it again on a (-current) system serving up a few domains
on one IP address, so having to do SNI.  Since it was so simple before,
why not https the thing?

Not so simple.
(I got it working, but I'm pretty sure I'm Doing It Wrong)

The man page for acme-client says "Before a certificate can be
requested, an account key needs to be created using the -A argument."

ok.  So ...
  # acme-client -A
  acme-client: cannot stat /etc/ssl/private/holland-consulting.net.key:
  No such file or directory

After much head-scratching, I found a commit message that indicated this
is the proper process:

  # acme-client -A -D holland-consulting.net

tada!  Worked!  Produces three files:
  /etc/ssl/private/holland-consulting.net.key
  /etc/ssl/holland-consulting.net.chain.pem
  /etc/ssl/holland-consulting.net.crt

(and going back and re-reading the man page again...I'm not seeing how I
was supposed to figure this out!)

So after much trial and error of what file goes where in httpd.conf, I
found this worked...almost:
server "holland-consulting.net" {
        alias "www.holland-consulting.net"
        listen on $ext_addr port 80
        listen on $ext_addr tls port 443
        tls certificate "/etc/ssl/holland-consulting.net.crt"
        tls key "/etc/ssl/private/holland-consulting.net.key"
        location "/.well-known/acme-challenge/*" {
                root "/acme"
                root strip 2
        }
        root "/hc.net"
}

httpd started, no errors logged, and the website came up with a valid
cert according to Chrome and Firefox on OpenBSD.  Almost.  A friend of
mine said he got a cert error, and after dismissing his machine or
browser as being horribly out of date, I pulled up my phone and saw the
same thing.  Oops.  A cert checker site confirmed that I was missing the
intermediate certificate.  (and that's when the profanity began, and if
you deal with certs, you know what I mean, this is why I thought my
first use of acme-client was so fantastic...it just worked!).

So I looked at my (far less -current) functioning site, and saw only TWO
files were being generated...and one (named "fullchain.pem") had
basically the contents of the TWO /etc/ssh/ files for the domain, but
now, acme-client is generating two separate files.

So more head-scratching later, I put the contents of
holland-consulting.net.chain.pem at the END of
holland-consulting.net.crt, and ta-da, everything worked.  (reversing
the order did NOT work).

# cat holland-consulting.net.chain.pem >>holland-consulting.net.crt

Almost happy!

EXCEPT ... when the cert is renewed, I'm pretty sure it will generate
separate files again, breaking the trust chain.  And I'm pretty sure
that's not the way it is supposed to work.

So -- is there a way to add the intermediate cert to httpd.conf other
than concatenating the files?  Am I doing something wrong?  Or do I just
need to add the concatenation step to my refresh script?

Thanks!

Nick.


Re: httpd, SNI, https, and acme-client(1)

Nick Holland
Nothing like posting a question to misc@ to cause the fog to lift. :-/

see below...

On 03/15/17 22:37, Nick Holland wrote:

> First of all, I did set up an acme-client(1) ssl cert a few months ago
> before the acme-client.conf(5) file days, and it was stupidly,
> jaw-droppingly simple, and it's renewed successfully, so yay man pages!
>
> Now, I'm doing it again on a (-current) system serving up a few domains
> on one IP address, so having to do SNI.  Since it was so simple before,
> why not https the thing?
>
> Not so simple.
> (I got it working, but I'm pretty sure I'm Doing It Wrong)
>
> The man page for acme-client says "Before a certificate can be
> requested, an account key needs to be created using the -A argument."
>
> ok.  So ...
>   # acme-client -A
>   acme-client: cannot stat /etc/ssl/private/holland-consulting.net.key:
>   No such file or directory
>
> After much head-scratching, I found a commit message that indicated this
> is the proper process:
>
>   # acme-client -A -D holland-consulting.net
>
> tada!  Worked!  Produces three files:
>   /etc/ssl/private/holland-consulting.net.key
>   /etc/ssl/holland-consulting.net.chain.pem
>   /etc/ssl/holland-consulting.net.crt
>
> (and going back and re-reading the man page again...I'm not seeing how I
> was supposed to figure this out!)
>
> So after much trial and error of what file goes where in httpd.conf, I
> found this worked...almost:
> server "holland-consulting.net" {
>         alias "www.holland-consulting.net"
>         listen on $ext_addr port 80
>         listen on $ext_addr tls port 443
>         tls certificate "/etc/ssl/holland-consulting.net.crt"
>         tls key "/etc/ssl/private/holland-consulting.net.key"
>         location "/.well-known/acme-challenge/*" {
>                 root "/acme"
>                 root strip 2
>         }
>         root "/hc.net"
> }
>
> httpd started, no errors logged, and the website came up with a valid
> cert according to Chrome and Firefox on OpenBSD.  Almost.  A friend of
> mine said he got a cert error, and after dismissing his machine or
> browser as being horribly out of date, I pulled up my phone and saw the
> same thing.  Oops.  A cert checker site confirmed that I was missing the
> intermediate certificate.  (and that's when the profanity began, and if
> you deal with certs, you know what I mean, this is why I thought my
> first use of acme-client was so fantastic...it just worked!).
>
> So I looked at my (far less -current) functioning site, and saw only TWO
> files were being generated...and one (named "fullchain.pem") had
> basically the contents of the TWO /etc/ssh/ files for the domain, but
> now, acme-client is generating two separate files.
>
> So more head-scratching later, I put the contents of
> holland-consulting.net.chain.pem at the END of
> holland-consulting.net.crt, and ta-da, everything worked.  (reversing
> the order did NOT work).
>
> # cat holland-consulting.net.chain.pem >>holland-consulting.net.crt
>
> Almost happy!
>
> EXCEPT ... when the cert is renewed, I'm pretty sure it will generate
> separate files again, breaking the trust chain.  And I'm pretty sure
> that's not the way it is supposed to work.
>
> So -- is there a way to add the intermediate cert to httpd.conf other
> than concatenating the files?  Am I doing something wrong?  Or do I just
> need to add the concatenation step to my refresh script?

Doing Something Wrong, of course.

Followed the example a little too closely, didn't understand the
acme-client.conf(5) man page until the problem was solved.

This is the template in /etc/acme-client.conf:

#domain example.com {
#       alternative names { secure.example.com }
#       domain key "/etc/ssl/private/example.com.key"
#       domain certificate "/etc/ssl/example.com.crt"
#       domain chain certificate "/etc/ssl/example.com.chain.pem"
#       sign with letsencrypt
#}

A better config would be using the line "domain full chain certificate" instead.
That creates the PEM file with both certificates in the right order for
httpd to chew on.

Still, I think there are some man page and sample file improvements that
could be made.  (will put diff together if no one beats me to it)

Nick.
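Both messages above turn on the same detail: httpd wants the domain's certificate first and the intermediate after it, which is the order "domain full chain certificate" writes and the order the manual "cat ... >>" produced (the reversed order "did NOT work"). The following is an added example, not code from the thread or from acme-client/httpd: a dependency-free Python checker that walks the DER of each certificate in a PEM bundle and confirms that every certificate's issuer is the subject of the certificate after it. The fake_cert_pem fixtures and the CA names in them are constructed stand-ins, not real certificates; the parser itself works on real /etc/ssl files.

```python
import base64
import re
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Read one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits say how many length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def subject_issuer(der):
    """Return (subject, issuer) as raw DER Name bytes of one X.509 certificate."""
    _, pos, _ = _tlv(der, 0)       # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)     # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                # skip the optional [0] EXPLICIT version
        pos = end
    fields = []                    # serialNumber, signature, issuer, validity, subject
    for _ in range(5):
        _, _, end = _tlv(der, pos)
        fields.append(der[pos:end])
        pos = end
    return fields[4], fields[2]

def check_chain_order(pem_text):
    """Return (ordered, count); ordered means each cert's issuer is the subject of the next."""
    names = [subject_issuer(base64.b64decode(b)) for b in PEM_RE.findall(pem_text)]
    ordered = all(iss == nxt for (_, iss), (nxt, _) in zip(names, names[1:]))
    return ordered, len(names)

def _der(tag, body):
    """Minimal DER TLV encoder (short-form lengths suffice for the fixtures below)."""
    return bytes([tag, len(body)]) + body

def fake_cert_pem(subject_cn, issuer_cn):
    """Constructed, unsigned certificate stand-in; only issuer and subject carry content."""
    def name(cn):  # Name ::= SEQUENCE { SET { SEQUENCE { id-at-commonName, UTF8String } } }
        return _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")        # v3, serial 1
               + _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA
               + name(issuer_cn) + _der(0x30, b"") + name(subject_cn) + _der(0x30, b""))
    cert = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))                 # empty signature
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(cert).decode()

LEAF = fake_cert_pem("holland-consulting.net", "Constructed Intermediate CA")   # constructed sample chain
INTERMEDIATE = fake_cert_pem("Constructed Intermediate CA", "Constructed Root CA")
```

Run check_chain_order on the .crt file after each renewal: (True, 1) means the intermediate is missing again, (False, n) means the files were joined in the wrong order, and (True, 2) is what the full-chain option should leave behind.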