relayd and letsencrypt certificates


relayd and letsencrypt certificates

Thuban
Hello,
I can't figure out how to use letsencrypt certificates with relayd. I keep
getting this error:

    # relayd -vvv -n
    /etc/relayd.conf:33: cannot load certificates for relay tlsforward


My relayd.conf :

    # cat /etc/relayd.conf
    table <local> { 127.0.0.1 }
    ext_ip = 192.168.1.66

    http protocol "https" {
        tcp { nodelay, sack, socket buffer 65536, backlog 100 }
        match response header set "Cache-Control" value "max-age=1814400"
        return error
        pass
        tls { no client-renegotiation, cipher-server-preference }
        tls ca key "/etc/letsencrypt/certificates/privkey.pem" password ""
        tls ca cert "/etc/letsencrypt/certificates/cert.pem"
    }


    relay "tlsforward" {
        listen on $ext_ip port 443 tls
        protocol "https"
        forward to <local> port 8443 mode loadbalance check tcp
    }



Do you see any error or have any advice?

Regards.

thuban


Re: relayd and letsencrypt certificates

trondd-2
On Fri, February 10, 2017 11:48 am, Thuban wrote:

> Hello,
> I can't figure out how to use letsencrypt certificates with relayd. I keep
> getting this error:
>
>     # relayd -vvv -n
>     /etc/relayd.conf:33: cannot load certificates for relay tlsforward
>
>
> My relayd.conf :
>
>     # cat /etc/relayd.conf
>     table <local> { 127.0.0.1 }
>     ext_ip = 192.168.1.66
>
>     http protocol "https" {
>         tcp { nodelay, sack, socket buffer 65536, backlog 100 }
>         match response header set "Cache-Control" value "max-age=1814400"
>         return error
>         pass
>         tls { no client-renegotiation, cipher-server-preference }
>         tls ca key "/etc/letsencrypt/certificates/privkey.pem" password ""
>         tls ca cert "/etc/letsencrypt/certificates/cert.pem"
>     }
>
>
>     relay "tlsforward" {
>         listen on $ext_ip port 443 tls
>         protocol "https"
>         forward to <local> port 8443 mode loadbalance check tcp
>     }
>
>
>
> Do you see any error or have any advice?
>
> Regards.
>
> thuban
>

'ca key' and 'ca cert' are for MITM roll your own certs on the fly.

For server certs, like a web server would have, you don't specify them.
relayd looks for address:port.key and address:port.crt as per the 'listen
on' description in relayd.conf(5).


Re: relayd and letsencrypt certificates

Thuban
* trondd <[hidden email]> on [10-02-2017 12:32:36 -0500]:

> On Fri, February 10, 2017 11:48 am, Thuban wrote:
> > Hello,
> > I can't figure out how to use letsencrypt certificates with relayd. I keep
> > getting this error:
> >
> >     # relayd -vvv -n
> >     /etc/relayd.conf:33: cannot load certificates for relay tlsforward
> >
> >
> > My relayd.conf :
> >
> >     # cat /etc/relayd.conf
> >     table <local> { 127.0.0.1 }
> >     ext_ip = 192.168.1.66
> >
> >     http protocol "https" {
> >         tcp { nodelay, sack, socket buffer 65536, backlog 100 }
> >         match response header set "Cache-Control" value "max-age=1814400"
> >         return error
> >         pass
> >         tls { no client-renegotiation, cipher-server-preference }
> >         tls ca key "/etc/letsencrypt/certificates/privkey.pem" password ""
> >         tls ca cert "/etc/letsencrypt/certificates/cert.pem"
> >     }
> >
> >
> >     relay "tlsforward" {
> >         listen on $ext_ip port 443 tls
> >         protocol "https"
> >         forward to <local> port 8443 mode loadbalance check tcp
> >     }
> >
> >
> >
> > Do you see any error or have any advice?
> >
> > Regards.
> >
> > thuban
> >
>
> 'ca key' and 'ca cert' are for MITM roll your own certs on the fly.
>
> For server certs, like a web server would have, you don't specify them.
> relayd looks for address:port.key and address:port.crt as per the 'listen
> on' description in relayd.conf(5).

Ok, it works as expected now. I created symlinks to
/etc/ssl/private/address.key and for address.crt.

Thank you.
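The fix described in this thread (drop the `tls ca key`/`tls ca cert` lines, which are for relayd's TLS inspection mode, and put the key pair where `listen on <addr> port <port> tls` makes relayd look for it) as an added shell example, not code from the thread or from the relayd project. It assumes a certbot-style directory with `privkey.pem` and `fullchain.pem`; the full chain is used rather than `cert.pem` so clients that need the intermediate can build the chain, and the base directories are parameters so the function can be exercised outside /etc.

```shell
#!/bin/sh
# Added example. Installs a Let's Encrypt key pair under the names relayd
# derives from "listen on <addr> port <port> tls" (see relayd.conf(5)):
#   /etc/ssl/private/<addr>:<port>.key  and  /etc/ssl/<addr>:<port>.crt
# Source paths and base directories are assumptions, passed as arguments.

install_relayd_keypair() {
    addr=$1; port=$2; src_key=$3; src_cert=$4
    keydir=${5:-/etc/ssl/private}; certdir=${6:-/etc/ssl}

    # A dangling link gives the same "cannot load certificates" error as the
    # misplaced "tls ca" lines did, so check the sources before linking.
    if [ ! -r "$src_key" ] || [ ! -r "$src_cert" ]; then
        echo "missing $src_key or $src_cert" >&2
        return 1
    fi

    mkdir -p "$keydir" "$certdir"
    chmod 700 "$keydir"      # private keys live in a root-only directory
    chmod 600 "$src_key"     # the key itself stays unreadable to other users
    ln -sf "$src_key"  "$keydir/$addr:$port.key"
    ln -sf "$src_cert" "$certdir/$addr:$port.crt"
}

# Returns 0 when both files relayd will open resolve to readable targets.
relayd_keypair_ready() {
    addr=$1; port=$2; keydir=${3:-/etc/ssl/private}; certdir=${4:-/etc/ssl}
    [ -r "$keydir/$addr:$port.key" ] && [ -r "$certdir/$addr:$port.crt" ]
}

# Prints the corrected relayd.conf for the same listener: the "tls ca key"
# and "tls ca cert" lines are gone; relayd finds the key pair by name.
relayd_conf_fragment() {
    addr=$1; port=$2; backend_port=$3
    cat <<EOF
table <local> { 127.0.0.1 }

http protocol "https" {
    tcp { nodelay, sack, socket buffer 65536, backlog 100 }
    tls { no client-renegotiation, cipher-server-preference }
    return error
    pass
}

relay "tlsforward" {
    listen on $addr port $port tls
    protocol "https"
    forward to <local> port $backend_port mode loadbalance check tcp
}
EOF
}
```

relayd reads the key pair when its configuration is loaded, so after each certificate renewal the links still point at the refreshed files but relayd only picks them up on restart or `relayctl reload`.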
