Hi there,

I'm kind of confused right now about it. I have an OpenBSD 6.1 running a simple httpd.conf with a definition for an http server and an https server; so far so good. I figured I need to have an http server so acme-client can talk to Let's Encrypt and issue certificate requests, also no big problem, but now it gets confusing. I tried to automate the certificate renewal and, as far as I understand the docs, httpd.conf gets evaluated top to bottom with the first matching rule found. So this would mean a definition like:

ext_addr="*"    # just one nic with one external ip on that vm (macros are defined without the leading $)

server "mydomain.tld" {
        listen on $ext_addr port http

        # challenge requests are answered from /acme inside httpd's chroot
        location "/.well-known/acme-challenge/*" {
            root "/acme"
            root strip 2
            directory no auto index
        }

        # everything else is sent to the https server (httpd.conf takes no trailing ';')
        block return 302 "https://$HTTP_HOST$REQUEST_URI"
}

should enable acme-client to renew certificates but redirect other traffic to the https server. Well, it doesn't! So I need to comment out the block return to renew the certificate. That's a thing I could live with and just invent some script that loads a different conf file just for the renewal and, when the certificate is obtained, just loads the normal httpd.conf and restarts httpd. I was playing around and stumbled over the fact that acme-client suddenly can renew certificates even without running httpd in the first place o.O That's just wrong since there isn't support for dns-01 challenges, right? I stopped httpd to check the site wasn't reachable and did a

acme-client -vvF mydomain.tld

it gave me a new certificate from let's encrypt ...


Anyway, can someone who has the insight please tell me what's going on here and maybe post a config example that works for a basic https redirect? Or is it really the case that I need to load a config that doesn't have a block return statement in the http server definition?

One last note, I did a syspatch today and don't know if this changed something in the behaviour of the components involved.

regards

--
Markus Rosjat    fon: +49 351 8107223    mail: ros...@ghweb.de

G+H Webservice GbR Gorzolla, Herrmann
Königsbrücker Str. 70, 01099 Dresden

http://www.ghweb.de
fon: +49 351 8107220   fax: +49 351 8107227

Please check whether this mail really needs to be printed! Before you print it, think about your responsibility and commitment to the ENVIRONMENT
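An added example, not code from the original post: a preflight that drops a probe file into the challenge directory, fetches it back over plain HTTP with a raw request (so a redirect is seen as a 302 rather than followed), and only runs acme-client when the port-80 server answered the challenge path directly. It assumes /var/www/acme is the directory behind `root "/acme"` inside httpd's chroot, and uses nc(1) and rcctl(8) from base.

```shell
#!/bin/sh
# Added example, not code from the original post: before calling acme-client,
# confirm that the port-80 server answers the challenge directory itself
# instead of redirecting it. Assumes /var/www/acme is the directory behind
# root "/acme" inside httpd's chroot, and nc(1)/rcctl(8) from base.
set -eu

CHALLENGE_DIR=/var/www/acme
WELL_KNOWN=/.well-known/acme-challenge

# Three-digit status code from the first line of a raw HTTP response.
http_status() {
    printf '%s\n' "$1" | sed -n '1s|^HTTP/[0-9.]* \([0-9][0-9][0-9]\).*|\1|p'
}

# Response body: everything after the first blank line, CRs stripped.
http_body() {
    printf '%s\n' "$1" | tr -d '\r' | sed '1,/^$/d'
}

# 0 if the response is a 200 carrying the expected probe text, else 1.
# A 301/302 here means the block return rule caught the challenge request.
challenge_served() {
    [ "$(http_status "$1")" = 200 ] && [ "$(http_body "$1")" = "$2" ]
}

# Raw HTTP/1.0 GET of $WELL_KNOWN/$2 from host $1; no redirects are followed.
fetch_challenge() {
    printf 'GET %s/%s HTTP/1.0\r\nHost: %s\r\n\r\n' "$WELL_KNOWN" "$2" "$1" |
        nc -w 5 "$1" 80
}

# Drop a probe file where httpd serves challenges, fetch it back, and only
# run acme-client when it came back unredirected.
probe_and_renew() {
    domain=$1 token=probe-$$
    printf 'probe %s' "$token" > "$CHALLENGE_DIR/$token"
    resp=$(fetch_challenge "$domain" "$token" || true)
    rm -f "$CHALLENGE_DIR/$token"
    if challenge_served "$resp" "probe $token"; then
        acme-client -v "$domain" && rcctl reload httpd
    else
        echo "challenge not served directly, status '$(http_status "$resp")'" >&2
        return 1
    fi
}

# The network part runs only when a domain is given, e.g. ./renew.sh mydomain.tld
if [ -n "${1:-}" ]; then probe_and_renew "$1"; fi
```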
