Hi there,
I'm kind of confused right now about it. I have an OpenBSD 6.1 running a
simple httpd.conf with a definition for an http server and an https server,
so far so good. I figured I need to have an http server so acme-client
can talk to Let's Encrypt and issue certificate requests, also no big
problem, but now it gets confusing. I tried to automate the certificate
renewal and as far as I understand the docs httpd.conf gets evaluated top to
bottom with the first matching rule found. So this would mean a definition like:
ext_addr="*" # it's just one NIC with one external IP on that VM

server "mydomain.tld" {
	listen on $ext_addr port http
	location "/.well-known/acme-challenge/*" {
		root "/acme"
		root strip 2
		directory no auto index
	}
	block return 302 "https://$HTTP_HOST$REQUEST_URI"
}
should enable acme-client to renew certificates but redirect other
traffic to the https server. Well, it doesn't! So I need to comment out
the block return to renew the certificate. That's a thing I could live
with and just invent some script that loads a different conf file just
for the renewal and, when the certificate is obtained, just loads the normal
httpd.conf and restarts httpd. I was playing around and stumbled over
the fact that acme-client suddenly can renew certificates even without
running httpd in the first place o.O That's just wrong, since there isn't
support that does dns-01 challenges, right? I stopped httpd to check that the
site wasn't reachable and did a
acme-client -vvF mydomain.tld
and it gave me a new certificate from Let's Encrypt ...
Anyway, can someone who has the insight please tell me what's going on here
and maybe post a config example that works for a basic https redirect?
Or is it really the case that I need to load a config that hasn't a block
return statement in the http server definition?
One last note, I did a syspatch today and don't know if this changed
something in the behaviour of the components involved.
regards
--
Markus Rosjat fon: +49 351 8107223 mail: ros...@ghweb.de
G+H Webservice GbR Gorzolla, Herrmann
Königsbrücker Str. 70, 01099 Dresden
http://www.ghweb.de
fon: +49 351 8107220 fax: +49 351 8107227
Please check whether this mail really needs to be printed! Before
you print it, think about your responsibility and commitment to the
ENVIRONMENT
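As an added example (not from the original post or any reply to it), here is the shape of an http server block for this situation that follows what httpd.conf(5) documents: a location inherits the server-level block directive, and the pass keyword inside the location disables that earlier block for the matched path. The domain name is a placeholder, and the chrooted /acme path is assumed to be the usual acme-client challenge directory (/var/www/acme on the host).

```conf
# Added example configuration, not the poster's own. Assumes OpenBSD 6.1
# httpd(8), "example.com" as a placeholder domain, and acme-client writing
# its challenge files to /var/www/acme (seen as "/acme" inside the chroot).
ext_addr="*"

server "example.com" {
	listen on $ext_addr port http

	# Serve the ACME http-01 challenge files from /acme. This location
	# inherits the server-level "block return" below, so "pass" is required
	# here to turn the block off for this path only.
	location "/.well-known/acme-challenge/*" {
		pass
		root "/acme"
		root strip 2
		directory no auto index
	}

	# Every other request on port 80 is redirected to the https server.
	block return 302 "https://$HTTP_HOST$REQUEST_URI"
}
```

Before reloading, `httpd -n -f /etc/httpd.conf` checks the syntax without starting the daemon, and `rcctl reload httpd` applies it. A quick functional check is to fetch a URL under /.well-known/acme-challenge/ and one outside it: the first should be answered from /acme (404 for a file that does not exist there) and the second should return a 302 to the https URL. If the challenge path still returns 302, the block is still being inherited and the location is not the one matching the request.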