Hello!

I configured relayd months ago and did not have my config here. 

The keypair option works as it should (name.tld) and requires no symlinks 
(tested with public IPs) but the paths to the certs are hardcoded as described 
in the acme config file in /etc/examples. IIRC the path must be /etc/acme/ or 
so.

Regards,


Christoph

> Am 27.02.2021 um 09:25 schrieb jrmu <j...@ircnow.org>:
> 
> PS: I am running OpenBSD 6.8 stable on amd64.
> 
>> On Sat, Feb 27, 2021 at 03:48:04PM +0800, j...@ircnow.org wrote:
>> I was trying to configure relayd for TLS acceleration when I noticed an
>> unusual error.
>> 
>> Here is my /etc/relayd.conf (with actual IPs and domains replaced):
>> 
>> ip4="192.0.2.1"
>> ip6="2001:db8::"
>> table <www> { 127.0.0.1 }
>> table <bnc> { 127.0.0.1 }
>> 
>> log connection
>> 
>> http protocol https {
>>        match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
>>        match request header append "X-Forwarded-By" \
>>            value "$SERVER_ADDR:$SERVER_PORT"
>>        match request header set "Connection" value "close"
>> 
>>        # Various TCP options
>>        tcp { sack, backlog 128 }
>> 
>>        tls { keypair example.com }
>>        match request header "Host" value "www.example.com" forward to <www>
>> }
>> 
>> relay wwwtls {
>>        listen on $ip4 port 443 tls
>>        listen on $ip6 port 443 tls
>>        protocol https
>>        forward to <www> port 8001 check icmp
>> }
>> 
>> I set up symlinks for the SSL certs as follows:
>> 
>> $ doas ln -s /etc/ssl/example.com.fullchain.pem /etc/ssl/example.com:443.crt
>> $ doas ln -s /etc/ssl/private/example.com.key /etc/ssl/private/example.com:443.key
>> 
>> I then start relayd:
>> 
>> $ doas relayd -dvv
>> 
>> and get the following errors:
>> 
>> relay_load_certfiles: using certificate /etc/ssl/example.com:443.crt
>> relay_load_certfiles: using private key /etc/ssl/private/example.com:443.key
>> /etc/relayd.conf:26: cannot load certificates for relay wwwtls2:443
>> 
>> I discovered that if I comment out the below line, line 23, relayd works:
>> 
>> listen on $ip6 port 443 tls
>> 
>> So if I uncomment out the IPv6 listener, relayd works just fine.
>> 
>> If I include the IPv6 listener but create symlinks with IPv6 addresses as
>> follows:
>> 
>> $ doas ln -s /etc/ssl/example.com.fullchain.pem /etc/ssl/2001:db8:::443.crt
>> $ doas ln -s /etc/ssl/private/example.com.key /etc/ssl/private/2001:db8:::443.key
>> 
>> Then it seems relayd also works. So I suspect relayd is ignoring
>> the tls keypair directive for IPv6 addresses. In other words, when IPv6 is
>> enabled, relayd appears to ignore:
>> 
>> tls { keypair example.com }
>> 
>> Can someone verify if this is correct behavior, if I misconfigured, or
>> if this is a bug?
>> 
>> jrmu
> 
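The thread turns on which files relayd looks for per TLS listener, and the
quickest way to compare expectations against the `relay_load_certfiles` lines
in `relayd -dvv` output is to compute the candidate paths up front. The
following preflight script is an added example, not code from this thread or
from the relayd project. It parses the macros, `relay` and `protocol` blocks of
a relayd.conf (the poster's config is embedded as a constructed sample) and,
for every `listen on ... tls` statement, lists the certificate and key files
relayd is documented to try. The lookup order it assumes is the one in
relayd.conf(5): with `tls { keypair name }`, `/etc/ssl/name:port.crt` and
`/etc/ssl/private/name:port.key` first, then `name.crt` / `name.key`; without a
keypair, the listen address stands in for `name`. Check that order against the
man page of your release. The `exists` parameter is an injection point so the
check can be run offline (or from a test) against a constructed set of paths
instead of the live filesystem.

```python
#!/usr/bin/env python3
"""Preflight check: which cert/key files relayd will look for per TLS listener.

Added example (not part of the original thread). Lookup order is taken from
relayd.conf(5) and labelled as an assumption in candidates() below.
"""
import os
import re

SSL_DIR = "/etc/ssl"
KEY_DIR = "/etc/ssl/private"

# Constructed sample: the poster's relayd.conf, reduced to the TLS-relevant parts.
SAMPLE_CONF = '''
ip4="192.0.2.1"
ip6="2001:db8::"
table <www> { 127.0.0.1 }

http protocol https {
        tls { keypair example.com }
        match request header "Host" value "www.example.com" forward to <www>
}

relay wwwtls {
        listen on $ip4 port 443 tls
        listen on $ip6 port 443 tls
        protocol https
        forward to <www> port 8001 check icmp
}
'''

MACRO_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$', re.M)
# Matches "relay NAME {", "protocol NAME {" and "http|tcp protocol NAME {" blocks
# up to the closing brace at the start of a line.
BLOCK_RE = re.compile(r'^\s*(?:(?:http|tcp)\s+)?(relay|protocol)\s+(\S+)\s*\{(.*?)^\}',
                      re.M | re.S)
LISTEN_RE = re.compile(r'listen\s+on\s+(\S+)\s+port\s+(\d+)\s+tls\b')
KEYPAIR_RE = re.compile(r'\bkeypair\s+(\S+)')
PROTO_RE = re.compile(r'^\s*protocol\s+(\S+)\s*$', re.M)


def expand_macros(conf):
    """Substitute $name macros defined as name="value" at the top of the file."""
    macros = dict(MACRO_RE.findall(conf))
    return re.sub(r'\$(\w+)', lambda m: macros.get(m.group(1), m.group(0)), conf)


def parse(conf):
    """Return ({protocol: [keypair names]}, {relay: {protocol, listeners}})."""
    conf = expand_macros(conf)
    keypairs, relays = {}, {}
    for kind, name, body in BLOCK_RE.findall(conf):
        if kind == "protocol":
            keypairs[name] = KEYPAIR_RE.findall(body)
        else:
            m = PROTO_RE.search(body)
            relays[name] = {
                "protocol": m.group(1) if m else None,
                "listeners": [(a, int(p)) for a, p in LISTEN_RE.findall(body)],
            }
    return keypairs, relays


def candidates(name, port):
    """(crt, key) pairs relayd tries, most specific first.

    ASSUMPTION: order as documented in relayd.conf(5): name:port first, then name.
    """
    return [
        (f"{SSL_DIR}/{name}:{port}.crt", f"{KEY_DIR}/{name}:{port}.key"),
        (f"{SSL_DIR}/{name}.crt", f"{KEY_DIR}/{name}.key"),
    ]


def resolve(conf, exists=os.path.exists):
    """Map 'relay addr:port' -> {name: (crt, key) or None} for every TLS listener.

    Without a keypair directive the listen address itself is the lookup name,
    which is what produces paths such as /etc/ssl/2001:db8:::443.crt.
    """
    keypairs, relays = parse(conf)
    result = {}
    for rname, relay in relays.items():
        names = keypairs.get(relay["protocol"]) or []
        for addr, port in relay["listeners"]:
            per_name = {}
            for name in (names or [addr]):
                per_name[name] = next(
                    (pair for pair in candidates(name, port) if all(map(exists, pair))),
                    None)
            result[f"{rname} {addr}:{port}"] = per_name
    return result


def missing(conf, exists=os.path.exists):
    """Listeners (and keypair names) for which no cert/key pair was found."""
    return sorted((listener, name)
                  for listener, found in resolve(conf, exists).items()
                  for name, pair in found.items() if pair is None)


if __name__ == "__main__":
    # Real run: checks the live /etc/ssl tree on this host.
    for listener, found in resolve(SAMPLE_CONF).items():
        for name, pair in found.items():
            status = f"{pair[0]} + {pair[1]}" if pair else "MISSING"
            print(f"{listener:30} keypair {name:20} {status}")
```

Run on a relayd host, the output lists one line per listener; a `MISSING`
entry is exactly the case that surfaces later as `cannot load certificates for
relay ...`, so the script is useful before restarting relayd. Note that the
poster's symlink workaround (address-named files) corresponds to the
`names or [addr]` branch, i.e. the behaviour relayd shows when it acts as if no
keypair were configured for that listener.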
