Adding two relay blocks does seem to fix the problem, thank you.

jrmu

On Sat, Feb 27, 2021 at 02:50:11AM -0700, Anthony J. Bentley wrote:
> Hi,
>
> j...@ircnow.org writes:
> > Then it seems relayd also works. So I suspect relayd is ignoring
> > the tls keypair directive for IPv6 addresses. In other words, when IPv6 is
> > enabled,
> > relayd appears to ignore:
> >
> > tls { keypair example.com }
> >
> > Can someone verify if this is correct behavior, if I misconfigured, or
> > if this is a bug?
>
> You're making things a bit harder for yourself with your choice of
> certificate filenames. For starters, on webservers I've never had
> any use for a certificate without full chain. So I just create a
> full chain certificate under the usual certificate filename in my
> acme-client config.
>
> domain example.com {
>         domain key "/etc/ssl/private/example.com.key"
>         domain full chain certificate "/etc/ssl/example.com.crt"
>         sign with letsencrypt
> }
>
> No symlinks necessary.
>
> Then in relayd I create two relays, listening to the same protocol
> block.
>
> table <httpd> { 127.0.0.1 }
>
> log connection
>
> http protocol myremote {
>         tls keypair "example.com"
>
>         return error
>         pass
> }
>
> relay mysite4 {
>         listen on 127.0.0.1 port 443 tls
>         protocol myremote
>         forward to <httpd> check tcp port 80
> }
>
> relay mysite6 {
>         listen on ::1 port 443 tls
>         protocol myremote
>         forward to <httpd> check tcp port 80
> }
>
> The problem really is that you can't listen on IPv4 and IPv6 in the
> same relay block. This might be a bug although I suppose it could be
> intentional (I've never found relayd's configuration very intuitive).
>
> --
> Anthony J. Bentley
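A pre-deploy check for the two pitfalls raised in this thread, added here as an example and not code from either poster or from relayd itself: it scans a relayd.conf and flags a relay block with more than one tls listener (the single-block layout Anthony says does not work) and a tls listener whose protocol declares no tls keypair. The scanner is a minimal brace-depth state machine for the constructs shown above, not a full relayd.conf grammar, and the sample configuration is constructed.

```python
import re

RELAY_RE = re.compile(r'^relay\s+(\S+)\s*\{')
PROTO_RE = re.compile(r'^(?:http\s+)?protocol\s+(\S+)\s*\{')
LISTEN_RE = re.compile(r'^listen on\s+(\S+)\s+port\s+(\S+)(\s+tls)?')
KEYPAIR_RE = re.compile(r'^tls\s*\{?\s*keypair\b')  # "tls keypair x" or "tls { keypair x }"

def parse(conf):
    """relays: name -> {'listen': [(addr, port, is_tls)], 'protocol': name}; protos: names declaring a tls keypair."""
    relays, protos, kind, block, depth = {}, set(), None, None, 0
    for raw in conf.splitlines():
        line = raw.split('#', 1)[0].strip()  # drop comments and indentation
        if depth == 0:  # top level: only block openers matter here
            m = RELAY_RE.match(line) or PROTO_RE.match(line)
            if m:
                kind, block = ('relay' if line.startswith('relay') else 'proto'), m.group(1)
                if kind == 'relay':
                    relays[block] = {'listen': [], 'protocol': None}
        elif kind == 'relay':
            m = LISTEN_RE.match(line)
            if m:
                relays[block]['listen'].append((m.group(1), m.group(2), bool(m.group(3))))
            elif line.startswith('protocol '):
                relays[block]['protocol'] = line.split()[1]
        elif kind == 'proto' and KEYPAIR_RE.match(line):
            protos.add(block)
        depth += line.count('{') - line.count('}')  # brace depth marks block boundaries
    return relays, protos

def lint(conf):
    """Flag several tls listeners in one relay block, and a tls listener whose protocol has no tls keypair."""
    relays, protos = parse(conf)
    out = []
    for name, r in relays.items():
        tls = [l for l in r['listen'] if l[2]]
        if len(tls) > 1:
            out.append(f'relay {name}: {len(tls)} tls listeners in one block; use one relay per address')
        if tls and r['protocol'] not in protos:
            out.append(f'relay {name}: tls listener but protocol {r["protocol"]} declares no tls keypair')
    return out

# Constructed sample: one relay block listening on both addresses, the layout the thread says fails.
SINGLE_RELAY = """http protocol myremote {
    tls { keypair example.com }
}
relay mysite {
    listen on 127.0.0.1 port 443 tls
    listen on ::1 port 443 tls
    protocol myremote
}"""
```

Running `lint(SINGLE_RELAY)` yields one finding for the double listener, while the two-relay layout from Anthony's message yields none.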