Let's Encrypt Error with cgit, httpd, acme-client

2018-08-21 Thread Parikh, Samir
I am running cgit to host my git repositories on OpenBSD 6.3 and am
trying to enable https using Let's Encrypt.  The URL of the cgit
repositories is a subdomain of my main domain (e.g. git.domain.com).  I
get the following error below whenever I try to provision a certificate
using acme-client.  I have specified my hosting provider's nameservers
to my domain registrar and have created an A record pointing the "git"
subdomain to my VM's IP address.  Relevant .conf files and
file/directory permissions are below as well.

Any help would be greatly appreciated.  Thanks in advance!
Samir

# acme-client -vAD git.domain.com
acme-client: /etc/ssl/private/git.domain.com.key: domain key exists (not
creating)
acme-client: /etc/acme/letsencrypt-privkey.pem: account key exists (not
creating)
acme-client: https://acme-v01.api.letsencrypt.org/directory: directories
acme-client: acme-v01.api.letsencrypt.org: DNS: 23.203.116.227
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz:
req-auth: git.domain.com
acme-client: /var/www/acme/nWmGUBfLtIJuzuoNGfegToiMezdT6GaFes83Id2yctQ:
created
acme-client:
https://acme-v01.api.letsencrypt.org/acme/challenge/-kVwLPlPys451fI4-3TgDBcJRBQmvjO7yzUcifUW0AY/6175217714:
challenge
acme-client:
https://acme-v01.api.letsencrypt.org/acme/challenge/-kVwLPlPys451fI4-3TgDBcJRBQmvjO7yzUcifUW0AY/6175217714:
status
acme-client:
https://acme-v01.api.letsencrypt.org/acme/challenge/-kVwLPlPys451fI4-3TgDBcJRBQmvjO7yzUcifUW0AY/6175217714:
bad response
acme-client: transfer buffer: [{ "type": "http-01", "status": "invalid",
"error": { "type": "urn:acme:error:unauthorized", "detail": "Invalid
response from
http://git.domain.com/.well-known/acme-challenge/nWmGUBfLtIJuzuoNGfegToiMezdT6GaFes83Id2yctQ:
\"\u003c!DOCTYPE
html\u003e\n\u003chtml\u003e\n\u003chead\u003e\n\u003cmeta
http-equiv=\"Content-Type\" content=\"text/html;
charset=utf-8\"/\u003e\n\u003ctitle\u003e500 Internal Server Er\"",
"status": 403 }, "uri":
"https://acme-v01.api.letsencrypt.org/acme/challenge/-kVwLPlPys451fI4-3TgDBcJRBQmvjO7yzUcifUW0AY/6175217714",
"token": "nWmGUBfLtIJuzuoNGfegToiMezdT6GaFes83Id2yctQ",
"keyAuthorization":
"nWmGUBfLtIJuzuoNGfegToiMezdT6GaFes83Id2yctQ.cbdgaka6s7Kv6R_a_Rhq_6VMDSKE2D4VdJyddLn65QI",
"validationRecord": [ { "url":
"http://git.domain.com/.well-known/acme-challenge/nWmGUBfLtIJuzuoNGfegToiMezdT6GaFes83Id2yctQ",
"hostname": "git.domain.com", "port": "80", "addressesResolved": [
"ip.address" ], "addressUsed": "ip.address" } ] }] (1039 bytes)
acme-client: bad exit: netproc(21893): 1


/etc/httpd.conf:

ext_ip="0.0.0.0"
server "localhost" {
    listen on $ext_ip port 80

    # serve the cgit static files directly
    location "/cgit.*" {
        root "/cgit"
        no fastcgi
    }
    # cgit CGI
    root "/cgi-bin/cgit.cgi"
    fastcgi socket "/run/slowcgi.sock"
    location "/.well-known/acme-challenge/*" {
        root { "/acme", strip 2 }
    }
}


/etc/acme-client.conf:

authority letsencrypt {
    api url "https://acme-v01.api.letsencrypt.org/directory"
    account key "/etc/acme/letsencrypt-privkey.pem"
}

authority letsencrypt-staging {
    api url "https://acme-staging.api.letsencrypt.org/directory"
    account key "/etc/acme/letsencrypt-staging-privkey.pem"
}

domain git.domain.com {
    domain key "/etc/ssl/private/git.domain.com.key"
    domain certificate "/etc/ssl/git.domain.com.crt"
    domain full chain certificate "/etc/ssl/git.domain.com.fullchain.pem"
    sign with letsencrypt
}


/var/www/conf/cgitrc
footer=/conf/cgit.footer

# Enable caching of up to 1000 output entries
cache-size=1000

cache-root=/cgit/cache

# Specify some default clone urls using macro expansion
clone-url=git://git.domain.com/$CGIT_REPO_URL

# Specify the css url
css=/cgit.css

# Show owner on index page
enable-index-owner=0

# Allow http transport git clone
enable-http-clone=0

# Show extra links for each repository on the index page
enable-index-links=0

# Enable ASCII art commit history graph on the log pages
enable-commit-graph=1

# Show number of affected files per commit on the log pages
enable-log-filecount=1

# Show number of added/removed lines per commit on the log pages
enable-log-linecount=1

# Sort branches by date
branch-sort=age

# Add a cgit favicon
favicon=/favicon.ico

# Enable statistics per week, month and quarter
max-stats=quarter

# Set the title and heading of the repository index page
root-title=HotBSD Code Repositories

# Set a subheading for the repository index page
root-desc=

# Allow download of tar.gz, tar.bz2 and zip-files
snapshots=tar.gz

## List of common mimetypes
mimetype.gif=image/gif
mimetype.html=text/html
mimetype.jpg=image/jpeg
mimetype.jpeg=image/jpeg
mimetype.pdf=application/pdf
mimetype.png=image/png
mimetype.svg=image/svg+xml

## Search for these files in the root of the default branch of repositories
## for coming up with the about page:
readme=:README

virtual-root=/

#scan-path=/htdocs/src
scan-path=/repos

# Di

Re: Let's Encrypt Error with cgit, httpd, acme-client

2018-08-21 Thread flipchan
Try removing all keys in the ssl directory as well as
/etc/acme/letsencrypt-privkey.pem

On August 21, 2018 7:46:24 PM UTC, "Parikh, Samir" 
 wrote:
>I am running cgit to host my git repositories on OpenBSD 6.3 and am
>trying to enable https using Let's Encrypt.  The URL of the cgit
>repositories is a subdomain of my main domain (e.g. git.domain.com).  I
>get the following error below whenever I try to provision a certificate
>using acme-client.  I have specified my hosting provider's nameservers
>to my domain registrar and have created an A record pointing the "git"
>subdomain to my VM's IP address.  Relevant .conf files and
>file/directory permissions are below as well.
>[...]

Re: Let's Encrypt Error with cgit, httpd, acme-client

2018-08-21 Thread he...@ezaquarii.com

On 21/08/2018 20:46, Parikh, Samir wrote:
>   # cgit CGI
>   root "/cgi-bin/cgit.cgi"
>   fastcgi socket "/run/slowcgi.sock"
>   location "/.well-known/acme-challenge/*" {
>   root { "/acme", strip 2 }
>   }
> }


Do you have /var/www/cgi-bin/cgit.cgi/.well-known/acme-challenge/ directory?

Because this is where the httpd server will look for it.

I usually set a separate virtual host for ACME and serve
it from default path /var/www/acme.



Re: Let's Encrypt Error with cgit, httpd, acme-client

2018-08-21 Thread Anthony J. Bentley
Hi Samir,

Parikh, Samir writes:
> I am running cgit to host my git repositories on OpenBSD 6.3 and am
> trying enable https using Let's Encrypt.

I run cgit as well (with the same httpd.conf, acme-client.conf, file
permissions, etc), and have no trouble creating and renewing certs.

Do you see anything in /var/www/logs/access.log? Here's what I see:

example.com 66.133.109.36 - - [21/Aug/2018:23:03:35 -0600] "GET
/.well-known/acme-challenge/YXRuZWJ1c2FvdGV1Ym5hc290ZGFvZXNudGh1YW9lc25
HTTP/1.1" 200 87



Re: Let's Encrypt Error with cgit, httpd, acme-client

2018-08-21 Thread Anthony J. Bentley
he...@ezaquarii.com writes:
> On 21/08/2018 20:46, Parikh, Samir wrote:>   # cgit CGI
> >   root "/cgi-bin/cgit.cgi"
> >   fastcgi socket "/run/slowcgi.sock"
> >   location "/.well-known/acme-challenge/*" {
> >   root { "/acme", strip 2 }
> >   }
> > }
>
> Do you have /var/www/cgi-bin/cgit.cgi/.well-known/acme-challenge/ directory?
>
> Because this is where the httpd server will look for it.

Not when you have a location block specifying the correct root...



Re: Let's Encrypt Error with cgit, httpd, acme-client

2018-08-22 Thread Parikh, Samir
Anthony J. Bentley wrote on 22/08/18 01:37:
> Do you see anything in /var/www/logs/access.log? Here's what I see:
>
> example.com 66.133.109.36 - - [21/Aug/2018:23:03:35 -0600] "GET
> /.well-known/acme-challenge/YXRuZWJ1c2FvdGV1Ym5hc290ZGFvZXNudGh1YW9lc25
> HTTP/1.1" 200 87

Thanks for your reply! I do see the following:

# grep well-known /var/www/logs/access.log
localhost 64.78.149.164 - - [21/Aug/2018:19:40:39 +] "GET
/.well-known/acme-challenge/5HgvXSBECEtZGTGaMh3b64LVQ1RG7OQGBp-iJBt0CjY
HTTP/1.1" 500 0
git.example.com 64.78.149.164 - - [21/Aug/2018:19:41:24 +] "GET
/.well-known/acme-challenge/ccmy5LbVl6-mIft2IhlL2NooxHx33dag7QntuZ5RGW0
HTTP/1.1" 500 0
git.example.com 64.78.149.164 - - [22/Aug/2018:17:19:43 +] "GET
/.well-known/acme-challenge/tkQw_0qDhDjEgxvy5WNZKuyhjPQwRHvIgT3nbGrCAI0
HTTP/1.1" 500 0

Does that mean that the acme-client is able to at least reach Let's Encrypt?

Thanks
Samir

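A small triage helper for access.log lines like the ones above, added here as an example and not part of any post in the thread. An inbound GET for /.well-known/acme-challenge/ from the CA's validator means the challenge request did reach httpd; what matters is the status code that follows it. The helper lists every challenge hit with its status and vhost, counts the ones that did not get a 200 (which points at the request handler in httpd rather than at DNS or a firewall), and gives a plain-language verdict per log file. The sample lines are constructed for the example and modelled on the posted ones: the token strings are taken from the thread, while the 203.0.113.7 client and the final 200 hit are made up.

```sh
#!/bin/sh
# Added example, not from the thread: triage /var/www/logs/access.log for
# http-01 challenge requests. SAMPLE_LOG is constructed, modelled on the
# lines posted in the thread; 203.0.113.7 and the final 200 line are made up.
SAMPLE_LOG='localhost 64.78.149.164 - - [21/Aug/2018:19:40:39 +0000] "GET /.well-known/acme-challenge/5HgvXSBECEtZGTGaMh3b64LVQ1RG7OQGBp-iJBt0CjY HTTP/1.1" 500 0
git.example.com 64.78.149.164 - - [22/Aug/2018:17:19:43 +0000] "GET /.well-known/acme-challenge/tkQw_0qDhDjEgxvy5WNZKuyhjPQwRHvIgT3nbGrCAI0 HTTP/1.1" 500 0
git.example.com 203.0.113.7 - - [22/Aug/2018:17:20:01 +0000] "GET /cgit.css HTTP/1.1" 200 2014
git.example.com 66.133.109.36 - - [23/Aug/2018:09:00:00 +0000] "GET /.well-known/acme-challenge/YXRuZWJ1c2FvdGV1Ym5hc290ZGFvZXNudGh1YW9lc25 HTTP/1.1" 200 87'

# One line per challenge request read from stdin: "STATUS VHOST TOKEN".
# httpd's default log format: vhost client - - [date] "request" status bytes
acme_hits() {
    awk '
    index($0, "/.well-known/acme-challenge/") {
        split($0, q, "\"")       # q[2] = "GET /path HTTP/1.1", q[3] = " STATUS BYTES"
        split(q[2], r, " ")      # r[2] = request path
        split(q[3], s, " ")      # s[1] = status code
        token = r[2]
        sub(/.*\//, "", token)   # keep only the last path component
        printf "%s %s %s\n", s[1], $1, token
    }'
}

# Number of challenge requests that did not get a 200.
acme_failures() {
    acme_hits | awk '$1 != "200" { n++ } END { print n + 0 }'
}

# Total challenge requests seen. 0 means the CA never reached httpd at
# all, so DNS, pf or the listen address is the problem, not the location.
acme_total() {
    acme_hits | wc -l | tr -d ' '
}

# Verdict for one log file. Usage: triage_log /var/www/logs/access.log
triage_log() {
    total=$(acme_total < "$1")
    bad=$(acme_failures < "$1")
    if [ "$total" = 0 ]; then
        echo "no challenge requests reached httpd: check the A record, pf and the listen address"
    elif [ "$bad" != 0 ]; then
        echo "$bad of $total challenge requests failed: httpd matched them but the handler errored"
        acme_hits < "$1" | awk '$1 != "200"'
    else
        echo "all $total challenge requests were served with 200"
    fi
}
```

On the constructed sample the helper reports two failed hits out of three, both with status 500 and zero bytes, which is the pattern in the log excerpt above: the request was matched and answered by httpd, so the remaining question is what the matched location hands the request to.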



Re: Let's Encrypt Error with cgit, httpd, acme-client

2018-08-22 Thread Parikh, Samir
flipchan wrote on 22/08/18 01:19:
> Try removing all keys in the ssl directory aswell as
> /etc/acme/letsencrypt-privkey.pem

Thank you for your suggestion! I tried that and still received a similar
error:

# acme-client -vAD git.example.com
acme-client: /etc/ssl/private/git.example.com.key: domain key exists
(not creating)
acme-client: /etc/acme/letsencrypt-privkey.pem: generated RSA account key
acme-client: https://acme-v01.api.letsencrypt.org/directory: directories
acme-client: acme-v01.api.letsencrypt.org: DNS: 23.203.86.101
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-reg: new-reg
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz:
req-auth: git.example.com
acme-client: /var/www/acme/tkQw_0qDhDjEgxvy5WNZKuyhjPQwRHvIgT3nbGrCAI0:
created
acme-client:
https://acme-v01.api.letsencrypt.org/acme/challenge/qG_m-oh4J3c4mTSsdOoVZmOg3EpLwXQn1zRHgDTtwgM/6689241118:
challenge
acme-client:
https://acme-v01.api.letsencrypt.org/acme/challenge/qG_m-oh4J3c4mTSsdOoVZmOg3EpLwXQn1zRHgDTtwgM/6689241118:
status
acme-client:
https://acme-v01.api.letsencrypt.org/acme/challenge/qG_m-oh4J3c4mTSsdOoVZmOg3EpLwXQn1zRHgDTtwgM/6689241118:
bad response
acme-client: transfer buffer: [{ "type": "http-01", "status": "invalid",
"error": { "type": "urn:acme:error:unauthorized", "detail": "Invalid
response from
http://git.example.com/.well-known/acme-challenge/tkQw_0qDhDjEgxvy5WNZKuyhjPQwRHvIgT3nbGrCAI0:
\"\u003c!DOCTYPE
html\u003e\n\u003chtml\u003e\n\u003chead\u003e\n\u003cmeta
http-equiv=\"Content-Type\" content=\"text/html;
charset=utf-8\"/\u003e\n\u003ctitle\u003e500 Internal Server Er\"",
"status": 403 }, "uri":
"https://acme-v01.api.letsencrypt.org/acme/challenge/qG_m-oh4J3c4mTSsdOoVZmOg3EpLwXQn1zRHgDTtwgM/6689241118",
"token": "tkQw_0qDhDjEgxvy5WNZKuyhjPQwRHvIgT3nbGrCAI0",
"keyAuthorization":
"tkQw_0qDhDjEgxvy5WNZKuyhjPQwRHvIgT3nbGrCAI0.JoZcpmrIKNVhHlsofYyIPvX9025UcWhHyj-vQAnrTkg",
"validationRecord": [ { "url":
"http://git.example.com/.well-known/acme-challenge/tkQw_0qDhDjEgxvy5WNZKuyhjPQwRHvIgT3nbGrCAI0",
"hostname": "git.example.com", "port": "80", "addressesResolved": [
"144.202.9.26" ], "addressUsed": "144.202.9.26" } ] }] (1039 bytes)
acme-client: bad exit: netproc(80489): 1




Re: Let's Encrypt Error with cgit, httpd, acme-client

2018-08-22 Thread trondd
On Wed, August 22, 2018 1:23 pm, Parikh, Samir wrote:
> flipchan wrote on 22/08/18 01:19:
>> Try removing all keys in the ssl directory aswell as
>> /etc/acme/letsencrypt-privkey.pem
>
> Thank you for your suggestion! I tried that and still received a similar
> error:
>
> # acme-client -vAD git.example.com
> [...]
> acme-client: transfer buffer: [{ "type": "http-01", "status": "invalid",
> "error": { "type": "urn:acme:error:unauthorized", "detail": "Invalid
> response from
> http://git.example.com/.well-known/acme-challenge/tkQw_0qDhDjEgxvy5WNZKuyhjPQwRHvIgT3nbGrCAI0:
> \"\u003c!DOCTYPE
> html\u003e\n\u003chtml\u003e\n\u003chead\u003e\n\u003cmeta
> http-equiv=\"Content-Type\" content=\"text/html;
> charset=utf-8\"/\u003e\n\u003ctitle\u003e500 Internal Server Er\"",
> "status": 403 }, "uri":

Clearly, Let's Encrypt can't access the file on your server.  The easiest
way to debug is to drop an html file into /acme and go to your server
/.well-known/acme-challenge/file.html in a browser and see what happens.

I could reproduce the 500 error in a browser with your config.  I had to
do 2 things to fix it (which may or may not break cgit).

Wrap your general root "/cgi-bin/cgit.cgi" and fastcgi socket in a
location "*" {} block and then move that block to the bottom of the server
block under location ".well-known..."

This works for me (you might need to fix the "request strip" line as I am
on some version of -current).  The cgit location might need to move as
well, I didn't test further.

server "localhost" {
    listen on 127.0.0.1 port 80
    # serve the cgit static files directly
    location "/cgit.*" {
        root "/cgit"
        no fastcgi
    }
    location "/.well-known/acme-challenge/*" {
        root "/acme"
        request strip 2
    }
    # cgit CGI
    location "*" {
        root "/cgi-bin/cgit.cgi"
        fastcgi socket "/run/slowcgi.sock"
    }
}

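A script version of the check trondd describes, added here as an example and not part of anyone's post in the thread. It assumes httpd is chrooted in /var/www, that the challenge location is `root "/acme"` with `request strip 2`, and that curl(1) is installed (a port on OpenBSD, not part of the base system). `challenge_file` shows why `strip 2` is needed: the two leading path components are removed before the remainder is looked up under /var/www/acme. `verify_response` applies the rule the CA applies, a 200 with a body that is exactly the token file, so a 500 error page like the one in the transfer buffer fails immediately. `selftest` ties the two together against a live httpd; the hostname passed to it is whatever you are issuing for.

```sh
#!/bin/sh
# Added example, not from the thread: hand-check of an http-01 challenge
# location on OpenBSD httpd, the way trondd describes.
# Assumptions: httpd is chrooted in /var/www, the challenge location is
#   location "/.well-known/acme-challenge/*" { root "/acme"; request strip 2 }
# and curl(1) is available (a port on OpenBSD, not in base).

ACME_DIR=${ACME_DIR:-/var/www/acme}

# Resolve a request path the way that location does. "request strip 2"
# removes the first two path components, so
#   /.well-known/acme-challenge/TOKEN  ->  ACME_DIR/TOKEN
# $1 = request path, $2 = directory the location root maps to (optional).
challenge_file() {
    _root=${2:-$ACME_DIR}
    _root=${_root%/}
    _rest=${1#/}            # .well-known/acme-challenge/TOKEN
    _rest=${_rest#*/}       # acme-challenge/TOKEN  (component 1 stripped)
    _rest=${_rest#*/}       # TOKEN                 (component 2 stripped)
    printf '%s/%s\n' "$_root" "$_rest"
}

# The CA's rule: status 200 and a body that is exactly the file content.
# The "500 Internal Server Error" page from the transfer buffer fails here.
# $1 = HTTP status, $2 = body received, $3 = body expected.
verify_response() {
    [ "$1" = 200 ] && [ "$2" = "$3" ]
}

# Live check against a running httpd: drop a throwaway token into the
# challenge directory, fetch it over plain HTTP as the CA would, remove it.
# Usage (as root, on the server): selftest git.example.com
selftest() {
    _host=$1
    _token=$(openssl rand -hex 16) || return 1
    _tmp=$(mktemp) || return 1
    printf '%s' "$_token" > "$ACME_DIR/$_token" || { rm -f "$_tmp"; return 1; }
    _status=$(curl -s -o "$_tmp" -w '%{http_code}' \
        "http://$_host/.well-known/acme-challenge/$_token")
    _body=$(cat "$_tmp")
    rm -f "$_tmp" "$ACME_DIR/$_token"
    if verify_response "$_status" "$_body" "$_token"; then
        echo "ok: $(challenge_file "/.well-known/acme-challenge/$_token") was served as a static file"
    else
        echo "FAIL: HTTP $_status, body begins: $(printf '%s\n' "$_body" | head -n 1 | cut -c 1-60)"
        return 1
    fi
}
```

If `selftest` reports a 500 with the original configuration, the most likely cause is that the server-level `fastcgi socket` is inherited by the challenge location, so httpd hands the token file to slowcgi instead of serving it as a static file. Either trondd's `location "*"` wrapper, which keeps the fastcgi setting out of the server scope, or an explicit `no fastcgi` inside the challenge location, as the cgit static location already has, avoids that.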




Re: Let's Encrypt Error with cgit, httpd, acme-client

2018-08-26 Thread Parikh, Samir
Your suggestion of changing things up in my /etc/httpd.conf file did the
trick!  My initial version of the file, prior to initializing the
account and requesting a new domain key ended up looking like this based
on your suggestions:

ext_ip="0.0.0.0"
#server "localhost" {
server "git.example.com" {
    listen on $ext_ip port 80

    # serve the cgit static files directly
    location "/cgit.*" {
        root "/cgit"
        no fastcgi
    }

    location "/.well-known/acme-challenge/*" {
        root { "/acme", strip 2 }
    }

    # cgit CGI
    location "*" {
        root "/cgi-bin/cgit.cgi"
        fastcgi socket "/run/slowcgi.sock"
    }
}

After I was able to successfully run
# acme-client -vAD git.example.com

I modified /etc/httpd.conf to:

ext_ip="0.0.0.0"
#server "localhost" {
server "git.example.com" {
    #listen on $ext_ip port 80
    listen on * tls port 443
    tls certificate "/etc/ssl/git.example.com.fullchain.pem"
    tls key "/etc/ssl/private/git.example.com.key"

    # serve the cgit static files directly
    location "/cgit.*" {
        root "/cgit"
        no fastcgi
    }

    location "/.well-known/acme-challenge/*" {
        root { "/acme", strip 2 }
    }

    # cgit CGI
    location "*" {
        root "/cgi-bin/cgit.cgi"
        fastcgi socket "/run/slowcgi.sock"
    }
}

server "git.example.com" {
    listen on * port 80
    block return 301 "https://git.example.com$REQUEST_URI"
}

The site now gets an "A" grade over at ssllabs.com.

I guess my only remaining question is how did you know I needed to make
this change?  I know the OpenBSD documentation is really good but I'm
still fascinated how people manage to sort things like this out.  Maybe
it's just pure experience?

Either way, thanks again!

Samir




Re: Let's Encrypt Error with cgit, httpd, acme-client

2018-08-27 Thread trondd
On Sun, August 26, 2018 4:40 pm, Parikh, Samir wrote:
>
> I guess my only remaining question is how did you know I needed to make
> this change?  I know the OpenBSD documentation is really good but I'm
> still fascinated how people manage to sort things like this out.  Maybe
> it's just pure experience?
>
> Either way, thanks again!
>
> Samir
>

It's part experience, part reading the output and logs, and part just
trying things.  I didn't know what the solution was.  I looked at
/etc/examples/httpd.conf, looked at the errors and made changes.

Be explicit in the configuration.  The 'root' without a 'location' wasn't
explicit so I didn't know how it got interpreted.  Put it in a 'location'.
And most configurations on OpenBSD have an order to their evaluation. 
Some are first match wins, some are last match wins, so move things
around.

Tim.