DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD General

OpenBSD General Other questions regarding OpenBSD which do not fit in any of the categories below.

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 2nd May 2017
ed.n1n2 ed.n1n2 is offline
Port Guard
 
Join Date: Mar 2015
Posts: 23
Default Letsencrypt not working

There has been a couple of guides on how to do this recently (5.9,6.0)

https://spin.atomicobject.com/2016/0...-lets-encrypt/
https://lab.rickauer.com/post/2016/0...ypt-on-OpenBSD

Both are using https://kristaps.bsd.lv/acme-client/ which has supposedly been included in the -current branch for 6.0

None of that crap works. None of it. Which really surprises me since they make it sound like ABC123.

I've followed both guides verbatim on relatively fresh installs of 6.0 and receive the following error:
Code:
acme-client: /etc/acme/privkey.pem: account key exists (not creating)
acme-client: /etc/ssl/acme/private/privkey.pem: domain key exists (not creating)
acme-client: /etc/ssl/acme/private/privkey.pem: PEM_read_PrivateKey
2256225808:error:0906D06C:PEM routines:PEM_read_bio:no start line:/usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/pem/pem_lib.c:704:Expecting: ANY PRIVATE KEY
acme-client: bad exit: keyproc(33902): 1
Under no circumstances does it *just work*. I have absolutely no idea why.

Code:
acme-client \
        -C /var/www/letsencrypt/.well-known/acme-challenge \
        -c /etc/ssl/acme \
        -k /etc/ssl/acme/private/privkey.pem \
        -f /etc/acme/privkey.pem \
        -vNn my.domain
The acme-challenge should work just fine. I tested the webserver itself and I can pull files out of that directory without issue. All of the other directories were created as the guide(s) indicated (I used their different respective paths)

I'm used to the letsencrypt-auto that I download via git. I use it all the time in various Linux boxes without issue. In 5.8, IIRC, I was able to download the source and did indeed get it working. None of that works now in 6.0, and you cannot get what was downloaded with git to work in it.

How are other people getting LE to work on OpenBSD? Are there any success stories out there? Any guides I can find online are just too out of date, and I'm looking for updated information.
Reply With Quote
  #2   (View Single Post)  
Old 2nd May 2017
ocicat ocicat is offline
Administrator
 
Join Date: Apr 2008
Posts: 3,261
Default

Quote:
Originally Posted by ed.n1n2 View Post
How are other people getting LE to work on OpenBSD? Are there any success stories out there? Any guides I can find online are just too out of date, and I'm looking for updated information.
While someone may step up with salient information, I suspect none in this community will be able to answer your question(s). My recommendation would be to contact the original authors of the how-to's/tutorials used.
Reply With Quote
  #3   (View Single Post)  
Old 2nd May 2017
ed.n1n2 ed.n1n2 is offline
Port Guard
 
Join Date: Mar 2015
Posts: 23
Default

You mean that nobody in this community has any interest, at all, in free certificates from LetsEncrypt?

I guess everyone here is worth billions or something and doesn't mind paying the SSL mafiaa for their stuff to work

With all due respect, LE is now a basic requirement. Almost every piece of vendor hardware that I know is for all intents and purposes crippled with anything less than CA verified SSL certs. Nothing self-signed works anymore.

Forgive me, but I'm astounded that there would be no interest in making this happen.

I'm super pissed at the lack of LE support in OpenBSD, which makes it look like an inferior operating system. I hope somebody here can help, but an LE tutorial should be a sticky for OpenBSD when we have one that works.
Reply With Quote
  #4   (View Single Post)  
Old 2nd May 2017
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 5,705
Default

It has been just about an hour, Ed, since your first post in this thread.

I use acme-client with Letsencrypt. Successfully.

I began using it with OpenBSD 6.0, and used Kristaps Dzonsons's acme-client-0.1.16 with that release.

When I upgraded the server to 6.1 last month, I transitioned to using the built-in acme-client(1), which is an updated version of Kristaps' application.
Reply With Quote
  #5   (View Single Post)  
Old 2nd May 2017
ed.n1n2 ed.n1n2 is offline
Port Guard
 
Join Date: Mar 2015
Posts: 23
Default

Would you be interested in making a tutorial?

I'm doing this on two different 6.0 boxes that I created. Nothing has been done to them in terms of SSL/HTTP from that basic install.

Nginx is easy enough to get working and the acme-challenge is served up in my web browser without incident.

Absolutely none of the tutorials anywhere will work. So either my two fresh boxes are wholly broken (although working otherwise).... or.... the tutorials are all out of date. Which they all seem to be over 6 months, and there has been a lot of movement and change from letskencrypt and acme-client.

I *NEED* https working on my boxes to go forward at all, and this is disheartening to say the least.

Code:
acme-client: /etc/ssl/acme/private/privkey.pem: PEM_read_PrivateKey
2173063696:error:0906D06C:PEM routines:PEM_read_bio:no start line:/usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/pem/pem_lib.c:704:Expecting: ANY PRIVATE KEY
Multiple boxes and the only thing I ever receive are SSL errors that make no sense. These are fresh installs and the tutorials maddeningly indicate the commands should 'just work'.

On another note, I'm trying to get the letsencrypt-auto source to work from git, but there is nothing in it that understands OpenBSD as an OS. However, I swear that I got it to work under 5.8 or 5.9. Got it done in 30 minutes in an afternoon, and here 6 months later, can't be done at all.

Extremely frustrating.
Reply With Quote
  #6   (View Single Post)  
Old 2nd May 2017
TronDD TronDD is offline
Shell Scout
 
Join Date: Sep 2014
Posts: 130
Default

I was using acme-client 0.1.11 built from github with 6.0 as well and transitioned to the base acme-client with 6.1.

Which version are you using? Did you try following the example in the manpage?
Reply With Quote
  #7   (View Single Post)  
Old 2nd May 2017
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 5,705
Default

I would recommend upgrading to 6.1, and using the built-in acme-client. Both Trondd and I have done this, so you would not be breaking any new ground.

The acme-client.conf(5) and acme-client(8) man pages that come with 6.1 have clear examples.
Reply With Quote
  #8   (View Single Post)  
Old 4th May 2017
ed.n1n2 ed.n1n2 is offline
Port Guard
 
Join Date: Mar 2015
Posts: 23
Default

I'm aware that there are clear examples. It's the fact that they are so clear, and not working, that has driven me insane.

In 6.0 acme-client is not available from pkg_add, only letskencrypt is. That is letskencrypt-0.1.7. I downloaded acme-client-0.1.16 and its portable version.

Following the man pages is one of the first things that I did, sans Apache. I used nginx instead to serve the acme-challenge which should not be an issue. The webserver does serve pages so....

Everything runs right as expected right up to the point where it complains about the private key, even though it is fully responsible for generating it in the first place.

I guess I can try upgrading these to 6.1 since LE support in 6.0 seems to be lacking.
Reply With Quote
  #9   (View Single Post)  
Old 4th May 2017
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 5,705
Default

Quote:
I guess I can try upgrading these to 6.1 since LE support in 6.0 seems to be lacking.
If you have not upgraded, I can pull my 6.0-stable configuration from an old backup.

Just let me know.
Reply With Quote
Old 4th May 2017
scottro's Avatar
scottro scottro is offline
Real Name: Scott Robbins
ISO Quartermaster
 
Join Date: Apr 2008
Location: NYC
Posts: 521
Default

There are commercial solutions like a Comodo for $5.00 USD a year.

https://www.ssls.com/brand/comodo-ssl-certificates

(That's apparently a reseller, I just vaguely remembered there were cheap ones and googled comodo cheap SSL and that was the first hit).
Reply With Quote
Old 5th May 2017
ed.n1n2 ed.n1n2 is offline
Port Guard
 
Join Date: Mar 2015
Posts: 23
Default

@scottro

Comodo is okay, but what I'm creating is a specialized server that can be installed via a script. Since it is all automated I really need to use LE for that reason. It's the only method that I'm aware of, that's also free, in which you can automatically receive and renew a "commercial" SSL certificate. As I understand it, one of the reasons why there was a push for acme in the first place was to have a standardized method for administrating SSL. So even if I did use Comodo instead of LE, I still need it work with an acme-like installer.

@jggmi

The configuration would be appreciated. I've not upgraded yet.
Reply With Quote
Old 5th May 2017
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 5,705
Default

noted. I will be able to run a restore and post provisioning information in about 4 or 5 hours.
Reply With Quote
Old 5th May 2017
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 5,705
Default

My 6.0-stable Letsencrypt provisioning

I installed acme-client-0.1.16, and then followed the guidance in the acme-client(1) man page, except that my webserver was httpd(8), rather than www/nginx.

httpd.conf(5):
Code:
server "default" {
        listen on * port www
        listen on * tls port https
        listen on :: port www
        listen on :: tls port https
        tls certificate "/etc/ssl/acme/fullchain.pem"
        tls key "/etc/ssl/acme/private/privkey.pem"
        location "/.well-known/acme-challenge/*" {
                root "/acme"
                root strip 2
           }
}
Following the man page, I set up the /var/www/acme directory used for challenges, and the directories for certificates and keys:
Code:
# mkdir /var/www/acme
# mkdir /etc/ssl/acme
# mkdir /etc/ssl/acme/private /etc/acme
# chmod 0700 /etc/ssl/acme/private /etc/acme
I then established the first keys, testing with the staging server first, before removing the -s option to create production keys. I'm showing jggimi.net in this example, but I included several altnames.

# acme-client -vNns jggimi.net

Then, later...

# acme-client -vNn jggimi.net

I added a short script based on the one in the man page, which I called from daily.local(8). This ran the daily challenge and then restarted the webserver whenever new keys were established.

Certificates and Keys:

Running acme-client(1) with -n will create a new account key if needed, and store it in /etc/acme/privkey.pem.

Running acme-client(1) with -N will create a new domain key if needed. The key and certificates are stored in /etc/ssl/acme.

Transition to acme-client 1.0 in OpenBSD-6.1

The big operational change is the transition to an acme-client.conf(5) configuration file. The recommended update script was simplified.
Reply With Quote
Reply

Tags
openbsd ssl letsencrypt

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Working on TTY sML OpenBSD Packages and Ports 1 27th December 2015 08:17 PM
sndiod not working? ahriman OpenBSD General 5 25th March 2015 06:02 PM
Mouse:X (not-working) and tty-Console (working), in 8.0 ykt FreeBSD General 1 22nd December 2009 12:26 PM
Working with CVS? Zmyrgel OpenBSD General 15 6th October 2009 01:32 PM
Crontab not working beandip FreeBSD General 6 6th August 2008 08:33 PM


All times are GMT. The time now is 12:51 PM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2017, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick