#1
Old 1st August 2022
epitaxial
Port Guard
 
Join Date: Feb 2015
Posts: 21
Let's Encrypt and httpd on OpenBSD 7.1

So I run a little private website and decided it was time to move to HTTPS via Let's Encrypt. The instructions went fine but are a bit misleading: they make it sound like running the acme client and getting the keys magically makes your server use HTTPS. No, you still have to update httpd.conf yourself; OK, fair enough. But it's giving me nothing but problems.

Browsers refuse to connect, but
Code:
curl -vi https://www.mysite.net:808
appears to show it working.

Code:
* Connected to www.mysite.net (x.x.x.x) port 808 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_CHACHA20_POLY1305_SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=www.mysite.net
*  start date: Jul 31 22:56:32 2022 GMT
*  expire date: Oct 29 22:56:31 2022 GMT
*  subjectAltName: host "www.mysite.net" matched cert's "www.mysite.net"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
> GET / HTTP/1.1
My httpd.conf

Code:
# [ MACROS ]
ext_ip = "x.x.x.x"
# ext_ip = "*"      # open to the outside network
# ext_ip = "egress" # open to only the primary IP address of the network interface

# [ GLOBAL CONFIGURATION ]
# none

# [ SERVERS ]
# TLS listener for the www host on the non-standard port 808
server "www.mysite.net" {
    listen on $ext_ip tls port 808
    directory auto index
    root "/htdocs/www.mysite.net"
    tls {
        certificate "/etc/letsencrypt/live/www.mysite.net/fullchain.pem"
        key "/etc/letsencrypt/live/www.mysite.net/privkey.pem"
    }
    # ACME HTTP-01 challenge files: "request strip 2" drops the two leading
    # path components, so /.well-known/acme-challenge/<token> is served from
    # /acme/<token> (root paths are relative to httpd's chroot, /var/www)
    location "/.well-known/acme-challenge/*" {
        root "/acme"
        request strip 2
    }
}

# plain-HTTP listener for the bare domain: redirect every request to the www host
server "mysite.net" {
    listen on $ext_ip port 80
    block return 301 "http://www.mysite.net$REQUEST_URI"
}

# [ TYPES ]
types {
    include "/usr/share/misc/mime.types"
}

Starting httpd in debug verbose mode shows

Code:
startup
socket_rlimit: max open files 1024
socket_rlimit: max open files 1024
socket_rlimit: max open files 1024
server_tls_load_keypair: using certificate /etc/letsencrypt/live/www.mysite.net/fullchain.pem
server_tls_load_keypair: using private key /etc/letsencrypt/live/www.mysite.net/privkey.pem
server_privinit: adding server www.mysite.net
config_setserver_tls: configuring tls for www.mysite.net
server_privinit: adding server mysite.net
server_launch: configuring server www.mysite.net
server_tls_init: setting up tls for www.mysite.net
server_launch: configuring server www.mysite.net
server_launch: configuring server www.mysite.net
server_tls_init: setting up tls for www.mysite.net
server_tls_init: setting up tls for www.mysite.net
server_tls_init: adding keypair for server www.mysite.net
server_tls_init: adding keypair for server www.mysite.net
server_launch: running server www.mysite.net
server_launch: configuring server mysite.net
server_launch: running server mysite.net
server_launch: running server www.mysite.net
server_launch: configuring server mysite.net
server_launch: running server mysite.net
server_tls_init: adding keypair for server www.mysite.net
server_launch: running server www.mysite.net
server_launch: configuring server mysite.net
server_launch: running server mysite.net
server_tls_handshake: tls handshake failed - handshake failed: error:1402542E:SSL routines:ACCEPT_SR_CLNT_HELLO:tlsv1 alert protocol version
server www.mysite.net, client 1 (1 active), 192.168.1.32:53681 -> x.x.x.x:808, tls handshake failed
server_tls_handshake: tls handshake failed - handshake failed: error:1402542E:SSL routines:ACCEPT_SR_CLNT_HELLO:tlsv1 alert protocol version
server www.mysite.net, client 1 (1 active), 192.168.1.32:53682 -> x.x.x.x:808, tls handshake failed
server_tls_handshake: tls handshake failed - handshake failed: error:1402542E:SSL routines:ACCEPT_SR_CLNT_HELLO:tlsv1 alert protocol version
server www.mysite.net, client 1 (1 active), 192.168.1.32:53683 -> x.x.x.x:808, tls handshake failed
server_tls_handshake: tls handshake failed - handshake failed: error:1402542E:SSL routines:ACCEPT_SR_CLNT_HELLO:tlsv1 alert protocol version
server www.mysite.net, client 2 (1 active), 192.168.1.32:53684 -> x.x.x.x:808, tls handshake failed
server_tls_handshake: tls handshake failed - handshake failed: error:1402542E:SSL routines:ACCEPT_SR_CLNT_HELLO:tlsv1 alert protocol version
server www.mysite.net, client 2 (1 active), 192.168.1.32:53685 -> x.x.x.x:808, tls handshake failed
server_tls_handshake: tls handshake failed - handshake failed: error:1402542E:SSL routines:ACCEPT_SR_CLNT_HELLO:tlsv1 alert protocol version
server www.mysite.net, client 3 (1 active), 192.168.1.32:53686 -> x.x.x.x:808, tls handshake failed
server_tls_handshake: tls handshake failed - handshake failed: error:1402542E:SSL routines:ACCEPT_SR_CLNT_HELLO:tlsv1 alert protocol version
Any ideas what I'm doing wrong?
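Two checks a reader can run against a report like the one above, as an added example that is not part of the original post or of OpenBSD's own tooling. The "tlsv1 alert protocol version" text in the httpd log is how LibreSSL reports a protocol_version alert received from the peer while reading the client hello, so the natural next steps are to ask the server for TLS 1.2 and TLS 1.3 separately from a second client with openssl s_client, and to tally the failures in the httpd -dv output per source address. The host and port passed to the probe, and the sample log lines embedded below, are constructed for the example; the log lines copy the format of the post's httpd output.

```shell
#!/bin/sh
# Added example (not from the original post): two checks for a
# "tls handshake failed ... tlsv1 alert protocol version" report.
#   probe_tls HOST PORT   asks the server for TLS 1.2 and TLS 1.3 separately
#                         with openssl s_client and reports what it agreed to
#   summarize_failures    reads httpd -dv output on stdin and counts handshake
#                         failures per client address and error text
# The host, port and SAMPLE_LOG below are constructed for the example.

# Try one protocol version. Prints "<version> <cipher>" on success and FAIL
# when the handshake does not complete (s_client then prints "Cipher is (NONE)")
# or the connection is refused. Needs network access and openssl(1); LibreSSL's
# s_client on OpenBSD accepts the same flags.
probe_one() {
    host=$1; port=$2; flag=$3
    out=$(openssl s_client -connect "$host:$port" -servername "$host" "$flag" \
            </dev/null 2>&1)
    new=$(printf '%s\n' "$out" \
          | sed -n 's/^New, \([^,]*\), Cipher is \(.*\)$/\1 \2/p' | head -n 1)
    case $new in
        ""|*"(NONE)"*) echo FAIL ;;
        *)             printf '%s\n' "$new" ;;
    esac
}

probe_tls() {
    for flag in -tls1_2 -tls1_3; do
        printf '%-8s %s\n' "$flag" "$(probe_one "$1" "$2" "$flag")"
    done
}

# Parse httpd -dv output. httpd logs each failure as two lines, in this order:
#   server_tls_handshake: tls handshake failed - handshake failed: error:...
#   server NAME, client N (M active), SRC:PORT -> DST:PORT, tls handshake failed
# Output: "<count>\t<source ip>\t<reason>" per pair, most frequent first.
summarize_failures() {
    awk '
        /^server_tls_handshake: tls handshake failed/ {
            n = split($0, parts, /handshake failed: /)   # text after the last ": "
            reason = parts[n]
            next
        }
        /^server .*, tls handshake failed$/ {
            for (i = 1; i <= NF; i++) if ($i == "->") src = $(i - 1)
            sub(/:[0-9]+$/, "", src)                      # drop the ephemeral port
            count[src "\t" reason]++
        }
        END { for (k in count) printf "%d\t%s\n", count[k], k }
    ' | sort -rn
}

# Constructed sample in the post's log format: three failures from one LAN
# client and one from a second (invented) client, all the same client-sent alert.
SAMPLE_LOG='server_tls_handshake: tls handshake failed - handshake failed: error:1402542E:SSL routines:ACCEPT_SR_CLNT_HELLO:tlsv1 alert protocol version
server www.mysite.net, client 1 (1 active), 192.168.1.32:53681 -> x.x.x.x:808, tls handshake failed
server_tls_handshake: tls handshake failed - handshake failed: error:1402542E:SSL routines:ACCEPT_SR_CLNT_HELLO:tlsv1 alert protocol version
server www.mysite.net, client 1 (1 active), 192.168.1.32:53682 -> x.x.x.x:808, tls handshake failed
server_tls_handshake: tls handshake failed - handshake failed: error:1402542E:SSL routines:ACCEPT_SR_CLNT_HELLO:tlsv1 alert protocol version
server www.mysite.net, client 2 (1 active), 192.168.1.32:53683 -> x.x.x.x:808, tls handshake failed
server_tls_handshake: tls handshake failed - handshake failed: error:1402542E:SSL routines:ACCEPT_SR_CLNT_HELLO:tlsv1 alert protocol version
server www.mysite.net, client 3 (1 active), 192.168.1.40:40001 -> x.x.x.x:808, tls handshake failed'

# Summarize the constructed sample (runs offline). The probe needs a reachable
# server, so it only runs when a host and port are given on the command line.
summarize_sample() {
    printf '%s\n' "$SAMPLE_LOG" | summarize_failures
}

if [ $# -eq 2 ]; then
    probe_tls "$1" "$2"
else
    summarize_sample
fi
```

Run it with no arguments to see the per-client tally for the embedded sample, or as `sh probe.sh www.mysite.net 808` from the same LAN client the browsers use: a FAIL on both -tls1_2 and -tls1_3 from that client, while curl from another machine succeeds, points at the path between that client and the listener rather than at the certificate or key, which the curl output above already shows httpd loading and serving correctly.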