Let's encrypt and httpd OpenBSD 7.1

[epitaxial]

So I run a little private website and decided it was time to move to https via Let's Encrypt. The instructions went fine but are a bit misleading. They make it sound like running the acme client and getting the keys magically makes your server use https. No you still have to update httpd.conf yourself, ok fair enough. But it's giving me nothing but problems.

Browsers refuse to connect but

Code:

curl -vi https://www.mysite.net:808

appears to show it working.

Code:

* Connected to www.mysite.net (x.x.x.x) port 808 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_CHACHA20_POLY1305_SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=www.mysite.net
*  start date: Jul 31 22:56:32 2022 GMT
*  expire date: Oct 29 22:56:31 2022 GMT
*  subjectAltName: host "www.mysite.net" matched cert's "www.mysite.net"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
> GET / HTTP/1.1

My httpd.conf

Code:

#[ MACROS ]
ext_ip = "x.x.x.x"
# ext_ip = "*"      # open to the outside network
# ext_ip = "egress" # open to only the primary IP address of the network interface

# [ GLOBAL CONFIGURATION ]
# none

# [ SERVERS ]
server "www.mysite.net" {
    listen on $ext_ip tls port 808
  directory auto index
    root "/htdocs/www.mysite.net"
    tls {
      certificate "/etc/letsencrypt/live/www.mysite.net/fullchain.pem"
      key "/etc/letsencrypt/live/www.mysite.net/privkey.pem"
}
  location "/.well-known/acme-challenge/*" {
    root "/acme"
    request strip 2
  }
}

server "mysite.net" {
  listen on $ext_ip port 80
  block return 301 "http://www.mysite.net$REQUEST_URI"
}



# [ TYPES ]
types {
    include "/usr/share/misc/mime.types"
}

Starting up httpd debug verbose mode shows

Code:

startup
socket_rlimit: max open files 1024
socket_rlimit: max open files 1024
socket_rlimit: max open files 1024
server_tls_load_keypair: using certificate /etc/letsencrypt/live/www.mysite.net/fullchain.pem
server_tls_load_keypair: using private key /etc/letsencrypt/live/www.mysite.net/privkey.pem
server_privinit: adding server www.mysite.net
config_setserver_tls: configuring tls for www.mysite.net
server_privinit: adding server mysite.net
server_launch: configuring server www.mysite.net
server_tls_init: setting up tls for www.mysite.net
server_launch: configuring server www.mysite.net
server_launch: configuring server www.mysite.net
server_tls_init: setting up tls for www.mysite.net
server_tls_init: setting up tls for www.mysite.net
server_tls_init: adding keypair for server www.mysite.net
server_tls_init: adding keypair for server www.mysite.net
server_launch: running server www.mysite.net
server_launch: configuring server mysite.net
server_launch: running server mysite.net
server_launch: running server www.mysite.net
server_launch: configuring server mysite.net
server_launch: running server mysite.net
server_tls_init: adding keypair for server www.mysite.net
server_launch: running server www.mysite.net
server_launch: configuring server mysite.net
server_launch: running server mysite.net
server_tls_handshake: tls handshake failed - handshake failed: error:1402542E:SSL routines:ACCEPT_SR_CLNT_HELLO:tlsv1 alert protocol version
server www.mysite.net, client 1 (1 active), 192.168.1.32:53681 -> x.x.x.x:808, tls handshake failed
server_tls_handshake: tls handshake failed - handshake failed: error:1402542E:SSL routines:ACCEPT_SR_CLNT_HELLO:tlsv1 alert protocol version
server www.mysite.net, client 1 (1 active), 192.168.1.32:53682 -> x.x.x.x:808, tls handshake failed
server_tls_handshake: tls handshake failed - handshake failed: error:1402542E:SSL routines:ACCEPT_SR_CLNT_HELLO:tlsv1 alert protocol version
server www.mysite.net, client 1 (1 active), 192.168.1.32:53683 -> x.x.x.x:808, tls handshake failed
server_tls_handshake: tls handshake failed - handshake failed: error:1402542E:SSL routines:ACCEPT_SR_CLNT_HELLO:tlsv1 alert protocol version
server www.mysite.net, client 2 (1 active), 192.168.1.32:53684 -> x.x.x.x:808, tls handshake failed
server_tls_handshake: tls handshake failed - handshake failed: error:1402542E:SSL routines:ACCEPT_SR_CLNT_HELLO:tlsv1 alert protocol version
server www.mysite.net, client 2 (1 active), 192.168.1.32:53685 -> x.x.x.x:808, tls handshake failed
server_tls_handshake: tls handshake failed - handshake failed: error:1402542E:SSL routines:ACCEPT_SR_CLNT_HELLO:tlsv1 alert protocol version
server www.mysite.net, client 3 (1 active), 192.168.1.32:53686 -> x.x.x.x:808, tls handshake failed
server_tls_handshake: tls handshake failed - handshake failed: error:1402542E:SSL routines:ACCEPT_SR_CLNT_HELLO:tlsv1 alert protocol version

Any ideas what I'm doing wrong?

[jggimi]

I can see a possible error in your 301 return provisioning. You have http rather than https as the URI protocol. Also, I assume that $ext_ip is defined above your global configuration section somewhere as it is not shown in your post.

[JonTee]

Looks like a TLSv1 issue. I have a ciphers line, just below my key and certificate lines. Try adding this in the tls section:

ciphers "TLSv1.2:!CAMELLIA:!ARIA:!DSS:!ADH:!PSK:!RSA:!ECDH E-RSA-AES256-SHA384:!ECDHE-RSA-AES128-SHA256:!DHE-RSA-AES256-SHA256:!DHE-RSA-AES128-SHA256"

[epitaxial]

It looks like things are mostly working now. The block return 301 line is supposed to redirect http to https, correct? Something is up with that section. I ended up fixing my html code to reflect the new https prefix.

[JonTee]

Quote:

Originally Posted by epitaxial

It looks like things are mostly working now. The block return 301 line is supposed to redirect http to https, correct? Something is up with that section. I ended up fixing my html code to reflect the new https prefix.

Correct, the block return redirects to HTTPS when the user tries to access HTTP. You may need to add your port in there, since you're not running on port 443 for HTTPS.

I think your block return line needs to be this:

block return 301 "https://www.mysite.net:808$REQUEST_URI"

[J65nko]

Yes, that block line is to redirect to https.

I use the $SERVER_NAME macro to make it easier:

Code:

 block return 301 "https://$SERVER_NAME$REQUEST_URI"

If you want to redirect to https on port 808, you would have to use something like this (untested):

Code:

block return 301 "https://$SERVER_NAME:808$REQUEST_URI"