DaemonForums  

#1
Old 1st August 2022
epitaxial
Port Guard
 
Join Date: Feb 2015
Posts: 19
Let's Encrypt and httpd on OpenBSD 7.1

So I run a little private website and decided it was time to move to https via Let's Encrypt. The instructions went fine but are a bit misleading. They make it sound like running the acme client and getting the keys magically makes your server use https. No, you still have to update httpd.conf yourself; ok, fair enough. But it's giving me nothing but problems.

Browsers refuse to connect, but
Code:
curl -vi https://www.mysite.net:808
appears to show it working.

Code:
* Connected to www.mysite.net (x.x.x.x) port 808 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_CHACHA20_POLY1305_SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=www.mysite.net
*  start date: Jul 31 22:56:32 2022 GMT
*  expire date: Oct 29 22:56:31 2022 GMT
*  subjectAltName: host "www.mysite.net" matched cert's "www.mysite.net"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
> GET / HTTP/1.1
My httpd.conf

Code:
# [ MACROS ]
ext_ip = "x.x.x.x"
# ext_ip = "*"      # open to the outside network
# ext_ip = "egress" # open to only the primary IP address of the network interface

# [ GLOBAL CONFIGURATION ]
# none

# [ SERVERS ]
server "www.mysite.net" {
    listen on $ext_ip tls port 808
    directory auto index
    root "/htdocs/www.mysite.net"
    tls {
        certificate "/etc/letsencrypt/live/www.mysite.net/fullchain.pem"
        key "/etc/letsencrypt/live/www.mysite.net/privkey.pem"
    }
    location "/.well-known/acme-challenge/*" {
        root "/acme"
        request strip 2
    }
}

server "mysite.net" {
    listen on $ext_ip port 80
    block return 301 "http://www.mysite.net$REQUEST_URI"
}

# [ TYPES ]
types {
    include "/usr/share/misc/mime.types"
}

Starting httpd in debug verbose mode shows

Code:
startup
socket_rlimit: max open files 1024
socket_rlimit: max open files 1024
socket_rlimit: max open files 1024
server_tls_load_keypair: using certificate /etc/letsencrypt/live/www.mysite.net/fullchain.pem
server_tls_load_keypair: using private key /etc/letsencrypt/live/www.mysite.net/privkey.pem
server_privinit: adding server www.mysite.net
config_setserver_tls: configuring tls for www.mysite.net
server_privinit: adding server mysite.net
server_launch: configuring server www.mysite.net
server_tls_init: setting up tls for www.mysite.net
server_launch: configuring server www.mysite.net
server_launch: configuring server www.mysite.net
server_tls_init: setting up tls for www.mysite.net
server_tls_init: setting up tls for www.mysite.net
server_tls_init: adding keypair for server www.mysite.net
server_tls_init: adding keypair for server www.mysite.net
server_launch: running server www.mysite.net
server_launch: configuring server mysite.net
server_launch: running server mysite.net
server_launch: running server www.mysite.net
server_launch: configuring server mysite.net
server_launch: running server mysite.net
server_tls_init: adding keypair for server www.mysite.net
server_launch: running server www.mysite.net
server_launch: configuring server mysite.net
server_launch: running server mysite.net
server_tls_handshake: tls handshake failed - handshake failed: error:1402542E:SSL routines:ACCEPT_SR_CLNT_HELLO:tlsv1 alert protocol version
server www.mysite.net, client 1 (1 active), 192.168.1.32:53681 -> x.x.x.x:808, tls handshake failed
server_tls_handshake: tls handshake failed - handshake failed: error:1402542E:SSL routines:ACCEPT_SR_CLNT_HELLO:tlsv1 alert protocol version
server www.mysite.net, client 1 (1 active), 192.168.1.32:53682 -> x.x.x.x:808, tls handshake failed
server_tls_handshake: tls handshake failed - handshake failed: error:1402542E:SSL routines:ACCEPT_SR_CLNT_HELLO:tlsv1 alert protocol version
server www.mysite.net, client 1 (1 active), 192.168.1.32:53683 -> x.x.x.x:808, tls handshake failed
server_tls_handshake: tls handshake failed - handshake failed: error:1402542E:SSL routines:ACCEPT_SR_CLNT_HELLO:tlsv1 alert protocol version
server www.mysite.net, client 2 (1 active), 192.168.1.32:53684 -> x.x.x.x:808, tls handshake failed
server_tls_handshake: tls handshake failed - handshake failed: error:1402542E:SSL routines:ACCEPT_SR_CLNT_HELLO:tlsv1 alert protocol version
server www.mysite.net, client 2 (1 active), 192.168.1.32:53685 -> x.x.x.x:808, tls handshake failed
server_tls_handshake: tls handshake failed - handshake failed: error:1402542E:SSL routines:ACCEPT_SR_CLNT_HELLO:tlsv1 alert protocol version
server www.mysite.net, client 3 (1 active), 192.168.1.32:53686 -> x.x.x.x:808, tls handshake failed
server_tls_handshake: tls handshake failed - handshake failed: error:1402542E:SSL routines:ACCEPT_SR_CLNT_HELLO:tlsv1 alert protocol version
Any ideas what I'm doing wrong?
#2
Old 1st August 2022
jggimi
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,838

I can see a possible error in your 301 return provisioning. You have http rather than https as the URI protocol. Also, I assume that $ext_ip is defined above your global configuration section somewhere as it is not shown in your post.
#3
Old 1st August 2022
JonTee
New User
 
Join Date: May 2021
Posts: 4

Looks like a TLSv1 issue. I have a ciphers line just below my key and certificate lines. Try adding this in the tls section:

ciphers "TLSv1.2:!CAMELLIA:!ARIA:!DSS:!ADH:!PSK:!RSA:!ECDHE-RSA-AES256-SHA384:!ECDHE-RSA-AES128-SHA256:!DHE-RSA-AES256-SHA256:!DHE-RSA-AES128-SHA256"
#4
Old 1st August 2022
epitaxial
Port Guard
 
Join Date: Feb 2015
Posts: 19

It looks like things are mostly working now. The block return 301 line is supposed to redirect http to https, correct? Something is up with that section. I ended up fixing my html code to reflect the new https prefix.
#5
Old 1st August 2022
JonTee
New User
 
Join Date: May 2021
Posts: 4

Quote:
Originally Posted by epitaxial
It looks like things are mostly working now. The block return 301 line is supposed to redirect http to https, correct? Something is up with that section. I ended up fixing my html code to reflect the new https prefix.
Correct, the block return redirects to HTTPS when the user tries to access HTTP. You may need to add your port in there, since you're not running on port 443 for HTTPS.

I think your block return line needs to be this:

block return 301 "https://www.mysite.net:808$REQUEST_URI"
#6
Old 1st August 2022
J65nko
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,006

Yes, that block line is to redirect to https.

I use the $SERVER_NAME macro to make it easier:
Code:
block return 301 "https://$SERVER_NAME$REQUEST_URI"
If you want to redirect to https on port 808, you would have to use something like this (untested):
Code:
block return 301 "https://$SERVER_NAME:808$REQUEST_URI"
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
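The two redirect mistakes the replies above point out (an http:// target, and a missing port when https is not on 443) are easy to catch before restarting httpd. The script below is an added example, not part of OpenBSD httpd(8) or any poster's config; it assumes the config uses the "listen on ... tls port N" and block return 301 "URL" forms seen in this thread, and the hostnames in its sample config are hypothetical.

```shell
#!/bin/sh
# Added lint for the redirect mistakes raised in this thread (not part of
# OpenBSD httpd or any poster's config): flag any "block return 301" whose
# URL still uses http:// or omits a tls port other than 443.

# Print the first tls listen port in the config file $1, if any.
tls_port() {
    sed -n 's/^[[:space:]]*listen on .* tls port \([0-9][0-9]*\).*/\1/p' "$1" |
        head -n 1
}

# Print the quoted URL of every "block return 301" in config file $1.
redirect_urls() {
    sed -n 's/.*block return 301 "\([^"]*\)".*/\1/p' "$1"
}

# Return 0 when every 301 redirect in $1 uses https and names the tls port
# (443 may be left implicit); otherwise report each problem and return 1.
check_redirects() {
    port=$(tls_port "$1")
    if [ -z "$port" ]; then
        echo "$1: no tls listener, nothing to check"
        return 0
    fi
    rc=0
    # $REQUEST_URI stays literal here: sed prints it and nothing re-expands it.
    for url in $(redirect_urls "$1"); do
        case "$url" in
        https://*:"$port"/*|https://*:"$port"'$'*|https://*:"$port") ;;
        https://*) [ "$port" = 443 ] || { echo "$1: '$url' omits port $port"; rc=1; } ;;
        *) echo "$1: '$url' redirects to plain http"; rc=1 ;;
        esac
    done
    return $rc
}

# Write a constructed two-server config (hypothetical hosts) to file $1 with
# redirect URL $2, so the checks can be exercised without a real httpd.conf.
write_sample() {
    cat > "$1" <<EOF
server "www.example.net" {
    listen on * tls port 808
}
server "example.net" {
    listen on * port 80
    block return 301 "$2"
}
EOF
}
```

Source the file and run check_redirects /etc/httpd.conf; a nonzero exit means at least one redirect would send browsers to the wrong scheme or port.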