On Fri, Jun 02, 2017 at 08:38:50PM -0700, Dillon Jay Pena wrote:
> I'm not understanding why I'm getting a relayd error. Thanks in advance.
>
> According to http://man.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man5/relayd.conf.5#listen_on,
> I just need address.crt and private/address.key to use tls with
> relayd, which you can see I do below.
> So why am I getting the relayd error "cannot load certificates for relay www"?
>
> I have included how I got the key and crt files from acme-client/lets
> encrypt in case it's relevant.
>
>
> $ uname -prsv
> OpenBSD 6.1 GENERIC#88 amd64
>
> $ cat /etc/acme-client.conf
> #
> # $OpenBSD: acme-client.conf,v 1.4 2017/03/22 11:14:14 benno Exp $
> #
> authority letsencrypt {
> agreement url
> "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf"
> api url "https://acme-v01.api.letsencrypt.org/directory"
> account key "/etc/acme/letsencrypt-privkey.pem"
> }
>
> authority letsencrypt-staging {
> agreement url
> "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf"
> api url "https://acme-staging.api.letsencrypt.org/directory"
> account key "/etc/acme/letsencrypt-staging-privkey.pem"
> }
>
> domain thelang.space {
> alternative names { mail.thelang.space www.thelang.space }
> domain key "/etc/ssl/private/thelang.space.key"
> domain certificate "/etc/ssl/thelang.space.crt"
> domain full chain certificate "/etc/ssl/thelang.space.fullchain.pem"
> sign with letsencrypt
> challengedir "/var/www/htdocs/.well-known/acme-challenge"
> }
>
> $ doas acme-client -vAD thelang.space
> acme-client: /etc/ssl/private/thelang.space.key: domain key exists
> (not creating)
> acme-client: /etc/acme/letsencrypt-privkey.pem: account key exists
> (not creating)
> acme-client: https://acme-v01.api.letsencrypt.org/directory: directories
> acme-client: acme-v01.api.letsencrypt.org: DNS: 104.68.109.156
> acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz:
> req-auth: thelang.space
> acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz:
> req-auth: mail.thelang.space
> acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz:
> req-auth: www.thelang.space
> acme-client: /var/www/htdocs/.well-known/acme-challenge/hALHIbtLAX4k274bN4AFBV0W-T08pKTqD6lBw0-CplM:
> created
> acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/mempVpv498Gw4d7Wr24qcinn5ZUfX_6IO2kQOeskf40/1271082083:
> challenge
> acme-client: /var/www/htdocs/.well-known/acme-challenge/SMwY0p1ma9ZDQrlyM6h9BbZkEnMCKx2lW69__zcmCgI:
> created
> acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/bwNrTgnJmUIH-XqInRMDmRNgRMnXQKBUZngPi3wuHt4/1271082087:
> challenge
> acme-client: /var/www/htdocs/.well-known/acme-challenge/wu3Zhef8NA8b9wmxHeMjXBZCg3EKGHgnM30Tx_qn1Ws:
> created
> acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/fHeHrAzF9RAXO-eJMZxfWElhkf4duUw934pUWy2gWyM/1271082092:
> challenge
> acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/mempVpv498Gw4d7Wr24qcinn5ZUfX_6IO2kQOeskf40/1271082083:
> status
> acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/bwNrTgnJmUIH-XqInRMDmRNgRMnXQKBUZngPi3wuHt4/1271082087:
> status
> acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/fHeHrAzF9RAXO-eJMZxfWElhkf4duUw934pUWy2gWyM/1271082092:
> status
> acme-client: https://acme-v01.api.letsencrypt.org/acme/new-cert: certificate
> acme-client: http://cert.int-x3.letsencrypt.org/: full chain
> acme-client: cert.int-x3.letsencrypt.org: DNS: 165.254.42.42
> acme-client: /etc/ssl/thelang.space.crt: created
> acme-client: /etc/ssl/thelang.space.fullchain.pem: created
>
> $ cat /etc/relayd.conf
> table <httpd> { 127.0.0.1 }
>
> relay www {
> listen on thelang.space port 443 tls
>
> forward to <httpd> check tcp port 8080
> }
>
> $ doas relayd -d
> startup
> /etc/relayd.conf:7: cannot load certificates for relay www
> no actions, nothing to do
> hce exiting, pid 2324
> pfe exiting, pid 21204
> ca exiting, pid 18722
> ca exiting, pid 45718
> ca exiting, pid 79639
> relay exiting, pid 31292
> relay exiting, pid 32940
> relay exiting, pid 75225
>
> $ ls /etc/ssl/thelang.space.crt
> /etc/ssl/thelang.space.crt
> $ doas ls /etc/ssl/private/thelang.space.key
> /etc/ssl/private/thelang.space.key
>
You need to use IP addresses not domain names for the cert name.
e.g. /etc/ssl/127.0.0.1.crt ect
--
:wq Claudio
No comments:
Post a Comment