Dehydrated setup

Dirk Engling erdgeist at erdgeist.org
Tue Nov 8 14:11:47 UTC 2016


On 08/11/2016 14:59, @lbutlr wrote:

> # su -m _dehydrated -c 'bash /usr/local/bin/dehydrated --cron'
> # INFO: Using main config file /usr/local/etc/dehydrated/config
> Processing covisp.net with alternative names: covisp.net www.covisp.net
>  + Signing domains...
>  + Generating private key...
>  + Generating signing request...
>  + Requesting challenge for covisp.net...
>  + Requesting challenge for covisp.net...
>  + Requesting challenge for www.covisp.net...
>  + Responding to challenge for covisp.net...
> ERROR: Challenge is invalid! (returned: invalid) (result: {
>   "type": "http-01",
>   "status": "invalid",
>   "error": {
>     "type": "urn:acme:error:unauthorized",
>     "detail": "Invalid response from http://covisp.net/.well-known/acme-challenge/t4DhXZyC
> 
> same results with WELLKNOWN="/usr/local/etc/dehydrated/.well-known"

It says unauthorized now. Could it be that your web server does not
follow links by default? Could you tell me which webserver you're
using? Then I can copy you a snippet for its config that should work.

> /usr/local/etc/dehydrated]# ls -lsR
> total 40
> 8 drwxrwx---  2 root  _dehydrated  512 Nov  8 04:34 .acme-challenges
> 0 lrwxr-xr-x  1 root  _dehydrated   16 Nov  8 06:48 .well-known -> /www/.well-known
> 8 drwxrwx---  3 root  _dehydrated  512 Nov  8 06:45 accounts
> 8 drwxrwx---  3 root  _dehydrated  512 Oct 31 17:38 certs
> 8 -rw-r--r--  1 root  _dehydrated  141 Nov  8 06:56 config
> 8 -rw-r--r--  1 root  _dehydrated  129 Nov  8 06:54 domains.txt

Also I would suggest setting

BASEDIR=/var/dehydrated

in your config and make /usr/local/etc/dehydrated/ belong to root.
Currently your privilege separation does not yield much, as the
_dehydrated can write /usr/local/etc/dehydrated and could possibly
overwrite your deploy.sh script, if you chose to provide one for use
with periodic.

You would just need to move the accounts and certs directory and
domains.txt to /var/dehydrated, give this directory to _dehydrated and
leave permissions on /usr/local/etc/dehydrated/ as they are (this saves
you A LOT of trouble when updating the package).

  erdgeist

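Added example (not part of the mail thread or the dehydrated project): a small checker for the layout erdgeist recommends above. It verifies that the config directory is not writable by the service user, that accounts, certs and domains.txt have moved under BASEDIR, that BASEDIR is writable by the service user, and that WELLKNOWN resolves (through the symlink) to a directory the service user can write and a web server running as a different user can read. The path names, the service uid/gid and the build_sample_layout helper are constructed for the demo; the check is mode-bit only and ignores root's override and ACLs.

```python
"""Sanity-check a dehydrated directory layout: config under a root-owned
directory, mutable state under BASEDIR owned by the service user, and a
WELLKNOWN directory the web server can actually serve from."""
import os
import shutil
import stat
import tempfile


def _writable_by(st, uid, gid):
    """Mode-bit check only (ignores root's override and ACLs)."""
    mode = st.st_mode
    if st.st_uid == uid:
        return bool(mode & stat.S_IWUSR)
    if st.st_gid == gid:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def check_layout(config_dir, basedir, wellknown, svc_uid, svc_gid):
    """Return a list of findings; an empty list means the layout looks right."""
    findings = []

    # 1. The config directory (config, hook script) must not be writable by the
    #    service user, otherwise dehydrated could rewrite its own hook script.
    if _writable_by(os.stat(config_dir), svc_uid, svc_gid):
        findings.append(f"{config_dir} is writable by the service user")
    for name in ("accounts", "certs", "domains.txt"):
        path = os.path.join(config_dir, name)
        if os.path.lexists(path):
            findings.append(f"{path} should live under BASEDIR ({basedir})")

    # 2. BASEDIR holds the mutable state and must be writable by the service user.
    if not os.path.isdir(basedir):
        findings.append(f"BASEDIR {basedir} does not exist")
    elif not _writable_by(os.stat(basedir), svc_uid, svc_gid):
        findings.append(f"BASEDIR {basedir} is not writable by the service user")

    # 3. WELLKNOWN is often a symlink into the web root; follow it and make sure
    #    the real directory is writable by the service user and readable by
    #    everyone, since the web server runs as yet another user.
    real = os.path.realpath(wellknown)
    if not os.path.isdir(real):
        findings.append(f"WELLKNOWN {wellknown} does not resolve to a directory")
    else:
        st = os.stat(real)
        if not _writable_by(st, svc_uid, svc_gid):
            findings.append(f"WELLKNOWN {real} is not writable by the service user")
        if not (st.st_mode & stat.S_IROTH and st.st_mode & stat.S_IXOTH):
            findings.append(f"WELLKNOWN {real} is not world-readable; web server cannot serve challenges")
    return findings


def build_sample_layout(root, fixed):
    """Constructed layout under root. fixed=False mimics the ls output in the
    mail (state inside a group-writable config dir, no BASEDIR); fixed=True
    applies the suggested split. Returns (config_dir, basedir, wellknown)."""
    config_dir = os.path.join(root, "usr/local/etc/dehydrated")
    basedir = os.path.join(root, "var/dehydrated")
    webroot = os.path.join(root, "www/.well-known")
    wellknown = os.path.join(config_dir, ".well-known")
    os.makedirs(config_dir)
    os.makedirs(webroot)
    os.chmod(webroot, 0o777)  # service user writes tokens, web server reads them
    os.symlink(webroot, wellknown)
    state_dir = basedir if fixed else config_dir
    os.makedirs(state_dir, exist_ok=True)
    os.chmod(state_dir, 0o770)  # group-writable, like drwxrwx--- in the mail
    for name in ("accounts", "certs"):
        os.makedirs(os.path.join(state_dir, name), exist_ok=True)
    with open(os.path.join(state_dir, "domains.txt"), "w") as fh:
        fh.write("covisp.net www.covisp.net\n")
    if fixed:
        os.chmod(config_dir, 0o755)  # root-owned, read-only for everyone else
    return config_dir, basedir, wellknown


def demo():
    """Check both layouts; returns {"before": [...findings], "after": [...]}."""
    out = {}
    for label, fixed in (("before", False), ("after", True)):
        root = tempfile.mkdtemp()
        try:
            cfg, base, wk = build_sample_layout(root, fixed)
            # Constructed service identity: not our uid, but a member of our group,
            # which is what root:_dehydrated group-writable directories rely on.
            svc_uid, svc_gid = os.getuid() + 1, os.stat(cfg).st_gid
            out[label] = check_layout(cfg, base, wk, svc_uid, svc_gid)
        finally:
            shutil.rmtree(root)
    return out


if __name__ == "__main__":
    for label, findings in demo().items():
        print(label, findings or "OK")
```

Run it with real paths and the _dehydrated uid/gid (from pwd/grp) after moving the state; the "before" layout yields five findings and the "after" layout none.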

More information about the freebsd-ports mailing list