Dehydrated setup
Dirk Engling
erdgeist at erdgeist.org
Tue Nov 8 14:11:47 UTC 2016
On 08/11/2016 14:59, @lbutlr wrote:
> # su -m _dehydrated -c 'bash /usr/local/bin/dehydrated --cron'
> # INFO: Using main config file /usr/local/etc/dehydrated/config
> Processing covisp.net with alternative names: covisp.net www.covisp.net
> + Signing domains...
> + Generating private key...
> + Generating signing request...
> + Requesting challenge for covisp.net...
> + Requesting challenge for covisp.net...
> + Requesting challenge for www.covisp.net...
> + Responding to challenge for covisp.net...
> ERROR: Challenge is invalid! (returned: invalid) (result: {
> "type": "http-01",
> "status": "invalid",
> "error": {
> "type": "urn:acme:error:unauthorized",
> "detail": "Invalid response from http://covisp.net/.well-known/acme-challenge/t4DhXZyC
>
> same results with WELLKNOWN="/usr/local/etc/dehydrated/.well-known"
It says unauthorized now. Could it be that your web server does not
follow links by default? Could you tell me, which webserver you're
using? Then I can copy you a snippet for its config that should work.
> /usr/local/etc/dehydrated]# ls -lsR
> total 40
> 8 drwxrwx--- 2 root _dehydrated 512 Nov 8 04:34 .acme-challenges
> 0 lrwxr-xr-x 1 root _dehydrated 16 Nov 8 06:48 .well-known -> /www/.well-known
> 8 drwxrwx--- 3 root _dehydrated 512 Nov 8 06:45 accounts
> 8 drwxrwx--- 3 root _dehydrated 512 Oct 31 17:38 certs
> 8 -rw-r--r-- 1 root _dehydrated 141 Nov 8 06:56 config
> 8 -rw-r--r-- 1 root _dehydrated 129 Nov 8 06:54 domains.txt
Also I would suggest setting
BASEDIR=/var/dehydrated
in your config and make /usr/local/etc/dehydrated/ belong to root.
Currently your privilege separation does not yield much, as the
_dehydrated user can write /usr/local/etc/dehydrated and could possibly
overwrite your deploy.sh script, if you chose to provide one for use
with periodic.
You would just need to move the accounts and certs directory and
domains.txt to /var/dehydrated, give this directory to _dehydrated and
leave permissions on /usr/local/etc/dehydrated/ as they are (this saves
you A LOT of trouble when updating the package).
erdgeist