
Comments (19)

alecmuffett avatar alecmuffett commented on August 24, 2024 1

Triage request: could you add a couple more lines:

    ^/foo1$,bar1 \
    ^/foo2/$,bar2 \

and do eotk restart -a and then try hitting:

  • /foo1
  • /foo2
  • /foo2/

...and let me know how you get on?

from eotk.

alecmuffett avatar alecmuffett commented on August 24, 2024 1

from eotk.

alecmuffett avatar alecmuffett commented on August 24, 2024 1

@drew3000 more docs at https://alecmuffett.com/article/14735 and https://github.com/alecmuffett/eotk/blob/master/docs.d/HOW-TO-INSTALL.md#buying-a-https-certificate-from-harica

from eotk.

alecmuffett avatar alecmuffett commented on August 24, 2024

from eotk.

alecmuffett avatar alecmuffett commented on August 24, 2024

from eotk.

drew3000 avatar drew3000 commented on August 24, 2024

Apologies, just checking I'm doing it in the right place. This goes in the .conf file?

from eotk.

alecmuffett avatar alecmuffett commented on August 24, 2024

from eotk.

drew3000 avatar drew3000 commented on August 24, 2024

Hmmm. Thanks for your patience, Alec. My format for the config file looks like this:

# demo: CSV list to implement ownership proof URIs for EV SSL issuance
set hardcoded_endpoint_csv \
    ^/www/\\.well_known/pki-validation/FILE_NAME?$,"FILE_CONTENT_STRING" \
    ^/www/\\.well_known/pki-validation/FILE_NAME?$,"FILE_CONTENT_STRING"

Getting something off, as Harica isn't seeing it. The config and restart commands are passing without logging errors though. Are both lines needed if it's for one site's SSL?

from eotk.

alecmuffett avatar alecmuffett commented on August 24, 2024

oops, my bad, there needs to be a config step in there, too.

from eotk.

drew3000 avatar drew3000 commented on August 24, 2024

Hold the phone, I've debugged a bit. Let me check now.

Had to alter the trailing '' above to remove an error.

set project project_name
hardmap 5ip4monionaddressisherefjnzdwmnu77whhlod6vas5yvmyd site.com

set force_https 0

# demo: CSV list to implement ownership proof URIs for EV SSL issuance
set hardcoded_endpoint_csv \
    ^/www/\\.well_known/pki-validation/FILE_NAME?$,"FILE_CONTENT" \
    ^/www/\\.well_known/pki-validation/FILE_NAME?$,"FILE_CONTENT" \
    ^/www/\\/foo1$,bar1 \
    ^/www/\\/foo2/$,bar2

Config and restart worked. All URLs get a 404.

from eotk.

alecmuffett avatar alecmuffett commented on August 24, 2024

okay, I just merged a bunch of code that should simplify this.

update your code, remove/edit the hardcoded_endpoint_csv and make it look like this:

  1. delete set force_https 0 - this is no longer needed unless you need it for other purposes, but it's a bad idea anyway
  2. do this:
set ssl_proof_csv \
    /test,hello-world \
    /www/.well_known/pki-validation/FILENAME1,CONTENT1 \
    /www/.well_known/pki-validation/FILENAME2,CONTENT2

don't bother with quotes or anything like that. Reconfigure and restart.

*edit: then hit /test

from eotk.

alecmuffett avatar alecmuffett commented on August 24, 2024

incidentally, in case this is something not obvious, you say up top:

http://__________.onion/.well-known/pki-validation/

...but all our examples cite /www/.well_known/pki-validation/...

I presume you are trying to hit:

http://__________.onion/www/.well-known/pki-validation/

...in actuality? There's meant to be a verbatim string comparison going on...

from eotk.
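To make the two points above concrete (path,content pairs with no quoting, and a verbatim string comparison on the request path), here is a small model of how such a proof-URI table resolves requests. This is an added illustration, not eotk's own code; the parsing and lookup semantics are an assumption based only on what the maintainer says in this thread.

```python
"""Model of a verbatim proof-URI table in the shape of `set ssl_proof_csv`.
Added illustration; assumed semantics, not eotk's implementation."""

# Constructed config fragment in the form shown in the thread.
CONFIG = r"""
set ssl_proof_csv \
    /test,hello-world \
    /www/.well_known/pki-validation/FILENAME1,CONTENT1 \
    /www/.well_known/pki-validation/FILENAME2,CONTENT2
"""


def parse_proof_csv(text):
    """Join backslash-continued lines, find the `set ssl_proof_csv`
    statement and return {path: content}. Each token is path,content and
    the content is taken as-is: no quotes, no escaping."""
    joined = text.replace("\\\n", " ")
    table = {}
    for line in joined.splitlines():
        words = line.split()
        if words[:2] != ["set", "ssl_proof_csv"]:
            continue
        for token in words[2:]:
            path, _, content = token.partition(",")
            table[path] = content
    return table


def resolve(table, request_path):
    """Verbatim lookup: the request path must equal a configured path
    exactly. No '/www' prefix is added, '-' and '_' are not interchangeable,
    and a trailing slash makes a different path. Anything else is a 404."""
    if request_path in table:
        return 200, table[request_path]
    return 404, None


if __name__ == "__main__":
    t = parse_proof_csv(CONFIG)
    for p in ("/test",
              "/www/.well_known/pki-validation/FILENAME1",
              "/.well-known/pki-validation/FILENAME1"):
        print(p, resolve(t, p))
```

The third request in the usage block is the mismatch the maintainer points at: the configured path lives under /www/.well_known/, so /.well-known/ on its own is a 404.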

drew3000 avatar drew3000 commented on August 24, 2024

Thanks a bunch Alec,

That seems to have worked well. The test and validation file are both appearing, and now just in the queue for Harica to validate. Happy to help document anything up or read through any changes to your install or readme files.

from eotk.

trianglep avatar trianglep commented on August 24, 2024

from eotk.

alecmuffett avatar alecmuffett commented on August 24, 2024

from eotk.

drew3000 avatar drew3000 commented on August 24, 2024

Hi Alec,

We're getting there.

The .onion I'm using as my pilot to test this is here. Once I get the hang of things the purpose of all this is to launch a few production sites for some partners the org I work for supports.

Harica.gr issues PEM bundles. (It also issues a single .pem file, .der, and .p7b format.) The two options according to them are:

  1. Replace the contents of the existing certificates that eotk generates thusly:
    a. Replace the content of ygwdnjw2gt6sabcrhjqmpgsn4hhddomhipdpxbx6bru2zr2damxevqyd.onion.cert with the contents of the harica PEM bundle;
    b. Replace the content of ygwdnjw2gt6sabcrhjqmpgsn4hhddomhipdpxbx6bru2zr2damxevqyd.onion.pem with the content of my private key generated in the csr process.

Result: The reconfig command works, but the restart eotk command causes an error.

nginx: [emerg] SSL_CTX_use_PrivateKey_file("/root/eotk/projects.d/treacherous.d/ssl.d/ygwdnjw2gt6sabcrhjqmpgsn4hhddomhipdpxbx6bru2zr2damxevqyd.onion.pem") failed (SSL: error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error error:0907B00D:PEM routines:PEM_read_bio_PrivateKey:ASN1 lib error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib)
/root/eotk/projects.d/treacherous.d/start.sh: nginx.pid exists, treacherous may already be started, aborting!

  2. The other option is to:
    a. upload the Harica pem bundle and key to eotk/projects.d/treacherous.d/ssl.d
    b. change the nginx.conf file under # SSL config to list those two files instead of what's there.

Result: reconfig and restart overwrite the change in the nginx.conf file and generate the previous default certificates for use.

So, to test the second option, what do I need to do when running reconfig to not overwrite my changes? Or is there something else?

from eotk.
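The nginx error quoted above (EVP_DecryptFinal_ex bad decrypt, PKCS12 pbe crypt, PEM_read_bio_PrivateKey) is the chain OpenSSL reports when the key file it was handed is passphrase-protected and nothing supplies the passphrase. A pre-flight check on the two PEM files before an eotk restart saves a round of guessing. This is an added example, not part of eotk; it inspects PEM labels and headers only and never decodes key material, and the sample blocks are constructed placeholders rather than real certificates or keys.

```python
"""Pre-flight check of the PEM files handed to nginx. Added example, not
part of eotk. Looks at PEM labels/headers only; bodies are never decoded."""
import re

BLOCK_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n(.*?)-----END \1-----", re.S)

# Constructed samples: real-looking labels, placeholder bodies, not real keys.
ENCRYPTED_KEY = ("-----BEGIN ENCRYPTED PRIVATE KEY-----\n"
                 "MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQww\n"
                 "-----END ENCRYPTED PRIVATE KEY-----\n")
PLAIN_KEY = ("-----BEGIN PRIVATE KEY-----\n"
             "MIIEvQIBADANBgkqhkiG9w0BAQEFAASC\n"
             "-----END PRIVATE KEY-----\n")
BUNDLE = ("-----BEGIN CERTIFICATE-----\nMIIFazCCA1OgAwIBAgIUH\n-----END CERTIFICATE-----\n"
          "-----BEGIN CERTIFICATE-----\nMIIFazCCA1OgAwIBAgIUI\n-----END CERTIFICATE-----\n")


def pem_blocks(text):
    """Return the (label, body) blocks found in a PEM file, in order."""
    return [(m.group(1), m.group(2)) for m in BLOCK_RE.finditer(text)]


def key_is_encrypted(text):
    """PKCS#8 encrypted keys carry the ENCRYPTED PRIVATE KEY label; legacy
    PKCS#1/SEC1 keys signal a passphrase with a Proc-Type: 4,ENCRYPTED
    header line. nginx cannot prompt, so either form fails at startup."""
    for label, body in pem_blocks(text):
        if label == "ENCRYPTED PRIVATE KEY":
            return True
        if label.endswith("PRIVATE KEY") and "Proc-Type: 4,ENCRYPTED" in body:
            return True
    return False


def diagnose(cert_text, key_text):
    """Return the problems to fix before restarting nginx (empty if none)."""
    problems = []
    labels = [label for label, _ in pem_blocks(cert_text)]
    if not labels or labels[0] != "CERTIFICATE":
        problems.append("cert file must start with the server (leaf) certificate")
    if not any(label.endswith("PRIVATE KEY") for label, _ in pem_blocks(key_text)):
        problems.append("key file contains no PRIVATE KEY block")
    elif key_is_encrypted(key_text):
        problems.append("key is passphrase-protected; nginx will report "
                        "'bad decrypt' (strip the passphrase offline first)")
    return problems


if __name__ == "__main__":
    print(diagnose(BUNDLE, ENCRYPTED_KEY))
    print(diagnose(BUNDLE, PLAIN_KEY))
```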

alecmuffett avatar alecmuffett commented on August 24, 2024

from eotk.

drew3000 avatar drew3000 commented on August 24, 2024

Sure thing Alec, and thanks for your help. That's what I'm doing on the side. It's needing an nginx restart I think, but something's not working there. Will figure it out and post the rest. Much appreciated.

from eotk.

drew3000 avatar drew3000 commented on August 24, 2024

Thank you Alec! I did get it up and running in the end. I went for the self-generated CSR and I think that led to some more messing around with the key file than may have been required had I gone for the in-browser method.

from eotk.
