alecmuffett/eotk

SSL for production question

drew3000 opened this issue ยท 19 comments

harica.gr is issuing Onion SSLs for v3.

To validate, one needs to place a fille in:
http://__________.onion/.well-known/pki-validation/
to validate the CSR

Are there instructions on this floating about? How can someone add these directories?

Apologies, just checking I'm doing it in the right place. this goes in the .conf file?

Hmmm. Thanks for your patience Alec, My format for the config fille looks like this:

# demo: CSV list to implement ownership proof URIs for EV SSL issuance
set hardcoded_endpoint_csv \
    ^/www/\\.well_known/pki-validation/FILE_NAME?$,"FILE_CONTENT_STRING" \
    ^/www/\\.well_known/pki-validation/FILE_NAME?$,"FILE_CONTENT_STRING"

Getting something off as harica isn't seeing it. the config and restart commands are passing without logging errors though. Are both lines needed if it's for one site's SSL?

Triage request: coulf you add a couple more lines:

    ^/foo1$,bar1 \
    ^/foo2/$,bar2 \

and do eotk restart -a and then try hitting:

  • /foo1
  • /foo2
  • /foo2/

...and let me know how you get on?

  • oops, my bad, there needs to be a config step in there, too.

Hold the phone, I've done I debugged a bit. Let me check now.

Had to alter the trailing '' above to remove an error.

set project project_name
hardmap 5ip4monionaddressisherefjnzdwmnu77whhlod6vas5yvmyd site.com

set force_https 0

# demo: CSV list to implement ownership proof URIs for EV SSL issuance
set hardcoded_endpoint_csv \
    ^/www/\\.well_known/pki-validation/FILE_NAME?$,"FILE_CONTENT" \
    ^/www/\\.well_known/pki-validation/FILE_NAME?$,"FILE_CONTENT" \
    ^/www/\\/foo1$,bar1 \
    ^/www/\\/foo2/$,bar2

Config and resttart worked. All urls get a 404.

okay, I just merged a bunch of code that should simplify this.

update your code, remove/edit the hardcoded_endpoint_csv and make it look like this:

  1. delete set force_https 0 - this is no longer needed unless you need it for other purposes, but it's a bad idea anyway
  2. do this:
set ssl_proof_csv \
    /test,hello-world \
    /www/.well_known/pki-validation/FILENAME1,CONTENT1 \
    /www/.well_known/pki-validation/FILENAME2,CONTENT2

don't bother with quotes or anything like that. Reconfigure and restart.

*edit: then hit /test

incidentally, in case this is something not obvious, you say up top:

http://__________.onion/.well-known/pki-validation/

...but all our examples cite /www/.well_known/pki-validation/...

I presume you are trying to hit:

http://__________.onion/www/.well-known/pki-validation/

...in actuality? There's meant to be a verbatim string comparison going on...

Thanks a bunch Alec,

That seems to have worked well. The test and validation file are both appearing, and now just in the queue for Harica to validate. Happy to help document anything up or read through any changes to your install or readme files.

Hi Alex,

We're getting there.

The .onion I'm using as my pilot to test this is here. Once I get the hang of things the purpose of all this is to launch a few production sites for some partners the org I work for supports.

Harica.gr issues pem bundles. (it also issues a single .pem file, .der, and .p7b format.) The two options according to them are:

  1. Replace the contents of the existing certificates that eotk generates thusly:
    a. Replace the content of ygwdnjw2gt6sabcrhjqmpgsn4hhddomhipdpxbx6bru2zr2damxevqyd.onion.cert with the contents of the harica PEM bundle;
    b. Replace the content of ygwdnjw2gt6sabcrhjqmpgsn4hhddomhipdpxbx6bru2zr2damxevqyd.onion.pem with the content of my private key generated in the csr process.

Result: The reconfig command works, but the restart eotk command causes an error.

nginx: [emerg] SSL_CTX_use_PrivateKey_file("/root/eotk/projects.d/treacherous.d/ssl.d/ygwdnjw2gt6sabcrhjqmpgsn4hhddomhipdpxbx6bru2zr2damxevqyd.onion.pem") failed (SSL: error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error error:0907B00D:PEM routines:PEM_read_bio_PrivateKey:ASN1 lib error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib)
/root/eotk/projects.d/treacherous.d/start.sh: nginx.pid exists, treacherous may already be started, aborting!
  1. The other option is to:
    a. upload the Harica pem bundle and key to eotk/projects.d/treacherous.d/ssl.d
    b. change the nginx.conf file under # SSL config to list those two files instead of what's there.

Result: reconfig and restart overwrites the change in the nginx.conf file and generate the previous default certificates for use.

So, to test the second option, what do I need to do when running reconfig to not overwrite my changes? Or is there something else?

Sure thing Alec, and thanks for your help. That's what I'm doing on the side. It's neeing an nginx restart I think, but something's not working there. Will figure it out and post the rest. Much appreciated.

Thank you Alec! I did get it up and running in the end. I went for the self-generated CSR and I think that led to some more messing around with the key file than may have been required had I gone for the in-browser method.