From 39318169e0b50551db511851829f9337c5fa6313 Mon Sep 17 00:00:00 2001
From: glenda
Date: Sun, 15 Nov 2020 15:13:27 +0000
Subject: Import site to git

---
 sites/pmikkelsen.com/plan9/lets_encrypt.md | 59 ++++++++++++++++++++++++++++++
 1 file changed, 59 insertions(+)
 create mode 100644 sites/pmikkelsen.com/plan9/lets_encrypt.md

diff --git a/sites/pmikkelsen.com/plan9/lets_encrypt.md b/sites/pmikkelsen.com/plan9/lets_encrypt.md
new file mode 100644
index 0000000..f0b1c07
--- /dev/null
+++ b/sites/pmikkelsen.com/plan9/lets_encrypt.md
@@ -0,0 +1,59 @@ +## How I get tls certificates for 9front + +First of all, I use linux and drawterm for this for now, but +I would like to be able to do it all from 9front at some point. + +## Generate the certificate + +Install certbot on linux and run the following command + + certbot certonly --manual -d pmikkelsen.com -d vps1.pmikkelsen.com + +and do the challenges, they should be easy. + +## Importing the cert and private key + +Start drawterm and login as the hostowner. After this, the filesystem of the linux +system is available at `/mnt/term`. Run the following: + + cd /sys/lib/tls/ + cp /mnt/term/etc/letsencrypt/live/pmikkelsen.com/privkey.pem ./ + cp /mnt/term/etc/letsencrypt/live/pmikkelsen.com/fullchain.pem ./cert + +Now the private key must be converted to one that can be loaded into factotum + + auth/pemdecode 'PRIVATE KEY' privkey.pem | auth/asn12rsa -t 'service=tls role=client' > key + rm privkey.pem + chmod 400 key + +Add the following to `/cfg/$sysname/cpurc` to load the private key on boot. + + cat /sys/lib/tls/key >> /mnt/factotum/ctl + +Done. + +## SMTP over TLS + +I have the following in `/bin/service.auth/tcp25` + + #!/bin/rc + + user=`{cat /dev/user} + exec upas/smtpd -c /sys/lib/tls/cert -n $3 + +Notice I had to put it in the `/bin/service.auth` folder so that it could find the private key. + +## Https with rc-httpd + +I have the following in `/bin/service.auth/tcp443` + + #!/bin/rc + + exec tlssrv -c /sys/lib/tls/cert -l /sys/log/https /bin/service/tcp80 $* + +Again, in the `/bin/service.auth` folder. It simply wraps the plain http service +in a tls wrapper which looks like this for me + + #!/bin/rc + PLAN9=/ + exec /rc/bin/rc-httpd/rc-httpd >>[2]/sys/log/www -- cgit v1.2.3
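Review bot: In the "Importing the cert and private key" section the unencrypted private key is written with default permissions twice before anything restricts it: `cp .../privkey.pem ./` creates `/sys/lib/tls/privkey.pem` with whatever mode `cp` gives it, and `auth/asn12rsa ... > key` creates `key` via a plain shell redirection, with `chmod 400 key` only applied afterwards (and never to `privkey.pem`, which is just removed). Suggest tightening the window, e.g. `chmod 400 privkey.pem` right after the `cp`, and creating `key` restricted before filling it (`touch key; chmod 400 key` and then the `>` redirection, which in rc does not change the mode of an existing file), so the key is never readable beyond the hostowner even briefly. Separately, the page documents only the initial issuance: a `certbot certonly --manual` certificate expires and will have to be re-issued and the import steps repeated, so a short "Renewal" note (re-run certbot, re-copy `fullchain.pem` to `cert`, re-convert the key, reload factotum or reboot) would make the how-to complete. Minor style point: the title "How I get tls certificates for 9front" uses the same `##` level as the section headings below it; a `#` title would make the structure clearer.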