## How I get TLS certificates for 9front
First of all, I use Linux and drawterm for this for now, but
I would like to be able to do it all from 9front at some point.
## Generate the certificate
Install certbot on Linux and run the following command:

```sh
certbot certonly --manual -d pmikkelsen.com -d vps1.pmikkelsen.com
```

Then complete the challenges certbot prompts for; they should be easy.
I use the diff [here](/_files/ndb.diff) to make 9front's DNS server understand the records the challenge needs.
## Importing the cert and private key
Start drawterm and log in as the host owner. After this, the filesystem of the Linux
system is available at `/mnt/term`. Run the following:

```rc
cd /sys/lib/tls/
cp /mnt/term/etc/letsencrypt/live/pmikkelsen.com/privkey.pem ./
cp /mnt/term/etc/letsencrypt/live/pmikkelsen.com/fullchain.pem ./cert
```

Note that it is `fullchain.pem` (the leaf certificate followed by the intermediate) that becomes `cert`, not `cert.pem`: the server has to send the whole chain, or clients that do not already hold the intermediate will fail to verify it.
Now the private key must be converted into the form factotum loads. `auth/pemdecode` strips the PEM armor from the `PRIVATE KEY` block (the label certbot writes), and `auth/asn12rsa` turns the ASN.1 RSA key into a factotum key line tagged with the attributes the TLS code looks up:

```rc
auth/pemdecode 'PRIVATE KEY' privkey.pem | auth/asn12rsa -t 'service=tls role=client' > key
rm privkey.pem
chmod 400 key
```

The `key` file holds the private key in clear text, so the PEM copy is removed and the converted file is made readable by the host owner only. asn12rsa handles RSA keys only, so the certificate must have been issued for an RSA key.
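Before running the conversion it is worth checking that the files certbot wrote are what the 9front side expects. The following Python script is an added example, not code from the original page or from 9front. It inspects `privkey.pem` and `fullchain.pem` with only the standard library and reports the PEM label to hand to `auth/pemdecode`, whether the key is RSA (the only kind `auth/asn12rsa` converts), and how many certificates the chain file carries. The sample inputs at the bottom are constructed PKCS#8 and PEM skeletons around dummy bytes, not real keys or certificates; the DER walker reads only the header fields it needs.

```python
"""Pre-flight check of certbot output before it is copied into /sys/lib/tls.

Added example, not part of the original page or of 9front. Standard library
only; the DER walk covers the PKCS#8 header, it is not a general ASN.1 parser.
"""
import base64
import re
import sys

OID_RSA = "1.2.840.113549.1.1.1"  # rsaEncryption: what auth/asn12rsa accepts
OID_EC = "1.2.840.10045.2.1"      # id-ecPublicKey: certbot's default since 2.0

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def pem_blocks(text):
    """Return [(label, der_bytes), ...] for every PEM block in text."""
    return [(m.group(1), base64.b64decode("".join(m.group(2).split())))
            for m in PEM_RE.finditer(text)]


def _tlv(buf, pos, want):
    """Decode the DER tag/length at pos, check the tag, return (start, end) of the value."""
    tag, length = buf[pos], buf[pos + 1]
    if tag != want:
        raise ValueError("expected DER tag 0x%02x, got 0x%02x" % (want, tag))
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7f
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return pos, pos + length


def _oid(value):
    """Decode an OBJECT IDENTIFIER value into dotted-decimal form."""
    parts, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7f)
        if not b & 0x80:
            parts.append(acc)
            acc = 0
    return ".".join(map(str, parts))


def key_algorithm(label, der):
    """Return the key's algorithm OID.

    certbot writes PKCS#8 ("PRIVATE KEY"), whose header names the algorithm:
    SEQUENCE { INTEGER version, SEQUENCE { OID algorithm, params }, ... }.
    The older labels carry no OID; the algorithm follows from the label alone.
    """
    if label == "RSA PRIVATE KEY":        # PKCS#1
        return OID_RSA
    if label == "EC PRIVATE KEY":         # SEC1
        return OID_EC
    if label != "PRIVATE KEY":
        raise ValueError("unsupported private key block: %s" % label)
    pos, _ = _tlv(der, 0, 0x30)           # outer SEQUENCE
    _, ver_end = _tlv(der, pos, 0x02)     # INTEGER version
    alg, _ = _tlv(der, ver_end, 0x30)     # AlgorithmIdentifier
    start, end = _tlv(der, alg, 0x06)     # OBJECT IDENTIFIER
    return _oid(der[start:end])


def check_files(key_pem, chain_pem):
    """Summarise what the 9front import step will see for these two files."""
    keys = [b for b in pem_blocks(key_pem) if b[0].endswith("PRIVATE KEY")]
    if len(keys) != 1:
        raise ValueError("expected exactly one private key block")
    label, der = keys[0]
    certs = [b for b in pem_blocks(chain_pem) if b[0] == "CERTIFICATE"]
    return {
        "pemdecode_label": label,                     # argument for auth/pemdecode
        "rsa": key_algorithm(label, der) == OID_RSA,  # required by auth/asn12rsa
        "chain_length": len(certs),                   # 1 means cert.pem, not fullchain.pem
    }


def _der(tag, value):
    """Encode one DER TLV (short and two-byte long lengths suffice for the samples)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    if n < 0x100:
        return bytes([tag, 0x81, n]) + value
    return bytes([tag, 0x82, n >> 8, n & 0xff]) + value


def _pem(label, der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)


def _pkcs8(oid_der, params_der):
    """PKCS#8 skeleton around 32 dummy bytes: a constructed sample, not a key."""
    alg = _der(0x30, oid_der + params_der)
    return _der(0x30, _der(0x02, b"\x00") + alg + _der(0x04, b"\x00" * 32))


# Constructed sample inputs, shaped like certbot's files but with dummy bodies.
SAMPLE_RSA_KEY = _pem("PRIVATE KEY",
                      _pkcs8(bytes.fromhex("06092a864886f70d010101"), _der(0x05, b"")))
SAMPLE_EC_KEY = _pem("PRIVATE KEY",
                     _pkcs8(bytes.fromhex("06072a8648ce3d0201"),
                            bytes.fromhex("06082a8648ce3d030107")))   # P-256 params
SAMPLE_FULLCHAIN = _pem("CERTIFICATE", b"\x30\x03\x02\x01\x01") * 2  # leaf + intermediate

if __name__ == "__main__":
    if len(sys.argv) == 3:                # privkey.pem fullchain.pem
        with open(sys.argv[1]) as k, open(sys.argv[2]) as c:
            report = check_files(k.read(), c.read())
    else:
        report = check_files(SAMPLE_RSA_KEY, SAMPLE_FULLCHAIN)
    print(report)
    sys.exit(0 if report["rsa"] and report["chain_length"] > 1 else 1)
```

Run it on the Linux side as `python3 check.py /etc/letsencrypt/live/pmikkelsen.com/privkey.pem /etc/letsencrypt/live/pmikkelsen.com/fullchain.pem` (the script name is my choice). A report with `"rsa": False` means certbot generated an ECDSA key, which asn12rsa cannot convert; certbot 2.0 and later default to ECDSA, and `certbot --key-type rsa` asks for an RSA key instead. A `chain_length` of 1 means the wrong file was copied as `cert`.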
Add the following to `/cfg/$sysname/cpurc` to load the private key into the host owner's factotum on boot (factotum must already be running at that point):

```rc
cat /sys/lib/tls/key >> /mnt/factotum/ctl
```

Done. Let's Encrypt certificates are valid for 90 days, so after each renewal the copy and conversion steps have to be repeated and the new key loaded.
## SMTP over TLS
I have the following in `/bin/service.auth/tcp25`:

```rc
#!/bin/rc
user=`{cat /dev/user}
# -c offers STARTTLS with this certificate; $3 is the remote address listen(8) passes to the service
exec upas/smtpd -c /sys/lib/tls/cert -n $3
```

Notice that it has to live in `/bin/service.auth` rather than `/bin/service`: listen(8) runs services from the `service.auth` directory as the host owner, while those in `service` run as `none`, and only the host owner's processes can reach the factotum that holds the private key.
## HTTPS with rc-httpd
I have the following in `/bin/service.auth/tcp443`:

```rc
#!/bin/rc
# tlssrv terminates TLS with the certificate in /sys/lib/tls/cert (the key comes
# from factotum), logs to /sys/log/https and hands the decrypted connection to
# the plain http service
exec tlssrv -c /sys/lib/tls/cert -l /sys/log/https /bin/service/tcp80 $*
```

Again in the `/bin/service.auth` folder, for the same reason as above. It simply wraps the plain HTTP service, `/bin/service/tcp80`, in a TLS wrapper; that service looks like this for me:

```rc
#!/bin/rc
PLAN9=/
exec /rc/bin/rc-httpd/rc-httpd >>[2]/sys/log/www
```