Hi, Peter!
Well, when you run the step-ca as a non-root user (which is the default
config for the package) you cannot use the default TLS port (443) -
hence 8443 for the step-ca service.
I don't want to run step-ca as root user for a couple of reasons:
- deviate from the default package configuration
- introduce potential security risks
Don't get me wrong, a DNS service discovery sounds interesting, but it
would put another layer of complexity on the configuration (compared to
just add the port in a URL - which is part of an RFC:
https://www.ietf.org/rfc/rfc1738.txt).
Best regards,
Ronald
On 6/4/23 16:04, Peter J. Philipp wrote:
On Sun, Jun 04, 2023 at 10:48:07AM +0200, Ronald Heggenberger wrote:
Hi!
(sorry for the second attempt of this message - our domain was not configured
properly for mailing lists (dmarc reject) and I think the first attempt
probably wasn't processed properly)
I am using step-ca to host my own acme provisioner (which is already working -
an existing proxmox cluster can request and get x509 TLS certificates just
fine), and as next step I wanted to use acme-client on OpenBSD servers, since
it's deployed within the default installation. So I added it to
/etc/acme-client.conf
```
[...]
api url "https://use.some.domain.com:8443/acme/acme/directory";
[...]
```
But, when I run acme-client to actually get a certificate it terminates with
the following error:
```
acme-client:https://use.some.domain.com:8443/acme/acme/directory: directories
acme-client: use.some.domain.com:8443: parse error: non-recoverable failure in
name resolution
acme-client:https://use.some.domain.com:8443/acme/acme/directory: bad comm
acme-client: bad exit: netproc(21203): 1
acme-client: bad exit: dnsproc(35017): 1
```
I think the acme-client's interpretation of the host-name is wrong since it's
trying to resolve the hostname including the used tcp port as well.
What I've tried so far:
Using a relayd configuration to forward port 443 to 8443 (this was not
correctly working - just to prove a point) and changed the api url within the
acme-client.conf to get rid of the port definition:
```
[...]
api url "https://use.some.domain.com/acme/acme/directory";
[...]
```
When having the relayd setup waiting for connections and using acme-client I
got the following error (which makes me even more confident that there is a
problem in acme-client's handling of the hostname):
```
acme-client: 10.42.120.12: tls_write: handshake failed: unexpected EOF
acme-client: 10.42.120.12: tls_read: handshake failed: unexpected EOF
```
I don't want to setup relayd to handle my TLS properly on port 443, since I am
totally fine having the step-ca service handling it over port 8443.
I am currently running OpenBSD 7.3, with default setup/configuration - nothing
special.
How would one navigate this issue?
Thank you in advance and best regards
Ronald
BEGIN:VCARD
VERSION:4.0
N:Heggenberger;Ronald;;;
FN:Ronald Heggenberger
EMAIL;PREF=1:[email protected]
END:VCARD
Hi Ronald,
I think the approach is wrong to add a port number into acme-client. What
you perhaps need is something of the proposed internet standard for HTTPS RR's.
https://datatracker.ietf.org/doc/draft-ietf-dnsop-svcb-https/
It's not an STD or RFC yet but it soon will be, many DNS Server softwares
support it already. As far as browser support I dunno :-( Perhaps someone
else knows.
Best Regards,
-peter
