
I spent most of today learning that Google Apps were no longer free, and wandering through their support pages trying to pull apart the momentary domain email I'd set up to get going. Because (1) it's not free anymore, (2) at best all I can do is add queerbsd.com et al. as aliases to my legacy domains, which is not what I want at all, and (3) it's Google. Which has, of late, gotten big enough for itself that it may as well be wandering around without anything like a brain anymore.

So instead I went down the rabbit hole of trying to host my own mail setup (which I haven't bothered trying to do in nearly 10 years). So the first thing I wanted to do was attempt to set up an MTA and SMTP server... but lo and behold, that means setting up SSL finally. So after discovering that StartSSL has effectively gone defunct, and refusing to even consider Comodo (for historical reasons), I decided to try getting back into LetsEncrypt, as Bernard Spil has a very nice guide about how he's already done it. I quickly discovered that there were pieces missing now from the ports tree; "letsencrypt" is no longer advertised as an available port, and LetsKEncrypt has since been changed to acme-client, but that's hardly a problem.

The first thing I found confusing was that there's no clear method for setting up DNS domain validation, which is obviously the first step for this site or for doing anything else useful. The guide at LetsEncrypt.org only points to using Certbot from the EFF, which is all well and good but also includes only a list of commands to run and no background or expectations. If I need to first manually create an OpenSSL or LibreSSL key, I'd very much like to know how I'm supposed to go about doing so before dealing with all this.

Turns out I had to go to the IETF RFC for the ACME protocol just to figure this out.

Domain name validation takes place in one of two ways:

http-01 is validation over plain HTTP on port 80: the web server must map the URL path prefix "/.well-known/acme-challenge/" onto the challenge directory that acme-client writes its tokens into. I read the man page too quickly and didn't realize this, forcing me to try multiple times. Installing the package for acme-client currently creates all the correct paths, and can set up the keys and whatnot, but when the LetsEncrypt CA queries the webserver it will specifically request the URL http://{domain}/.well-known/acme-challenge/{token}, given a plain-vanilla acme-client installation and startup. So a lot of the issues I had here just revolved around getting my nginx configuration correct to present the tokens acme-client was creating. Reminded me how confusing nginx aliases can be.

Once I got that actually working, and the certs created and signed, I got an SSL protocol error. So I turned it off for now; I probably have to rebuild nginx with LibreSSL support :o/ Since I have that built already (and because it's a bit of a pain to do on AWS, due to the resources), I'll just fire up my vagrant port builder and build the package separately.
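The nginx mapping that trips people up, as an added example that is not part of the original post or of acme-client's own documentation. It assumes acme-client has been pointed at /usr/local/www/acme as its challenge directory (an assumption; use whatever challengedir your acme-client invocation actually writes to) and uses queerbsd.com from the post as the server name. The commented-out block is the broken form, the live block the one the CA can actually fetch:

```nginx
# Added example, not from the original post. The challenge directory
# /usr/local/www/acme is an assumption; substitute the one acme-client
# is configured to write tokens into.

server {
    listen 80;
    server_name queerbsd.com www.queerbsd.com;

    # WRONG: "root" appends the *whole* request URI to the directory, so
    # GET /.well-known/acme-challenge/TOKEN is looked up at
    # /usr/local/www/acme/.well-known/acme-challenge/TOKEN. Unless acme-client
    # was told to create that nested path, the file is not there and the
    # CA sees a 404 and fails the http-01 challenge.
    #
    # location /.well-known/acme-challenge/ {
    #     root /usr/local/www/acme;
    # }

    # RIGHT: "alias" replaces the matched prefix with the directory, so
    # GET /.well-known/acme-challenge/TOKEN -> /usr/local/www/acme/TOKEN,
    # which is exactly where acme-client drops the token file.
    # Keep the trailing "/" on both the location and the alias; without
    # them the prefix is substituted mid-path and the lookup silently breaks.
    location /.well-known/acme-challenge/ {
        alias /usr/local/www/acme/;
        default_type text/plain;   # token files have no extension
    }

    # This catch-all is safe to add once the certificate exists: nginx picks
    # the longest matching prefix, so the challenge location above wins for
    # the CA's request and is never redirected to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

Before running acme-client at all, drop a throwaway file into the challenge directory and fetch it the way the CA will, e.g. `echo ok > /usr/local/www/acme/probe` followed by `curl -i http://queerbsd.com/.well-known/acme-challenge/probe` from a host outside your network. A 200 with the file's contents means the mapping is right; a 404 means nginx is looking in the wrong place and no amount of re-running acme-client will help.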