SSL for production question

[drew3000]

harica.gr is issuing Onion SSLs for v3.

To validate, one needs to place a fille in:
http://__________.onion/.well-known/pki-validation/
to validate the CSR

Are there instructions on this floating about? How can someone add these directories?

[alecmuffett]

Hi Andrew! How about this? https://github.com/alecmuffett/eotk/blob/master/docs.d/HOW-TO-INSTALL.md#proving-your-ownership-to-a-certificate-authority--hardcoded-content ... I think that is reasonably up-to-date, please let me know how you get on.

[alecmuffett]

One nit: you will have to do "set force_ssl 0" temporarily in addition to everything else, until the test is completed. I have a potential fixed for this but it is not written yet.

[drew3000]

Apologies, just checking I'm doing it in the right place. this goes in the .conf file?

[alecmuffett]

Yes, and then a re-config and restart

[drew3000]

Hmmm. Thanks for your patience Alec, My format for the config fille looks like this:

# demo: CSV list to implement ownership proof URIs for EV SSL issuance
set hardcoded_endpoint_csv \
    ^/www/\\.well_known/pki-validation/FILE_NAME?$,"FILE_CONTENT_STRING" \
    ^/www/\\.well_known/pki-validation/FILE_NAME?$,"FILE_CONTENT_STRING"

Getting something off as harica isn't seeing it. the config and restart commands are passing without logging errors though. Are both lines needed if it's for one site's SSL?

[alecmuffett]

Triage request: coulf you add a couple more lines:

    ^/foo1$,bar1 \
    ^/foo2/$,bar2 \

and do eotk restart -a and then try hitting:

• /foo1
• /foo2
• /foo2/

...and let me know how you get on?

[alecmuffett]

• oops, my bad, there needs to be a config step in there, too.

[drew3000]

Hold the phone, I've done I debugged a bit. Let me check now.

Had to alter the trailing '' above to remove an error.

set project project_name
hardmap 5ip4monionaddressisherefjnzdwmnu77whhlod6vas5yvmyd site.com

set force_https 0

# demo: CSV list to implement ownership proof URIs for EV SSL issuance
set hardcoded_endpoint_csv \
    ^/www/\\.well_known/pki-validation/FILE_NAME?$,"FILE_CONTENT" \
    ^/www/\\.well_known/pki-validation/FILE_NAME?$,"FILE_CONTENT" \
    ^/www/\\/foo1$,bar1 \
    ^/www/\\/foo2/$,bar2

Config and resttart worked. All urls get a 404.

[alecmuffett]

okay, I just merged a bunch of code that should simplify this.

update your code, remove/edit the hardcoded_endpoint_csv and make it look like this:

1. delete set force_https 0 - this is no longer needed unless you need it for other purposes, but it's a bad idea anyway
2. do this:

set ssl_proof_csv \
    /test,hello-world \
    /www/.well_known/pki-validation/FILENAME1,CONTENT1 \
    /www/.well_known/pki-validation/FILENAME2,CONTENT2

don't bother with quotes or anything like that. Reconfigure and restart.

*edit: then hit /test

[alecmuffett]

incidentally, in case this is something not obvious, you say up top:

http://__________.onion/.well-known/pki-validation/

...but all our examples cite /www/.well_known/pki-validation/...

I presume you are trying to hit:

http://__________.onion/www/.well-known/pki-validation/

...in actuality? There's meant to be a verbatim string comparison going on...

[drew3000]

Thanks a bunch Alec,

That seems to have worked well. The test and validation file are both appearing, and now just in the queue for Harica to validate. Happy to help document anything up or read through any changes to your install or readme files.

[alecmuffett]

Awesome! I'd love to get a paragraph or two outlining the Harica process: how you engage, what it costs, what you received, etc. Delighted to attribute or otherwise.

[trianglep]

Leave me alone!!!!!!

…

On Mon, May 17, 2021 at 7:31 PM Alec Muffett ***@***.***> wrote: Awesome! I'd love to get a paragraph or two outlining the Harica process: how you engage, what it costs, what you received, etc. Delighted to attribute or otherwise. — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#89 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/APNXDZNUQE2J5R4AOOURA7LTOGRNZANCNFSM446KS66Q> .

[alecmuffett]

Hi Geraldy! It looks like you choose to follow this project. If that was a mistake you can unfollow it of your own accord. Best wishes.

[drew3000]

Hi Alex,

We're getting there.

The .onion I'm using as my pilot to test this is here. Once I get the hang of things the purpose of all this is to launch a few production sites for some partners the org I work for supports.

Harica.gr issues pem bundles. (it also issues a single .pem file, .der, and .p7b format.) The two options according to them are:

1. Replace the contents of the existing certificates that eotk generates thusly:
   a. Replace the content of ygwdnjw2gt6sabcrhjqmpgsn4hhddomhipdpxbx6bru2zr2damxevqyd.onion.cert with the contents of the harica PEM bundle;
   b. Replace the content of ygwdnjw2gt6sabcrhjqmpgsn4hhddomhipdpxbx6bru2zr2damxevqyd.onion.pem with the content of my private key generated in the csr process.

Result: The reconfig command works, but the restart eotk command causes an error.

nginx: [emerg] SSL_CTX_use_PrivateKey_file("/root/eotk/projects.d/treacherous.d/ssl.d/ygwdnjw2gt6sabcrhjqmpgsn4hhddomhipdpxbx6bru2zr2damxevqyd.onion.pem") failed (SSL: error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error error:0907B00D:PEM routines:PEM_read_bio_PrivateKey:ASN1 lib error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib)
/root/eotk/projects.d/treacherous.d/start.sh: nginx.pid exists, treacherous may already be started, aborting!

2. The other option is to:
   a. upload the Harica pem bundle and key to eotk/projects.d/treacherous.d/ssl.d
   b. change the nginx.conf file under # SSL config to list those two files instead of what's there.

Result: reconfig and restart overwrites the change in the nginx.conf file and generate the previous default certificates for use.

So, to test the second option, what do I need to do when running reconfig to not overwrite my changes? Or is there something else?

[alecmuffett]

I have limited time right now but may be able to get back to this in the morning; as a stop gap I would recommend looking up / googling for "how to install my my SSL certificate on nginx" I remember that the certificates we got from the New York times required two files to be concatenated (taking care not to delete the originals) in order to provide one of the files which nginx requires. I am pretty sure that digicert amongst others have a good web page about this. However that was for an EV certificate, so the mechanism may be different.

[drew3000]

Sure thing Alec, and thanks for your help. That's what I'm doing on the side. It's neeing an nginx restart I think, but something's not working there. Will figure it out and post the rest. Much appreciated.

[alecmuffett]

@drew3000 more docs at https://alecmuffett.com/article/14735 and https://github.com/alecmuffett/eotk/blob/master/docs.d/HOW-TO-INSTALL.md#buying-a-https-certificate-from-harica

[drew3000]

Thank you Alec! I did get it up and running in the end. I went for the self-generated CSR and I think that led to some more messing around with the key file than may have been required had I gone for the in-browser method.