Certificates Are Go
Reading time: 2 minutes (296 words)
Author: @pugmiester
Tags: blog, til, selfhosted
Sometimes, you just need to walk away from a problem to see what’s going wrong. Getting a TLS certificate for the blog is a good example.
I spent a few hours yesterday going round and round in circles trying to figure this out, so much in fact that I hit the bad attempts block from Let's Encrypt in 2 hours. So I walked away.
This afternoon I decided to take another crack at it. To start with, it was failing and again I couldn’t see why, but I was a little more awake than I was yesterday so took things a bit more methodically. I didn’t spot that I was getting HTTP 404 errors when the validation was trying to run, so I created a file manually in the expected location and, lo and behold, I couldn’t reach that either.
So, I checked all of the other files and directories that acme-client needs and they were all present and correct. Then I checked the config in /etc/httpd.conf again and it finally hit me. A stupid typo that I had now made twice, on two days, and in the exact same place in the file.
# $OpenBSD: httpd.conf,v 1.22 2020/11/04 10:34:18 denis Exp $
server "martin.hatstand.org.uk" {
    listen on * port 80
    root "/htdocs/martin.hatstand.org.uk"
    location "./well-known/acme-challenge/*" {
        root "/acme"
        request strip 2
    }
}
Can you spot it? It’s very subtle… That’s why I missed it more than once.
# $OpenBSD: httpd.conf,v 1.22 2020/11/04 10:34:18 denis Exp $
server "martin.hatstand.org.uk" {
    listen on * port 80
    root "/htdocs/martin.hatstand.org.uk"
    location "/.well-known/acme-challenge/*" {
        root "/acme"
        request strip 2
    }
}
Yep, that’s right. The location should be “/.well-known/…” and not “./well-known/…”. What a dufus. But, found it, fixed it and as you can already see we have TLS enabled.
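
A typo like this can be caught offline, before acme-client runs and a failed validation counts against the Let's Encrypt limit. The following is an added example, not part of the original post: a small Python check that reads an httpd.conf, tests whether any glob-style location block matches an ACME challenge request path, and reports which file inside the chroot would be served. The function name, the `example.org` sample config and the `TOKEN` probe are constructed for illustration, and Python's `fnmatch` is assumed to be a close enough stand-in for httpd's shell-glob matching.

```python
import fnmatch
import re

# Constructed probe: the path an http-01 validator requests (TOKEN is a placeholder).
PROBE = "/.well-known/acme-challenge/TOKEN"

# Constructed sample configs mirroring the two versions shown in the post.
BROKEN = '''
server "example.org" {
    listen on * port 80
    root "/htdocs/example.org"
    location "./well-known/acme-challenge/*" {
        root "/acme"
        request strip 2
    }
}
'''
FIXED = BROKEN.replace('"./well-known', '"/.well-known')

def challenge_target(conf, probe=PROBE):
    """Return the chroot-relative file served for `probe`, or None when no
    glob-style location block matches it (the validator would get a 404)."""
    server_root = pattern = root = None
    strip = 0
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if m := re.match(r'location\s+"([^"]+)"\s*\{', line):
            pattern, root, strip = m.group(1), server_root, 0
        elif m := re.match(r'root\s+"([^"]+)"', line):
            if pattern is None:
                server_root = m.group(1)             # server-level root
            else:
                root = m.group(1)                    # location-level override
        elif pattern and (m := re.match(r'request\s+strip\s+(\d+)', line)):
            strip = int(m.group(1))
        elif pattern and line == "}":                # end of location block
            if root and fnmatch.fnmatchcase(probe, pattern):
                # "request strip N" drops N leading path components
                parts = probe.lstrip("/").split("/")[strip:]
                return root.rstrip("/") + "/" + "/".join(parts)
            pattern = None
    return None

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, "->", challenge_target(conf) or "no location matches (404)")
```

Request paths always begin with "/", so a pattern beginning with "./" can never match one, which is why the first config answered every challenge with a 404.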