[prosody-dev] [PATCH] certmanager: Also look for cert/key files without .pem extension
Daniel Schulte
2017-12-17 20:08:51 UTC
Greetings,

today I set up a new instance of Prosody 0.10 and wanted to try out the
built-in Let's Encrypt support.
I ran
prosodyctl --root cert import /var/lib/acme/live
as I use acmetool [0] as my LE client but it didn't work as the filename
structure of acmetool is slightly different from the one certbot uses.

After a brief session with strace and some looking around in the prosodyctl
source I wrote a simple patch that makes certmanager also inspect correctly
named files in a subfolder with the hostname without the .pem extension.

I hope this will be included in a future release of prosody as I'd like to
continue using acmetool and not patch Prosody on every new release.

Regards
Daniel

[0] https://github.com/hlandau/acme
--
You received this message because you are subscribed to the Google Groups "prosody-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to prosody-dev+***@googlegroups.com.
To post to this group, send email to prosody-***@googlegroups.com.
Visit this group at https://groups.google.com/group/prosody-dev.
For more options, visit https://groups.google.com/d/optout.
Kim Alvefur
2017-12-30 16:38:32 UTC
Hi,
Post by Daniel Schulte
> today I set up a new instance of Prosody 0.10 and wanted to try out the
> built-in Let's Encrypt support.
> I ran
> prosodyctl --root cert import /var/lib/acme/live
> as I use acmetool [0] as my LE client but it didn't work as the filename
> structure of acmetool is slightly different from the one certbot uses.
> After a brief session with strace and some looking around in the prosodyctl
> source I wrote a simple patch that makes certmanager also inspect correctly
> named files in a subfolder with the hostname without the .pem extension.
> I hope this will be included in a future release of prosody as I'd like to
> continue using acmetool and not patch Prosody on every new release.
This seems to be something of a can of worms. I stumbled upon another
case of it not working at all because yet another ACME client put both
the key and certificate into the same file called 'full.pem'.

So the question is, how many different forms are there and how many do
we want to support?

At what point does it become easier to just go finish the original plan
of having `prosodyctl cert import` inspect the files it finds to see
what they are and puzzle them into something sensible.
--
Zash
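The "inspect the files to see what they are" approach Zash describes, as an added example that is not part of this thread and not Prosody, certbot or acmetool code. It is written in Python rather than Prosody's Lua and uses only the standard library: each file under a hostname directory is read, PEM blocks are recognised by their matching BEGIN/END labels, and the directory is inventoried as certificate files, key files and combined files, regardless of whether the client named them fullchain.pem, fullchain or full.pem. The layouts, file names and PEM bodies in `build_demo_tree` are constructed sample data standing in for certbot, acmetool and a combined-file client; the hostname `xmpp.example.com` is an assumption.

```python
"""Inventory ACME client output by inspecting PEM contents instead of file names."""
import os
import re
import stat
import tempfile

# A PEM block is a BEGIN line and an END line carrying the same label.
# The backreference rejects a BEGIN CERTIFICATE closed by END PRIVATE KEY.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n.*?-----END \1-----",
    re.DOTALL,
)

KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}
CERT_LABELS = {"CERTIFICATE", "TRUSTED CERTIFICATE", "X509 CERTIFICATE"}


def classify_pem(text):
    """Return the labels of all well-formed PEM blocks in `text`, in file order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def inspect_dir(path):
    """Inventory one hostname directory by content.

    Returns a dict with the files that hold certificates, private keys, or both
    (key and chain in one file), plus findings a sysadmin would want flagged:
    a missing key or certificate, and a private key readable by other users.
    """
    result = {"certs": [], "keys": [], "combined": [], "problems": []}
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if not os.path.isfile(full):
            continue
        try:
            with open(full, "r", encoding="ascii", errors="strict") as fh:
                labels = classify_pem(fh.read())
        except (UnicodeDecodeError, OSError):
            continue  # DER, PKCS#12 or unreadable: not PEM, out of scope here
        has_cert = any(label in CERT_LABELS for label in labels)
        has_key = any(label in KEY_LABELS for label in labels)
        if has_cert:
            result["certs"].append(name)
        if has_key:
            result["keys"].append(name)
            # Whatever the naming scheme, a key other users can read is a finding.
            mode = stat.S_IMODE(os.stat(full).st_mode)
            if mode & (stat.S_IRWXG | stat.S_IRWXO):
                result["problems"].append(
                    f"{name}: private key is group/world accessible (mode {mode:04o})"
                )
        if has_cert and has_key:
            result["combined"].append(name)
    if not result["certs"]:
        result["problems"].append("no certificate found")
    if not result["keys"]:
        result["problems"].append("no private key found")
    return result


def build_demo_tree(root):
    """Constructed sample layouts (dummy PEM bodies, not real key material)."""
    leaf = "-----BEGIN CERTIFICATE-----\nMIIBleaf(constructed)\n-----END CERTIFICATE-----\n"
    issuer = "-----BEGIN CERTIFICATE-----\nMIIBissuer(constructed)\n-----END CERTIFICATE-----\n"
    key = "-----BEGIN PRIVATE KEY-----\nMIIEkey(constructed)\n-----END PRIVATE KEY-----\n"
    layouts = {  # assumed to mimic certbot, acmetool and a combined-file client
        "certbot": {"fullchain.pem": leaf + issuer, "privkey.pem": key, "README": "not PEM\n"},
        "acmetool": {"fullchain": leaf + issuer, "privkey": key, "cert": leaf, "chain": issuer},
        "combined": {"full.pem": key + leaf + issuer},
    }
    dirs = {}
    for client, files in layouts.items():
        host_dir = os.path.join(root, client, "xmpp.example.com")
        os.makedirs(host_dir)
        for name, body in files.items():
            target = os.path.join(host_dir, name)
            with open(target, "w", encoding="ascii") as fh:
                fh.write(body)
            os.chmod(target, 0o600 if "PRIVATE KEY" in body else 0o644)
        dirs[client] = host_dir
    # Simulate a common mistake: the combined key+chain file left world-readable.
    os.chmod(os.path.join(dirs["combined"], "full.pem"), 0o644)
    return dirs


def demo():
    """Build the sample tree in a temp dir and return the per-client inventory."""
    with tempfile.TemporaryDirectory() as root:
        return {client: inspect_dir(d) for client, d in build_demo_tree(root).items()}


if __name__ == "__main__":
    for client, inventory in demo().items():
        print(client, inventory)
```

This only sorts files into certificates and keys; it does not prove that the key found belongs to the certificate found, and a directory that holds an old key next to a renewed chain would still pass. Before installing anything, an importer should additionally check that the private key matches the certificate's public key (for example by comparing the public keys with `openssl pkey -pubout` and `openssl x509 -pubkey -noout`) rather than trusting the pairing implied by the file layout.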