Advanced Namespace Tools blog

12 January 2017

Serving HTTPS on Plan 9 with Let's Encrypt

The workflow I used was somewhat awkward; maybe there are better ways.

Getting a Let's Encrypt Acme Client Working

I used (no relation to the acme editor, of course)

To get it set up, I had built go1.4.3->go1.7.4, then I had to make sure I had an appropriate set of certs at /sys/lib/tls/ca.pem.

hget > $home/bin/rc/git
go get
cd $GOPATH/src
unzip -f
go install acme-master

Generating Keys and Getting the Cert

Note that ape/openssl has been removed from 9front. I had an old version still installed, otherwise you can acquire it from somewhere, probably. Now we set up the SECRET keys. Keep these secure!

mkdir -p $home/.config/acme
cd $home/.config/acme
ape/openssl genrsa -out cert.key 2048
auth/pemdecode 'RSA PRIVATE KEY' cert.key | auth/asn12rsa -t 'service=tls' >factotum.key

I didn't have a Let's Encrypt account, so I had to

acme-master reg -gen

Then it was time for getting the cert itself. I had to use the manual mode as so:

acme-master cert -manual -k cert.key

That told me to copy a file from /tmp/blahblah to where it could be fetched from and press enter. So, I needed to open another rio window to work in /usr/web:

mkdir -p /usr/web/.well-known/acme-challenge
cp /tmp/barbaz /usr/web/.well-known/acme-challenge/blahderpfoo
chmod 644 /usr/web/.well-known/acme-challenge/blahderpfoo

That last step caused mea bit of grief because the original permissions didn't permit the web server to read and serve it. After pressing enter, I got the message "cert url:" and a file had appeared in $home/.config/acme.

Serving SSL with ip/httpd/httpd

I thought I was all ready, but an issue with httpd and factotum interfered. The way httpd sets up its namespace caused it to be unable to communicate with factotum, so I had to comment out these lines in /sys/src/cmd/ip/httpd/httpd.c and build a new binary.

//	if(newns("none", nil) < 0)
//		sysfatal("can't build normal namespace");

Finally, all was ready. From the .config/acme directory:

cat factotum.key >/mnt/factotum/ctl
ip/httpd/httpd -c -C

And with that, the semi-magical (actually ssl is a rather broken system, but lets not get into that right now) green padlock appeared when browsing from non-Plan9 browsers.