Advanced Namespace Tools blog

12 January 2017

Serving HTTPS on Plan 9 with Let's Encrypt

The workflow I used was somewhat awkward; maybe there are better ways.

Getting a Let's Encrypt Acme Client Working

I used https://github.com/google/acme (no relation to the acme editor, of course)

To get it set up, I had built go1.4.3->go1.7.4, then I had to make sure I had an appropriate set of certs at /sys/lib/tls/ca.pem.

hget http://9legacy.org/9legacy/tools/git > $home/bin/rc/git
go get golang.org/x/net/context
cd $GOPATH/src
hget https://github.com/google/acme/archive/master.zip>acmemaster.zip
unzip -f acmemaster.zip
go install acme-master

Generating Keys and Getting the Cert

Note that ape/openssl has been removed from 9front. I had an old version still installed, otherwise you can acquire it from somewhere, probably. Now we set up the SECRET keys. Keep these secure!

mkdir -p $home/.config/acme
cd $home/.config/acme
ape/openssl genrsa -out cert.key 2048
auth/pemdecode 'RSA PRIVATE KEY' cert.key | auth/asn12rsa -t 'service=tls' >factotum.key

I didn't have a Let's Encrypt account, so I had to

acme-master reg -gen mailto:myself@myemail.com

Then it was time for getting the cert itself. I had to use the manual mode as so:

acme-master cert -manual -k cert.key my.domain.org

That told me to copy a file from /tmp/blahblah to where it could be fetched from http://my.domain.org/.well-known/acme-challenge/barbaz and press enter. So, I needed to open another rio window to work in /usr/web:

mkdir -p /usr/web/.well-known/acme-challenge
cp /tmp/barbaz /usr/web/.well-known/acme-challenge/blahderpfoo
chmod 644 /usr/web/.well-known/acme-challenge/blahderpfoo

That last step caused mea bit of grief because the original permissions didn't permit the web server to read and serve it. After pressing enter, I got the message "cert url: https://acme-v01.api.letsencrypt.org/acme/cert/barglebargle" and a file my.domain.org.crt had appeared in $home/.config/acme.

Serving SSL with ip/httpd/httpd

I thought I was all ready, but an issue with httpd and factotum interfered. The way httpd sets up its namespace caused it to be unable to communicate with factotum, so I had to comment out these lines in /sys/src/cmd/ip/httpd/httpd.c and build a new binary.

//	if(newns("none", nil) < 0)
//		sysfatal("can't build normal namespace");

Finally, all was ready. From the .config/acme directory:

cat factotum.key >/mnt/factotum/ctl
ip/httpd/httpd -c my.domain.org.crt -C my.domain.org.crt

And with that, the semi-magical (actually ssl is a rather broken system, but lets not get into that right now) green padlock appeared when browsing from non-Plan9 browsers.