Advanced Namespace Tools blog
12 January 2017
Serving HTTPS on Plan 9 with Let's Encrypt
The workflow I used was somewhat awkward; maybe there are better ways.
Getting a Let's Encrypt Acme Client Working
I used https://github.com/google/acme (no relation to the acme editor, of course)
To get it set up, I had built go1.4.3->go1.7.4, then I had to make sure I had an appropriate set of certs at /sys/lib/tls/ca.pem.
hget http://9legacy.org/9legacy/tools/git > $home/bin/rc/git
go get golang.org/x/net/context
cd $GOPATH/src
hget https://github.com/google/acme/archive/master.zip>acmemaster.zip
unzip -f acmemaster.zip
go install acme-master
Generating Keys and Getting the Cert
Note that ape/openssl has been removed from 9front. I had an old version still installed, otherwise you can acquire it from somewhere, probably. Now we set up the SECRET keys. Keep these secure!
mkdir -p $home/.config/acme
cd $home/.config/acme
ape/openssl genrsa -out cert.key 2048
auth/pemdecode 'RSA PRIVATE KEY' cert.key | auth/asn12rsa -t 'service=tls' >factotum.key
I didn't have a Let's Encrypt account, so I had to
acme-master reg -gen mailto:myself@myemail.com
Then it was time for getting the cert itself. I had to use the manual mode as so:
acme-master cert -manual -k cert.key my.domain.org
That told me to copy a file from /tmp/blahblah to where it could be fetched from http://my.domain.org/.well-known/acme-challenge/barbaz and press enter. So, I needed to open another rio window to work in /usr/web:
mkdir -p /usr/web/.well-known/acme-challenge
cp /tmp/barbaz /usr/web/.well-known/acme-challenge/blahderpfoo
chmod 644 /usr/web/.well-known/acme-challenge/blahderpfoo
That last step caused me a bit of grief because the original permissions didn't permit the web server to read and serve it. After pressing enter, I got the message "cert url: https://acme-v01.api.letsencrypt.org/acme/cert/barglebargle" and a file my.domain.org.crt had appeared in $home/.config/acme.
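The file the client asks you to copy into /usr/web/.well-known/acme-challenge/ is not arbitrary: for an http-01 challenge its body must be the token followed by "." and the RFC 7638 thumbprint of the account key that registered with Let's Encrypt, and the server fetches it over plain HTTP before issuing anything. The following Python is an added example, not part of the original post or of the google/acme client, that computes that expected body and checks whatever your web server actually returns against it, so a permissions problem like the chmod one above (empty body) or a mismatched account key shows up as a specific message. The account JWK and token values are constructed placeholders; in practice you would paste the real token from the client's prompt and the body fetched with hget.

```python
import base64
import hashlib
import json

# Constructed sample values (not a real account key or token). "AQAB" is the
# standard base64url encoding of exponent 65537; the modulus is a placeholder.
ACCOUNT_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "constructed-modulus-placeholder-not-a-real-key-0123456789",
}
TOKEN = "constructed-token-0123456789abcdefABCDEF"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME/JWS require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required
    members only (e, kty, n for RSA), keys sorted, no whitespace. Extra members
    such as "alg" or "kid" are deliberately ignored."""
    if jwk.get("kty") != "RSA":
        raise ValueError("only RSA account keys are handled in this example")
    canonical = json.dumps({"e": jwk["e"], "kty": "RSA", "n": jwk["n"]},
                           separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """Body the ACME server expects at /.well-known/acme-challenge/<token>."""
    return token + "." + jwk_thumbprint(jwk)


def check_served_body(served: bytes, token: str, jwk: dict):
    """Compare what the web server returned with the expected key authorization.
    Returns (ok, reason). A trailing newline is tolerated, as the validator does."""
    expected = key_authorization(token, jwk)
    body = served.decode("ascii", "replace").rstrip("\r\n")
    if body == expected:
        return True, "ok"
    if not served:
        return False, "empty body: file unreadable or wrong path (check chmod 644 and the filename)"
    if body.startswith(token + "."):
        return False, "thumbprint mismatch: served for a different account key"
    return False, "unexpected body: wrong file or the web server returned an error page"


if __name__ == "__main__":
    ka = key_authorization(TOKEN, ACCOUNT_JWK)
    print("expected body:", ka)
    # Simulate the two failure modes discussed above with constructed responses.
    for served in (ka.encode(), b"", (TOKEN + ".wrongthumbprint").encode()):
        print(check_served_body(served, TOKEN, ACCOUNT_JWK))
```

Only the token, not the key authorization, goes in the filename; the client writes the full body into the temporary file it points you at, so comparing the served bytes against key_authorization() is the quickest way to confirm the copy and chmod steps worked before pressing enter.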
Serving SSL with ip/httpd/httpd
I thought I was all ready, but an issue with httpd and factotum interfered. The way httpd sets up its namespace caused it to be unable to communicate with factotum, so I had to comment out these lines in /sys/src/cmd/ip/httpd/httpd.c and build a new binary.
// if(newns("none", nil) < 0)
// sysfatal("can't build normal namespace");
Finally, all was ready. From the .config/acme directory:
cat factotum.key >/mnt/factotum/ctl
ip/httpd/httpd -c my.domain.org.crt -C my.domain.org.crt
And with that, the semi-magical (actually SSL is a rather broken system, but let's not get into that right now) green padlock appeared when browsing from non-Plan 9 browsers.