04-Jan-2018

More on certificate renewal
Comparing genealogy (wichh got the certificate a few days ago) and both webmail and homedesk made it clear that the mapping for the certificates is fine:


[[(service):80]]
map /.well-known/acme-challenge/* \
/wcme/.well-known/acme-challenge/* map=once
script /wcme* /cgi-bin/wcme*
pass * 403

[[(service):443]]
##[[192.168.0.2:443]]
# ...

but authorization wasn’t:

[[service]]
#[NONE]
#/.well-known/* read

[Auth=VMS]
/* read+write

so nothing could be done on port 80…Obvious, since access to both webmail and homedesk require authentication. For genealogy, unauthorized access is an option, so here it states

[NONE]
/* read
/public/* read

and so I changed the settings for webmail and homedesk accordingly, and now the certificates were created and stored in place.
But the browsers still complained about the invalidity of the certificates, even after clearing the bowser and server caches. The only way to get around it was to restart the server (from the web-admin page, or by
$ httpd/do=restart from the commandline – the same thing.

Now wait until April, for the next renewal…

I wrote a small report on all issues on the WASD mailing list.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.