OpenBSD、リレー、acme-client:サブドメインのTLS証明書を読み取れませんでした:「サーバーからの空の応答」

OpenBSD、リレー、acme-client:サブドメインのTLS証明書を読み取れませんでした:「サーバーからの空の応答」

Relayd/httpd/acme-client を持つ OpenBSD サーバー。走ろうとするhttps://mydomain.com(アプリケーションサーバーポート32489)、https://webmail.mydomain.com(48293)とhttps://forum.mydomain.com(28192). 3 つのサイトはすべて同じ TLS 証明書を共有します。一般的なHTTPは、TLS証明書(acme-client)を生成するためにのみ使用されます。

これまでhttps://mydomain.com期待どおりに動作しますが、残りの2つは次を返します。

curl -vvv https://webmail.mydomain.com

* Rebuilt URL to: https://webmail.mydomain.com/
*   Trying XXX...
* TCP_NODELAY set
* Connected to webmail.mydomain.com (XXX) port 443 (#0)
* schannel: SSL/TLS connection with webmail.mydomain.com port 443 (step 1/3)
* schannel: checking server certificate revocation
* schannel: sending initial handshake data: sending 180 bytes...
* schannel: sent initial handshake data: sent 180 bytes
* schannel: SSL/TLS connection with webmail.mydomain.com port 443 (step 2/3)
* schannel: failed to receive handshake, need more data
* schannel: SSL/TLS connection with webmail.mydomain.com port 443 (step 2/3)
* schannel: encrypted data got 4096
* schannel: encrypted data buffer: offset 4096 length 4096
* schannel: encrypted data length: 4032
* schannel: encrypted data buffer: offset 4032 length 4096
* schannel: received incomplete message, need more data
* schannel: SSL/TLS connection with webmail.mydomain.com port 443 (step 2/3)
* schannel: encrypted data got 907
* schannel: encrypted data buffer: offset 4939 length 5056
* schannel: sending next handshake data: sending 93 bytes...
* schannel: SSL/TLS connection with webmail.mydomain.com port 443 (step 2/3)
* schannel: encrypted data got 51
* schannel: encrypted data buffer: offset 51 length 5056
* schannel: SSL/TLS handshake complete
* schannel: SSL/TLS connection with webmail.mydomain.com port 443 (step 3/3)
* schannel: stored credential handle in session cache
> GET / HTTP/1.1
> Host: webmail.mydomain.com
> User-Agent: curl/7.55.1
> Accept: */*
>
* schannel: client wants to read 102400 bytes
* schannel: encdata_buffer resized 103424
* schannel: encrypted data buffer: offset 0 length 103424
* schannel: encrypted data got 31
* schannel: encrypted data buffer: offset 31 length 103424
* schannel: server closed the connection
* schannel: schannel_recv cleanup
* Empty reply from server
* Connection #0 to host webmail.mydomain.com left intact
curl: (52) Empty reply from server

acme-client.conf

authority letsencrypt {
  api url "https://acme-v02.api.letsencrypt.org/directory"
  account key "/etc/ssl/private/letsencrypt.key"
}

domain mydomain.com {
  alternative names { www.mydomain.com webmail.mydomain.com forum.mydomain.com }
  domain key "/etc/ssl/private/mydomain.com.key"
  domain full chain certificate "/etc/ssl/mydomain.com.crt"
  sign with letsencrypt
}

httpd.conf

ext_if="vio0"

types {
  include "/usr/share/misc/mime.types"
}

server "mydomain.com" {
  alias "www.mydomain.com"
  listen on $ext_if port 80
  location "/.well-known/acme-challenge/*" {
    root "/acme"
    request strip 2
  }
  location "*" {
    block return 301 "https://mydomain.com$REQUEST_URI"
  }
}

server "webmail.mydomain.com" {
  listen on $ext_if port 80
  location "/.well-known/acme-challenge/*" {
    root "/acme"
    request strip 2
  }
  location "*" {
    block return 301 "https://webmail.mydomain.com$REQUEST_URI"
  }
}

server "forum.mydomain.com" {
  listen on $ext_if port 80
  location "/.well-known/acme-challenge/*" {
    root "/acme"
    request strip 2
  }
  location "*" {
    block return 301 "https://forum.mydomain.com$REQUEST_URI"
  }
}

relayd.conf

ip="XXX"

table <cms> { 127.0.0.1 }
cms_port="32489"

table <webmail> { 127.0.0.1 }
webmail_port="48293"

table <forum> { 127.0.0.1 }
forum_port="28192"

table <httpd> { 127.0.0.1 }
httpd_port="80"

log connection errors

http protocol "http" {
  match request header set "Connection" value "close"
  match response header remove "Server"
}

relay "http_relay" {
  listen on $ip port http
  protocol "http"
  forward to <httpd> port $httpd_port
}

http protocol "https" {
  match header log "Host"
  match header log "X-Forwarded-For"
  match header log "User-Agent"
  match header log "Referer"
  match url log

  match header set "X-Forwarded-For" value "$REMOTE_ADDR"
  match header set "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
  match header set "Keep-Alive" value "$TIMEOUT"

  # Best practice security headers
  match response header remove "Server"
  match response header append "Strict-Transport-Security" value "max-age=31536000; includeSubDomains"
  match response header append "X-Frame-Options" value SAMEORIGIN
  match response header append "X-XSS-Protection" value "1; mode=block"
  match response header append "X-Content-Type-Options" value nosniff
  match response header append "Referrer-Policy" value strict-origin
  match response header append "Feature-Policy" value "accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none'"

  pass request header "Host" value "mydomain.com" forward to <cms>
  pass request header "Host" value "www.mydomain.com" forward to <cms>
  pass request header "Host" value "webmail.mydomain.com" forward to <webmail>
  pass request header "Host" value "forum.mydomain.com" forward to <forum>
  tls keypair "mydomain.com"
}

relay "https_relay" {
  listen on $ip port https tls

  protocol "https"

  forward to <cms> port $cms_port
  forward to <webmail> port $webmail_port
  forward to <forum> port $forum_port
}

答え1

relaydTLS SNIはまだ処理されていないため、tls keypair渡された各ドメインに1つのエントリが必要です。これは、あなたがサービスを提供する各ドメインに個人と.keyファイルを提供する必要があることを意味します。.crtこれはシンボリックリンクを介して簡単に処理できます。たとえば、次のようになります。

# cd /etc/ssl
# ln -s mydomain.com.crt www.mydomain.com.crt
# cd /etc/ssl/private
# ln -s mydomain.com.key www.mydomain.com.key

その後、追加

tls keypair "www.mydomain.com"

http protocol "https" {...}部分にrelayd.conf。走る

# relayd -n

すべてが大丈夫かどうか教えてくれます。

relayd証明書を更新したら、再ロードする必要があります。これは通常ジョブhttpdによって処理されます。ステータスページcronmanacme-client

A cron(8) job can renew the certificate as necessary.  On renewal,
httpd(8) is reloaded:

       ~ * * * * acme-client example.com && rcctl reload httpd

したがって、この場合、合計をrelayd再ロードするには行の末尾に追加する必要があります。他の方法やスクリプトを使用する場合は、適切に調整する必要があります。httpdrelayd

関連情報