code: fqa.9front.org

ref: cf1b29e88a566ed37e19c5cfbc520f6c036505ef
parent: f8f20d81d54221d582ea04147e536196bc22964a
author: sl <sl@stanleylieber.com>
date: Thu Oct 21 17:56:15 EDT 2021

fqa.ms, fqa7.ms: add 7.9.1 - ACME protocol (thanks, ori)

--- a/fqa.ms
+++ b/fqa.ms
@@ -1145,6 +1145,10 @@
 7.9 - TLS certificates
 .ihtml a
 
+.ihtml a <a href="fqa7.html#7.9.1">
+7.9.1 - ACME protocol
+.ihtml a
+
 .ihtml h1 <h1>
 .SH
 8 - Using 9front
--- a/fqa7.ms
+++ b/fqa7.ms
@@ -1922,6 +1922,78 @@
 .CW rsa(8)
 .ihtml a
 
+.html - <a name="7.9.1" />
+.ihtml h2 <h2>
+.SH
+7.9.1 - ACME protocol
+.R
+.ihtml h2
+9front ships an
+.ihtml a <a href="https://datatracker.ietf.org/doc/rfc8555/">
+Automatic Certificate Management Environment (ACME)
+.ihtml a
+client called
+.ihtml a <a href="http://man.9front.org/8/acmed">
+.CW acmed(8) .
+.ihtml a
+
+The following prepares an identity and certificate signing request, so that a certificate can be requested via the ACME protocol.
+.ihtml a <a href="https://letsencrypt.org">
+Letsencrypt
+.ihtml a
+is a popular ACME provider.
+
+.P1
+auth/rsagen -t 'service=acme role=sign hash=sha256 acct=a@b.org'\\
+	>acct.key
+auth/rsa2jwk acct.key >/sys/lib/tls/acmed/me@example.org.pub
+auth/rsagen -t 'service=tls owner=*' >/sys/lib/tls/key
+auth/rsa2csr 'CN=fakedom.com' /sys/lib/tls/key \\
+	>/sys/lib/tls/acmed/fakedom.com.csr} \\
+.P2
+
+The following uses the CSR from above, and fetches a newly signed certificate:
+
+.P1
+ip/acmed me@example.com fakedom.com.csr \\
+	>fakedom.com.crt
+.P2
+
+This requires the output directory (by default, /usr/web/.well-known/acme-challenge) to be served over
+http. It must appear as a directory available at
+
+.P1
+http://fakedom.com/.well/known/acme-challenge
+.P2
+
+containing the challenge files generated by
+.CW ip/acmed .
+
+Alternatively, the challenges can be completed using DNS.
+This requires your ndb to include the ndb snippet generated by
+.CW ip/acmed :
+
+.P1
+database=
+	...
+	file=/lib/ndb/dnschallenge
+.P2
+
+after which, acmed should be invoked with the
+.I -t
+.B dns
+flag.
+
+.P1
+ip/acmed -t dns me@example.com fakedom.com.csr fakedom.com \\
+	>fakedom.com.crt
+.P2
+
+Read:
+.ihtml a <a href="http://man.9front.org/8/acmed">
+.CW acmed(8)
+.ihtml a
+
 .html - <hr />
 .html - <a href="fqa.html">FQA INDEX</a> |
 .html - <a href="fqa6.html">FQA 6 - Networking</a> |
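Review bot: the challenge URL in the `.P1` block after "It must appear as a directory available at" reads `http://fakedom.com/.well/known/acme-challenge`, but the default output directory named two lines earlier is `/usr/web/.well-known/acme-challenge`; the path segment should be `.well-known` (one hyphenated name, as in RFC 8555), otherwise a reader who serves the directory under `/.well/known/` will fail every HTTP-01 challenge. Two smaller problems in the first `.P1` block: the line `>/sys/lib/tls/acmed/fakedom.com.csr} \\` carries a stray `}` and a trailing `\\` that continues the shell command into the `.P2` macro, so the closing brace and backslash should be dropped; and the account identity is spelled three different ways (`acct=a@b.org` in the `auth/rsagen` line, `me@example.org.pub` in the `auth/rsa2jwk` output path, and `me@example.com` in both `ip/acmed` invocations). Since `ip/acmed` looks up the account key by the name it is given, the `.pub` filename and the first argument to `ip/acmed` need to match; suggest using a single account name throughout so the example works when copied verbatim. Finally, the DNS example passes an extra positional argument (`fakedom.com`) that the HTTP example does not; a sentence explaining what that argument is would help readers who switch between the two modes.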