From: "Steven Levine"
Message-ID: <67098877.2.mr2ice.fgrirsq@earthlink.net>
Date: Fri, 11 Oct 2024 12:20:07 -0800
To: "eCS ISP Mailing List"
In-Reply-To:
Subject: Re: [eCS-ISP] HTTPS-Misery (for Steven)
X-Mailer: MR/2 Internet Cruiser Edition for OS/2 v3.00.11.24/60

In , on 10/11/24 at 10:36 AM, "Massimo S."
said:

Hi Massimo,

>i hope to have permissions to modify the script to adapt to my
>environment/paths

You don't need my permission.  As it says in the header

  This program is free software licensed under the terms of the GNU
  General Public License Version 3 or newer.  The GPL Software License
  can be found in gnugpl3.txt or at
  http://www.gnu.org/licenses/licenses.html#GPL

If you don't know what the GPL is and how you are allowed to use GPL
licenced code, I recommend you do some reading.

>and added just
> docroot = 'X:\apache\htdocs\mywebsite\.well-known\acme-challenge'
>of course like before i have to create an hook script for each domain,
>but this is not a problem
>now the scripts works well also here

Good to hear.  Let me know if you run into any unexpected problems.  As
I mentioned, the script is intended to be mostly generic, but one never
knows how generic a script is until it's got multiple users.

I would never have gone with a multiple script solution, but it's your
time and your choice.  FWIW, if I had to implement a solution where the
domain to directory mapping is not algorithmic, I would have used a
mapping file with lines of the form

  domain path

It's a simple job for REXX to read the file, match on the domain and map
the domain to the path.  This way I would only have one file to edit for
all domains being managed.

>i've another question
>in the \acme-challenge dir with my script i was used to find a lot of
>token files
>eg. zGaQTb6CdwEeuLNOm4-DK8zBxCSlql-oCxXl2V3t9Q0
>now the dir remains empty

This is how the ACME token files are supposed to be managed.  Your naive
scripts did not implement the hook as intended.  The token files are
only good for one use and are supposed to be deleted by the hook script.
If you review uacme-hook.log, you will see log messages indicating when
the token files are created and deleted.

>and i didn't find in the code something that
>clear the token file

The token files are deleted by

  uacme-hook.cmd:131 call SysFileDelete gTokenFile
  uacme-hook.cmd:141 call SysFileDelete gTokenFile

In the uacme.sh sample script, the token files are deleted by

  uacme.sh:48
    "done"|"failed")
      case "$TYPE" in
        http-01)
          rm ${CHALLENGE_PATH}/${TOKEN}
          exit $?
          ;;

>i also added a say gType
>before
> if gType \== 'http-01' then
>at line 114
>but i don't find any output to the screen

You are probably missing it.  The log files are a better way to look
for this.  They don't scroll off the screen so fast.  From one of my
logs, I have

  2024/08/19-18:04:45 uacme-hook started at 2024/08/19-18:04:45
  2024/08/19-18:04:45 method is begin
  2024/08/19-18:04:45 type is dns-01
  2024/08/19-18:04:45 ident is www.www.cih.bz
  2024/08/19-18:04:45 token is nPKmBr_nbCWbtX-09jCugox_kuqPCSok3O13g3fb_hs
  2024/08/19-18:04:45 auth is 3D6NBz-8HXPorNUQIcP2DS9DK4TeyN5L7byu10KwqYM

and

  2024/08/13-08:39:26 method is begin
  2024/08/13-08:39:26 type is tls-alpn-01
  2024/08/13-08:39:26 ident is test.warpcave.com
  2024/08/13-08:39:26 token is yL12UITv9P44oo6eEpL37-MSSnxno5ECoQnJDs4QYQc
  2024/08/13-08:39:26 auth is dGEv0VC2mYKwXrYn0CHyFdg_77Qzuzw-3y_O0AbqTRY

so, it's clear that Let's Encrypt will try various challenge types.  I
do see mostly http-01 challenges, so it's possible LE records the last
successful challenge type and tries it first most of the time.  It's an
obvious optimization.

Steven

-- 
----------------------------------------------------------------------
"Steven Levine"   Warp/DIY/BlueLion etc.
www.scoug.com  www.arcanoae.com  www.warpcave.com
----------------------------------------------------------------------
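The two points Steven makes above, the "domain path" mapping file instead of one hook script per domain, and the hook itself creating the token file on "begin" and deleting it on "done"/"failed", can be put together in one hook. The script below is an added example written for this archive page; it is not Steven's uacme-hook.cmd and not uacme's own uacme.sh, and it is POSIX sh rather than REXX. It assumes the hook argument order the uacme.sh sample uses (METHOD TYPE IDENT TOKEN AUTH), assumes the http-01 response file should contain AUTH, and the mapping-file and log-file locations are placeholders that can be overridden through the environment.

```shell
#!/bin/sh
# Added example, not Steven's uacme-hook.cmd and not uacme's own uacme.sh:
# a uacme-style http-01 hook that maps the identifier to a docroot via a
# mapping file of "domain path" lines and deletes the token on done/failed.
# Assumed hook argument order, as in the uacme.sh sample: METHOD TYPE IDENT TOKEN AUTH
# Assumed file locations; override via the environment or edit to taste.
MAPFILE="${UACME_MAPFILE:-/etc/uacme/domains.map}"
LOGFILE="${UACME_HOOK_LOG:-/var/log/uacme-hook.log}"

# Timestamped log line in the same layout as the uacme-hook.log excerpts.
log() {
    printf '%s %s\n' "$(date '+%Y/%m/%d-%H:%M:%S')" "$*" >> "$LOGFILE"
}

# lookup_docroot DOMAIN: print the path mapped to DOMAIN in MAPFILE.
# Lines are "domain path" (whitespace separated, so paths with spaces are
# not supported); lines starting with # are comments.  Exit 1 if unmapped.
lookup_docroot() {
    awk -v d="$1" '
        $1 == d { print $2; found = 1; exit }
        END     { exit !found }
    ' "$MAPFILE"
}

# handle_challenge METHOD TYPE IDENT TOKEN AUTH
# begin:       write the key authorization (AUTH) to .well-known/acme-challenge/TOKEN
# done/failed: delete that file, since a token is only good for one use.
handle_challenge() {
    method=$1 type=$2 ident=$3 token=$4 auth=$5
    log "method is $method"
    log "type is $type"
    log "ident is $ident"
    log "token is $token"

    # Only http-01 is handled here; dns-01 and tls-alpn-01 need other plumbing.
    if [ "$type" != "http-01" ]; then
        log "type $type is not handled by this hook"
        return 1
    fi

    # ACME tokens are base64url; anything else (path separators, empty
    # strings) must never be used to build a file name under the docroot.
    case $token in
        ""|*[!A-Za-z0-9_-]*)
            log "rejecting malformed token"
            return 1 ;;
    esac

    docroot=$(lookup_docroot "$ident") || {
        log "no mapping for $ident in $MAPFILE"
        return 1
    }
    file="$docroot/.well-known/acme-challenge/$token"

    case $method in
        begin)
            mkdir -p "${file%/*}" && printf '%s' "$auth" > "$file" &&
                log "created $file" ;;
        done|failed)
            rm -f "$file" && log "deleted $file" ;;
        *)
            log "unknown method $method"
            return 1 ;;
    esac
}

# When run by uacme the five arguments are present; when sourced, nothing runs.
if [ $# -eq 5 ]; then
    handle_challenge "$@"
fi
```

Because the token validation runs before the path is built, a malformed token never reaches the filesystem, and the log shows the same "created"/"deleted" pairs Steven points Massimo at, so an empty acme-challenge directory after a run is the expected state rather than a sign that something is missing.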