From: "Massimo S."
Reply-To: ml@ecomstation.it
To: eCS ISP Mailing List
Subject: Re: [eCS-ISP] HTTPS-Misery (for Steven)
Date: Sat, 12 Oct 2024 01:40:40 +0200
Message-ID: <12dd86fa-e05a-d359-d38e-259bcb8b8f1e@ecomstation.it>
User-Agent: Mozilla/5.0 (OS/2; U; Warp 4.5; it-IT; rv:1.7.13) Gecko/20060424 Thunderbird/1.0.8 Mnenhy/0.7.4.0

On 11/10/2024 22:20, Steven Levine wrote:
> In , on 10/11/24
> at 10:36 AM, "Massimo S."
> said:
>
> Hi Massimo,
>
>> I hope to have permission to modify the script to adapt it to my
>> environment/paths
>
> You don't need my permission. As it says in the header

politeness is much more important for me than GPL or such

> This program is free software licensed under the terms of
> the GNU General Public License Version 3 or newer. The GPL
> Software License can be found in gnugpl3.txt or at
> http://www.gnu.org/licenses/licenses.html#GPL
>
> If you don't know what the GPL is and how you are allowed to use GPL
> licensed code, I recommend you do some reading.
>
>> and added just
>> docroot = 'X:\apache\htdocs\mywebsite\.well-known\acme-challenge'
>
>> of course, like before, I have to create a hook script for each domain,
>> but this is not a problem
>> now the scripts work well here too
>
> Good to hear. Let me know if you run into any unexpected problems. As I
> mentioned, the script is intended to be mostly generic, but one never
> knows how generic a script is until it's got multiple users.
>
> I would never have gone with a multiple script solution, but it's
> your time and your choice.
>
> FWIW, if I had to implement a solution where the domain to directory
> mapping is not algorithmic, I would have used a mapping file with lines of
> the form
>
> domain path
>
> It's a simple job for REXX to read the file, match on the domain and map
> the domain to the path. This way I would only have one file to edit for
> all domains being managed.
>
>> I've another question
>> in the \acme-challenge dir with my script I used to find a lot of
>> token files
>> e.g. zGaQTb6CdwEeuLNOm4-DK8zBxCSlql-oCxXl2V3t9Q0
>> now the dir remains empty
>
> This is how the ACME token files are supposed to be managed. Your naive
> scripts did not implement the hook as intended.
>
> The token files are only good for one use and are supposed to be deleted
> by the hook script. If you review uacme-hook.log, you will see log
> messages indicating when the token files are created and deleted.
>
>> and I didn't find in the code something that
>> clears the token file
>
> The token files are deleted by
>
> uacme-hook.cmd:131
> call SysFileDelete gTokenFile
>
> uacme-hook.cmd:141
> call SysFileDelete gTokenFile
>
> In the uacme.sh sample script, the token files are deleted by
>
> uacme.sh:48
> "done"|"failed")
>     case "$TYPE" in
>         http-01)
>             rm ${CHALLENGE_PATH}/${TOKEN}
>             exit $?
>             ;;
>
>
>> I also added a say gType
>> before
>> if gType \== 'http-01' then
>> at line 114
>> but I don't find any output on the screen
>
> You are probably missing it. The log files are a better way to look for
> this. They don't scroll off the screen so fast. From one of my logs, I
> have
>
> 2024/08/19-18:04:45 uacme-hook started at 2024/08/19-18:04:45
> 2024/08/19-18:04:45 method is begin
> 2024/08/19-18:04:45 type is dns-01
> 2024/08/19-18:04:45 ident is www.www.cih.bz
> 2024/08/19-18:04:45 token is nPKmBr_nbCWbtX-09jCugox_kuqPCSok3O13g3fb_hs
> 2024/08/19-18:04:45 auth is 3D6NBz-8HXPorNUQIcP2DS9DK4TeyN5L7byu10KwqYM
>
> and
>
> 2024/08/13-08:39:26 method is begin
> 2024/08/13-08:39:26 type is tls-alpn-01
> 2024/08/13-08:39:26 ident is test.warpcave.com
> 2024/08/13-08:39:26 token is yL12UITv9P44oo6eEpL37-MSSnxno5ECoQnJDs4QYQc
> 2024/08/13-08:39:26 auth is dGEv0VC2mYKwXrYn0CHyFdg_77Qzuzw-3y_O0AbqTRY
>
> so, it's clear that Let's Encrypt will try various challenge types.
>
> I do see mostly http-01 challenges, so it's possible that LE records the
> last successful challenge type and tries it first most of the time. It's
> an obvious optimization.
>
> Steven

Thank you so much, but as you know I don't have your skills. I still don't understand this:

2024/10/12-01:33:15 hook_webmail started at 2024/10/12-01:33:15
2024/10/12-01:33:15 method is begin
2024/10/12-01:33:15 type is http-01
2024/10/12-01:33:15 ident is webmail.mydomain.it
2024/10/12-01:33:15 token is OQg2xEXcj39j6brHDmIDwj5V5mYY1_DOvU5DRDOnPh4
2024/10/12-01:33:25 hook_webmail started at 2024/10/12-01:33:25
2024/10/12-01:33:25 method is failed
2024/10/12-01:33:25 type is http-01
2024/10/12-01:33:25 ident is webmail.mydomain.it
2024/10/12-01:33:25 token is OQg2xEXcj39j6brHDmIDwj5V5mYY1_DOvU5DRDOnPh4
2024/10/12-01:33:25 auth is OQg2xEXcj39j6brHDmIDwj5V5mYY1_DOvU5DRDOnPh4.zyhanFlpd0tloojCJrdfZjZwx4LbkQHuYa75ndsa-Qs
2024/10/12-01:33:25 DoFailed deleting X:\apache\htdocs\webmail\.well-known\acme-challenge\OQg2xEXcj39j6brHDmIDwj5V5mYY1_DOvU5DRDOnPh4

For this domain it failed. I still find the acme-challenge dir empty, and it fails even if the method is http-01.
I'm puzzled, sorry.

massimo
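Editor's note, added to this message and not part of the thread, uacme, or Steven's uacme-hook.cmd. The log Massimo posts is the sequence Steven describes: the hook is invoked with method "begin" at 01:33:15 and writes the token file, then invoked again with method "failed" at 01:33:25 and removes it, so the token file exists only in the ten seconds between the two calls and an empty acme-challenge directory afterwards is the designed outcome, not the cause of the failure. In http-01 the CA fetches http://<ident>/.well-known/acme-challenge/<token> over plain HTTP on port 80 during that window and expects the body to equal the key authorization (the "auth" value, token.thumbprint). The POSIX sh hook below is an added example in the argument order of the uacme.sh excerpt quoted above (METHOD TYPE IDENT TOKEN AUTH), using the "domain path" mapping file Steven suggests instead of one script per domain, writing the key authorization on "begin", deleting the file on "done"/"failed", and adding a `check_challenge` function to confirm, before the CA is asked to validate, that the file on disk really holds the expected content. The file names `acme-map.txt` and `uacme-hook.log`, the docroot paths and the sample token are assumptions for the example; the token sanity check is there because the token is an input from the network and must not be allowed to form a path outside the challenge directory.

```shell
#!/bin/sh
# Added example (not code from the thread, uacme, or uacme-hook.cmd):
# minimal uacme-style http-01 hook with a "domain docroot" mapping file.
# Called as: hook.sh METHOD TYPE IDENT TOKEN AUTH (same order as uacme.sh).
# MAP_FILE, LOG_FILE and all paths below are assumptions for the example.

MAP_FILE="${MAP_FILE:-./acme-map.txt}"     # lines of the form "<domain> <docroot>"
LOG_FILE="${LOG_FILE:-./uacme-hook.log}"

log() {
    printf '%s %s\n' "$(date +%Y/%m/%d-%H:%M:%S)" "$*" >>"$LOG_FILE"
}

# lookup_docroot DOMAIN: print the docroot mapped to DOMAIN, fail if unmapped.
lookup_docroot() {
    awk -v d="$1" '$1 == d { print $2; found = 1; exit } END { exit !found }' "$MAP_FILE"
}

# challenge_dir DOMAIN: directory the CA's /.well-known/acme-challenge/<token>
# request is served from for DOMAIN.
challenge_dir() {
    root=$(lookup_docroot "$1") || return 1
    printf '%s/.well-known/acme-challenge\n' "$root"
}

# check_challenge DIR TOKEN AUTH: succeed only if the token file exists and its
# body is exactly the key authorization the CA will compare against.
check_challenge() {
    [ -f "$1/$2" ] && [ "$(cat "$1/$2")" = "$3" ]
}

# acme_hook METHOD TYPE IDENT TOKEN AUTH
acme_hook() {
    method=$1 ctype=$2 ident=$3 token=$4 auth=$5
    log "method is $method"; log "type is $ctype"; log "ident is $ident"; log "token is $token"
    [ "$ctype" = http-01 ] || { log "type $ctype not handled by this hook"; return 1; }
    # ACME tokens are base64url; reject anything else so a hostile token cannot
    # escape the challenge directory through "/" or "..".
    case $token in
        ""|*[!A-Za-z0-9_-]*) log "rejecting malformed token"; return 1 ;;
    esac
    dir=$(challenge_dir "$ident") || { log "no mapping for $ident in $MAP_FILE"; return 1; }
    case $method in
        begin)
            mkdir -p "$dir" || return 1
            # Body is the key authorization (token.thumbprint), as uacme.sh writes it.
            printf '%s' "$auth" >"$dir/$token" || return 1
            log "created $dir/$token"
            ;;
        done|failed)
            # One-shot token: removed on success and on failure alike, which is
            # why the directory is empty again once uacme has finished.
            rm -f "$dir/$token"
            log "$method: deleted $dir/$token"
            ;;
        *)
            log "unknown method $method"; return 1 ;;
    esac
}

# Stand-alone use: ./hook.sh begin http-01 webmail.example.net <token> <auth>
if [ "$#" -eq 5 ]; then
    acme_hook "$@"
fi
```

To see what the CA sees, run the hook with "begin" by hand, then fetch http://<ident>/.well-known/acme-challenge/<token> from outside the network before calling it with "done"; if `check_challenge` passes locally but the remote fetch does not return the same body, the problem is between the CA and Apache (port 80 reachability, virtual host or docroot mismatch, a redirect), not in the hook.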