13:32 <electropositron> Hi everyone ! I am looking for help on Sandstorm with the SSL certification process.

13:32 <electropositron> Where could I find an exemple of JSON request to send from the admin panel for the ACME DNS-01 challenge ?

13:32 <electropositron> Thanks in advance !

13:42 <ocdtrekkie> which DNS provider are you using?

13:42 <electropositron> Gandi

13:46 <ocdtrekkie> I suspect it looks like this: {

13:46 <ocdtrekkie> baseUrl: 'https://dns.api.gandi.net/api/v5/', // default

13:46 <ocdtrekkie> token: 'xxxx'

13:46 <ocdtrekkie> }

13:46 <ocdtrekkie> https://git.coolaj86.com/coolaj86/acme-dns-01-gandi.js.git is the Gandi plugin documentation.

13:50 <ocdtrekkie> token, or course, being a production API key from your Gandi panel

13:50 <electropositron> Thanks, I'm trying this right away !

13:52 <electropositron> Ok, I'm getting an error

13:52 <electropositron> Invalid JSON: Expected property name or '}' in JSON at position 2

13:53 <ocdtrekkie> I would probably removed the // default comment in there, perhaps?

13:53 <electropositron> Same error...

13:54 <electropositron> That's why I wandered about JSON formatting

13:54 <Ryuno-KiAndrJaen> JSON also requires double quotes

13:55 <electropositron> I didn't understood the exemples linked from sandstorm's documentation :

13:55 <electropositron> https://www.npmjs.com/package/acme-dns-01-gandi

13:55 <electropositron> Ok, so I take the javascript part and double quote everything

13:55 <electropositron> I try this

13:56 <Ryuno-KiAndrJaen> It stumbles upon some {}, though

13:56 <Ryuno-KiAndrJaen> So the first few characters of the JSON would help

13:57 <ocdtrekkie> If there's one core weakness in this ACME library, it's that having to feed it JSON objects that are different per provider, with little documentation on what they should actually look like is really irritating.

13:58 <electropositron> Good news ! It worked ! With

13:58 <electropositron> {

13:58 <electropositron>  "baseUrl": "https://dns.api.gandi.net/api/v5/",

13:58 <electropositron>  "token": "xxxx"

13:58 <electropositron> }

13:58 <electropositron> Thanks a lot for your help !!

13:59 <Ryuno-KiAndrJaen> You're welcome

13:59 <ocdtrekkie> Awesome. Knew we had to be close!

14:02 <ocdtrekkie> We probably should at some point have our own in-house documentation page for those.

14:12 <electropositron> Hi again, it seems my sandstorm installation is down now :'(

14:12 <electropositron> Once the ACME challenge is completed, I changed the sansdstorm listening port to 443 in /opt/snadstorm/sandstorm.conf

14:13 <electropositron> relaunched sandstorm process

14:14 <electropositron> But connection is refused due to ssl error

14:14 <electropositron> Is there Trouble shooting guide for this...

14:16 <electropositron> Is there a way to manage sll connection on command line perhaps ?

14:17 <ocdtrekkie> There is, though a port change shouldn't affect your certificate being valid... 🤔

14:17 <ocdtrekkie> what does your sandstorm.conf look like? you can change values a bit if needbe

14:19 <electropositron> Here is my /opt/sandstorm/sandstorm.conf

14:19 <electropositron> SERVER_USER=sandstorm

14:19 <electropositron> PORT=443

14:19 <electropositron> MONGO_PORT=6081

14:19 <electropositron> BIND_IP=0.0.0.0

14:19 <electropositron> #BASE_URL=https://charbon.sandcats.io

14:19 <electropositron> #WILDCARD_HOST=*.charbon.sandcats.io

14:19 <electropositron> BASE_URL=https://charbon.hopstudio.fr

14:19 <electropositron> WILDCARD_HOST=*.hopstudio.fr

14:19 <electropositron> UPDATE_CHANNEL=dev

14:19 <electropositron> ALLOW_DEV_ACCOUNTS=false

14:19 <electropositron> SMTP_LISTEN_PORT=25

14:19 <electropositron> #SANDCATS_BASE_DOMAIN=sandcats.io

14:19 <electropositron> #HTTPS_PORT=443

14:19 <electropositron> sudo sandstorm renew-certificate

14:19 <electropositron> get a successful result

14:19 <TimMc> Pastebin next time, please. :-) Here's one: https://bpa.st/

14:19 <electropositron> Oh ok, sorry

14:19 <ocdtrekkie> So you still want to be using HTTPS_PORT when not using Sandcats.

14:20 <ocdtrekkie> PORT= is for HTTP

14:20 <ocdtrekkie> Though I think you still need to define it.

14:21 <electropositron> Ah ok, so how do I configure it for https ?

14:21 <ocdtrekkie> Usually we use 6080 and then you just don't allow that through your firewall.

14:21 <ocdtrekkie> Uncomment that HTTPS_PORT line, and sent PORT to some other not 443 port.

14:22 <ocdtrekkie> And then restart the service, of course

14:23 <electropositron> Oh wow, it worked ! Thanks a lot !

14:23 <TimMc> I think most people listen on ports 6080 and 6443 and use port-forwarding so that external 443 goes to the service's 6443.

14:23 <TimMc> \o/

14:24 <TimMc> (or use nginx listening port 443, proxying to sandstorm 6080)

14:24 <electropositron> I tried this through nginx, but apps didin't launched

14:24 <electropositron> the wildcard wasn't supported i guess

14:28 <ocdtrekkie> There's a way to do it but it's complicated. If you're able to let Sandstorm handle it's own HTTPS now it's preferable, we just have poor documentation for it because it was done more recently than much of the rest of the software.

14:29 <ocdtrekkie> Glad we were able to sort it out for you!

14:34 <TimMc> I haven't been following that -- it sounds like Sandstorm knows how to negotiate dns-01 with some set of DNS providers now?

14:35 <ocdtrekkie> Yeah, using the ACME.js libraru

14:35 <ocdtrekkie> library*

14:35 <TimMc> nice

14:38 <TimMc> I use NearlyFreeSpeech.net as a registrar and DNS provider and so I ended up writing my own dns-01 manual-auth-hook for certbot. I should see if there's a way to contribute that script to a library.

14:39 <TimMc> NFSN has a kind of weird and gross API: https://github.com/timmc/commapps/blob/master/roles/nfsn-dns/files/scripts/api-call.sh

14:40 <TimMc> If ACME.js could support NFSN directly, then I could pass-through the TLS stream in nginx and remove a bunch of code. :-)

14:41 <ocdtrekkie> The plugin format for ACME.js is pretty straightforward I think, a couple of people have added their own provider plugins for it to Sandstorm.

14:42 <ocdtrekkie> (Check About, we list the non-upstream plugins separately, and the Sandcats provider is also a plugin for ACME.js)

15:02 <TimMc> At one point I used a thoroughly ridiculous method to get Let's Encrypt working with my XMPP server, which can't handle the easier challenge methods. I generated a key and CSR on the home server, copied the CSR to my web server (of the same domain), and configured an ACME client to periodically get certs and put them in a public directory; then I had a cron job periodically curl the certs and register

15:02 <TimMc> them with the XMPP server.

15:03 <ocdtrekkie> I mean for a lot of enterprise stuff these days that'd be what you need if you want ACME support. :P

15:04 <TimMc> Yeah. I'm glad the CSR mechanism exists. It allowed me to split the mechanism onto two servers in a secure way.

15:04 <TimMc> It's just a Bit Much, is all.

15:09 <TimMc> The alternative was dns-01, and I don't like having to provision all my servers with an API key that has complete control over my DNS records. :-/

15:13 <ocdtrekkie> It'd be nice if everyone who supported API keys also let you create them with granular access.

15:14 <TimMc> Relatedly, GitHub is *finally* rolling out fine-grained personal access tokens.

15:15 <ocdtrekkie> Yeah. Cloudflare has them now too, for a while theirs was "all of your accounts" wide.

15:15 <TimMc> oof

17:20 <ocdtrekkie> I might need to remove the double NAT configuration here at home.

17:20 <ocdtrekkie> I got away with it for a surprisingly long time, but hairpinning isn't working on my new modem they just put in.

17:22 <ocdtrekkie> My firewall should have no problem with it but since it doesn't see the public IP it doesn't know it needs to be hairpinned, but I think if I put the modem in bridge mode it would probably work.

17:22 <ocdtrekkie> Right now my Sandstorm server works from the Internet, and from my internal network (where I have my own DNS), but from my Wi-Fi network which is a separate VLAN things aren't making it out and back.