OpenBSD server with relayd/httpd. Trying to run https://mydomain.com (app server on port 32489), https://webmail.mydomain.com (48293) and https://forum.mydomain.com (28192). All three sites share the same TLS certificate. Plain HTTP is only used for TLS certificate generation (acme).
So far https://mydomain.com works as expected, but the other two return:
curl -vvv https://webmail.mydomain.com
* Rebuilt URL to: https://webmail.mydomain.com/
* Trying XXX...
* TCP_NODELAY set
* Connected to webmail.mydomain.com (XXX) port 443 (#0)
* schannel: SSL/TLS connection with webmail.mydomain.com port 443 (step 1/3)
* schannel: checking server certificate revocation
* schannel: sending initial handshake data: sending 180 bytes...
* schannel: sent initial handshake data: sent 180 bytes
* schannel: SSL/TLS connection with webmail.mydomain.com port 443 (step 2/3)
* schannel: failed to receive handshake, need more data
* schannel: SSL/TLS connection with webmail.mydomain.com port 443 (step 2/3)
* schannel: encrypted data got 4096
* schannel: encrypted data buffer: offset 4096 length 4096
* schannel: encrypted data length: 4032
* schannel: encrypted data buffer: offset 4032 length 4096
* schannel: received incomplete message, need more data
* schannel: SSL/TLS connection with webmail.mydomain.com port 443 (step 2/3)
* schannel: encrypted data got 907
* schannel: encrypted data buffer: offset 4939 length 5056
* schannel: sending next handshake data: sending 93 bytes...
* schannel: SSL/TLS connection with webmail.mydomain.com port 443 (step 2/3)
* schannel: encrypted data got 51
* schannel: encrypted data buffer: offset 51 length 5056
* schannel: SSL/TLS handshake complete
* schannel: SSL/TLS connection with webmail.mydomain.com port 443 (step 3/3)
* schannel: stored credential handle in session cache
> GET / HTTP/1.1
> Host: webmail.mydomain.com
> User-Agent: curl/7.55.1
> Accept: */*
>
* schannel: client wants to read 102400 bytes
* schannel: encdata_buffer resized 103424
* schannel: encrypted data buffer: offset 0 length 103424
* schannel: encrypted data got 31
* schannel: encrypted data buffer: offset 31 length 103424
* schannel: server closed the connection
* schannel: schannel_recv cleanup
* Empty reply from server
* Connection #0 to host webmail.mydomain.com left intact
curl: (52) Empty reply from server

acme-client.conf:
authority letsencrypt {
api url "https://acme-v02.api.letsencrypt.org/directory"
account key "/etc/ssl/private/letsencrypt.key"
}
domain mydomain.com {
alternative names { www.mydomain.com webmail.mydomain.com forum.mydomain.com }
domain key "/etc/ssl/private/mydomain.com.key"
domain full chain certificate "/etc/ssl/mydomain.com.crt"
sign with letsencrypt
}

httpd.conf:
ext_if="vio0"
types {
include "/usr/share/misc/mime.types"
}
server "mydomain.com" {
alias "www.mydomain.com"
listen on $ext_if port 80
location "/.well-known/acme-challenge/*" {
root "/acme"
request strip 2
}
location "*" {
block return 301 "https://mydomain.com$REQUEST_URI"
}
}
server "webmail.mydomain.com" {
listen on $ext_if port 80
location "/.well-known/acme-challenge/*" {
root "/acme"
request strip 2
}
location "*" {
block return 301 "https://webmail.mydomain.com$REQUEST_URI"
}
}
server "forum.mydomain.com" {
listen on $ext_if port 80
location "/.well-known/acme-challenge/*" {
root "/acme"
request strip 2
}
location "*" {
block return 301 "https://forum.mydomain.com$REQUEST_URI"
}
}

relayd.conf:
ip="XXX"
table { 127.0.0.1 }
cms_port="32489"
table { 127.0.0.1 }
webmail_port="48293"
table { 127.0.0.1 }
forum_port="28192"
table { 127.0.0.1 }
httpd_port="80"
log connection errors
http protocol "http" {
match request header set "Connection" value "close"
match response header remove "Server"
}
relay "http_relay" {
listen on $ip port http
protocol "http"
forward to port $httpd_port
}
http protocol "https" {
match header log "Host"
match header log "X-Forwarded-For"
match header log "User-Agent"
match header log "Referer"
match url log
match header set "X-Forwarded-For" value "$REMOTE_ADDR"
match header set "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
match header set "Keep-Alive" value "$TIMEOUT"
# Best practice security headers
match response header remove "Server"
match response header append "Strict-Transport-Security" value "max-age=31536000; includeSubDomains"
match response header append "X-Frame-Options" value SAMEORIGIN
match response header append "X-XSS-Protection" value "1; mode=block"
match response header append "X-Content-Type-Options" value nosniff
match response header append "Referrer-Policy" value strict-origin
match response header append "Feature-Policy" value "accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none'"
pass request header "Host" value "mydomain.com" forward to
pass request header "Host" value "www.mydomain.com" forward to
pass request header "Host" value "webmail.mydomain.com" forward to
pass request header "Host" value "forum.mydomain.com" forward to
tls keypair "mydomain.com"
}
relay "https_relay" {
listen on $ip port https tls
protocol "https"
forward to port $cms_port
forward to port $webmail_port
forward to port $forum_port
}

Posted on 2022-11-20 01:43:43
relayd doesn't handle this with TLS yet, so you need a tls keypair entry for every forwarded domain. That means you need a separate .key and .crt file for each domain. This is easily handled with symlinks, e.g.:
# cd /etc/ssl
# ln -s mydomain.com.crt www.mydomain.com.crt
# cd /etc/ssl/private
# ln -s mydomain.com.key www.mydomain.com.key

then add

tls keypair "www.mydomain.com"

to the http protocol "https" {...} section of relayd.conf. Running

# relayd -n

will tell you if everything is fine.

Note that you need to reload relayd after the certificate has been renewed. For httpd this is usually handled by a cron job. The acme-client man page states:

A cron(8) job can renew the certificate as necessary. On renewal,
httpd(8) is reloaded:

~ * * * * acme-client example.com && rcctl reload httpd

So in this case you would add relayd to the end of that line, so that both httpd and relayd are reloaded. If you use another method or script, adjust it accordingly.
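The symlink-per-hostname step described in the answer, as an added example that is not part of the original answer or of OpenBSD: a small POSIX sh script that creates the .crt/.key links for every alternative name, refuses to overwrite a real file, checks that each name resolves to a readable certificate and a private key that is not world-readable (a dangling link or an over-permissive key is what you want to catch before reloading relayd), and runs relayd -n only where relayd is installed. The function names and the SSL_DIR / SSL_PRIVATE_DIR overrides (defaulting to /etc/ssl and /etc/ssl/private, which need root) are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the original answer or of OpenBSD: creates the
# per-hostname certificate/key symlinks that each "tls keypair" entry in
# relayd.conf expects, and checks the result before a reload.
# SSL_DIR and SSL_PRIVATE_DIR are assumed override variables so the functions
# can be exercised in a scratch directory; by default they point at the real
# /etc/ssl and /etc/ssl/private, which require root.

# link_one DIR SOURCE_NAME LINK_NAME
# Creates DIR/LINK_NAME -> SOURCE_NAME as a relative link, so the directory can
# be copied or backed up as a unit. Refuses to replace a regular file.
link_one() {
    dir=$1 src=$2 dst=$3
    if [ -e "$dir/$dst" ] && [ ! -L "$dir/$dst" ]; then
        echo "refusing to replace regular file $dir/$dst" >&2
        return 1
    fi
    ln -sf "$src" "$dir/$dst"
}

# link_keypairs PRIMARY ALT...
# For every alternative name, link ALT.crt -> PRIMARY.crt in SSL_DIR and
# ALT.key -> PRIMARY.key in SSL_PRIVATE_DIR.
link_keypairs() {
    primary=$1; shift
    ssl_dir=${SSL_DIR:-/etc/ssl}
    priv_dir=${SSL_PRIVATE_DIR:-/etc/ssl/private}

    [ -f "$ssl_dir/$primary.crt" ] || { echo "missing $ssl_dir/$primary.crt" >&2; return 1; }
    [ -f "$priv_dir/$primary.key" ] || { echo "missing $priv_dir/$primary.key" >&2; return 1; }

    for alt in "$@"; do
        link_one "$ssl_dir" "$primary.crt" "$alt.crt" || return 1
        link_one "$priv_dir" "$primary.key" "$alt.key" || return 1
    done
}

# check_keypairs NAME...
# Verifies each name resolves to a readable certificate and key (catches
# dangling links after a rename) and that the private key is not readable by
# "other". Prints one line per problem; the return value is the problem count.
check_keypairs() {
    ssl_dir=${SSL_DIR:-/etc/ssl}
    priv_dir=${SSL_PRIVATE_DIR:-/etc/ssl/private}
    problems=0
    for name in "$@"; do
        crt="$ssl_dir/$name.crt"
        key="$priv_dir/$name.key"
        [ -r "$crt" ] || { echo "$name: $crt is missing or unreadable"; problems=$((problems + 1)); }
        [ -r "$key" ] || { echo "$name: $key is missing or unreadable"; problems=$((problems + 1)); }
        # find -L follows the symlink, so the mode tested is the real key file's
        if [ -f "$key" ] && [ -n "$(find -L "$key" -perm -004 2>/dev/null)" ]; then
            echo "$name: $key is world-readable"; problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# validate_relayd
# Dry-run parse of relayd.conf. relayd -n exists only on OpenBSD, so the check
# is skipped elsewhere (e.g. when exercising the link logic on another OS).
validate_relayd() {
    if command -v relayd >/dev/null 2>&1; then
        relayd -n
    else
        echo "relayd not installed here, skipping config check" >&2
    fi
}

# Typical use on the server from the question (run as root):
#   link_keypairs mydomain.com www.mydomain.com webmail.mydomain.com forum.mydomain.com
#   check_keypairs mydomain.com www.mydomain.com webmail.mydomain.com forum.mydomain.com
#   validate_relayd && rcctl reload relayd
```

Because the links are relative and point at the primary name's files, a renewal by acme-client rewrites mydomain.com.crt and mydomain.com.key in place and every hostname picks up the new material on the next relayd reload; check_keypairs is worth running from the same cron line before that reload so a broken link fails loudly instead of leaving relayd serving the old certificate.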
https://unix.stackexchange.com/questions/725498