Peter's website random notes

How I get tls certificates for 9front

First of all, I use linux and drawterm for this for now, but I would like to be able to do it all from 9front at some point.

Generate the certificate

Install certbot on linux and run the following command

certbot certonly --manual -d -d

and do the challenges, they should be easy. I use the diff here to make 9fronts dns server understand the needed records.

EDIT: As of Sun Feb 14 2021, this patch is no longer needed since cinap pushed a proper fix.

Importing the cert and private key

Start drawterm and login as the hostowner. After this, the filesystem of the linux system is available at /mnt/term. Run the following:

cd /sys/lib/tls/
cp /mnt/term/etc/letsencrypt/live/ ./
cp /mnt/term/etc/letsencrypt/live/ ./cert

Now the private key must be converted to one that can be loaded into factotum

auth/pemdecode 'PRIVATE KEY' privkey.pem | auth/asn12rsa -t 'service=tls role=client' > key
rm privkey.pem
chmod 400 key

Add the following to /cfg/$sysname/cpurc to load the private key on boot.

cat /sys/lib/tls/key >> /mnt/factotum/ctl

Done. The key can also be stored in secstore if that is setup, so it doesn't lay unencryped on the disk.


I have the following in /bin/service.auth/tcp25

user=`{cat /dev/user}
exec upas/smtpd -c /sys/lib/tls/cert -n $3

Notice I had to put it in the /bin/service.auth folder so that it could find the private key.

Https with rc-httpd

I have the following in /bin/service.auth/tcp443


exec tlssrv -c /sys/lib/tls/cert -l /sys/log/https /bin/service/tcp80 $*

Again, in the /bin/service.auth folder. It simply wraps the plain http service in a tls wrapper. The plain tcp80 service looks like this for me

auth/none /rc/bin/rc-httpd/rc-httpd >>[2]/sys/log/www