Untitled attachment

Notices where this attachment appears

1. Phantasm (phnt@fluffytail.org)'s status on Monday, 07-Oct-2024 09:12:20 JST Phantasm

   in reply to

   @pernia @0 @pwm relayd is a bit retarded, that it by default looks for TLS certs/keys with the same IP the relay listens on. Because I wanted to support serving on subdomains with a different cert than the main domain, I would have to use the alternative way of using an IP and appending the port to name of the cert/key. I tried to make it work for 2 hours and failed.

   Now for what I meant. There's a config option in relayd, that allows it to search for certs/keys with a name instead of the IP. You just have to use a somewhat non-standard file extension for the fullchain certificate (something.crt instead of something.pem). It specifically has to be the fullchain certificate, otherwise any client won't be able to verify the CA that signed your certificate as it is not included.

   To simplify it even more, setup acme-client like the screenshot and then tell relayd to use that name you chose in that config with this option in the protocol declaration. File extension must not be included.

   Or alternatively wait a week and I'll commit the updated relayd/httpd config along with the updated docs on how to set it up. I just have to write a redirect for serving media on a subdomain and a forward based on HTTP headers. It's nearly done.