New lightweight Let's Encrypt client

Thanks and sorry, but I still don't understand. I have read the section multiple times and can't find any clue where to download the missing ualpn binary needed for the tls-alpn-01 challenge.

At the end of the "UALPN(1) Manual Page" I can read that "This file is part of uacme."
I expected ualpn to be included in the uacme openwrt package but it's not.

Can it be related to this buildbot issue https://githubhelp.com/ndilieto/uacme/issues/23
or does the correct way include installing some related package first (mbedtls-util, libmbedtls12 or libuhttpd-mbedtls)?
I use very few additional openwrt packages, so maybe I don't correctly understand the relations between them. Sorry if my question is too dumb.

See the GitHub repository for uacme...

It's all there.

For whatever reason, the maintainer of the openwrt uacme package decided to configure it without ualpn. Maybe you should contact them.

https://git.openwrt.org/?p=feed/packages.git;a=blob;f=net/uacme/Makefile;h=55ce59f81144f54617ceb0bf0aeeb468b1e5e48c;hb=refs/heads/openwrt-21.02#l67


Thanks for confirming the uacme package is incomplete.
Unfortunately I don't know how to properly contact the openwrt devs and ask them to fix the package.

I'm not happy because I wanted to test your solution after several tries to use the acme script for my scenario. My complementary acme script, based on a dynamic webserver stop + changing params + restart, hasn't proven very stable, so I'm still looking for a better solution.

Did you see this? https://github.com/acmesh-official/acme.sh/blob/master/dnsapi/dns_freedns.sh

Linked from https://freedns.afraid.org/faq/#17

Thanks a lot man, will definitely check it out.
I remember a few years ago (when I started with acme) updating DNS records was strictly limited to top-level (paid) freedns domains.
If the script now also works for free subdomains it could be the best solution for me.

After a quick (manual curl string) test it seems that nothing has changed in the meantime in the freedns policy regarding TXT record updates in DNS.
"Creation of records beginning with '_' are presently restricted to the domain owner"

So I'm back to the start, will experiment with uacme for a while and probably create an issue on the openwrt github for the developers regarding the uacme package supporting the challenge on port 443.

That shouldn't be difficult...

PKG_MAINTAINER:=Lucian Cristian <lucian.cristian@gmail.com>

Quite busy these days, so can't promise any fixing...

Please take your time, it's not urgent...
I really like your complementary script run-uacme supporting the http-01 challenge on openwrt, it seems very nice & clean. If you succeed in adding support for the tls-alpn-01 challenge, it will be perfect.

I would not push this, but my stupid ISP is blocking port 80 because of some security hole in its routers, so http-01 is not working for me.

@ndilieto updated mbedtls to 2.28.0 but on mips I get

uacme.c: In function 'alt_parse':
uacme.c:1335:36: warning: comparison of integer expressions of different signedness: 'long int' and 'unsigned int' [-Wsign-compare]
 1335 |     if (*endptr == 0 && l > 0 && l < UINT_MAX) {
      |                                    ^
mv -f .deps/uacme-read-file.Tpo .deps/uacme-read-file.Po
mv -f .deps/uacme-msg.Tpo .deps/uacme-msg.Po
mv -f .deps/ualpn-log.Tpo .deps/ualpn-log.Po
mv -f .deps/uacme-curlwrap.Tpo .deps/uacme-curlwrap.Po
mv -f .deps/ualpn-base64.Tpo .deps/ualpn-base64.Po
mv -f .deps/uacme-base64.Tpo .deps/uacme-base64.Po
mv -f .deps/uacme-json.Tpo .deps/uacme-json.Po
mv -f .deps/uacme-uacme.Tpo .deps/uacme-uacme.Po
{standard input}: Assembler messages:
{standard input}:1114: Error: opcode not supported on this processor: mips2 (mips2) `sync'
{standard input}:1125: Error: opcode not supported on this processor: mips2 (mips2) `sync'
{standard input}:1131: Error: opcode not supported on this processor: mips2 (mips2) `sync'
{standard input}:1139: Error: opcode not supported on this processor: mips2 (mips2) `sync'
{standard input}:2242: Error: opcode not supported on this processor: mips2 (mips2) `sync'
mv -f .deps/uacme-crypto.Tpo .deps/uacme-crypto.Po
mipsel-openwrt-linux-musl-gcc  -Wall -Wextra -pedantic -fno-strict-aliasing -Os -pipe -mno-branch-likely -mips32r2 -mtune=24kc -fno-caller-saves -fno-plt -fhonour-copts -Wno-error=unused-but-set-variable -Wno-error=unused-result -msoft-float -mips16 -minterlink-mips16 -fmacro-prefix-map=/home/build/erx/build_dir/target-mipsel_24kc_musl/uacme-upstream-1.7.1=uacme-upstream-1.7.1 -Wformat -Werror=format-security -fstack-protector -D_FORTIFY_SOURCE=1 -Wl,-z,now -Wl,-z,relro  -L/home/build/erx/staging_dir/target-mipsel_24kc_musl/usr/lib  -L/home/build/erx/staging_dir/toolchain-mipsel_24kc_gcc-11.2.0_musl/usr/lib -L/home/build/erx/staging_dir/toolchain-mipsel_24kc_gcc-11.2.0_musl/lib -znow -zrelro -Wl,--gc-sections,--as-needed   -o uacme uacme-uacme.o uacme-base64.o uacme-crypto.o uacme-curlwrap.o uacme-json.o uacme-msg.o uacme-read-file.o -lcurl  -lmbedtls -lmbedx509 -lmbedcrypto
{standard input}:3618: Error: opcode not supported on this processor: mips2 (mips2) `sync'
{standard input}:3644: Error: opcode not supported on this processor: mips2 (mips2) `sync'
{standard input}:4117: Error: opcode not supported on this processor: mips2 (mips2) `sync'
{standard input}:4187: Error: opcode not supported on this processor: mips2 (mips2) `sync'
{standard input}:4247: Error: opcode not supported on this processor: mips2 (mips2) `sync'
{standard input}:4266: Error: opcode not supported on this processor: mips2 (mips2) `sync'
{standard input}:4295: Error: opcode not supported on this processor: mips2 (mips2) `sync'
{standard input}:4313: Error: opcode not supported on this processor: mips2 (mips2) `sync'
{standard input}:6897: Error: opcode not supported on this processor: mips2 (mips2) `sync'
{standard input}:7027: Error: opcode not supported on this processor: mips2 (mips2) `sync'
{standard input}:8406: Error: opcode not supported on this processor: mips2 (mips2) `sync'
{standard input}:8654: Error: opcode not supported on this processor: mips2 (mips2) `sync'
{standard input}:9361: Error: opcode not supported on this processor: mips2 (mips2) `sync'
make[4]: *** [Makefile:612: libev/ev.o] Error 1
make[4]: *** Waiting for unfinished jobs....
mv -f .deps/ualpn-ualpn.Tpo .deps/ualpn-ualpn.Po
make[4]: Leaving directory '/home/build/erx/build_dir/target-mipsel_24kc_musl/uacme-upstream-1.7.1'

On arm it compiles. Do I have to enable something more on mbedtls?

Looks like libev has a bug on MIPS. You probably need to patch it similarly

https://www.mail-archive.com/libev@lists.schmorp.de/msg02166.html

Edit: I see that openwrt has also its own libev package, which may already be patched. You might be better off adding that as a dependency of uacme, so that the configure script will prefer it to the libev sources included in uacme's distribution.

Edit2: I checked openwrt's libev, and it is built using PKG_USE_MIPS16:=0. You can either add that to uacme, or declare libev as a dependency. I think the latter is better, so you save space if other packages already need libev.

I guess I'll add PKG_USE_MIPS16:=0, as libev is used only by a few packages; both options seem to be ok.

If you use uacme's local libev, it will be linked statically and will not be usable by any other package. That is why it is preferable to add libev as a dependency.

I'll see how the overall flash usage compares between static and dynamic linking.
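To show where the two fixes discussed above would actually go in an OpenWrt package recipe, here is an added illustration. It is not the real net/uacme Makefile from the OpenWrt packages feed (linked earlier in the thread) and not the project's own code; the package metadata, the dependency names other than libev, and the install recipe are assumptions for the sake of the example. Only the version 1.7.1 and PKG_USE_MIPS16:=0 come from the thread.

```makefile
# Added illustration, not the OpenWrt feed's net/uacme Makefile: a trimmed
# package recipe showing where the two MIPS libev fixes from the thread belong.
# Metadata, non-libev dependency names and the install recipe are assumptions.
include $(TOPDIR)/rules.mk

PKG_NAME:=uacme
PKG_VERSION:=1.7.1
PKG_RELEASE:=1

# Option A: build this package without MIPS16, the same way OpenWrt builds its
# own libev package, so the `sync` barriers in the bundled libev assemble on
# mips32r2. Package-level PKG_* knobs are set before package.mk is included.
PKG_USE_MIPS16:=0

include $(INCLUDE_DIR)/package.mk

define Package/uacme
  SECTION:=net
  CATEGORY:=Network
  TITLE:=Lightweight ACME client (uacme + ualpn)
  URL:=https://github.com/ndilieto/uacme
  # Option B (preferred in the thread): depend on OpenWrt's shared libev so
  # ualpn links against it instead of the statically linked bundled copy.
  # In practice one of the two options is enough; both are shown here.
  DEPENDS:=+libcurl +libmbedtls +libev
endef

# ualpn has to be shipped next to uacme, otherwise tls-alpn-01 cannot be used
# on a router whose ISP blocks port 80 (the situation described in the thread).
define Package/uacme/install
	$(INSTALL_DIR) $(1)/usr/bin
	$(INSTALL_BIN) $(PKG_BUILD_DIR)/uacme $(1)/usr/bin/
	$(INSTALL_BIN) $(PKG_BUILD_DIR)/ualpn $(1)/usr/bin/
endef

$(eval $(call BuildPackage,uacme))
```

The install stanza is the part that addresses the original complaint: a package that builds ualpn but does not install it leaves the tls-alpn-01 responder missing on the device even though the manual page says it is part of uacme.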
