mbrubeck / agate

Very simple server for the Gemini hypertext protocol
Apache License 2.0
585 stars 37 forks

IPv6 as the hostname? #345

Open d47081 opened 5 months ago

d47081 commented 5 months ago

Hello, I get the following error when providing an IPv6 address as the --hostname xxx:xxxx:xxxx:xxxx::xxxx

invalid domain character

In my case there is no need for a domain name because I am using a Yggdrasil address. But I must set up TLS because the Gemini protocol depends on it.

Johann150 commented 5 months ago

An IPv6 address is not a hostname (i.e. domain name), so the error message is correct.

The meaning of the --hostname flag is to check that the request was made to the right host. The flag is optional and if you do not pass it, agate will serve files for any hostname and assume it was correct. Not using the --hostname flag means you have to make a certificate yourself.

I'm not familiar with Yggdrasil so I'm not sure what the reason is for not using a hostname. I'm not sure if it is possible to have a certificate for an IP address, even if it is self signed. At least agate will definitely not generate one for you. So I think you might want to pick a DNS name anyway, if you can.

Alternatively you can come up with a TLS certificate on your own and place it in the certificates directory. See also the README file section on certificates, you would probably want to place the files directly in the certificate directory:

The certificates directory may directly contain a key and certificate pair, this is the default pair used if no other matching keys are present.

d47081 commented 5 months ago

I can launch this server with IPv6 in CN

openssl req -x509 -newkey rsa:4096 -keyout key.rsa -out cert.pem -days 1 -nodes -subj "/CN=IP"

But I can't apply the same certificates to Agate.

Johann150 commented 5 months ago

That command creates a key.rsa and cert.pem file which agate will not read, because it is looking for cert.der and key.der. Further, those files are encoded as PEM (text format, usually recognizable by starting with e.g. -----BEGIN CERTIFICATE-----, and file(1) identifies it as "ASCII text"), but agate uses the DER format (a binary format). This is also mentioned in the README file:

The certificate has to be a X.509 certificate in a DER format file [...].

You can change the certificate to be output in DER format by adding -outform DER. While there is also a -keyform DER option, it seems to be ignored on my system. Instead you can convert the key from PEM to DER using openssl too.

openssl req -x509 -newkey rsa:4096 -keyout key.rsa -out cert.der -outform DER -days 1 -nodes -subj "/CN=IP"
openssl pkey -in key.rsa -outform DER -out key.der
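
Putting the two points above together, here is an added example script (not agate's own code and not posted by anyone in this thread) that produces the cert.der / key.der pair in the form described, and additionally puts the address into a subjectAltName IP entry rather than only the CN. That matters because the standard IP-address check in OpenSSL (X509_check_ip, which is what `openssl verify -verify_ip` and most TLS clients use) only consults SAN iPAddress entries, so a certificate with the address only in the CN never matches. The address 2001:db8::1 (RFC 3849 documentation prefix), the output directory and the helper names are my placeholders; an OpenSSL 1.1.1 or newer on PATH is assumed for -addext.

```shell
#!/bin/sh
# Added example, not agate's own code. Builds a self-signed certificate for a
# literal IP address (assumed placeholder: 2001:db8::1) and writes the
# cert.der / key.der pair that agate reads, then checks the result the way a
# TLS client would. Requires OpenSSL >= 1.1.1 (for -addext).
set -eu

# gen_der_pair ADDRESS OUTDIR DAYS [extra openssl req args...]
# Writes OUTDIR/cert.der and OUTDIR/key.der (both DER, as agate expects).
gen_der_pair() {
    addr=$1; outdir=$2; days=$3; shift 3
    mkdir -p "$outdir"
    # -outform DER applies to the certificate only; the key is still PEM.
    openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
        -subj "/CN=$addr" "$@" \
        -keyout "$outdir/key.pem" -out "$outdir/cert.der" -outform DER
    # Convert the PEM key to DER separately, then drop the PEM copy.
    openssl pkey -in "$outdir/key.pem" -outform DER -out "$outdir/key.der"
    rm -f "$outdir/key.pem"
}

# Address in the CN and in a SAN iPAddress entry: what an IP-only host needs.
make_ip_cert() { gen_der_pair "$1" "$2" "${3:-365}" -addext "subjectAltName=IP:$1"; }

# Address only in the CN: the shape of the certificate discussed above.
make_cn_only_cert() { gen_der_pair "$1" "$2" "${3:-365}"; }

# Return 0 if FILE parses as a DER certificate / DER private key.
is_der_cert() { openssl x509 -inform DER -in "$1" -noout 2>/dev/null; }
is_der_key()  { openssl pkey -inform DER -in "$1" -noout 2>/dev/null; }

# cert_matches_ip CERT_DER ADDRESS
# Return 0 if the standard IP-address check (X509_check_ip) accepts CERT_DER
# for ADDRESS. The self-signed cert is used as its own trust anchor, so the
# only thing that can fail here is the name check.
cert_matches_ip() {
    pem=$(mktemp)
    openssl x509 -inform DER -in "$1" -out "$pem"   # verify wants PEM input
    if openssl verify -CAfile "$pem" -verify_ip "$2" "$pem" 2>/dev/null \
        | grep -q ': OK$'; then rc=0; else rc=1; fi
    rm -f "$pem"
    return $rc
}

main() {
    outdir=${1:-./certificates}
    addr=${2:-2001:db8::1}   # assumed placeholder address
    make_ip_cert "$addr" "$outdir" 365
    is_der_cert "$outdir/cert.der" && is_der_key "$outdir/key.der" \
        && echo "DER certificate and key written to $outdir"
    if cert_matches_ip "$outdir/cert.der" "$addr"; then
        echo "certificate carries SAN IP:$addr"
    else
        echo "certificate does NOT match $addr" >&2; exit 1
    fi
}

# Run only when invoked with arguments, e.g.: sh make_ip_cert.sh ./certificates 2001:db8::1
if [ $# -gt 0 ]; then main "$@"; fi
```

Point the script at agate's certificates directory and the Yggdrasil address; the same cert_matches_ip check run against a CN-only certificate fails, which is the quickest way to tell whether a certificate you generated by hand will satisfy a client's IP-address check.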

d47081 commented 5 months ago

Thanks, I generated a new certificate with the command above, but the solution with IPv6 in the CN does not work :/

"" 00 "TLS error" error:unexpected error: no server certificate chain resolved