Hosting Gemini Capsules via Yggdrasil


Getting a Gemini capsule running on Yggdrasil was harder than I would have thought. The main complexity came from the fact that Gemini has mandatory TLS, combined with Yggdrasil predominantly being bare IPv6 addresses.

I suspect that this would have been no different than hosting a clearnet capsule had I been using Alfis to get an actual domain name, but I haven't set that up.

NOTE: This guide assumes the use of gmid as the server. I have no clue how this works (or doesn't) on any other server.

Prerequisites

This is NOT a guide to setting up Yggdrasil, nor for setting up gmid. I assume you already have a working Yggdrasil setup, as well as know how to run gmid for clearnet capsules.

Self-signed Certificates

First, we need to generate a certificate, as Gemini mandates the use of TLS. As Gemini prefers the use of self-signed certificates, that's what we'll be doing here. If you'd rather use a CA, be aware that many of them don't issue certificates for raw IP addresses.

Note: Apparently, Let's Encrypt has recently started rolling out support for issuing raw IP certificates, though it seems they're only allowed to live for less than a week. Not ideal.

Issuing our first IP Address Certificate

The gencert program provided with gmid doesn't seem to work with raw IP addresses; it just results in a SAN error. Thus, OpenSSL will be used directly. Replace $YGGADDR below with your Yggdrasil address, and $CERTNAME with the base filename for the certificate files:

# Your Yggdrasil address and the base name for the key/cert files (replace both)
YGGADDR="200::"
CERTNAME="yggdrasil"
# Self-signed, valid one year, unencrypted key. The -addext IP SAN is what
# clients actually match against; the CN alone is not enough for an IP host.
# -addext needs OpenSSL 1.1.1 or newer.
openssl req -x509 -nodes -newkey rsa:2048 -days 365 \
    -keyout "${CERTNAME}.key" -out "${CERTNAME}.crt" \
    -subj "/CN=${YGGADDR}" -addext "subjectAltName = IP:${YGGADDR}"

Finally, move the resulting yggdrasil.key and yggdrasil.crt files to your preferred location. I put my gmid keys in /etc/ssl/gmid/.

Configuring gmid

On my clearnet capsule, I'd used a wildcard statement for the listen declaration, but apparently that doesn't fly here. Replace the wildcard with the same IP address as used in the server declaration part. Also, do not surround them with brackets.

Here's an example:

server "200::" {
    listen on 200:: port 1965

    root "/srv/gmi/yggsite"

    cert "/etc/ssl/gmid/yggdrasil.crt"
    key "/etc/ssl/gmid/yggdrasil.key"
}

Relevant GitHub discussion

Start up gmid and you should be able to connect!

As an aside, even though you can't put brackets in gmid's configuration, amfora won't work unless you DO put brackets into the URL:

amfora gemini://[200::]

I'm not sure if this is a problem with gmid or amfora, or how it works on other clients, but I figured I'd note it down here, because I spent an extra twenty minutes thinking this wasn't working just because I stopped using brackets on amfora after gmid told me to.
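Both pitfalls above (the address has to be in the certificate's SAN, and clients accept the bracketed form of the address) can be checked without starting gmid at all. The following Go program is an added example, not code from the original post or from gmid: it builds a self-signed certificate for the constructed placeholder address 200:: with and without an IP SAN (using an Ed25519 key for brevity instead of OpenSSL's RSA default) and runs Go's standard hostname verification against both the bare and the bracketed address.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// makeIPCert builds a self-signed cert for a Yggdrasil address; withSAN decides
// whether the IP also goes into subjectAltName rather than only the CN.
func makeIPCert(ip net.IP, withSAN bool) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: ip.String()},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
	}
	if withSAN {
		tmpl.IPAddresses = []net.IP{ip} // same as -addext "subjectAltName = IP:..."
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// hostMatches applies the client rule: IP hosts match IP SANs only, never the CN.
func hostMatches(cert *x509.Certificate, host string) bool {
	return cert.VerifyHostname(host) == nil
}

func main() {
	for _, san := range []bool{true, false} {
		cert, err := makeIPCert(net.ParseIP("200::"), san) // "200::" is a placeholder address
		if err != nil {
			panic(err)
		}
		fmt.Printf("SAN=%v accepted=%v\n", san, hostMatches(cert, "[200::]"))
	}
}
```

The CN-only certificate is rejected for the IP host even though the CN is correct, which is the same failure the SAN error from gencert points at.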