chore: update docs

README.md

@@ -13,7 +13,7 @@ EV certificate from Digicert.
 * onion scratch-directory name changes:
   * was: `projects.d/tweep.d/abcdefghijklmnopqrstuvwxyza-v3.d/port-80.sock`
   * now: `projects.d/tweep.d/abcdefghijklmnopqrst-v3.d/port-80.sock`
-  * :warning: this means that some scratch directories may be are remade, 
+  * :warning: this means that some scratch directories may be are remade,
     so a full restart is advisable after updating
 * https certificate path-name changes
   * was: HTTPS certificate files used the full onion address
@@ -22,8 +22,8 @@ EV certificate from Digicert.
     PROJECTNAME:
     * `/projects.d/PROJECTNAME.d/ssl.d/ONIONADDRFIRST20CHAR-v3.onion.cert`
     * `/projects.d/PROJECTNAME.d/ssl.d/ONIONADDRFIRST20CHAR-v3.onion.pem`
-  * :warning: this means that you will need to rename pre-existing certificate 
-    `cert` and `pem` files after you update and reconfigure; 
+  * :warning: this means that you will need to rename pre-existing certificate
+    `cert` and `pem` files after you update and reconfigure;
   * :warning: **if you fail to do this you will experience "self-signed certificate" warnings**
 * if you are using 'multi' certificates (such as some Digicert EV) where a
   single certificate contains all SubjectAltNames for 2+ onion
@@ -40,6 +40,7 @@ If you have any issues, please reach out to @alecmuffett on Twitter, or log an i
 
 ## Primary Supported Platforms
 
+* k8s >= 1.21 on Ubuntu 22.04
 * Ubuntu 20.04LTS, Latest Updates
 * OSX Mojave with Homebrew, Latest Updates
 * Raspbian Stretch/Stretch-Lite, Latest Updates
@@ -55,6 +56,7 @@ NB: bugs should be reported through `Issues`, above.
 
 ### EOTK In the News
 
+* Oct 2022 [Reddit Onion Service Launch](https://www.reddit.com/r/redditsecurity/comments/yd6hqg/reddit_onion_service_launch/)
 * Apr 2021 [The Intercept launches onionsite using EOTK](https://theintercept.com/2021/04/28/tor-browser-onion/)
 * Oct 2020 [Brave browser launches onionsite using EOTK](https://brave.com/new-onion-service/)
 * Oct 2019 [BBC News launches 'dark web' Tor mirror](https://www.bbc.co.uk/news/technology-50150981)

docs.d/HOW-TO-INSTALL.md

@@ -70,7 +70,7 @@ After installation, you can do:
 * `./eotk start wikipedia`
 * `./eotk maps -a` # and connect to one of the onions you've created
 
-Be aware that you will suffer from HTTPS certificate errors 
+Be aware that you will suffer from HTTPS certificate errors
 until you buy a HTTPS certificate.
 
 # Creating HTTPS Certificates for Testing & Development
@@ -97,6 +97,9 @@ certificates. You can [install that certificate into your local copy
 of Tor Browser](/docs.d/ADDING-A-ROOT-CERTIFICATE-TO-TOR-BROWSER.md);
 of course it will not work for anyone else.
 
+Your `mkcert` root cert will be located at `~/.local/share/mkcert/rootCA.pem`
+for the user that ran `mkcert`.
+
 ## Visit `/hello-onion/` URLs
 
 The old solution was/is much more manual: EOTK will use OpenSSL to
@@ -120,19 +123,19 @@ See below.
 
 # Buying a HTTPS Certificate from a Certificate Authority
 
-If you choose to buy an Onion HTTPS certificate from (e.g.) HARICA, 
+If you choose to buy an Onion HTTPS certificate from (e.g.) HARICA,
 what will happen, and what will you need to do?
 
 ## You will need to create a CSR (Certificate Signing Request)
 
 I chose to buy:
 
-* a Server Certificate 
+* a Server Certificate
 * with Domain-Level (DV) Trust
 * with a reasonable duration
-* using the in-browser generated CSR 
+* using the in-browser generated CSR
 * using the ECDSA algorithm at 256 bits
-* **important:** remember the password! 
+* **important:** remember the password!
 * **important:** download the private key!
 
 The HARICA website provides an in-browser method of generating a CSR,
@@ -144,8 +147,8 @@ is offered, and keep it in a safe place.
 If you manually create the CSR on the server, you'll use the 'onionaddress.key' file generated by openssl.
 ## You will need to prove ownership of the site, to the CA
 
-For example: HARICA will tell you that you need to post 
-a secret key at a particular URL on your onion site; 
+For example: HARICA will tell you that you need to post
+a secret key at a particular URL on your onion site;
 the message will read something like:
 
 > Place the file FILENAME to http://ONIONADDRESS.onion/.well-known/pki-validation/
@@ -174,21 +177,21 @@ HARICA has a process of validation which involves generating an onion-csr. You w
 
 ### Optional: what if you have multiple Onion addresses?
 
-You can put multiple `path,value` strings into `ssl_proof_csv`, space-separated; 
+You can put multiple `path,value` strings into `ssl_proof_csv`, space-separated;
 use trailing backslashes to put entries onto separate lines:
 
 ```
 set ssl_proof_csv \
     /.well-known/pki-validation/key1,value1 \
     /.well-known/pki-validation/key2,value2 \
-    /.well-known/pki-validation/key3,value3    
+    /.well-known/pki-validation/key3,value3
 ```
 
 ### Optional: what if your multiple "proof" URLs all have the SAME pathname?
 
 The `ssl_proof_csv` hack works if all the proof URLs are
-different; but if Digicert (or whomever) were to give you the 
-same pathname (e.g. `/.well-known/pki-validation/fileauth.txt`) 
+different; but if Digicert (or whomever) were to give you the
+same pathname (e.g. `/.well-known/pki-validation/fileauth.txt`)
 for _all_ of the onions, what do you do?
 
 Answer: you use "splicing".  If you have onion addresses named
@@ -209,37 +212,82 @@ customise as necessary:
 ...then when you next `eotk config` and `eotk nxreload`, that code
 should be spliced into the correct configuration for each onion.
 
+### Optional: what if you need wildcards? What's the onion-csr process?
+
+If using HARICA and you need to use wildcards because you have subdomains
+on your onion site, you'll need to generate an onion-csr as proof of ownership.
+To do this you'll need the provided CSR nonce and Harica's [onion-csr](https://github.com/HARICA-official/onion-csr) tool
+pointed at the directory containing the hostname and hs_ed25519_public and secret key
+files. This should generate a CSR. Note, a Dockerfile is provided to mount
+your onion secrets directory in to generate.
+
+
 ## You will need to install the certificates for your project
 
-For each certificate, HARICA will offer you several files to download; 
-download the "PEM Bundle" file and copy it to your EOTK server. 
+For each certificate, HARICA will offer you several files to download;
+download the "PEM Bundle" file and copy it to your EOTK server.
 Also: copy the `privateKey.pem` file (mentioned above) to the EOTK server.
 
-Next, change Directory into `~/eotk/projects.d/PROJECTNAME.d/ssl.d`; 
+Next, change Directory into `~/eotk/projects.d/PROJECTNAME.d/ssl.d`;
 you should see your development certificates, which will look like:
 
+**This section updated for v3 onion addresses**
+
 ```
 $ ls
-ONIONADDRESS.onion.cert
-ONIONADDRESS.onion.pem
+ONIONADDRESS[:20]-v3.cert
+ONIONADDRESS[:20]-v3.pem
 ```
 
 There are two steps to installation:
 
-Step 1: copy the PEM Bundle file from HARICA, on top of `ONIONADDRESS.onion.cert`
+Step 1: copy the PEM Bundle file from HARICA, on top of `ONIONADDRESSTRUNCATED-v3.cert`
 
 Step 2: unlock and extract (or rename) the private key, by doing:
 
-`openssl ec -in privateKey.pem -out ONIONADDRESS.onion.pem`
+`openssl ec -in privateKey.pem -out ONIONADDRESSTRUNCATED-v3.pem`
 
-...and typing in the password that you chose during the CSR setup, earlier; 
-if you chose to use RSA as the algorithm, you will need to use 
+...and typing in the password that you chose during the CSR setup, earlier;
+if you chose to use RSA as the algorithm, you will need to use
 `openssl rsa ...` instead.
 
 If you manually created the CSR, then rename the 'onionaddress.key' file
-the CSR generated to 'onionaddress.onion.pem'.
+the CSR generated to 'ONIONADDRESSTRUNCATED-v3.pem'.
 
-Then: change directory back to the EOTK directory, 
+## You will need to add the 2015 CA cert for HARICA
+
+https://chris.partridge.tech/2022/untrusted-harica-onion-certificates/
+
+Append this certificate to the end of your HARICA issued certs to resolve their
+2021 root CA not being broadly available in OS device trust stores.
+
+```
+Subject: CN=HARICA TLS ECC Root CA 2021,O=Hellenic Academic and Research Institutions CA,C=GR
+Issuer: CN=Hellenic Academic and Research Institutions ECC RootCA 2015,O=Hellenic Academic and Research Institutions Cert. Authority,L=Athens,C=GR
+-----BEGIN CERTIFICATE-----
+MIIDezCCAwGgAwIBAgIQcWAnyIV6c1Qt71FsHC7rDzAKBggqhkjOPQQDAzCBqjEL
+MAkGA1UEBhMCR1IxDzANBgNVBAcTBkF0aGVuczFEMEIGA1UEChM7SGVsbGVuaWMg
+QWNhZGVtaWMgYW5kIFJlc2VhcmNoIEluc3RpdHV0aW9ucyBDZXJ0LiBBdXRob3Jp
+dHkxRDBCBgNVBAMTO0hlbGxlbmljIEFjYWRlbWljIGFuZCBSZXNlYXJjaCBJbnN0
+aXR1dGlvbnMgRUNDIFJvb3RDQSAyMDE1MB4XDTIxMDkwMjA3NDQzN1oXDTI5MDgz
+MTA3NDQzNlowbDELMAkGA1UEBhMCR1IxNzA1BgNVBAoMLkhlbGxlbmljIEFjYWRl
+bWljIGFuZCBSZXNlYXJjaCBJbnN0aXR1dGlvbnMgQ0ExJDAiBgNVBAMMG0hBUklD
+QSBUTFMgRUNDIFJvb3QgQ0EgMjAyMTB2MBAGByqGSM49AgEGBSuBBAAiA2IABDgI
+/rGgltJ6rK9JOtDA4MM7KKrxcm1lAEeIhPyaJmuqS7psBAqIXhfyVYf8MLA04jRY
+VxqEU+kw2anylnTDUR9YSTHMmE5gEYd103KUkE+bECUqqHgtvpBBWJAVcqeht6OC
+AScwggEjMA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAUtCILgpkkAQ6cu+QO
+/b/7lyCTmSowTwYIKwYBBQUHAQEEQzBBMD8GCCsGAQUFBzAChjNodHRwOi8vcmVw
+by5oYXJpY2EuZ3IvY2VydHMvSGFyaWNhRUNDUm9vdENBMjAxNS5jcnQwEQYDVR0g
+BAowCDAGBgRVHSAAMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATA9BgNV
+HR8ENjA0MDKgMKAuhixodHRwOi8vY3JsLmhhcmljYS5nci9IYXJpY2FFQ0NSb290
+Q0EyMDE1LmNybDAdBgNVHQ4EFgQUyRtTgRL+BNUW0aq8mm+3oJUZbsowDgYDVR0P
+AQH/BAQDAgGGMAoGCCqGSM49BAMDA2gAMGUCMQCPc45gQV6pCkMR4px3k+YnF0Mo
+DpXQ0+0lWz7fnplqgHn+qHmoKrE5Y/bcWucG6QQCMB/DIYjUTGAl5j07G7ZIuK3Q
+ehx68VPXTwvJ9tLbh9A9SkiBmJGpiHL7Rzfxa5CptQ==
+-----END CERTIFICATE-----
+```
+
+Then: change directory back to the EOTK directory,
 and do `eotk nxreload projectname`, and test it.
 
 # Configuring Start-On-Boot, And Logfile Compression
@@ -477,7 +525,7 @@ contributory factor to this issue.
 
 ##  OnionBalance And Load-Balancing
 
-*NEW FOR 2019:* 
+*NEW FOR 2019:*
 OnionBalance as-of June 2019 is an flaky piece of software which is
 hard to run on modern Linux because an stale python crypto library;
 more than 90% of Onion sites will not practically need it - or, not