author: Dante Catalfamo 2020-06-18 01:28:57 -0400
committer: Dante Catalfamo 2020-06-18 01:28:57 -0400
commit: b18f8a0970fce67019033657f2a23498e0225a3a (patch)
tree: e4ff1b8fbb95dc68aa2f145cf1cee10de87121df /content/post/letsencrypt-on-openbsd/index.org
parent: 91d0904accd6b4156a6704da88203a60975dfbf9 (diff)
Rename posts content directory to post
Diffstat (limited to 'content/post/letsencrypt-on-openbsd/index.org')
-rw-r--r-- content/post/letsencrypt-on-openbsd/index.org | 122 +
1 file changed, 122 insertions(+), 0 deletions(-)
diff --git a/content/post/letsencrypt-on-openbsd/index.org b/content/post/letsencrypt-on-openbsd/index.org
new file mode 100644
index 0000000..556404b
--- /dev/null
+++ b/content/post/letsencrypt-on-openbsd/index.org
@@ -0,0 +1,122 @@
+#+TITLE: Let's Encrypt on OpenBSD
+#+DATE: 2020-06-16T22:56:27-04:00
+#+DRAFT: false
+#+DESCRIPTION: Setting up acme-client on OpenBSD
+#+TAGS[]: openbsd httpd letsencrypt acme-client
+#+KEYWORDS[]: openbsd httpd letsencrypt acme-client
+#+SLUG:
+#+SUMMARY:
+
+#+ATTR_HTML: :alt Let's Encrypt OpenBSD
+#+ATTR_HTML: :title Let's Encrypt OpenBSD
+[[file:openbsd%20letsencrypt.png]]
+
+So I have an OpenBSD server serving a static website using
+=httpd=. I've been thinking for a while I should add an SSL
+certificate, but never got around to it because it was just a small
+hobby website and it didn't require any real attention.
+
+Today while watching one of the OpenBSD tutorials at BSDCan, I thought
+it was finally time. Since configuring everything else in OpenBSD is
+so easy, this must be easy too, right?
+
+These were the only changes I had to make to my =httpd.conf= to get
+=acme-client= to work. This is described in the =acme-client= man
+page.
+#+BEGIN_SRC diff
+--- httpd.conf
++++ httpd.conf.new
+@@ -1,4 +1,19 @@
+ server "lambda.cx" {
+ listen on * port 80
+ root "/htdocs/lambda.cx"
++ location "/.well-known/acme-challenge/*" {
++ root "/acme"
++ request strip 2
++ }
+ }
+#+END_SRC
+
+After that, I reloaded =httpd= with ~rcctl reload httpd~
+
+I then copied the example config from =/etc/examples/acme-client.conf=
+to =/etc/acme-client=. This is what the modifications to the example I
+made look like.
+
+#+BEGIN_SRC diff
+--- acme-client.conf
++++ acme-client.conf.new
+@@ -1,19 +1,19 @@
+ #
+ # $OpenBSD: acme-client.conf,v 1.2 2019/06/07 08:08:30 florian Exp $
+ #
+ authority letsencrypt {
+ api url "https://acme-v02.api.letsencrypt.org/directory"
+ account key "/etc/acme/letsencrypt-privkey.pem"
+ }
+
+ authority letsencrypt-staging {
+ api url "https://acme-staging-v02.api.letsencrypt.org/directory"
+ account key "/etc/acme/letsencrypt-staging-privkey.pem"
+ }
+
+-domain example.com {
+- alternative names { secure.example.com }
+- domain key "/etc/ssl/private/example.com.key"
+- domain full chain certificate "/etc/ssl/example.com.fullchain.pem"
++domain lambda.cx {
++ # alternative names { www.lambda.cx }
++ domain key "/etc/ssl/private/lambda.cx.key"
++ domain full chain certificate "/etc/ssl/lambda.cx.fullchain.pem"
+ sign with letsencrypt
+ }
+#+END_SRC
+
+It's a pretty small change. I have the alternative name line commented
+out because I only have =lambda.cx= pointing at my server and not
+=www.lambda.cx=. Although if I did I would un-comment it. I could also
+add sub-domains like =sub.lambda.cx= in that area separated by a
+space.
+
+After that I just had to run ~acme-client -v lambda.cx~ (-v for
+verbosity) and it generated the certificates.
+
+Then I added a =crontab= entry (using =crontab -e=) to run once a day
+at a random time and reload =httpd=.
+
+#+BEGIN_SRC
+~ ~ * * * acme-client lambda.cx && rcctl reload httpd
+#+END_SRC
+
+Finally to use the new certificates I added the following lines to my
+=httpd.conf=.
+
+#+BEGIN_SRC diff
+--- httpd.conf
++++ httpd.conf.new
+@@ -1,8 +1,21 @@
+ server "lambda.cx" {
+ listen on * port 80
+ root "/htdocs/lambda.cx"
+ location "/.well-known/acme-challenge/*" {
+ root "/acme"
+ request strip 2
+ }
+ }
++
++server "lambda.cx" {
++ listen on * tls port 443
++ tls {
++ certificate "/etc/ssl/lambda.cx.fullchain.pem"
++ key "/etc/ssl/private/lambda.cx.key"
++ }
++ root "/htdocs/lambda.cx"
++ location "/.well-known/acme-challenge/*" {
++ root "/acme"
++ request strip 2
++ }
++}
+#+END_SRC
+
+I reloaded httpd with ~rcctl reload httpd~ and that was it, working
+certificate!
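Review bot: in the final httpd.conf hunk the port-80 server block still serves the whole site in the clear after the TLS server is added, so nothing steers visitors to the new certificate; keep the acme-challenge location in the port-80 server (renewals are answered over plain HTTP) and add a redirect for everything else, e.g. `location * { block return 302 "https://$HTTP_HOST$REQUEST_URI" }`, which is the form httpd.conf(5) uses in its own example. Two smaller points in the same hunk: the prose says the example was copied to `/etc/acme-client`, but acme-client(1) reads `/etc/acme-client.conf` by default, so that path should be corrected; and the crontab line's `&& rcctl reload httpd` relies on acme-client exiting 0 only when certificates actually changed (it exits 2 when nothing was renewed and 1 on error), which is correct and worth stating so readers do not "fix" it into an unconditional reload.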