Diffstat (limited to 'content/posts')
-rw-r--r-- | content/posts/letsencrypt-on-openbsd.org | 115 |
1 files changed, 115 insertions, 0 deletions
diff --git a/content/posts/letsencrypt-on-openbsd.org b/content/posts/letsencrypt-on-openbsd.org new file mode 100644 index 0000000..7b99aad --- /dev/null +++ b/content/posts/letsencrypt-on-openbsd.org 
@@ -0,0 +1,115 @@ +#+TITLE: Letsencrypt on Openbsd +#+DATE: 2020-06-16T22:56:27-04:00 +#+DRAFT: false +#+DESCRIPTION: Setting up acme-client on OpenBSD +#+TAGS[]: openbsd httpd +#+KEYWORDS: +#+SLUG: +#+SUMMARY: + + So I have an OpenBSD server serving a static website using + =httpd=. I've been thinking for a while I should add an SSL + certificate, but never got around to it because it was just a small + hobby website and it didn't require any real attention. + + Today while watching one of the OpenBSD tutorials at BSDCan, I + thought it was finally time. Since configuring everything else in + OpenBSD is so easy, this must be easy too, right? + + These were the only changes I had to make to my =httpd.conf= to get + =acme-client= to work. This is described in the =acme-client= man page. + #+BEGIN_SRC diff +--- httpd.conf Thu Jun 4 19:36:34 2020 ++++ httpd.conf.new Thu Jun 4 19:36:21 2020 +@@ -1,4 +1,19 @@ + server "lambda.cx" { + listen on * port 80 + root "/htdocs/lambda.cx" ++ location "/.well-known/acme-challenge/*" { ++ root "/acme" ++ request strip 2 ++ } ++} + #+END_SRC + + After that, I reloaded =httpd= with ~rcctl reload httpd~ + + I then copies the example config from + =/etc/examples/acme-client.conf= to =/etc/acme-client=. This is + what the modifications to the example I made look like. 
+ #+BEGIN_SRC diff +--- acme-client.conf Thu Jun 4 19:40:29 2020 ++++ acme-client.conf.new Thu Jun 4 19:36:03 2020 +@@ -1,19 +1,19 @@ + # + # $OpenBSD: acme-client.conf,v 1.2 2019/06/07 08:08:30 florian Exp $ + # + authority letsencrypt { + api url "https://acme-v02.api.letsencrypt.org/directory" + account key "/etc/acme/letsencrypt-privkey.pem" + } + + authority letsencrypt-staging { + api url "https://acme-staging-v02.api.letsencrypt.org/directory" + account key "/etc/acme/letsencrypt-staging-privkey.pem" + } + +-domain example.com { +- alternative names { secure.example.com } +- domain key "/etc/ssl/private/example.com.key" +- domain full chain certificate "/etc/ssl/example.com.fullchain.pem" ++domain lambda.cx { ++ # alternative names { www.lambda.cx } ++ domain key "/etc/ssl/private/lambda.cx.key" ++ domain full chain certificate "/etc/ssl/lambda.cx.fullchain.pem" + sign with letsencrypt + } + #+END_SRC + + It's a pretty small change. I have the alternative name line + commented out because I only have =lambda.cx= pointing at my server + and not =www.lambda.cx=. Although if I did I would un-comment it. I + could also add sub-domains like =sub.lambda.cx= in that area + separated by a space. + + After that I just had to run ~acme-client -v lambda.cx~ (-v for + verbosity) and it generated the certificates. + + Then I added a =crontab= entry to run once a day at a random time + and reload =httpd=. + #+BEGIN_SRC +~ ~ * * * acme-client lambda.cx && rcctl reload httpd + #+END_SRC + + Finally to use the new certificates I added the following lines to my + =httpd.conf=. 
+ + #+BEGIN_SRC diff +--- httpd.conf Thu Jun 4 19:52:53 2020 ++++ httpd.conf.new Thu Jun 4 19:52:01 2020 +@@ -1,8 +1,21 @@ + server "lambda.cx" { + listen on * port 80 + root "/htdocs/lambda.cx" + location "/.well-known/acme-challenge/*" { + root "/acme" + request strip 2 + } + } ++ ++server "lambda.cx" { ++ listen on * tls port 443 ++ tls { ++ certificate "/etc/ssl/lambda.cx.fullchain.pem" ++ key "/etc/ssl/private/lambda.cx.key" ++ } ++ root "/htdocs/lambda.cx" ++ location "/.well-known/acme-challenge/*" { ++ root "/acme" ++ request strip 2 ++ } ++} + #+END_SRC + + I reloaded httpd with ~rcctl reload httpd~ and that was it, working + certificate! |
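Review bot: in the last embedded httpd.conf diff the port-80 server block keeps `root "/htdocs/lambda.cx"` next to the new TLS block, so after the certificate is installed the whole site is still served in cleartext on port 80; if the goal is HTTPS-only, the plaintext block could keep only the acme-challenge location and send everything else to the TLS listener with `block return 301 "https://$HTTP_HOST$REQUEST_URI"`, which the httpd.conf(5) macros support. Two smaller points in the prose: "I then copies the example config ... to =/etc/acme-client=" should read "copied", and the file acme-client(1) reads by default is /etc/acme-client.conf, so the destination path looks like it is missing its extension. Finally, the first embedded diff's header `@@ -1,4 +1,19 @@` does not match its body (three context lines plus five additions), and the server block's original closing `}` appears as an added line rather than context, so that snippet would not apply as a patch; since it is only illustrative, showing the finished block instead of a diff would avoid confusing readers who try to apply it.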