From b18f8a0970fce67019033657f2a23498e0225a3a Mon Sep 17 00:00:00 2001
From: Dante Catalfamo
Date: Thu, 18 Jun 2020 01:28:57 -0400
Subject: Rename posts content directory to post
---
 content/post/letsencrypt-on-openbsd/index.org | 122 ++++++++++++++++++++++++++
 1 file changed, 122 insertions(+)
 create mode 100644 content/post/letsencrypt-on-openbsd/index.org
(limited to 'content/post/letsencrypt-on-openbsd/index.org')
diff --git a/content/post/letsencrypt-on-openbsd/index.org b/content/post/letsencrypt-on-openbsd/index.org
new file mode 100644
index 0000000..556404b
--- /dev/null
+++ b/content/post/letsencrypt-on-openbsd/index.org
@@ -0,0 +1,122 @@
+#+TITLE: Let's Encrypt on OpenBSD
+#+DATE: 2020-06-16T22:56:27-04:00
+#+DRAFT: false
+#+DESCRIPTION: Setting up acme-client on OpenBSD
+#+TAGS[]: openbsd httpd letsencrypt acme-client
+#+KEYWORDS[]: openbsd httpd letsencrypt acme-client
+#+SLUG:
+#+SUMMARY:
+
+#+ATTR_HTML: :alt Let's Encrypt OpenBSD
+#+ATTR_HTML: :title Let's Encrypt OpenBSD
+[[file:openbsd%20letsencrypt.png]]
+
+So I have an OpenBSD server serving a static website using
+=httpd=. I've been thinking for a while I should add an SSL
+certificate, but never got around to it because it was just a small
+hobby website and it didn't require any real attention.
+
+Today while watching one of the OpenBSD tutorials at BSDCan, I thought
+it was finally time. Since configuring everything else in OpenBSD is
+so easy, this must be easy too, right?
+
+These were the only changes I had to make to my =httpd.conf= to get
+=acme-client= to work. This is described in the =acme-client= man
+page.
+#+BEGIN_SRC diff
+--- httpd.conf
++++ httpd.conf.new
+@@ -1,4 +1,19 @@
+ server "lambda.cx" {
+ listen on * port 80
+ root "/htdocs/lambda.cx"
++ location "/.well-known/acme-challenge/*" {
++ root "/acme"
++ request strip 2
++ }
+ }
+#+END_SRC
+
+After that, I reloaded =httpd= with ~rcctl reload httpd~
+
+I then copied the example config from =/etc/examples/acme-client.conf=
+to =/etc/acme-client=. This is what the modifications to the example I
+made look like.
+
+#+BEGIN_SRC diff
+--- acme-client.conf
++++ acme-client.conf.new
+@@ -1,19 +1,19 @@
+ #
+ # $OpenBSD: acme-client.conf,v 1.2 2019/06/07 08:08:30 florian Exp $
+ #
+ authority letsencrypt {
+ api url "https://acme-v02.api.letsencrypt.org/directory"
+ account key "/etc/acme/letsencrypt-privkey.pem"
+ }
+
+ authority letsencrypt-staging {
+ api url "https://acme-staging-v02.api.letsencrypt.org/directory"
+ account key "/etc/acme/letsencrypt-staging-privkey.pem"
+ }
+
+-domain example.com {
+- alternative names { secure.example.com }
+- domain key "/etc/ssl/private/example.com.key"
+- domain full chain certificate "/etc/ssl/example.com.fullchain.pem"
++domain lambda.cx {
++ # alternative names { www.lambda.cx }
++ domain key "/etc/ssl/private/lambda.cx.key"
++ domain full chain certificate "/etc/ssl/lambda.cx.fullchain.pem"
+ sign with letsencrypt
+ }
+#+END_SRC
+
+It's a pretty small change. I have the alternative name line commented
+out because I only have =lambda.cx= pointing at my server and not
+=www.lambda.cx=. Although if I did I would un-comment it. I could also
+add sub-domains like =sub.lambda.cx= in that area separated by a
+space.
+
+After that I just had to run ~acme-client -v lambda.cx~ (-v for
+verbosity) and it generated the certificates.
+
+Then I added a =crontab= entry (using =crontab -e=) to run once a day
+at a random time and reload =httpd=.
+
+#+BEGIN_SRC
+~ ~ * * * acme-client lambda.cx && rcctl reload httpd
+#+END_SRC
+
+Finally to use the new certificates I added the following lines to my
+=httpd.conf=.
+
+#+BEGIN_SRC diff
+--- httpd.conf
++++ httpd.conf.new
+@@ -1,8 +1,21 @@
+ server "lambda.cx" {
+ listen on * port 80
+ root "/htdocs/lambda.cx"
+ location "/.well-known/acme-challenge/*" {
+ root "/acme"
+ request strip 2
+ }
+ }
++
++server "lambda.cx" {
++ listen on * tls port 443
++ tls {
++ certificate "/etc/ssl/lambda.cx.fullchain.pem"
++ key "/etc/ssl/private/lambda.cx.key"
++ }
++ root "/htdocs/lambda.cx"
++ location "/.well-known/acme-challenge/*" {
++ root "/acme"
++ request strip 2
++ }
++}
+#+END_SRC
+
+I reloaded httpd with ~rcctl reload httpd~ and that was it, working
+certificate!
-- cgit v1.2.3
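Review bot: In the final httpd.conf snippet the original port-80 `server "lambda.cx"` block still serves the whole site in cleartext beside the new TLS block, so a visitor who types the bare hostname never reaches the 443 listener and gets no certificate at all. Since readers will copy this configuration, the post should say that once TLS works the port-80 block can be cut down to the acme-challenge location plus a redirect, as the httpd.conf(5) example does with `location * { block return 302 "https://$SERVER_NAME$REQUEST_URI" }`, leaving `root "/htdocs/lambda.cx"` out of the cleartext server. A short caveat on the crontab line would also help: the `&&` only reloads httpd when acme-client exits 0, i.e. when a certificate was actually renewed, so readers adapting the line should not replace it with `;`.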