From ca9c86e6409c7636d856ee883138f93a257b1ed4 Mon Sep 17 00:00:00 2001
From: Dante Catalfamo
Date: Thu, 18 Jun 2020 16:03:22 -0400
Subject: Try rearranging files for ease of use with `easy-hugo`

---
 content/post/letsencrypt-on-openbsd/index.org | 122 --------------------------
 1 file changed, 122 deletions(-)
 delete mode 100644 content/post/letsencrypt-on-openbsd/index.org

(limited to 'content/post/letsencrypt-on-openbsd/index.org')

diff --git a/content/post/letsencrypt-on-openbsd/index.org b/content/post/letsencrypt-on-openbsd/index.org
deleted file mode 100644
index 556404b..0000000
--- a/content/post/letsencrypt-on-openbsd/index.org
+++ /dev/null
@@ -1,122 +0,0 @@ -#+TITLE: Let's Encrypt on OpenBSD -#+DATE: 2020-06-16T22:56:27-04:00 -#+DRAFT: false -#+DESCRIPTION: Setting up acme-client on OpenBSD -#+TAGS[]: openbsd httpd letsencrypt acme-client -#+KEYWORDS[]: openbsd httpd letsencrypt acme-client -#+SLUG: -#+SUMMARY: - -#+ATTR_HTML: :alt Let's Encrypt OpenBSD -#+ATTR_HTML: :title Let's Encrypt OpenBSD -[[file:openbsd%20letsencrypt.png]] - -So I have an OpenBSD server serving a static website using -=httpd=. I've been thinking for a while I should add an SSL -certificate, but never got around to it because it was just a small -hobby website and it didn't require any real attention. - -Today while watching one of the OpenBSD tutorials at BSDCan, I thought -it was finally time. Since configuring everything else in OpenBSD is -so easy, this must be easy too, right? - -These were the only changes I had to make to my =httpd.conf= to get -=acme-client= to work. This is described in the =acme-client= man -page. -#+BEGIN_SRC diff ---- httpd.conf -+++ httpd.conf.new -@@ -1,4 +1,19 @@ - server "lambda.cx" { - listen on * port 80 - root "/htdocs/lambda.cx" -+ location "/.well-known/acme-challenge/*" { -+ root "/acme" -+ request strip 2 -+ } - } -#+END_SRC - -After that, I reloaded =httpd= with ~rcctl reload httpd~ - -I then copied the example config from =/etc/examples/acme-client.conf= -to =/etc/acme-client=. This is what the modifications to the example I -made look like. 
- -#+BEGIN_SRC diff ---- acme-client.conf -+++ acme-client.conf.new -@@ -1,19 +1,19 @@ - # - # $OpenBSD: acme-client.conf,v 1.2 2019/06/07 08:08:30 florian Exp $ - # - authority letsencrypt { - api url "https://acme-v02.api.letsencrypt.org/directory" - account key "/etc/acme/letsencrypt-privkey.pem" - } - - authority letsencrypt-staging { - api url "https://acme-staging-v02.api.letsencrypt.org/directory" - account key "/etc/acme/letsencrypt-staging-privkey.pem" - } - --domain example.com { -- alternative names { secure.example.com } -- domain key "/etc/ssl/private/example.com.key" -- domain full chain certificate "/etc/ssl/example.com.fullchain.pem" -+domain lambda.cx { -+ # alternative names { www.lambda.cx } -+ domain key "/etc/ssl/private/lambda.cx.key" -+ domain full chain certificate "/etc/ssl/lambda.cx.fullchain.pem" - sign with letsencrypt - } -#+END_SRC - -It's a pretty small change. I have the alternative name line commented -out because I only have =lambda.cx= pointing at my server and not -=www.lambda.cx=. Although if I did I would un-comment it. I could also -add sub-domains like =sub.lambda.cx= in that area separated by a -space. - -After that I just had to run ~acme-client -v lambda.cx~ (-v for -verbosity) and it generated the certificates. - -Then I added a =crontab= entry (using =crontab -e=) to run once a day -at a random time and reload =httpd=. - -#+BEGIN_SRC -~ ~ * * * acme-client lambda.cx && rcctl reload httpd -#+END_SRC - -Finally to use the new certificates I added the following lines to my -=httpd.conf=. 
- -#+BEGIN_SRC diff ---- httpd.conf -+++ httpd.conf.new -@@ -1,8 +1,21 @@ - server "lambda.cx" { - listen on * port 80 - root "/htdocs/lambda.cx" - location "/.well-known/acme-challenge/*" { - root "/acme" - request strip 2 - } - } -+ -+server "lambda.cx" { -+ listen on * tls port 443 -+ tls { -+ certificate "/etc/ssl/lambda.cx.fullchain.pem" -+ key "/etc/ssl/private/lambda.cx.key" -+ } -+ root "/htdocs/lambda.cx" -+ location "/.well-known/acme-challenge/*" { -+ root "/acme" -+ request strip 2 -+ } -+} -#+END_SRC - -I reloaded httpd with ~rcctl reload httpd~ and that was it, working -certificate! -- cgit v1.2.3