From 81429bfe92bbbbff1a5dae66db0bdb652143b439 Mon Sep 17 00:00:00 2001
From: Dante Catalfamo
Date: Wed, 17 Jun 2020 17:00:25 -0400
Subject: Add image to openbsd letsencrypt post
---
content/posts/letsencrypt-on-openbsd.org | 118 --------------------
content/posts/letsencrypt-on-openbsd/index.org | 120 +++++++++++++++++++++
.../letsencrypt-on-openbsd/openbsd letsencrypt.png | Bin 0 -> 62340 bytes
3 files changed, 120 insertions(+), 118 deletions(-)
delete mode 100644 content/posts/letsencrypt-on-openbsd.org
create mode 100644 content/posts/letsencrypt-on-openbsd/index.org
create mode 100644 content/posts/letsencrypt-on-openbsd/openbsd letsencrypt.png
(limited to 'content/posts')
diff --git a/content/posts/letsencrypt-on-openbsd.org b/content/posts/letsencrypt-on-openbsd.org
deleted file mode 100644
index 155042e..0000000
--- a/content/posts/letsencrypt-on-openbsd.org
+++ /dev/null
@@ -1,118 +0,0 @@
-#+TITLE: Let's Encrypt on OpenBSD
-#+DATE: 2020-06-16T22:56:27-04:00
-#+DRAFT: false
-#+DESCRIPTION: Setting up acme-client on OpenBSD
-#+TAGS[]: openbsd httpd letsencrypt acme-client
-#+KEYWORDS[]: openbsd httpd letsencrypt acme-client
-#+SLUG:
-#+SUMMARY:
-
-So I have an OpenBSD server serving a static website using
-=httpd=. I've been thinking for a while I should add an SSL
-certificate, but never got around to it because it was just a small
-hobby website and it didn't require any real attention.
-
-Today while watching one of the OpenBSD tutorials at BSDCan, I thought
-it was finally time. Since configuring everything else in OpenBSD is
-so easy, this must be easy too, right?
-
-These were the only changes I had to make to my =httpd.conf= to get
-=acme-client= to work. This is described in the =acme-client= man
-page.
-#+BEGIN_SRC diff
---- httpd.conf
-+++ httpd.conf.new
-@@ -1,4 +1,19 @@
- server "lambda.cx" {
- listen on * port 80
- root "/htdocs/lambda.cx"
-+ location "/.well-known/acme-challenge/*" {
-+ root "/acme"
-+ request strip 2
-+ }
-+}
-#+END_SRC
-
-After that, I reloaded =httpd= with ~rcctl reload httpd~
-
-I then copies the example config from =/etc/examples/acme-client.conf=
-to =/etc/acme-client=. This is what the modifications to the example I
-made look like.
-
-#+BEGIN_SRC diff
---- acme-client.conf
-+++ acme-client.conf.new
-@@ -1,19 +1,19 @@
- #
- # $OpenBSD: acme-client.conf,v 1.2 2019/06/07 08:08:30 florian Exp $
- #
- authority letsencrypt {
- api url "https://acme-v02.api.letsencrypt.org/directory"
- account key "/etc/acme/letsencrypt-privkey.pem"
- }
- 
- authority letsencrypt-staging {
- api url "https://acme-staging-v02.api.letsencrypt.org/directory"
- account key "/etc/acme/letsencrypt-staging-privkey.pem"
- }
- 
--domain example.com {
-- alternative names { secure.example.com }
-- domain key "/etc/ssl/private/example.com.key"
-- domain full chain certificate "/etc/ssl/example.com.fullchain.pem"
-+domain lambda.cx {
-+ # alternative names { www.lambda.cx }
-+ domain key "/etc/ssl/private/lambda.cx.key"
-+ domain full chain certificate "/etc/ssl/lambda.cx.fullchain.pem"
- sign with letsencrypt
- }
-#+END_SRC
-
-It's a pretty small change. I have the alternative name line commented
-out because I only have =lambda.cx= pointing at my server and not
-=www.lambda.cx=. Although if I did I would un-comment it. I could also
-add sub-domains like =sub.lambda.cx= in that area separated by a
-space.
-
-After that I just had to run ~acme-client -v lambda.cx~ (-v for
-verbosity) and it generated the certificates.
-
-Then I added a =crontab= entry (using =crontab -e=) to run once a day
-at a random time and reload =httpd=.
-
-#+BEGIN_SRC
-~ ~ * * * acme-client lambda.cx && rcctl reload httpd
-#+END_SRC
-
-Finally to use the new certificates I added the following lines to my
-=httpd.conf=.
-
-#+BEGIN_SRC diff
---- httpd.conf
-+++ httpd.conf.new
-@@ -1,8 +1,21 @@
- server "lambda.cx" {
- listen on * port 80
- root "/htdocs/lambda.cx"
- location "/.well-known/acme-challenge/*" {
- root "/acme"
- request strip 2
- }
- }
-+
-+server "lambda.cx" {
-+ listen on * tls port 443
-+ tls {
-+ certificate "/etc/ssl/lambda.cx.fullchain.pem"
-+ key "/etc/ssl/private/lambda.cx.key"
-+ }
-+ root "/htdocs/lambda.cx"
-+ location "/.well-known/acme-challenge/*" {
-+ root "/acme"
-+ request strip 2
-+ }
-+}
-#+END_SRC
-
-I reloaded httpd with ~rcctl reload httpd~ and that was it, working
-certificate!
diff --git a/content/posts/letsencrypt-on-openbsd/index.org b/content/posts/letsencrypt-on-openbsd/index.org
new file mode 100644
index 0000000..dfcbff3
--- /dev/null
+++ b/content/posts/letsencrypt-on-openbsd/index.org
@@ -0,0 +1,120 @@
+#+TITLE: Let's Encrypt on OpenBSD
+#+DATE: 2020-06-16T22:56:27-04:00
+#+DRAFT: false
+#+DESCRIPTION: Setting up acme-client on OpenBSD
+#+TAGS[]: openbsd httpd letsencrypt acme-client
+#+KEYWORDS[]: openbsd httpd letsencrypt acme-client
+#+SLUG:
+#+SUMMARY:
+
+[[file:openbsd%20letsencrypt.png]]
+
+So I have an OpenBSD server serving a static website using
+=httpd=. I've been thinking for a while I should add an SSL
+certificate, but never got around to it because it was just a small
+hobby website and it didn't require any real attention.
+
+Today while watching one of the OpenBSD tutorials at BSDCan, I thought
+it was finally time. Since configuring everything else in OpenBSD is
+so easy, this must be easy too, right?
+
+These were the only changes I had to make to my =httpd.conf= to get
+=acme-client= to work. This is described in the =acme-client= man
+page.
+#+BEGIN_SRC diff
+--- httpd.conf
++++ httpd.conf.new
+@@ -1,4 +1,19 @@
+ server "lambda.cx" {
+ listen on * port 80
+ root "/htdocs/lambda.cx"
++ location "/.well-known/acme-challenge/*" {
++ root "/acme"
++ request strip 2
++ }
++}
+#+END_SRC
+
+After that, I reloaded =httpd= with ~rcctl reload httpd~
+
+I then copies the example config from =/etc/examples/acme-client.conf=
+to =/etc/acme-client=. This is what the modifications to the example I
+made look like.
+
+#+BEGIN_SRC diff
+--- acme-client.conf
++++ acme-client.conf.new
+@@ -1,19 +1,19 @@
+ #
+ # $OpenBSD: acme-client.conf,v 1.2 2019/06/07 08:08:30 florian Exp $
+ #
+ authority letsencrypt {
+ api url "https://acme-v02.api.letsencrypt.org/directory"
+ account key "/etc/acme/letsencrypt-privkey.pem"
+ }
+ 
+ authority letsencrypt-staging {
+ api url "https://acme-staging-v02.api.letsencrypt.org/directory"
+ account key "/etc/acme/letsencrypt-staging-privkey.pem"
+ }
+ 
+-domain example.com {
+- alternative names { secure.example.com }
+- domain key "/etc/ssl/private/example.com.key"
+- domain full chain certificate "/etc/ssl/example.com.fullchain.pem"
++domain lambda.cx {
++ # alternative names { www.lambda.cx }
++ domain key "/etc/ssl/private/lambda.cx.key"
++ domain full chain certificate "/etc/ssl/lambda.cx.fullchain.pem"
+ sign with letsencrypt
+ }
+#+END_SRC
+
+It's a pretty small change. I have the alternative name line commented
+out because I only have =lambda.cx= pointing at my server and not
+=www.lambda.cx=. Although if I did I would un-comment it. I could also
+add sub-domains like =sub.lambda.cx= in that area separated by a
+space.
+
+After that I just had to run ~acme-client -v lambda.cx~ (-v for
+verbosity) and it generated the certificates.
+
+Then I added a =crontab= entry (using =crontab -e=) to run once a day
+at a random time and reload =httpd=.
+
+#+BEGIN_SRC
+~ ~ * * * acme-client lambda.cx && rcctl reload httpd
+#+END_SRC
+
+Finally to use the new certificates I added the following lines to my
+=httpd.conf=.
+
+#+BEGIN_SRC diff
+--- httpd.conf
++++ httpd.conf.new
+@@ -1,8 +1,21 @@
+ server "lambda.cx" {
+ listen on * port 80
+ root "/htdocs/lambda.cx"
+ location "/.well-known/acme-challenge/*" {
+ root "/acme"
+ request strip 2
+ }
+ }
++
++server "lambda.cx" {
++ listen on * tls port 443
++ tls {
++ certificate "/etc/ssl/lambda.cx.fullchain.pem"
++ key "/etc/ssl/private/lambda.cx.key"
++ }
++ root "/htdocs/lambda.cx"
++ location "/.well-known/acme-challenge/*" {
++ root "/acme"
++ request strip 2
++ }
++}
+#+END_SRC
+
+I reloaded httpd with ~rcctl reload httpd~ and that was it, working
+certificate!
diff --git a/content/posts/letsencrypt-on-openbsd/openbsd letsencrypt.png b/content/posts/letsencrypt-on-openbsd/openbsd letsencrypt.png
new file mode 100644
index 0000000..f805be0
Binary files /dev/null and b/content/posts/letsencrypt-on-openbsd/openbsd letsencrypt.png differ
-- 
cgit v1.2.3