#+TITLE: Letsencrypt on Openbsd
#+DATE: 2020-06-16T22:56:27-04:00
#+DRAFT: false
#+DESCRIPTION: Setting up acme-client on OpenBSD
#+TAGS[]: openbsd httpd
#+KEYWORDS:
#+SLUG:
#+SUMMARY:

So I have an OpenBSD server serving a static website using =httpd=. I've been thinking for a while that I should add a TLS certificate, but never got around to it because it was just a small hobby website and it didn't require any real attention. Today, while watching one of the OpenBSD tutorials at BSDCan, I thought it was finally time. Since configuring everything else in OpenBSD is so easy, this must be easy too, right?

These were the only changes I had to make to my =httpd.conf= to get =acme-client= to work; the same location block is shown in the acme-client(1) man page. Note that =root "/acme"= is resolved inside httpd's chroot (=/var/www= by default), so challenge files are served from =/var/www/acme=, which is the directory acme-client writes them to.

#+BEGIN_SRC diff
--- httpd.conf	Thu Jun  4 19:36:34 2020
+++ httpd.conf.new	Thu Jun  4 19:36:21 2020
@@ -1,4 +1,19 @@
 server "lambda.cx" {
 	listen on * port 80
 	root "/htdocs/lambda.cx"
+	location "/.well-known/acme-challenge/*" {
+		root "/acme"
+		request strip 2
+	}
+}
#+END_SRC

After that, I reloaded =httpd= with ~rcctl reload httpd~.

I then copied the example config from =/etc/examples/acme-client.conf= to =/etc/acme-client.conf=. This is what my modifications to the example look like.

#+BEGIN_SRC diff
--- acme-client.conf	Thu Jun  4 19:40:29 2020
+++ acme-client.conf.new	Thu Jun  4 19:36:03 2020
@@ -1,19 +1,19 @@
 #
 # $OpenBSD: acme-client.conf,v 1.2 2019/06/07 08:08:30 florian Exp $
 #
 authority letsencrypt {
 	api url "https://acme-v02.api.letsencrypt.org/directory"
 	account key "/etc/acme/letsencrypt-privkey.pem"
 }
 
 authority letsencrypt-staging {
 	api url "https://acme-staging-v02.api.letsencrypt.org/directory"
 	account key "/etc/acme/letsencrypt-staging-privkey.pem"
 }
 
-domain example.com {
-	alternative names { secure.example.com }
-	domain key "/etc/ssl/private/example.com.key"
-	domain full chain certificate "/etc/ssl/example.com.fullchain.pem"
+domain lambda.cx {
+	# alternative names { www.lambda.cx }
+	domain key "/etc/ssl/private/lambda.cx.key"
+	domain full chain certificate "/etc/ssl/lambda.cx.fullchain.pem"
 	sign with letsencrypt
 }
#+END_SRC

It's a pretty small change. I have the =alternative names= line commented out because only =lambda.cx= points at my server, not =www.lambda.cx=; if it did, I would un-comment it. Other sub-domains such as =sub.lambda.cx= could be added inside the same braces, separated by spaces.

After that I just had to run ~acme-client -v lambda.cx~ (=-v= for verbose output) and it generated the certificate, creating the account key and domain key along the way since they did not exist yet. Then I added a =crontab= entry to run once a day at a random time and reload =httpd=. OpenBSD's cron(8) picks a random value for a field given as =~=, and the =&&= means httpd is only reloaded when acme-client exits 0, which it does only when it actually wrote a new certificate (it exits 2 when the certificate is not yet due for renewal).

#+BEGIN_SRC
~ ~ * * * acme-client lambda.cx && rcctl reload httpd
#+END_SRC

Finally, to use the new certificate I added the following lines to my =httpd.conf=.

#+BEGIN_SRC diff
--- httpd.conf	Thu Jun  4 19:52:53 2020
+++ httpd.conf.new	Thu Jun  4 19:52:01 2020
@@ -1,8 +1,21 @@
 server "lambda.cx" {
 	listen on * port 80
 	root "/htdocs/lambda.cx"
 	location "/.well-known/acme-challenge/*" {
 		root "/acme"
 		request strip 2
 	}
 }
+
+server "lambda.cx" {
+	listen on * tls port 443
+	tls {
+		certificate "/etc/ssl/lambda.cx.fullchain.pem"
+		key "/etc/ssl/private/lambda.cx.key"
+	}
+	root "/htdocs/lambda.cx"
+	location "/.well-known/acme-challenge/*" {
+		root "/acme"
+		request strip 2
+	}
+}
#+END_SRC

I reloaded httpd with ~rcctl reload httpd~ and that was it: a working certificate!
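Review bot: in the acme-client.conf hunk, the new =domain lambda.cx= block signs with the production =letsencrypt= authority on its very first run, while the =letsencrypt-staging= authority kept above it exists precisely so the httpd challenge path can be tested without counting against Let's Encrypt's issuance rate limits. A safer sequence is =sign with letsencrypt-staging= for the first =acme-client -v lambda.cx=, then switch the line to =sign with letsencrypt= and re-run with =acme-client -F= to force a real certificate. Also keep the =# alternative names { www.lambda.cx }= line commented unless that name really resolves to this host: every listed name is validated, and one failed validation fails the whole order.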
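Review bot: in the second httpd.conf hunk, the =location "/.well-known/acme-challenge/*"= block copied into the =tls port 443= server is unnecessary: acme-client's HTTP-01 challenge is fetched over plain HTTP on port 80, so only the first server needs it, and the copy can be dropped. The port 80 server would be more useful answering the challenge path and redirecting everything else to HTTPS, as in the httpd.conf(5) example, e.g. =location * { block return 302 "https://$HTTP_HOST$REQUEST_URI" }= after the challenge location, so visitors stop using the plaintext site once the certificate is in place.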
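As an added example (not code from the original post, and not part of OpenBSD), here is a small POSIX sh wrapper that does what the crontab line above does but makes the exit-status handling explicit. It relies on the status values documented in acme-client(1): 0 when a certificate was written, 1 on error, 2 when nothing needed renewing. The bare =acme-client lambda.cx && rcctl reload httpd= reloads only on 0, which is right, but an exit of 1 goes unnoticed until the certificate expires; the wrapper logs it instead. It also carries a helper showing where =root "/acme"= plus =request strip 2= sends an HTTP-01 request inside httpd's =/var/www= chroot. The =ACME_CLIENT=, =RCCTL= and =CHROOT= override variables and the =acme-renew= logger tag are assumptions introduced so the logic can be exercised without OpenBSD tools present.

```shell
#!/bin/sh
# renew.sh: added example wrapper for the cron job in this post (not the post's own code).
# acme-client(1) exit status: 0 = certificate changed, 1 = error, 2 = nothing to do.
# "acme-client lambda.cx && rcctl reload httpd" reloads only on 0, but an exit of 1
# is silently dropped by cron; this wrapper logs it so a broken renewal is noticed.

DOMAIN="${DOMAIN:-lambda.cx}"
# Assumed override hooks (not from the post) so the logic can run without acme-client/rcctl.
ACME_CLIENT="${ACME_CLIENT:-acme-client}"
RCCTL="${RCCTL:-rcctl}"
CHROOT="${CHROOT:-/var/www}"     # httpd(8) chroots here by default

# challenge_path URI: the file httpd serves for an HTTP-01 request, given the
# location block  root "/acme" + request strip 2.  "strip 2" drops the first two
# path components (.well-known and acme-challenge); what is left is looked up
# under /acme inside the chroot, i.e. /var/www/acme, where acme-client writes tokens.
# Returns 1 for anything outside the challenge prefix or with a dubious token.
challenge_path() {
    uri=$1
    case $uri in
        /.well-known/acme-challenge/*) token=${uri#/.well-known/acme-challenge/} ;;
        *) return 1 ;;
    esac
    case $token in
        ''|*/*|*..*) return 1 ;;   # empty, nested, or traversal-looking token
    esac
    printf '%s/acme/%s\n' "$CHROOT" "$token"
}

# renew: run acme-client for $DOMAIN and act on its exit status.
# Prints reloaded / reload-failed / unchanged / failed; returns the status
# (acme-client's own, or 1 if the httpd reload itself failed).
renew() {
    rc=0
    "$ACME_CLIENT" "$DOMAIN" || rc=$?
    case $rc in
        0)
            if "$RCCTL" reload httpd; then
                echo reloaded
            else
                echo reload-failed
                rc=1
            fi ;;
        2)
            echo unchanged ;;
        *)
            echo failed
            if command -v logger >/dev/null 2>&1; then
                logger -t acme-renew "acme-client $DOMAIN exited $rc"
            fi ;;
    esac
    return $rc
}

# Run the renewal only when executed as a script, not when sourced for testing.
case ${0##*/} in
    renew.sh) renew ;;
esac
```

Install it as, for example, =/usr/local/sbin/renew.sh= and point the crontab line at it instead of the inline =&&= pair; the only behavioural difference from the original line is that a failed run leaves a line in syslog.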