1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
|
#+TITLE: Let's Encrypt on OpenBSD
#+DATE: 2020-06-16T22:56:27-04:00
#+DRAFT: false
#+DESCRIPTION: Setting up acme-client on OpenBSD
#+TAGS[]: openbsd httpd letsencrypt acme-client
#+KEYWORDS[]: openbsd httpd letsencrypt acme-client
#+SLUG:
#+SUMMARY:
#+ATTR_HTML: :alt Let's Encrypt OpenBSD
#+ATTR_HTML: :title Let's Encrypt OpenBSD
[[file:openbsd%20letsencrypt.png]]
So I have an OpenBSD server serving a static website using
=httpd=. I've been thinking for a while I should add an SSL
certificate, but never got around to it because it was just a small
hobby website and it didn't require any real attention.
Today while watching one of the OpenBSD tutorials at BSDCan, I thought
it was finally time. Since configuring everything else in OpenBSD is
so easy, this must be easy too, right?
These were the only changes I had to make to my =httpd.conf= to get
=acme-client= to work. This is described in the =acme-client= man
page.
#+BEGIN_SRC diff
--- httpd.conf
+++ httpd.conf.new
@@ -1,4 +1,19 @@
server "lambda.cx" {
listen on * port 80
root "/htdocs/lambda.cx"
+ location "/.well-known/acme-challenge/*" {
+ root "/acme"
+ request strip 2
+ }
}
#+END_SRC
After that, I reloaded =httpd= with ~rcctl reload httpd~
I then copied the example config from =/etc/examples/acme-client.conf=
to =/etc/acme-client=. This is what the modifications to the example I
made look like.
#+BEGIN_SRC diff
--- acme-client.conf
+++ acme-client.conf.new
@@ -1,19 +1,19 @@
#
# $OpenBSD: acme-client.conf,v 1.2 2019/06/07 08:08:30 florian Exp $
#
authority letsencrypt {
api url "https://acme-v02.api.letsencrypt.org/directory"
account key "/etc/acme/letsencrypt-privkey.pem"
}
authority letsencrypt-staging {
api url "https://acme-staging-v02.api.letsencrypt.org/directory"
account key "/etc/acme/letsencrypt-staging-privkey.pem"
}
-domain example.com {
- alternative names { secure.example.com }
- domain key "/etc/ssl/private/example.com.key"
- domain full chain certificate "/etc/ssl/example.com.fullchain.pem"
+domain lambda.cx {
+ # alternative names { www.lambda.cx }
+ domain key "/etc/ssl/private/lambda.cx.key"
+ domain full chain certificate "/etc/ssl/lambda.cx.fullchain.pem"
sign with letsencrypt
}
#+END_SRC
It's a pretty small change. I have the alternative name line commented
out because I only have =lambda.cx= pointing at my server and not
=www.lambda.cx=. Although if I did I would un-comment it. I could also
add sub-domains like =sub.lambda.cx= in that area separated by a
space.
After that I just had to run ~acme-client -v lambda.cx~ (-v for
verbosity) and it generated the certificates.
Then I added a =crontab= entry (using =crontab -e=) to run once a day
at a random time and reload =httpd=.
#+BEGIN_SRC
~ ~ * * * acme-client lambda.cx && rcctl reload httpd
#+END_SRC
Finally to use the new certificates I added the following lines to my
=httpd.conf=.
#+BEGIN_SRC diff
--- httpd.conf
+++ httpd.conf.new
@@ -1,8 +1,21 @@
server "lambda.cx" {
listen on * port 80
root "/htdocs/lambda.cx"
location "/.well-known/acme-challenge/*" {
root "/acme"
request strip 2
}
}
+
+server "lambda.cx" {
+ listen on * tls port 443
+ tls {
+ certificate "/etc/ssl/lambda.cx.fullchain.pem"
+ key "/etc/ssl/private/lambda.cx.key"
+ }
+ root "/htdocs/lambda.cx"
+ location "/.well-known/acme-challenge/*" {
+ root "/acme"
+ request strip 2
+ }
+}
#+END_SRC
I reloaded httpd with ~rcctl reload httpd~ and that was it, working
certificate!
|
