So I have an OpenBSD server serving a static website using httpd(8). I've been thinking for a while I should add an SSL certificate, but never got around to it because it was just a small hobby website and it didn't require any real attention. Today while watching one of the OpenBSD tutorials at BSDCan, I thought it was finally time. Since configuring everything else in OpenBSD is so easy, this must be easy too, right?
These were the only changes I had to make to my httpd.conf to get acme-client to work. This is described in acme-client(1).
--- httpd.conf
+++ httpd.conf.new
@@ -1,4 +1,19 @@
server "lambda.cx" {
listen on * port 80
root "/htdocs/lambda.cx"
+ location "/.well-known/acme-challenge/*" {
+ root "/acme"
+ request strip 2
+ }
}
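Review bot: the new `location` block's `root "/acme"` is resolved inside httpd's chroot (/var/www by default), so the challenge files acme-client writes have to end up in /var/www/acme, which is acme-client's default challenge directory; worth a one-line comment here, because a reader who points `root` at a directory outside the chroot gets a failed HTTP-01 validation with no obvious cause. The `request strip 2` is what turns `/.well-known/acme-challenge/TOKEN` into `/TOKEN` under that root, so the two settings only work together.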
After that, I reloaded httpd with rcctl reload httpd.
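Before running acme-client it is worth confirming that httpd really serves files out of the challenge location. The script below is an added example, not part of the original post; it assumes httpd's default /var/www chroot (so `root "/acme"` is /var/www/acme on disk), and the host name passed to `preflight` is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight check for the
# acme-challenge location in httpd.conf before the first acme-client run.
# Assumes httpd runs chrooted in /var/www (the OpenBSD default).

# Emulate httpd's "request strip N": drop the first N path components, so
# "/.well-known/acme-challenge/TOKEN" becomes "/TOKEN", which httpd then
# looks up under the location's root.
strip_request() {
    n=$1
    path=$2
    rest=${path#/}                    # drop the leading slash
    while [ "$n" -gt 0 ]; do
        case $rest in
            */*) rest=${rest#*/} ;;   # remove one leading component
            *)   rest="" ;;           # fewer components than N: nothing left
        esac
        n=$((n - 1))
    done
    printf '/%s\n' "$rest"
}

# Map a request path to the file httpd serves for the location in the post:
# root "/acme" inside the chroot (second argument, default /var/www), strip 2.
challenge_file() {
    chroot=${2:-/var/www}
    printf '%s/acme%s\n' "$chroot" "$(strip_request 2 "$1")"
}

# End-to-end check: write a throwaway token where acme-client would, fetch it
# over plain HTTP the way the HTTP-01 validator does, and compare. Uses
# OpenBSD's ftp(1) as the HTTP client (-o - writes the body to stdout).
preflight() {
    host=$1
    token=$(openssl rand -hex 16)
    uri="/.well-known/acme-challenge/$token"
    file=$(challenge_file "$uri")
    printf '%s\n' "$token" > "$file" || return 1
    got=$(ftp -o - "http://$host$uri" 2>/dev/null)
    rm -f "$file"
    [ "$got" = "$token" ]
}

# Usage on the server itself (placeholder host name):
# preflight lambda.cx && echo "challenge path OK"
```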
I then copied the example config from /etc/examples/acme-client.conf to /etc/acme-client. This is what the modifications I made to the example look like.
--- acme-client.conf
+++ acme-client.conf.new
@@ -1,19 +1,19 @@
#
# $OpenBSD: acme-client.conf,v 1.2 2019/06/07 08:08:30 florian Exp $
#
authority letsencrypt {
api url "https://acme-v02.api.letsencrypt.org/directory"
account key "/etc/acme/letsencrypt-privkey.pem"
}
authority letsencrypt-staging {
api url "https://acme-staging-v02.api.letsencrypt.org/directory"
account key "/etc/acme/letsencrypt-staging-privkey.pem"
}
-domain example.com {
- alternative names { secure.example.com }
- domain key "/etc/ssl/private/example.com.key"
- domain full chain certificate "/etc/ssl/example.com.fullchain.pem"
+domain lambda.cx {
+ # alternative names { www.lambda.cx }
+ domain key "/etc/ssl/private/lambda.cx.key"
+ domain full chain certificate "/etc/ssl/lambda.cx.fullchain.pem"
sign with letsencrypt
}
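Review bot: the `letsencrypt-staging` authority is kept but never referenced; since the production endpoint is rate limited, it would be worth a note that a first test run can use `sign with letsencrypt-staging` and switch to `sign with letsencrypt` once the challenge setup is known to work. Also, any name later added to the commented `alternative names` line must resolve to this host before the next renewal, because every name in the request is validated and one failure fails the whole certificate.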
It's a pretty small change. I have the alternative names line commented out because I only have lambda.cx pointing at my server and not www.lambda.cx. If I did, I would un-comment it. I could also add sub-domains like sub.lambda.cx in that area, separated by a space.
After that I just had to run acme-client -v lambda.cx (-v for verbosity) and it generated the certificates.
Then I added a crontab entry (using crontab -e) to run once a day at a random time and reload httpd.
~ ~ * * * acme-client lambda.cx && rcctl reload httpd
Finally, to use the new certificates, I added the following lines to my httpd.conf.
--- httpd.conf
+++ httpd.conf.new
@@ -1,8 +1,21 @@
server "lambda.cx" {
listen on * port 80
root "/htdocs/lambda.cx"
location "/.well-known/acme-challenge/*" {
root "/acme"
request strip 2
}
}
+
+server "lambda.cx" {
+ listen on * tls port 443
+ tls {
+ certificate "/etc/ssl/lambda.cx.fullchain.pem"
+ key "/etc/ssl/private/lambda.cx.key"
+ }
+ root "/htdocs/lambda.cx"
+ location "/.well-known/acme-challenge/*" {
+ root "/acme"
+ request strip 2
+ }
+}
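Review bot: the port 80 server block still serves the whole site over plain HTTP next to the new TLS block, so nothing sends visitors to HTTPS. The usual httpd.conf pattern keeps the challenge `location` in the port 80 block and redirects everything else, e.g. `location * { block return 302 "https://$HTTP_HOST$REQUEST_URI" }`; the challenge location has to stay reachable over plain HTTP because HTTP-01 validation is done on port 80, which also means the copy of it inside the port 443 block does nothing for renewals and can be dropped.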
I reloaded httpd with rcctl reload httpd and that was it, working certificate!