Let's Encrypt OpenBSD

So I have an OpenBSD server serving a static website using httpd(8). I've been thinking for a while I should add an SSL certificate, but never got around to it because it was just a small hobby website and it didn't require any real attention.

Today while watching one of the OpenBSD tutorials at BSDCan, I thought it was finally time. Since configuring everything else in OpenBSD is so easy, this must be easy too, right?

These were the only changes I had to make to my httpd.conf to get acme-client to work. This is described in acme-client(1).

--- httpd.conf
+++ httpd.conf.new
@@ -1,4 +1,19 @@
 server "lambda.cx" {
   listen on * port 80
   root "/htdocs/lambda.cx"
+  location "/.well-known/acme-challenge/*" {
+    root "/acme"
+    request strip 2
+  }
 }
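Review bot: `root "/acme"` is resolved inside httpd's chroot, so this location serves /var/www/acme, which is also acme-client's default challenge directory; that directory has to exist and be readable by the www user, or every http-01 challenge request will 404 before acme-client even gets to verify anything. `request strip 2` removes the `/.well-known/acme-challenge` prefix so the token file is looked up directly under that root. Keep this location on the plain port 80 listener: Let's Encrypt fetches the challenge over HTTP, so it must not be caught by any HTTPS redirect added later.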

After that, I reloaded httpd with rcctl reload httpd.

I then copied the example config from /etc/examples/acme-client.conf to /etc/acme-client.conf. These are the modifications I made to the example.

--- acme-client.conf
+++ acme-client.conf.new
@@ -1,19 +1,19 @@
 #
 # $OpenBSD: acme-client.conf,v 1.2 2019/06/07 08:08:30 florian Exp $
 #
 authority letsencrypt {
 	api url "https://acme-v02.api.letsencrypt.org/directory"
 	account key "/etc/acme/letsencrypt-privkey.pem"
 }

 authority letsencrypt-staging {
 	api url "https://acme-staging-v02.api.letsencrypt.org/directory"
 	account key "/etc/acme/letsencrypt-staging-privkey.pem"
 }

-domain example.com {
-	alternative names { secure.example.com }
-	domain key "/etc/ssl/private/example.com.key"
-	domain full chain certificate "/etc/ssl/example.com.fullchain.pem"
+domain lambda.cx {
+	# alternative names { www.lambda.cx }
+	domain key "/etc/ssl/private/lambda.cx.key"
+	domain full chain certificate "/etc/ssl/lambda.cx.fullchain.pem"
 	sign with letsencrypt
 }
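Review bot: the first run is worth doing against the staging authority that is already defined in this file (`sign with letsencrypt-staging`), because a mistake in the httpd location block or in DNS would otherwise count against the production rate limits; staging certificates are not browser-trusted, so switch back to `sign with letsencrypt` once a staging run succeeds. If `alternative names { www.lambda.cx }` is ever uncommented, that name has to resolve to this host first, since every name in the request is validated. The domain key lands in /etc/ssl/private, which is root-only on OpenBSD; leave it that way, httpd reads the key as root before dropping privileges.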

It's a pretty small change. I have the alternative name line commented out because only lambda.cx points at my server, not www.lambda.cx. If it did, I would uncomment that line. I could also add sub-domains such as sub.lambda.cx in that block, separated by spaces.

After that, I just had to run acme-client -v lambda.cx (-v for verbosity) and it generated the certificates.

Then I added a crontab entry (using crontab -e) to run once a day at a random time and reload httpd.

~	~	*	*	*	acme-client lambda.cx && rcctl reload httpd
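The `~ ~` in the minute and hour fields is OpenBSD cron's way of picking a random value for each field. The `&&` in that entry matters too: acme-client(1) exits 0 only when it actually changed the certificate and 2 when the current one is still fine, so httpd is reloaded only on a real renewal. The script below is an added example, not part of the original post, that makes that exit-status handling explicit and adds an expiry sanity check with openssl(1). It assumes the domain and paths from the post; the ACME_CLIENT and RCCTL variables are hypothetical hooks so the functions can be exercised with stub commands on a machine that has no acme-client installed.

```shell
#!/bin/sh
# Added example (not from the original post): reload httpd only when
# acme-client(1) really replaced the certificate, and warn when the
# installed full chain is close to expiry.
# Assumed: domain and paths as in the post. ACME_CLIENT and RCCTL are
# hypothetical overrides used to substitute stub commands for testing.

# Map an acme-client(1) exit status to an action:
#   0     certificate was updated or revoked  -> reload httpd
#   2     certificate unchanged, still valid  -> nothing to do
#   other failure                             -> report, never reload
action_for_status() {
    case "$1" in
        0) echo reload ;;
        2) echo noop ;;
        *) echo fail ;;
    esac
}

# Renew the certificate for domain $1 (default lambda.cx).
# Returns 0 when httpd was reloaded or nothing needed doing,
# 1 when acme-client failed.
renew() {
    domain="${1:-lambda.cx}"
    status=0
    "${ACME_CLIENT:-acme-client}" "$domain" || status=$?
    case "$(action_for_status "$status")" in
        reload) "${RCCTL:-rcctl}" reload httpd ;;
        noop)   return 0 ;;
        fail)   echo "acme-client $domain failed with status $status" >&2
                return 1 ;;
    esac
}

# Return 0 if the certificate file $1 stays valid for at least $2 more days.
# A cheap independent check that renewal is actually happening.
cert_valid_for_days() {
    openssl x509 -noout -in "$1" -checkend $(( $2 * 86400 )) >/dev/null
}

# Invoked as "renew.sh --run [domain]" from cron; when sourced, only the
# functions above are defined.
if [ "${1:-}" = "--run" ]; then
    renew "${2:-lambda.cx}"
    cert_valid_for_days "/etc/ssl/${2:-lambda.cx}.fullchain.pem" 14 \
        || echo "warning: certificate expires within 14 days" >&2
fi
```

Dropped into /usr/local/bin and called from the crontab as `renew.sh --run lambda.cx`, this behaves like the one-liner above but logs a failure instead of silently skipping the reload, and complains if the chain on disk is about to expire regardless of what acme-client reported.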

Finally, to use the new certificate, I added the following lines to my httpd.conf.

--- httpd.conf
+++ httpd.conf.new
@@ -1,8 +1,21 @@
 server "lambda.cx" {
   listen on * port 80
   root "/htdocs/lambda.cx"
   location "/.well-known/acme-challenge/*" {
     root "/acme"
     request strip 2
   }
 }
+
+server "lambda.cx" {
+  listen on * tls port 443
+  tls {
+    certificate "/etc/ssl/lambda.cx.fullchain.pem"
+    key "/etc/ssl/private/lambda.cx.key"
+  }
+  root "/htdocs/lambda.cx"
+  location "/.well-known/acme-challenge/*" {
+    root "/acme"
+    request strip 2
+  }
+}
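Review bot: the port 80 server block still serves the whole site in cleartext, so anyone who types the bare hostname never reaches the TLS listener. Keep the acme-challenge location on port 80 (the challenge must be reachable over plain HTTP) and redirect everything else, for example by adding `location * { block return 302 "https://$HTTP_HOST$REQUEST_URI" }` after the challenge location in the port 80 block. The acme-challenge location copied into the 443 block is harmless but unused, since acme-client completes the http-01 challenge over port 80.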

I reloaded httpd with rcctl reload httpd and that was it: a working certificate!