Tested on OpenBSD 6.4
To use Let's Encrypt as a certificate authority for TLS encryption add or update your CAA records for your domain.
example.com. 300 IN CAA 0 issue "letsencrypt.org"
www.example.com. 300 IN CAA 0 issue "letsencrypt.org"
To configure acme-client(1),
add these sections to /etc/acme-client.conf:
authority letsencrypt {
api url "https://acme-v01.api.letsencrypt.org/directory"
account key "/etc/ssl/private/letsencrypt.key"
}
domain www.example.com {
alternative names { example.com }
domain key "/etc/ssl/private/www.example.com.key"
domain certificate "/etc/ssl/www.example.com.crt"
domain full chain certificate "/etc/ssl/www.example.com.pem"
sign with letsencrypt
}
Create directories:
# mkdir -p -m 700 /etc/ssl/private # mkdir -p -m 755 /var/www/acme #
Update /etc/httpd.conf to handle verification requests from Let's
Encrypt. It should look like this:
server "www.example.com" {
listen on * port 80
root "/htdocs/www.example.com"
location "/.well-known/acme-challenge/*" {
root "/acme"
request strip 2
}
}
server "example.com" {
listen on * port 80
block return 301 "http://www.example.com$REQUEST_URI"
}
Check this configuration and restart httpd:
# httpd -n configuration ok # rcctl restart httpd httpd(ok) httpd(ok) #
Let's run acme-client to create new account and domain keys.
# acme-client -vAD www.example.com ... acme-client: /etc/ssl/www.example.com.crt: created acme-client: /etc/ssl/www.example.com.pem: created #
To renew certificates automatically edit the current crontab:
# crontab -e
Append this line:
0 0 * * * acme-client www.example.com && rcctl reload httpd
Save and exit:
crontab: installing new crontab #
Now we have the new certificate and domain key, so we can re-configure
httpd to handle HTTPS requests. Add two server sections to
/etc/httpd.conf for TLS. The result should look like this:
server "www.example.com" {
listen on * tls port 443
root "/htdocs/www.example.com"
tls {
certificate "/etc/ssl/www.example.com.pem"
key "/etc/ssl/private/www.example.com.key"
}
location "/.well-known/acme-challenge/*" {
root "/acme"
request strip 2
}
}
server "example.com" {
listen on * tls port 443
tls {
certificate "/etc/ssl/www.example.com.pem"
key "/etc/ssl/private/www.example.com.key"
}
block return 301 "https://www.example.com$REQUEST_URI"
}
server "www.example.com" {
listen on * port 80
root "/htdocs/www.example.com"
location "/.well-known/acme-challenge/*" {
root "/acme"
request strip 2
}
}
server "example.com" {
listen on * port 80
block return 301 "http://www.example.com$REQUEST_URI"
}
Test this configuration and restart httpd:
# httpd -n configuration ok # rcctl restart httpd httpd (ok) httpd (ok) #
To verify your setup run SSL server test.
Congratulation! Your website and its visitors are now secured.
Backup and remove the certificate
# mv /etc/ssl/www.example.com.crt /etc/ssl/www.example.com.crt.bak #
Add a new alternative name to /etc/acme-client.conf:
...
alternative names { example.com new.example.com }
...
Add a new server section to /etc/httpd.conf. Use the same certificate and key.
...
server "new.example.com" {
listen on * tls port 443
root "/htdocs/new.example.com"
tls {
certificate "/etc/ssl/www.example.com.pem"
key "/etc/ssl/private/www.example.com.key"
}
location "/.well-known/acme-challenge/*" {
root "/acme"
request strip 2
}
}
...
Request a new certificate with the new alternative new in it. Verify
httpd.conf and restart httpd(8):
# acme-client -vFAD www.example.com ... acme-client: /etc/ssl/www.example.com.crt: created acme-client: /etc/ssl/www.example.com.pem: created # httpd -n configuration ok # rcctl restart httpd httpd(ok) httpd(ok) #
Thanks to Tim Chase, Mischa Peters, and Ve Telko for reading drafts of this, to Reyk Floeter for httpd(8) and to Kristaps Dzonsons for acme-client(1).
© roman zolotarev