OpenBSD acme-client(1)
“acme-client is an Automatic Certificate Management Environment (ACME) client: it looks in its configuration for a domain section corresponding to the domain given as command line argument and uses that configuration to retrieve an X.509 certificate which can be used to provide domain name validation”
## first set up the httpd well-known ACME challenge location in "/etc/httpd.conf"
server "www.example.com" {
    alias "example.com"
    listen on * port 80
    root "/htdocs/www.example.com"
    location "/.well-known/acme-challenge/*" {
        root "/acme"
        request strip 2
    }
}
## test the "httpd.conf" file (-n checks the syntax without starting the daemon)
> httpd -nf /etc/httpd.conf
## start httpd now (-f forces a start even though the service is not enabled yet)
> rcctl -f start httpd
## enable httpd
> rcctl enable httpd
## create /etc/acme-client.conf
authority letsencrypt {
    api url "https://acme-v02.api.letsencrypt.org/directory"
    account key "/etc/acme/letsencrypt-privkey.pem"
}
authority letsencrypt-staging {
    api url "https://acme-staging-v02.api.letsencrypt.org/directory"
    account key "/etc/acme/letsencrypt-staging-privkey.pem"
}
domain example.com {
    # the certificate must also cover the httpd server name www.example.com
    alternative names { www.example.com secure.example.com }
    domain key "/etc/ssl/private/example.com.key"
    domain full chain certificate "/etc/ssl/example.com.fullchain.pem"
    sign with letsencrypt
}
## create acme certificate; the argument is the "domain" section name from acme-client.conf
> acme-client -v example.com
Note: by default httpd loads its TLS key and certificate from
/etc/ssl/private/server.key
/etc/ssl/server.crt
To use the acme certificates we need to tell httpd
where they are stored.
## configure "/etc/httpd.conf"
server "www.example.com" {
    alias "example.com"
    listen on * port 80
    location "/.well-known/acme-challenge/*" {
        root "/acme"
        request strip 2
    }
    # everything else on port 80 is redirected to tls port 443
    # (kept in its own server block so https requests are not redirected again)
    block return 301 "https://$SERVER_NAME$REQUEST_URI"
}
server "www.example.com" {
    alias "example.com"
    listen on * tls port 443
    root "/htdocs/www.example.com"
    # the paths from acme-client.conf above
    tls certificate "/etc/ssl/example.com.fullchain.pem"
    tls key "/etc/ssl/private/example.com.key"
}
## reload the httpd config
> rcctl reload httpd
to make sure that we route all traffic over https we can also use relayd
## add to /etc/relayd.conf
relay "proxyssl" {
listen on $gateway port https
protocol "httpproxy"
forward to <new-webserver> port https
}
to renew our certificates automatically we need to schedule acme-client with cron(8), next to the daily(8) maintenance job
(OpenBSD crontab)
## renew acme certificate regularly
## edit crontab(8) to automate; "~" in the minute field picks a random minute, so this runs hourly and acme-client only renews when the certificate is close to expiry
~ * * * * acme-client example.com && rcctl reload httpd
or as a script (acme-client takes a single domain section name)
#!/bin/sh
# acme-client exits 0 only when a certificate was issued or renewed;
# 2 means the certificate is still valid and nothing was done, 1 is an error
if acme-client example.com
then
    rcctl reload httpd
fi
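The same renewal script, extended as an added example (not from the original page): it maps the acme-client exit status to an action and refuses to reload httpd when the freshly written certificate does not match the domain key. It assumes the paths from the acme-client.conf above; the script name /usr/local/sbin/acme-renew.sh and the logger tag "acme-renew" are assumptions.

```shell
#!/bin/sh
# Renewal wrapper for cron: ~ * * * * /usr/local/sbin/acme-renew.sh example.com
# (added example; paths are the ones from acme-client.conf above)
CERT=/etc/ssl/example.com.fullchain.pem
KEY=/etc/ssl/private/example.com.key

# acme-client(1) exit status: 0 = certificate issued or renewed,
# 2 = nothing to do (certificate still valid), anything else = failure.
action_for_status() {
    case "$1" in
        0) echo reload ;;
        2) echo noop ;;
        *) echo error ;;
    esac
}

# Compare the public key embedded in the certificate with the one derived
# from the private key; a mismatch means httpd must not be reloaded.
keypair_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# renew DOMAIN: run acme-client for the named domain section and act on the result.
renew() {
    acme-client "$1"
    status=$?
    case $(action_for_status "$status") in
        reload)
            if keypair_matches "$CERT" "$KEY"; then
                rcctl reload httpd
            else
                logger -t acme-renew "$CERT does not match $KEY; httpd not reloaded"
                return 1
            fi ;;
        noop)  return 0 ;;
        error) logger -t acme-renew "acme-client $1 failed with status $status"
               return 1 ;;
    esac
}

# Only run when a domain is given, so the functions can also be sourced.
if [ $# -gt 0 ]; then
    renew "$1"
fi
```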
25-09-2019