.Dd Created:$Mdocdate$
.Dt ohazot_ssl
.Tg back_to_top
.Bd -literal -compact
       _                    _
  ___ | |__   __ _ _______ | |_
 / _ \\| '_ \\ / _` |_  / _ \\| __|
| (_) | | | | (_| |/ / (_) | |_
 \\___/|_| |_|\\__,_/___\\___/ \\__|
.Ed
.Tg menu
.Bl -column ".Sy ohazot " ".Sy ohazot " ".Sy ohazot "
.It Xr ohazot oh Ta |
.Xr docs oh Ta |
.Xr about oh Ta
.El
.Dd Created:2025-10-03|Updated:2025-10-06
.Dt ohazot_ssl
.Os OpenBSD
.Nm ssl
.Nd configuration
.Sh GENERATION
.Sx back_to_top
.Bl -enum -compact
.It
If /etc/acme-client.conf does not exist:
.Bd -literal -compact
cp /etc/examples/acme-client.conf /etc/
.Ed
.It
Edit /etc/acme-client.conf:
.Bl -enum -compact
.It
Comment out the buypass sections.
.It
Change example.com to the corresponding domain.
.El
.It
Create the following directories if they are not present:
.Bd -literal -compact
mkdir -p -m 700 /etc/acme
mkdir -p -m 700 /var/www/acme
mkdir -p -m 700 /etc/ssl/acme/private
.Ed
.It
Add the following to httpd.conf:
.Bd -literal -compact
location "/.well-known/acme-challenge/*" {
	root "/acme"
	request strip 2
}
.Ed
.It
Verify the httpd config and restart httpd:
.Bd -literal -compact
httpd -n && rcctl restart httpd
.Ed
.It
Run acme-client to create the certificate and key:
.Bd -literal -compact
acme-client -v [SERVER].com
.Ed
.It
Back up the important files:
.Bl -bullet -compact
.It
.Pa /etc/acme/letsencrypt-privkey.pem
.It
.Pa /etc/ssl/private/[SERVER].com.key
.It
.Pa /etc/ssl/[SERVER].com.fullchain.pem
.El
.It
Schedule renewal in cron as shown in
.Xr acme-client 1 :
.Bd -literal -compact
~ * * * * acme-client [SERVER].com && rcctl reload httpd
.Ed
.It
Update httpd.conf:
.Bd -literal -compact
listen on egress tls port 443
tls {
	certificate "/etc/ssl/[SERVER].com.fullchain.pem"
	key "/etc/ssl/private/[SERVER].com.key"
}
.Ed
.It
Verify the httpd config and restart httpd:
.Bd -literal -compact
httpd -n && rcctl restart httpd
.Ed
.El
.Sh EXAMPLE
.Sx back_to_top
.Bd -literal -compact
server "[SERVER].com" {
	alias "www.[SERVER].com"
	listen on egress port 80
	listen on egress tls port 443
	location "/.well-known/acme-challenge/*" {
		root "/acme"
		request strip 2
	}
	root "/htdocs/[SERVER]"
	errdocs "/htdocs/[SERVER]/errors/"
	tls {
		certificate "/etc/ssl/[SERVER].com.fullchain.pem"
		key "/etc/ssl/private/[SERVER].com.key"
	}
}
.Ed
.Sh SEE ALSO
.Sx back_to_top
.Xr httpd oh
.Ss OpenBSD manpages
.Xr acme-client 1
.Ss links
.Bl -bullet -compact
.It
.Lk https://www.openbsdhandbook.com/services/webserver/ssl/ "OpenBSD Handbook - httpd"
.El
.Ss files
.In ssl.oh
.Sh AUTHORS
.Sx back_to_top
.An -nosplit
.Xr ohazot oh |
.Xr about oh |
.Lk https://ohazot.com ohazot.com
.Aq Mt admin@ohazot.com
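.Sh VERIFICATION
.Sx back_to_top
The script below is an added example and is not part of this page's original content.
It checks the result of the GENERATION steps once the certificate has been issued:
the two private keys are regular files readable by their owner only,
httpd.conf still carries the acme-challenge location with request strip 2,
the tls listener and the certificate and key paths outside of comments,
the certificate will not expire within 30 days, and
.Xr httpd 8
accepts the configuration.
The default paths are the ones used above; the domain comes from a SERVER environment variable
(defaulting to example.com) and KEY, CERT, ACME_KEY and HTTPD_CONF can be overridden the same way.
The script name tls_check.sh and those variable names are assumptions.

```sh
#!/bin/sh
# tls_check.sh: post-deployment checks for the acme-client + httpd setup
# from the GENERATION section. Added example, not part of the original page.
# The default paths follow the steps above; the [SERVER] name is supplied
# through the SERVER environment variable (an assumed convention).

SERVER="${SERVER:-example.com}"
KEY="${KEY:-/etc/ssl/private/$SERVER.key}"
CERT="${CERT:-/etc/ssl/$SERVER.fullchain.pem}"
ACME_KEY="${ACME_KEY:-/etc/acme/letsencrypt-privkey.pem}"
HTTPD_CONF="${HTTPD_CONF:-/etc/httpd.conf}"

# mode_of FILE: symbolic permission string as printed by ls(1), e.g. -rw-------
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# private_ok FILE: succeed only if FILE is a regular file that nobody but
# its owner can read (mode 600 or 400). A key restored from backup with
# the wrong mode, or a symlink left in place of the key, fails here.
private_ok() {
    [ -f "$1" ] || return 1
    case "$(mode_of "$1")" in
    -rw-------|-r--------) return 0 ;;
    *) return 1 ;;
    esac
}

# conf_has CONF REGEX: succeed if a non-comment line of CONF matches REGEX.
conf_has() {
    grep -v '^[[:space:]]*#' "$1" | grep -Eq "$2"
}

# conf_ok CONF: every piece the GENERATION section adds to httpd.conf is
# present and not commented out.
conf_ok() {
    conf_has "$1" 'location[[:space:]]+"/\.well-known/acme-challenge/\*"' &&
    conf_has "$1" 'root[[:space:]]+"/acme"' &&
    conf_has "$1" 'request[[:space:]]+strip[[:space:]]+2' &&
    conf_has "$1" 'listen[[:space:]]+on[[:space:]]+egress[[:space:]]+tls[[:space:]]+port[[:space:]]+443' &&
    conf_has "$1" 'certificate[[:space:]]+"/etc/ssl/' &&
    conf_has "$1" 'key[[:space:]]+"/etc/ssl/private/'
}

# cert_valid_for CERT DAYS: succeed if CERT does not expire within DAYS days,
# using openssl(1) -checkend (available in LibreSSL and OpenSSL).
cert_valid_for() {
    [ -r "$1" ] || return 1
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# main: run every check, print one line per result, exit non-zero on any FAIL.
main() {
    rc=0
    for f in "$KEY" "$ACME_KEY"; do
        if private_ok "$f"; then
            echo "ok   $f is $(mode_of "$f")"
        else
            echo "FAIL $f must be a regular file with mode 600"
            rc=1
        fi
    done
    if conf_ok "$HTTPD_CONF"; then
        echo "ok   $HTTPD_CONF has the acme-challenge location and tls listener"
    else
        echo "FAIL $HTTPD_CONF lacks the acme-challenge location, strip 2, tls port 443 or cert/key"
        rc=1
    fi
    if cert_valid_for "$CERT" 30; then
        echo "ok   $CERT is valid for at least 30 more days"
    else
        echo "FAIL $CERT expires within 30 days or is unreadable; check the acme-client cron entry"
        rc=1
    fi
    if command -v httpd >/dev/null 2>&1; then
        if httpd -n -f "$HTTPD_CONF" >/dev/null 2>&1; then
            echo "ok   httpd -n accepts $HTTPD_CONF"
        else
            echo "FAIL httpd -n rejected $HTTPD_CONF"
            rc=1
        fi
    fi
    return $rc
}

# Run the checks only when executed as a script; sourcing the file exposes
# the functions without running anything.
case "$0" in
*tls_check.sh) main ;;
esac
```

Run it as root after the final restart and again after the first scheduled renewal:
a FAIL on the expiry check means the cron entry from the renewal step has not run,
a FAIL on a key mode usually means the file was copied or restored without its permissions,
and a FAIL on the httpd.conf check means one of the blocks above was dropped or commented out.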