_                    _
  ___ | |__   __ _ _______ | |_
 / _ \| '_ \ / _` |_  / _ \| __|
| (_) | | | | (_| |/ / (_) | |_
 \___/|_| |_|\__,_/___\___/ \__|

sslconfiguration

  1. If /etc/acme-client.conf does not exist:
    cp /etc/examples/acme-client.conf /etc/
  2. Edit /etc/acme-client.conf
    1. Comment out the buypass sections.
    2. Change example.com to the corresponding domain.
  3. Create the following directories if they are not present:
    mkdir -p -m 700 /etc/acme
    mkdir -p -m 700 /var/www/acme
    mkdir -p -m 700 /etc/ssl/acme/private
  4. Add the following to httpd.conf:
    location "/.well-known/acme-challenge/*" {
    	root "/acme"
    	request strip 2
    }
  5. Verify httpd config and restart httpd:
    httpd -n && rcctl restart httpd
  6. Run acme-client to create the certificate and key:
    acme-client -v [SERVER].com
  7. Back up the important files:
    • /etc/acme/letsencrypt-privkey.pem
    • /etc/ssl/private/[SERVER].com.key
    • /etc/ssl/[SERVER].com.fullchain.pem
  8. Schedule renewal in cron as shown in man acme-client:
    ~ * * * * acme-client [SERVER].com && rcctl reload httpd
  9. Update httpd.conf:
    listen on egress tls port 443
    tls {
    	certificate "/etc/ssl/[SERVER].com.fullchain.pem"
    	key "/etc/ssl/private/[SERVER].com.key"
    }
  10. Verify httpd config and restart httpd:
    httpd -n && rcctl restart httpd
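The script below is an added pre-flight check (example code, not part of these notes or of OpenBSD) for the pieces steps 3, 4 and 9 put in place: mode 700 on the acme directories, the challenge location with root "/acme" and "request strip 2", and the tls block pointing at the fullchain and private key. The demo function runs the checks against a constructed temporary httpd.conf and temporary directories instead of the real /etc paths; on a host, pass /etc/httpd.conf, /etc/acme and the real domain.

```sh
#!/bin/sh
# check_mode DIR: true only if DIR exists and is mode 700 (the -m 700 from step 3).
check_mode() {
    [ -d "$1" ] && [ "$(ls -ld "$1" | cut -c1-10)" = "drwx------" ]
}
# check_acme_location FILE: true if the step 4 challenge location is present in
# FILE with both root "/acme" and "request strip 2" inside the block.
check_acme_location() {
    awk '
        /location "\/.well-known\/acme-challenge\/\*"/ { inblock = 1 }
        inblock && /root "\/acme"/                      { root = 1 }
        inblock && /request strip 2/                    { strip = 1 }
        inblock && /^[[:space:]]*}/                     { inblock = 0 }
        END { exit (root && strip) ? 0 : 1 }
    ' "$1"
}
# check_tls FILE DOMAIN: true if the step 9 tls block names DOMAIN's fullchain
# and private key under the paths acme-client writes.
check_tls() {
    grep -q "certificate \"/etc/ssl/$2.fullchain.pem\"" "$1" &&
    grep -q "key \"/etc/ssl/private/$2.key\"" "$1"
}
# demo: constructed sample httpd.conf and directories in a temp dir (not the
# real system paths); returns 0 when every check gives the expected answer.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -m 700 "$tmp/acme"        # as created in step 3
    mkdir -m 755 "$tmp/acme-loose"  # too permissive: must be rejected
    cat > "$tmp/httpd.conf" <<'EOF'
server "example.com" {
        location "/.well-known/acme-challenge/*" {
                root "/acme"
                request strip 2
        }
        tls {
                certificate "/etc/ssl/example.com.fullchain.pem"
                key "/etc/ssl/private/example.com.key"
        }
}
EOF
    check_mode "$tmp/acme" && ! check_mode "$tmp/acme-loose" &&
        check_acme_location "$tmp/httpd.conf" &&
        check_tls "$tmp/httpd.conf" example.com
    rc=$?
    rm -rf "$tmp"
    return $rc
}

demo && echo "pre-flight checks passed"
```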

server "[SERVER].com" {
        alias "www.[SERVER].com"
        listen on egress port 80
        listen on egress tls port 443
        location "/.well-known/acme-challenge/*" {
                root "/acme"
                request strip 2
        }
        root "/htdocs/[SERVER]"
        errdocs "/htdocs/[SERVER]/errors/"
        tls {
                certificate "/etc/ssl/[SERVER].com.fullchain.pem"
                key "/etc/ssl/private/[SERVER].com.key"
        }
}

httpd

acme-client(1)

<ssl.oh>

ohazot.com <admin@ohazot.com>

Created: 2025-10-03 | Updated: 2025-10-06 | OpenBSD