ssl — configuration
GENERATION
- If /etc/acme-client.conf does not exist, start from the example config:
        cp /etc/examples/acme-client.conf /etc/
- Edit /etc/acme-client.conf:
  - Comment out the buypass authority sections; the domain block signs with letsencrypt.
  - Change example.com to the corresponding domain. Any extra name that httpd will serve under the same certificate (for instance the www.[SERVER].com alias used in the example below) goes under "alternative names".
- Create the following directories if they are not present. The two private key directories must be 700. The challenge directory is served by httpd(8) as user www from inside its /var/www chroot, so it must stay traversable by that user: 755, as in the acme-client(1) manual, not 700, or every HTTP-01 validation fails with a 404.
        mkdir -p -m 700 /etc/acme
        mkdir -p -m 700 /etc/ssl/acme/private
        mkdir -p -m 755 /var/www/acme
- Add the following to the server block in httpd.conf. The domain must already be reachable on port 80, because the CA fetches the challenge over plain HTTP:
        location "/.well-known/acme-challenge/*" {
                root "/acme"
                request strip 2
        }
- Verify the httpd config and restart httpd:
        httpd -n && rcctl restart httpd
- Run acme-client to create the account key, the certificate key and the certificate:
        acme-client -v [SERVER].com
- Back up the important files. The first two are private keys: keep the backups readable by root only.
  - /etc/acme/letsencrypt-privkey.pem (account key)
  - /etc/ssl/private/[SERVER].com.key (certificate key)
  - /etc/ssl/[SERVER].com.fullchain.pem (certificate with chain)
- Schedule renewal in root's crontab as shown in acme-client(1). acme-client exits 0 only when the certificate was actually issued or renewed (2 when it did not change), so httpd is reloaded only in that case:
        ~ * * * * acme-client [SERVER].com && rcctl reload httpd
- Update httpd.conf to serve TLS with the new certificate:
        listen on egress tls port 443
        tls {
                certificate "/etc/ssl/[SERVER].com.fullchain.pem"
                key "/etc/ssl/private/[SERVER].com.key"
        }
- Verify the httpd config and restart httpd:
        httpd -n && rcctl restart httpd
EXAMPLE
server "[SERVER].com" {
        alias "www.[SERVER].com"
        listen on egress port 80
        listen on egress tls port 443
        location "/.well-known/acme-challenge/*" {
                root "/acme"
                request strip 2
        }
        root "/htdocs/[SERVER]"
        errdocs "/htdocs/[SERVER]/errors/"
        tls {
                certificate "/etc/ssl/[SERVER].com.fullchain.pem"
                key "/etc/ssl/private/[SERVER].com.key"
        }
}
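A post-install check for what the steps above produce, together with a cron wrapper that replaces the one-line renewal entry. This is an added example and not part of this page or of OpenBSD. It assumes the file layout of /etc/examples/acme-client.conf (/etc/ssl/[SERVER].com.fullchain.pem, /etc/ssl/private/[SERVER].com.key, challenges in /var/www/acme), and the 20-day warning threshold is a hypothetical value chosen below acme-client's 30-day renewal window; check_site, renew_and_reload and the other function names are the example's own. Run it as root with `sh check-tls.sh [SERVER].com`.

```sh
#!/bin/sh
# Post-install check and cron wrapper for the acme-client(1)/httpd(8) setup.
# Added example (not from the page or OpenBSD). Assumes the file layout of
# /etc/examples/acme-client.conf; every path can be overridden so the
# checks can run against test files.

# The certificate key must be readable only by its owner. ls(1) output is
# used instead of stat(1) because stat's flags differ between OpenBSD and
# Linux; columns 5-10 of "ls -ld" are the group and other permission bits.
key_is_private() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# httpd(8) serves challenges as user www from inside its /var/www chroot, so
# the challenge directory needs the execute bit for "other" (a 700 directory
# makes every HTTP-01 validation fail with 404). Column 10 is that bit.
dir_traversable_by_others() {
    [ -d "$1" ] || return 1
    case "$(ls -ld "$1" | cut -c10)" in
        x|t) return 0 ;;
        *)   return 1 ;;
    esac
}

# The public key inside the certificate must be the one derived from the key
# file; a mismatch (e.g. a stale .key after a re-issue) breaks every TLS
# handshake even though "httpd -n" accepts the configuration.
cert_matches_key() {
    a=$(openssl x509 -noout -pubkey -in "$1") || return 1
    b=$(openssl pkey -pubout -in "$2") || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Browsers match on subjectAltName, not CN: every name httpd serves (the
# domain and the alternative names from acme-client.conf) must be present.
cert_has_san() {
    openssl x509 -noout -text -in "$1" |
        awk '/Subject Alternative Name/ { getline; print }' |
        tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -qxF "DNS:$2"
}

# Succeeds if the certificate is still valid $2 days from now. acme-client
# renews once fewer than 30 days remain, so less than that means the cron
# job is not running or is failing.
cert_valid_for_days() {
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null
}

# Run all checks for one domain; prints one FAIL line per problem and
# returns non-zero if any failed. Optional arguments after the domain
# override the cert, key, challenge directory and minimum days of validity
# (20 is an arbitrary threshold chosen below the 30-day renewal window).
check_site() {
    domain=$1
    cert=${2:-/etc/ssl/$domain.fullchain.pem}
    key=${3:-/etc/ssl/private/$domain.key}
    challengedir=${4:-/var/www/acme}
    min_days=${5:-20}
    rc=0
    key_is_private "$key" || { echo "FAIL: $key is readable by group/other"; rc=1; }
    dir_traversable_by_others "$challengedir" || { echo "FAIL: $challengedir is not traversable by www"; rc=1; }
    cert_matches_key "$cert" "$key" || { echo "FAIL: $cert does not match $key"; rc=1; }
    cert_has_san "$cert" "$domain" || { echo "FAIL: $cert has no DNS:$domain SAN"; rc=1; }
    cert_valid_for_days "$cert" "$min_days" || { echo "FAIL: $cert expires within $min_days days"; rc=1; }
    return $rc
}

# Cron wrapper for "acme-client DOMAIN && rcctl reload httpd": acme-client
# returns 0 when a certificate was issued or renewed, 2 when it did not
# change, and 1 on failure. Only the first case needs a reload; the failure
# case is logged so a broken renewal does not stay silent until expiry.
renew_and_reload() {
    acme-client "$1"
    case $? in
        0) rcctl reload httpd ;;
        2) ;;
        *) logger -t acme-client "renewal of $1 failed"; return 1 ;;
    esac
}

if [ "$#" -gt 0 ]; then
    check_site "$@" || exit 1
fi
```

check_site verifies one name; for the www alias in the example above, call `cert_has_san /etc/ssl/[SERVER].com.fullchain.pem www.[SERVER].com` as well, since a name missing from the SAN list fails in the browser while "httpd -n" stays silent. To use the wrapper from cron, replace the command part of the crontab line with `sh check-tls.sh` sourced plus `renew_and_reload [SERVER].com`, or copy the function into its own script.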
SEE ALSO
- OpenBSD manpages: acme-client(1), acme-client.conf(5), httpd.conf(5)
links
- OpenBSD Handbook - httpd
- roman zolotarev - Enable HTTPS with acme-client(1) and Let's Encrypt on OpenBSD