SSL(oh)                          LOCAL                          SSL(oh)

NAME
     ssl - configuration

GENERATION
     1.   If /etc/acme-client.conf does not exist:

               cp /etc/examples/acme-client.conf /etc/

     2.   Edit /etc/acme-client.conf:

          1.   Comment out the buypass sections.
          2.   Change example.com to the corresponding domain.

     3.   Create the following directories if they are not present:

               mkdir -p -m 700 /etc/acme
               mkdir -p -m 700 /var/www/acme
               mkdir -p -m 700 /etc/ssl/acme/private

     4.   Add the following to httpd.conf:

               location "/.well-known/acme-challenge/*" {
                       root "/acme"
                       request strip 2
               }

     5.   Verify the httpd configuration and restart httpd:

               httpd -n && rcctl restart httpd

     6.   Run acme-client to create the certificate and key:

               acme-client -v [SERVER].com

     7.   Back up the important files:

               - /etc/acme/letsencrypt-privkey.pem
               - /etc/ssl/private/[SERVER].com.key
               - /etc/ssl/[SERVER].com.fullchain.pem

     8.   Schedule renewal in cron as shown in acme-client(1):

               ~ * * * * acme-client [SERVER].com && rcctl reload httpd

     9.   Update httpd.conf:

               listen on egress tls port 443
               tls {
                       certificate "/etc/ssl/[SERVER].com.fullchain.pem"
                       key "/etc/ssl/private/[SERVER].com.key"
               }

     10.  Verify the httpd configuration and restart httpd:

               httpd -n && rcctl restart httpd

EXAMPLE
     server "[SERVER].com" {
             alias "www.[SERVER].com"
             listen on egress port 80
             listen on egress tls port 443
             location "/.well-known/acme-challenge/*" {
                     root "/acme"
                     request strip 2
             }
             root "/htdocs/[SERVER]"
             errdocs "/htdocs/[SERVER]/errors/"
             tls {
                     certificate "/etc/ssl/[SERVER].com.fullchain.pem"
                     key "/etc/ssl/private/[SERVER].com.key"
             }
     }

SEE ALSO
     web(oh), httpd(oh)

     OpenBSD manpages: acme-client(1)

     Links:
     - OpenBSD Handbook - httpd: https://www.openbsdhandbook.com/services/webserver/ssl/
     - Roman Zolotarev - Enable HTTPS with acme-client(1) and Let's Encrypt on OpenBSD:
       https://romanzolotarev.com/openbsd/acme-client.html

AUTHORS
     ohazot(oh) | about(oh) | ohazot.com: https://ohazot.com

OpenBSD 7.7          Created: 2025-10-03 | Updated: 2025-10-06          SSL(oh)
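A preflight check for the GENERATION steps, added here as an example and not part of this page, acme-client(1) or httpd(8): it verifies that the three directories from step 3 have mode 0700 and that httpd.conf carries the acme-challenge location from step 4 and the tls certificate/key paths from step 9 for the given domain. The optional PREFIX argument is an assumption of this example, so the same checks can be run against a staging copy of the tree.

```shell
#!/bin/sh
# acme_preflight DOMAIN [PREFIX]
# Added example (not from acme-client(1) or httpd(8)): checks the layout the
# GENERATION steps produce before acme-client is run. PREFIX is an assumed,
# optional path prefix so the same checks can run against a staging tree.

# Return 0 when $1 is a directory with mode exactly 0700 (mkdir -p -m 700).
dir_is_0700() {
    [ -d "$1" ] || return 1
    case $(ls -ld "$1") in
        drwx------*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Return 0 when httpd.conf ($1) contains the acme-challenge location with
# "request strip 2" and the tls certificate/key paths for domain $2.
httpd_conf_ok() {
    grep -qF '/.well-known/acme-challenge/*' "$1" &&
    grep -qF 'root "/acme"' "$1" &&
    grep -qF 'request strip 2' "$1" &&
    grep -qF "certificate \"/etc/ssl/$2.fullchain.pem\"" "$1" &&
    grep -qF "key \"/etc/ssl/private/$2.key\"" "$1"
}

# Run every check, print one line per result, return non-zero on any failure.
acme_preflight() {
    domain=$1
    prefix=${2:-}
    rc=0
    for d in /etc/acme /var/www/acme /etc/ssl/acme/private; do
        if dir_is_0700 "$prefix$d"; then
            echo "ok   $d is mode 0700"
        else
            echo "FAIL $d is missing or not mode 0700 (mkdir -p -m 700 $d)"
            rc=1
        fi
    done
    if httpd_conf_ok "$prefix/etc/httpd.conf" "$domain"; then
        echo "ok   httpd.conf has the acme-challenge location and tls paths for $domain"
    else
        echo "FAIL httpd.conf lacks the acme-challenge location or tls paths for $domain"
        rc=1
    fi
    return $rc
}

# Usage: sh acme_preflight.sh [SERVER].com
if [ $# -gt 0 ]; then
    acme_preflight "$@"
fi
```

Run it as root before step 6; a non-zero exit means one of the printed FAIL lines must be fixed first.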