Let's Encrypt and ACME

Today is server maintenance time! I upgraded from 6.1 to 6.3 a couple of days ago and was, again, pleasantly surprised by the elegance of OpenBSD. While thinking about how to continue with OpenSMTPD and reading up on the respective posts, I decided to start with the necessary SSL/TLS stuff first. The way to go these days seems to be Let's Encrypt and ACME.

I tried following the instructions on atomicobject, but the tools have been significantly updated since. The article is still a good read, but at the end of the day the man pages came to the rescue (as usual). The key tool is the excellent acme-client. The following worked for me (in a nutshell), but please go ahead and check the man pages before messing with your system.

TL;DR

  • Update /etc/httpd.conf to contain the acme challenge section
  • Uncomment last section in /etc/acme-client.conf and change to your domain
  • Run acme-client -vAD example.com and acme-client -vD example.com
  • Update /etc/httpd.conf to enable TLS, don't forget to reload httpd
  • Add acme-client example.com to some crontab

--verbose

Start out with the acme-client(1) man page to get a general understanding of what's going on. The following needs to be added to the appropriate place in httpd.conf:

location "/.well-known/acme-challenge/*" {
    root "/acme"
    request strip 2
}

so that the Let's Encrypt servers can fetch the challenge token from httpd; answering that HTTP request is what proves you control the domain you're requesting certificates for. The "request strip 2" drops the two leading path components, so a request for /.well-known/acme-challenge/TOKEN is served as /acme/TOKEN, which is /var/www/acme/TOKEN once httpd's chroot is taken into account and matches acme-client's default challengedir. The domain section needs to be set up in acme-client.conf. The stock config is pretty much self-explanatory: uncomment it and replace example.com with your actual domain. List every hostname you will later serve as an alias in httpd.conf under "alternative names", otherwise browsers connecting to www.example.com will be presented with a certificate that does not cover that name. Next run
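As an added example (not the stock file, which you should still read), here is the domain block as it needs to look for a server that also answers to www.example.com and secure.example.com, the aliases used in the httpd.conf below. The authority block that ships in the stock acme-client.conf is left as is; the key and certificate paths are assumed to be the defaults from that shipped file:

```conf
domain example.com {
	# every name httpd serves for this site must be in the certificate,
	# otherwise TLS clients for the aliases get a name mismatch
	alternative names { www.example.com secure.example.com }
	domain key "/etc/ssl/private/example.com.key"
	domain certificate "/etc/ssl/example.com.crt"
	domain full chain certificate "/etc/ssl/example.com.fullchain.pem"
	sign with letsencrypt
}
```

Adding a name to "alternative names" later is fine, but acme-client will not request a new certificate for it until the current one is due for renewal unless you force it with -F.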

# acme-client -vAD example.com

to create the account key and the domain key (-A and -D create them if they don't exist yet, -v is verbose) and register the account with Let's Encrypt, and

# acme-client -vD example.com

to request the actual certificates. I put the following into my /etc/daily.local:

acme-client example.com && rcctl reload httpd

to check on the daily cron run whether the certificate is within acme-client's renewal window (30 days before expiry) and renew it if so. acme-client exits 0 only when the certificate actually changed and 2 when there was nothing to do, so the && reloads httpd only after a real renewal. Finally, change your httpd.conf to look something like this, to make use of your newly created certificates ($ext_addr is a macro you define near the top of httpd.conf; keep the key under /etc/ssl/private readable by root only):

server "example.com" {
    alias "www.example.com"
    alias "secure.example.com"
    listen on $ext_addr port 80
    listen on $ext_addr tls port 443
    tls certificate "/etc/ssl/example.com.fullchain.pem"
    tls key "/etc/ssl/private/example.com.key"
    location "/.well-known/acme-challenge/*" {
        root "/acme"
        request strip 2
    }
    root "/htdocs"
}
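The daily.local one-liner above relies on acme-client(1)'s exit status convention: 0 when the certificate was changed, 1 on failure, 2 when it was not yet due. As an added example (my own script, not from the original post or from OpenBSD), here is a wrapper for /etc/daily.local that makes those three cases explicit, logs failures instead of silently skipping the reload, and sanity-checks the renewed full chain with openssl. The domain and the /etc/ssl/example.com.fullchain.pem path are the ones used in this post; the optional third argument to run_renewal is an assumption added so the function can be exercised with stub commands that follow the same 0/1/2 convention.

```sh
#!/bin/sh
# renew.sh: explicit renewal wrapper for /etc/daily.local (added example).
# acme-client(1) exit status: 0 = certificate changed, 1 = failure,
# 2 = nothing to do (certificate not yet inside the 30-day renewal window).

# run_renewal DOMAIN RELOAD_CMD [ACME_CMD]
#   DOMAIN      name of the domain block in /etc/acme-client.conf
#   RELOAD_CMD  command run only after a real renewal, e.g. "rcctl reload httpd"
#   ACME_CMD    the renewal command; defaults to acme-client (assumption:
#               any command with the same 0/1/2 convention may be substituted,
#               which is how the stubs in the self-test below work)
run_renewal() {
    domain=$1
    reload_cmd=$2
    acme_cmd=${3:-acme-client}

    # Run inside "if" so a non-zero status does not trip "set -e".
    if $acme_cmd "$domain"; then
        status=0
    else
        status=$?
    fi

    case $status in
        0)
            echo "$domain: certificate renewed, reloading"
            $reload_cmd
            return 0
            ;;
        2)
            echo "$domain: certificate unchanged, nothing to do"
            return 0
            ;;
        *)
            echo "$domain: renewal failed with status $status" >&2
            return 1
            ;;
    esac
}

# cert_ok FILE: returns 0 if the certificate in FILE is still valid for at
# least 30 days, 1 otherwise. Worth running right after a reported renewal:
# a fresh Let's Encrypt certificate is good for 90 days.
cert_ok() {
    openssl x509 -noout -checkend $((30 * 24 * 3600)) -in "$1" >/dev/null 2>&1
}

# Entry point for daily.local: RENEW_DOMAIN=example.com sh /path/to/renew.sh
if [ -n "${RENEW_DOMAIN:-}" ]; then
    run_renewal "$RENEW_DOMAIN" "rcctl reload httpd" || exit 1
    cert_ok "/etc/ssl/$RENEW_DOMAIN.fullchain.pem" \
        || echo "$RENEW_DOMAIN: warning, full chain expires within 30 days" >&2
fi
```

Because daily(8) mails the output of daily.local to root, a failed renewal now shows up in the daily report instead of only surfacing when the old certificate finally expires.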

Thanks to everyone who made Let's Encrypt possible. It feels like someone put a sane user interface on top of SSL/TLS after only 20 years.