Let's Encrypt and ACME

Today is server maintenance time! I upgraded from 6.1 to 6.3 a couple of days ago and was, again, pleasantly surprised by the elegance of OpenBSD. While thinking about how to continue with OpenSMTP and reading up on the respective posts, I decided to start with the necessary SSL/TSL stuff first. The way to go these days seems to be Let's Encrypt and ACME.

I tried following the instructions on atomicobject, but the tools were significantly updated. The article is still a good read but at the end of the day, the man pages came to the rescue (as usual). The key tool is the excellent acme-client. The following worked for me (in a nutshell), but please go ahead and check the man-pages before messing with your system.


  • Update /etc/httpd.conf to contain the acme challenge section
  • Uncomment last section in /etc/acme-client.conf and change to your domain
  • Run acme-client -vAD example.com and acme-client -vD example.com
  • Update /etc/httpd.conf to enable TLS, don't forget to reload httpd
  • Add acme-client example.com to some crontab


Start out with acme-client to get a general understanding of what's going on. The following needs to be added to the appropriate place in httpd.conf:

location "/.well-known/acme-challenge/*" {
    root "/acme"
    request strip 2

in order to allow acme-client to communicate with the httpd, which in turn proves that you own the domain you're claiming the keys for. The domain section needs to be setup in acme-client.conf. The stock config is pretty much self-explanatory, just uncomment and replace example.com with your actual domain. Next run

# acme-client -vAD example.com

to initialize the new account, and

# acme-client -vD example.com

to request the actual certificates. I put the following into my /etc/daily.local:

acme-client foo.bar && rcctl reload httpd

to check for expired certs on the daily cron run and update them if necessary. Finally, change your httpd.conf to look something like this, to make use of your newly created certificates:

server "example.com" {
    alias "www.example.com"
    alias "secure.example.com"
    listen on $ext_addr port 80
    listen on $ext_addr tls port 443
    tls certificate "/etc/ssl/example.com.fullchain.pem"
    tls key "/etc/ssl/private/example.com.key"
    location "/.well-known/acme-challenge/*" {
        root "/acme"
        request strip 2
    root "/htdocs"

Thanks to everyone who made letsencrypt possible. It feels like someone put a sane user-interface on top of SSL/TLS after only 20 years.