Using Let's Encrypt on OpenBSD 6.1

Last Updated: Thu, Dec 28, 2017
BSD Security
Archived content

This article is outdated and may not work correctly for current operating systems or software.

There is no longer any need to create your own SSL certificates: you can get a free, valid certificate from Let's Encrypt. The certificate is only domain validated, so it should not be used for eCommerce. A Let's Encrypt certificate can cover the primary domain and the subdomains you specify, but Let's Encrypt does not yet support wildcard certificates. OpenBSD includes a Let's Encrypt client called acme-client.

NOTE: Please remember to replace example.org with your domain.

Configure the /etc/acme-client.conf configuration file.

# cd /etc

# vi acme-client.conf

Add the following to the file. The full chain certificate includes the Let's Encrypt intermediate certificate together with your own, which clients need in order to validate the chain. Here, we will use the full chain in place of the domain certificate.

domain example.org {
    alternative names { www.example.org webmail.example.org }
    domain key "/etc/ssl/private/example.org.key"
    domain certificate "/etc/ssl/example.org.cert"
    domain full chain certificate "/etc/ssl/example.org.fullchain.cert"
    sign with letsencrypt
}

Configure /etc/httpd.conf and start httpd. acme-client uses the web server to serve the challenge files that prove you control the domain; the challenge for every configured name must succeed before a valid, signed certificate is issued.

server "default" {
    listen on * port 80
    root "/htdocs"
    directory index index.html

    # httpd runs chrooted in /var/www; acme-client writes its challenge
    # responses to /var/www/acme, so /.well-known/acme-challenge/<token>
    # is served from /acme/<token> after stripping the two leading components.
    location "/.well-known/acme-challenge/*" {
        root {"/acme", strip 2}
    }
}

# rcctl start httpd

Run acme-client -ADv example.org (-A and -D create the account key and domain key if they do not yet exist; -v is verbose). You should now have a valid SSL certificate. It is valid for 90 days, so you will have to run acme-client again before then to have the certificate reissued.

If you get any errors, make certain that port 80 is open on your firewall. You will also need a DNS A record for example.org, and for each alternative name, that resolves to the IP address of your Vultr instance.

# echo 'pass in on egress inet proto tcp from any to port 80 flags S/SA modulate state' >> /etc/pf.conf

# pfctl -f /etc/pf.conf
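The two failure causes just named can be checked before running acme-client. This is an added Python example, not part of the original article: it parses a constructed copy of the acme-client.conf block above, shows where the httpd strip 2 rule makes a challenge request land on disk, and optionally probes DNS and port 80 for every configured name. The probe file /var/www/acme/probe and the expected IP address are assumptions you supply.

```python
import re
import socket
import urllib.request
# Constructed copy of the /etc/acme-client.conf domain block from the article.
SAMPLE_CONF = """
domain example.org {
    alternative names { www.example.org webmail.example.org }
    domain key "/etc/ssl/private/example.org.key"
    domain certificate "/etc/ssl/example.org.cert"
    domain full chain certificate "/etc/ssl/example.org.fullchain.cert"
    sign with letsencrypt
}
"""

def domain_names(conf):
    """Primary plus alternative names of each domain block; every one of them
    must pass its own http-01 challenge, so each needs DNS and port 80."""
    names = []
    for block in re.finditer(r"^domain\s+(\S+)\s*\{(.*?)^\}", conf, re.S | re.M):
        names.append(block.group(1))
        alt = re.search(r"alternative\s+names\s*\{([^}]*)\}", block.group(2))
        if alt:
            names.extend(alt.group(1).split())
    return names

def challenge_path(request_path, root="/acme", strip=2, chroot="/var/www"):
    """File httpd serves under the article's location rule: strip 2 drops
    '.well-known/acme-challenge', root '/acme' is inside the /var/www chroot,
    so the token must exist at /var/www/acme/<token> (acme-client's default)."""
    parts = request_path.strip("/").split("/")
    return "/".join([chroot + root] + parts[strip:])

def preflight(conf, expected_ip, probe_token="probe"):
    """Live check: each name must resolve to expected_ip and serve the probe
    file over plain HTTP. Create /var/www/acme/probe on the server first."""
    results = {}
    for name in domain_names(conf):
        try:
            dns_ok = expected_ip in socket.gethostbyname_ex(name)[2]
        except OSError:
            dns_ok = False
        url = f"http://{name}/.well-known/acme-challenge/{probe_token}"
        try:
            with urllib.request.urlopen(url, timeout=5) as resp:
                http_ok = resp.status == 200
        except OSError:  # DNS failure, filtered port 80, or an HTTP error
            http_ok = False
        results[name] = {"dns": dns_ok, "http": http_ok}
    return results
```

Any name reported with dns or http False is one the Let's Encrypt validation server will also fail to reach, so fix it before running acme-client again.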
