Title : Nginx and acme-client on OpenBSD
Author: Solène
Date  : 04 July 2019
Tags  : openbsd68 openbsd nginx automation

I am writing this blog post because I spent too much time setting up nginx
and SSL on OpenBSD with acme-client: nginx runs chrooted, and it does not
strip the `/.well-known/acme-challenge/` prefix from the request path by
itself, so serving the challenge directory is less straightforward than it
should be.

First, you need to set up **/etc/acme-client.conf** correctly. Here is
mine for the domain ports.perso.pw:

    authority letsencrypt {
            api url "https://acme-v02.api.letsencrypt.org/directory"
            account key "/etc/acme/letsencrypt-privkey.pem"
    }

    domain ports.perso.pw {
            domain key "/etc/ssl/private/ports.key"
            domain full chain certificate "/etc/ssl/ports.fullchain.pem"
            sign with letsencrypt
            # challengedir is left unset, so acme-client writes the challenge
            # files to its default directory, /var/www/acme
    }

**This example is for OpenBSD 6.6 (which is current when I write this)
because of the Let's Encrypt API URL. If you are running 6.5 or 6.4,
replace v02 with v01 in the api url.**

Then, configure nginx as follows. The most important part of the
configuration is the location block handling the acme-challenge requests.
Remember that nginx is chrooted to /var/www, so the directory
/var/www/acme that acme-client writes the challenge files to is seen by
nginx as `/acme`. The certificate and key in the 443 block are given as
host paths, because nginx reads them at startup before it chroots. Note
that the 443 block still allows TLSv1.1, which is deprecated; drop it
unless you really have to support old clients.

    http {
        include       mime.types;
        default_type  application/octet-stream;
        index         index.html index.htm;
        keepalive_timeout  65;
        server_tokens off;
        upstream backendurl {
            server unix:tmp/plackup.sock;
        }
        server {
          listen       80;
          server_name ports.perso.pw;
          access_log logs/access.log;
          error_log  logs/error.log info;
          root /htdocs/;
          # acme-client drops the challenge files in /var/www/acme, which is
          # /acme inside the chroot. Strip the URL prefix so that
          # /.well-known/acme-challenge/<token> is served from /acme/<token>.
          location /.well-known/acme-challenge/ {
              rewrite ^/.well-known/acme-challenge/(.*) /$1 break;
              root /acme;
          }
          # everything else is redirected to HTTPS
          location / {
              return 301 https://$server_name$request_uri;
          }
        }
        server {
          listen 443 ssl;
          server_name ports.perso.pw;
          access_log logs/access.log;
          error_log logs/error.log info;
          root /htdocs/;
          ssl_certificate /etc/ssl/ports.fullchain.pem;
          ssl_certificate_key /etc/ssl/private/ports.key;
          ssl_protocols TLSv1.1 TLSv1.2;
          ssl_prefer_server_ciphers on;
          ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";

          [... stuff removed ...]
        }
    }

That's all! I wish I could have found this on the Internet, so I am
sharing it here.
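To go with the two configurations above, here is a renewal wrapper meant for root's crontab. It is an added example and not part of Solène's post. It assumes the domain from the configs, acme-client's default challenge directory /var/www/acme, nginx managed with rcctl, and the exit codes documented in acme-client(1): 0 when a certificate was issued or renewed, 1 on error, 2 when the certificate was still valid and nothing changed. The DOMAIN, CHALLENGEDIR, ACME and RELOAD variables are mine, so the decision logic can be exercised without the real tools.

```shell
#!/bin/sh
# Added example: cron-friendly acme-client renewal for the chrooted nginx setup.
# Assumed: domain ports.perso.pw, challenge dir /var/www/acme (acme-client's
# default), nginx reloaded with rcctl. All four can be overridden from the
# environment, which is also how the logic is tested without the real tools.

DOMAIN="${DOMAIN:-ports.perso.pw}"
CHALLENGEDIR="${CHALLENGEDIR:-/var/www/acme}"
ACME="${ACME:-acme-client}"
RELOAD="${RELOAD:-rcctl reload nginx}"

# Run acme-client and map its exit status:
#   0 -> renewed, nginx must be reloaded
#   2 -> certificate still valid, nothing to do
#   anything else -> failure
renew() {
    rc=0
    $ACME -v "$DOMAIN" || rc=$?
    case $rc in
        0) echo "certificate for $DOMAIN renewed"; return 0 ;;
        2) echo "certificate for $DOMAIN still valid, nothing to do"; return 2 ;;
        *) echo "acme-client failed with status $rc" >&2; return 1 ;;
    esac
}

# Only reload nginx when a new certificate was actually written; a plain
# "acme-client && rcctl reload nginx" would never reload, because exit
# status 2 (unchanged) is the common case.
renew_and_reload() {
    rc=0
    renew || rc=$?
    case $rc in
        0) $RELOAD ;;
        2) return 0 ;;
        *) return 1 ;;
    esac
}

# One-time check that nginx really serves the challenge directory out of
# the chroot: drop a probe token in $CHALLENGEDIR and fetch it over port 80
# through the same path Let's Encrypt will use. Uses OpenBSD's ftp(1) as
# the HTTP client.
check_challenge_path() {
    token="probe-$$"
    echo "ok" > "$CHALLENGEDIR/$token" || return 1
    body=$(ftp -o - "http://$DOMAIN/.well-known/acme-challenge/$token" 2>/dev/null)
    rm -f "$CHALLENGEDIR/$token"
    [ "$body" = "ok" ]
}

case "${1:-}" in
    check) check_challenge_path && echo "challenge path OK" ;;
    renew) renew_and_reload ;;
esac
```

Save it under a name of your choice (say /usr/local/sbin/renew-cert.sh, an assumed name), run `sh renew-cert.sh check` once after configuring nginx to make sure the challenge path really comes out of /var/www/acme, then run `sh renew-cert.sh renew` daily from root's crontab. If a reload does not pick up the renewed certificate on your version of the nginx package (the master process may no longer be able to read /etc/ssl once chrooted), set `RELOAD="rcctl restart nginx"` instead.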