Title : Let's encrypt on OpenBSD in 5 minutes
Author: Solène
Date : 20 January 2017
Tags : security openbsd66 openbsd
Let's Encrypt is a free service which provides free SSL
certificates. It is fully automated and there are a few tools to
generate your certificates with it. In the following lines, I will
just explain how to get a certificate in a few minutes. You can find
more information on the [Let's Encrypt website](https://letsencrypt.org).
To keep it simple: the tool we will use generates some keys on the
computer and sends a request to the Let's Encrypt service, which uses
an HTTP challenge (there are also a DNS challenge and one other kind)
to check that you really own the domain for which you want the
certificate. If the challenge succeeds, you get the certificate.
**Please, if you don't understand the following commands, don't type
While the following is right for OpenBSD, it may change slightly for
other systems. acme-client is part of the base system; you can read
the man page acme-client(1).
## Prepare your http server
For each certificate you request, you will be challenged for each
domain on port 80. A file must be available in a path under
"/.well-known/acme-challenge/".
You must have this in your **httpd** config file. If you use another
web server, you need to adapt.

```
server "mydomain.com" {
    root "/empty"
```

The `request strip 2` part is IMPORTANT. (I've lost 45 minutes figuring
out why root "/acme/" wasn't working.)
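
Why `request strip 2` matters, as an added example that is not part of the original post: a small shell model of how httpd maps the challenge URL to a file on disk. It assumes httpd's default chroot `/var/www` and the challenge directory `/var/www/acme` used on this page; the function names are hypothetical and the demo runs in a scratch directory.

```sh
#!/bin/sh
# Added example, not from the original post: a model of how httpd(8) maps a
# challenge URL to a file on disk. Assumes httpd's default chroot (/var/www)
# and acme-client's challenge directory /var/www/acme; names are hypothetical.

# strip_path N PATH: drop the first N path components, like "request strip N".
strip_path() {
    n=$1
    p=${2#/}
    while [ "$n" -gt 0 ] && [ -n "$p" ]; do
        case $p in
            */*) p=${p#*/} ;;
            *)   p= ;;
        esac
        n=$((n - 1))
    done
    printf '/%s\n' "$p"
}

# resolve_file CHROOT ROOT STRIP REQUEST_PATH: the file httpd would open.
resolve_file() {
    printf '%s%s%s\n' "${1%/}" "${2%/}" "$(strip_path "$3" "$4")"
}

# probe CHROOT ROOT STRIP: write a probe file where acme-client would put a
# token (CHROOT/ROOT/<token>), then check that the request resolves to it.
probe() {
    token="probe-$$"    # constructed token name
    dir="${1%/}${2%/}"
    echo ok > "$dir/$token" || return 2
    target=$(resolve_file "$1" "$2" "$3" "/.well-known/acme-challenge/$token")
    if [ -f "$target" ]; then rc=0; result=found; else rc=1; result="missing (404)"; fi
    rm -f "$dir/$token"
    echo "strip $3: $target -> $result"
    return "$rc"
}

# Demo in a scratch tree so nothing under the real /var/www is touched.
demo=$(mktemp -d)
mkdir -p "$demo/var/www/acme"
probe "$demo/var/www" /acme 0 || true   # root "/acme" alone: missing
probe "$demo/var/www" /acme 2           # with "request strip 2": found
rm -rf "$demo"
```

Without the strip, the request is looked up under `/var/www/acme/.well-known/acme-challenge/`, a directory acme-client never writes to, so the challenge file is not found.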
## Prepare the folders
As stated in the acme-client man page, if you don't need to change
the paths, you can run the following commands with root privileges:

```
# mkdir /var/www/acme
# mkdir -p /etc/ssl/acme/private /etc/acme
# chmod 0700 /etc/ssl/acme/private /etc/acme
```

## Request the certificates
As root, in the acme-client sources folder, type the following to
generate the certificates. The verbose flag is useful: it shows
whether the challenge step works. If it doesn't work, try to manually
fetch a file at the same path that Let's Encrypt requests, and run
the command again once that succeeds.

```
$ acme-client -vNn mydomain.com www.mydomain.com mail.mydomain.com
```

## Use the certificates
Now you can use your SSL certificates for your mail server, IMAP
server, FTP server, HTTP server... There is a small drawback: if you
generate certificates for a lot of domains, they are all written in
the certificate. This implies that anyone who visits one page and
looks at the certificate will know every domain you have under
SSL. I think that it's possible to request each certificate
independently, but you will have to play with acme-client flags and
write some scripts to automate this.
The certificate file is located at **/etc/ssl/acme/fullchain.pem** and
contains the full certification chain (as its name suggests). The
private key is located at **/etc/ssl/acme/private/privkey.pem**.
Restart the service with the certificate.
## Renew certificates
Certificates are valid for 3 months. Just type:

```
./acme-client mydomain.com www.mydomain.com mail.mydomain.com
```

Then restart your SSL services.