
Let's encrypt on OpenBSD in 5 minutes


Author: Solène

Date: 20 January 2017

Tags: security openbsd70 openbsd


Let's Encrypt is a free service which provides free SSL certificates. It is fully automated and there are a few tools to generate your certificates with it. In the following lines, I will just explain how to get a certificate in a few minutes. You can find more information on the [Let's Encrypt website](https://letsencrypt.org).


To keep it simple: the tool we will use generates some keys on the computer, then sends a request to the Let's Encrypt service, which uses an HTTP challenge (there are also DNS and one other kind of challenge) to check that you really own the domain for which you want the certificate. If the challenge succeeds, you get the certificate.


**Please, if you don't understand the following commands, don't type them.**


While the following is right for OpenBSD, it may differ slightly on other systems. acme-client is part of the base system; you can read the man page acme-client(1).



Prepare your http server


For each certificate you request, you will be challenged for each domain on port 80. A file must be available at a path under "/.well-known/acme-challenge/".


You must have this in your **httpd** config file. If you use another web server, you need to adapt it.


server "mydomain.com" {
    root "/empty"
    listen on * port 80
    location "/.well-known/acme-challenge/*" {
        root { "/acme/" , request strip 2 }
    }
}



The `request strip 2` part is IMPORTANT: it removes the two leading path components (".well-known" and "acme-challenge") before httpd looks the file up under root "/acme/", so a token is served from /var/www/acme/ (httpd is chrooted to /var/www) rather than from /var/www/acme/.well-known/acme-challenge/. (I've lost 45 minutes figuring out why root "/acme/" wasn't working.)



Prepare the folders


As stated in the acme-client man page, if you don't need to change the paths, you can run the following commands with root privileges:


mkdir /var/www/acme

mkdir -p /etc/ssl/acme/private /etc/acme

chmod 0700 /etc/ssl/acme/private /etc/acme


Request the certificates


As root, in the acme-client sources folder, type the following to generate the certificates. The verbose flag is useful: you will see whether the challenge step works. If it doesn't work, try manually to fetch a file at the same path Let's Encrypt tried, and run the command again once that succeeds.


$ acme-client -vNn mydomain.com www.mydomain.com mail.mydomain.com
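The manual check suggested above (put a file under the challenge path and fetch it back over HTTP before asking Let's Encrypt to do the same) can be scripted. The following is an added example, not part of the original post: it assumes the httpd location block shown above, the /var/www/acme directory from the next section, and OpenBSD's ftp(1) as the HTTP client; the three domain names are the post's placeholders.

```shell
#!/bin/sh
# Added example (not from the post): pre-flight check that httpd really
# serves /.well-known/acme-challenge/ from /var/www/acme before running
# acme-client. Assumes OpenBSD httpd configured as in the post and ftp(1)
# as the HTTP client.

CHALLENGE_DIR=/var/www/acme     # where the token files are written (see post)

# Build the URL Let's Encrypt would fetch for a given domain and token.
challenge_url() {
    printf 'http://%s/.well-known/acme-challenge/%s\n' "$1" "$2"
}

# Fetch a URL to stdout. Kept in one function so it can be swapped out
# (for example, in a test) without touching the check itself.
fetch() {
    ftp -o - "$1"
}

# Write a random token file, fetch it back through httpd, and compare.
# Returns 0 when the served body matches the token, 1 otherwise.
# The token file is removed again in both cases.
check_challenge_path() {
    domain=$1
    token=$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')
    printf '%s\n' "$token" > "$CHALLENGE_DIR/$token" || return 1
    served=$(fetch "$(challenge_url "$domain" "$token")" 2>/dev/null)
    rm -f "$CHALLENGE_DIR/$token"
    [ "$served" = "$token" ]
}

# Usage: sh check-challenge.sh check
if [ "${1:-}" = "check" ]; then
    for d in mydomain.com www.mydomain.com mail.mydomain.com; do
        if check_challenge_path "$d"; then
            echo "$d: challenge path ok"
        else
            echo "$d: challenge path FAILED (check root/request strip in httpd.conf)"
        fi
    done
fi
```

A failure here means Let's Encrypt would fail too, and it is cheaper to find out this way than to hit the rate limits on the real service while debugging httpd.conf.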


Use the certificates


Now you can use your SSL certificates for your mail server, IMAP server, FTP server, HTTP server, and so on. There is a little drawback: if you generate a certificate for a lot of domains, they are all written in the certificate. This implies that if someone visits one page and looks at the certificate, this person will know every domain you have under SSL. I think it's possible to request every certificate independently, but you will have to play with acme-client flags and write some kind of script to automate this.


The certificate file is located at **/etc/ssl/acme/fullchain.pem** and contains the full certification chain (as its name makes explicit), and the private key is located at **/etc/ssl/acme/private/privkey.pem**.


Restart the service with the certificate.



Renew certificates


Certificates are valid for 3 months. Just type


./acme-client mydomain.com www.mydomain.com mail.mydomain.com


Restart your SSL services.

EASY!
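Since renewal has to happen every few months and the services only need a restart when the certificate file actually changed, the two steps above can go into one script run from cron. This is an added example, not the post's own code: it uses the paths from the post, assumes acme-client is in $PATH (the post runs ./acme-client from the sources folder), and the list of services to restart (httpd, smtpd) is an assumption about your setup.

```shell
#!/bin/sh
# Added example (not from the post): renew with acme-client and restart the
# TLS-using services only when /etc/ssl/acme/fullchain.pem really changed.
# Paths are the post's; the service list is an assumption for your machine.

CERT=/etc/ssl/acme/fullchain.pem
DOMAINS="mydomain.com www.mydomain.com mail.mydomain.com"
SERVICES="httpd smtpd"      # assumption: daemons that load the certificate

# Print a stable fingerprint (CRC and size from cksum) of a file, or
# "missing" if it does not exist yet (first run).
cert_fingerprint() {
    if [ -f "$1" ]; then
        cksum < "$1" | awk '{print $1 ":" $2}'
    else
        echo missing
    fi
}

# Return 0 (true) when two fingerprints differ, 1 otherwise.
cert_changed() {
    [ "$1" != "$2" ]
}

# Run the renewal and restart services only on a real change, so a cron job
# that runs daily does not bounce httpd/smtpd every day.
renew_and_restart() {
    before=$(cert_fingerprint "$CERT")
    # shellcheck disable=SC2086  # word splitting of DOMAINS is intended
    acme-client -v $DOMAINS
    after=$(cert_fingerprint "$CERT")
    if cert_changed "$before" "$after"; then
        for svc in $SERVICES; do
            rcctl restart "$svc"
        done
        echo "certificate renewed, services restarted"
    else
        echo "certificate unchanged, nothing restarted"
    fi
}

# Usage: sh renew.sh run   (e.g. from root's crontab, weekly)
if [ "${1:-}" = "run" ]; then
    renew_and_restart
fi
```

Comparing a checksum of the file rather than trusting acme-client's exit status keeps the restart decision independent of which acme-client version is installed.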
