URI: 
       Title: Let's encrypt on OpenBSD in 5 minutes
       Author: Solène
       Date: 20 January 2017
       Tags: security openbsd70 openbsd
       Description: 
       
       Let's Encrypt is a service which provides free SSL
       certificates. It is fully automated and there are a few tools to
       generate your certificates with it. In the following lines, I will
       just explain how to get a certificate in a few minutes. You can find
       more information on the [Let's Encrypt website](https://letsencrypt.org).
       
       To keep it simple: the tool we will use generates some keys on the
       computer and sends a request to the Let's Encrypt service, which uses
       an HTTP challenge (there are also a DNS challenge and one other kind)
       to check that you really own the domain for which you want the
       certificate. If the challenge succeeds, you get the certificate.
       
       **Please, if you don't understand the following commands, don't type
       them.**
       
       While the following is right for OpenBSD, it may differ slightly on
       other systems. Acme-client is part of the base system; you can read
       the man page acme-client(1).
       
       
       ## Prepare your http server
       
       For each certificate you request, you will be challenged for each
       domain on port 80. A file must be available in
       a path under "/.well-known/acme-challenge/".
       
       You must have this in your **httpd** config file. If you use another
       web server, you need to adapt.
       
           server "mydomain.com" {
               root "/empty"
               listen on * port 80
               location "/.well-known/acme-challenge/*" {
                   root { "/acme/" , request strip 2 }
               }
           }
       
       
       The `request strip 2` part is IMPORTANT. (I've lost 45 minutes figuring
       out why root "/acme/" wasn't working.)
       
       
       ## Prepare the folders
       
       As stated in the acme-client man page, if you don't need to change
       the paths, you can run the following commands with root privileges:
       
           # mkdir /var/www/acme
           # mkdir -p /etc/ssl/acme/private /etc/acme
           # chmod 0700 /etc/ssl/acme/private /etc/acme
       
       ## Request the certificates
       
       As root, in the acme-client sources folder, type the following to
       generate the certificates. The verbose flag is useful: it shows
       whether the challenge step works. If it doesn't, try to fetch a
       file manually at the same path Let's Encrypt tried, and run the
       command again once that succeeds.
       
           $ acme-client -vNn mydomain.com www.mydomain.com mail.mydomain.com
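
       The manual check suggested above, together with the path mapping that `request strip 2` performs, as an added example that is not part of the original article. It assumes httpd's default chroot `/var/www` and ftp(1) from the OpenBSD base system; the script name and function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original article.
# Models how "request strip N" maps a challenge URL to a file on disk,
# then checks from the outside that httpd really serves that file.

CHROOT=/var/www   # assumption: httpd's default chroot on OpenBSD
DOCROOT=/acme/    # root of the location block, relative to the chroot

# strip_path N PATH: drop the first N components of a request path.
strip_path() {
    n=$1 p=${2#/}
    while [ "$n" -gt 0 ] && [ -n "$p" ]; do
        case $p in
            */*) p=${p#*/} ;;
            *)   p= ;;
        esac
        n=$((n - 1))
    done
    printf '/%s\n' "$p"
}

# disk_path N PATH: the file httpd looks up for PATH after stripping.
disk_path() {
    printf '%s%s%s\n' "$CHROOT" "${DOCROOT%/}" "$(strip_path "$1" "$2")"
}

# probe DOMAIN: write a constructed test token where the challenge files
# go, fetch it over port 80 like the validation server would, compare.
probe() {
    token="preflight-$$"
    file=$(disk_path 2 "/.well-known/acme-challenge/$token")
    echo "$token" > "$file" || return 1
    got=$(ftp -Vo - "http://$1/.well-known/acme-challenge/$token" 2>/dev/null)
    rm -f "$file"
    [ "$got" = "$token" ]
}

# Run as root: sh preflight.sh mydomain.com www.mydomain.com
for domain in "$@"; do
    if probe "$domain"; then
        echo "$domain: challenge path served"
    else
        echo "$domain: NOT served, expected $(disk_path 2 /.well-known/acme-challenge/TOKEN)"
    fi
done
```

       With a strip count of 0 the same request resolves to `/var/www/acme/.well-known/acme-challenge/TOKEN`, a path acme-client never writes to, which is why the challenge fails without `request strip 2`.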