First of all, I did set up an acme-client(1) ssl cert a few months ago before the acme-client.conf(5) file days, and it was stupidly, jaw-droppingly simple, and it's renewed successfully, so yay man pages!
Now, I'm doing it again on a (-current) system serving up a few domains on one IP address, so having to do SNI. Since it was so simple before, why not https the thing? Not so simple. (I got it working, but I'm pretty sure I'm Doing It Wrong.)

The man page for acme-client says "Before a certificate can be requested, an account key needs to be created using the -A argument." ok. So ...

    # acme-client -A
    acme-client: cannot stat /etc/ssl/private/holland-consulting.net.key: No such file or directory

After much head-scratching, I found a commit message that indicated this is the proper process:

    # acme-client -A -D holland-consulting.net

tada! Worked! Produces three files:

    /etc/ssl/private/holland-consulting.net.key
    /etc/ssl/holland-consulting.net.chain.pem
    /etc/ssl/holland-consulting.net.crt

(and going back and re-reading the man page again...I'm not seeing how I was supposed to figure this out!)

So after much trial and error of what file goes where in httpd.conf, I found this worked...almost:

    server "holland-consulting.net" {
            alias "www.holland-consulting.net"
            listen on $ext_addr port 80
            listen on $ext_addr tls port 443
            tls certificate "/etc/ssl/holland-consulting.net.crt"
            tls key "/etc/ssl/private/holland-consulting.net.key"
            location "/.well-known/acme-challenge/*" {
                    root "/acme"
                    root strip 2
            }
            root "/hc.net"
    }

httpd started, no errors logged, and the website came up with a valid cert according to Chrome and Firefox on OpenBSD. Almost. A friend of mine said he got a cert error, and after dismissing his machine or browser as being horribly out of date, I pulled up my phone and saw the same thing. Oops. A cert checker site confirmed that I was missing the intermediate certificate. (and that's when the profanity began, and if you deal with certs, you know what I mean, this is why I thought my first use of acme-client was so fantastic...it just worked!)

So I looked at my (far less -current) functioning site, and saw only TWO files were being generated...and one (named "fullchain.pem") had basically the contents of the TWO /etc/ssh/ files for the domain, but now, acme-client is generating two separate files. So more head-scratching later, I put the contents of holland-consulting.net.chain.pem at the END of holland-consulting.net.crt, and ta-da, everything worked. (reversing the order did NOT work).

    # cat holland-consulting.net.chain.pem >>holland-consulting.net.crt

Almost happy! EXCEPT ... when the cert is renewed, I'm pretty sure it will generate separate files again, breaking the trust chain. And I'm pretty sure that's not the way it is supposed to work.

So -- is there a way to add the intermediate cert to httpd.conf other than concatenating the files? Am I doing something wrong? Or do I just need to add the concatenation step to my refresh script?

Thanks!

Nick.
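As an added example (not from Nick's post, nor OpenBSD's own code), a POSIX sh renewal step for the concatenation route described above: it rebuilds a full-chain file with the .crt first and chain.pem after, refuses to install an incomplete or wrong-order file, and, when openssl(1) is present, checks that the first chain certificate actually issued the leaf. It assumes httpd.conf's "tls certificate" points at the full-chain path; that path, the RENEW gate and the function names are assumptions, while the /etc/ssl paths mirror the post.

```shell
#!/bin/sh
# Added example, not from the original post: rebuild leaf+intermediate in the
# order httpd(8) serves it (leaf first, chain after) and install it only when
# it checks out. FULL and the function names are assumptions.
DOMAIN=${DOMAIN:-holland-consulting.net}
LEAF=${LEAF:-/etc/ssl/$DOMAIN.crt}
CHAIN=${CHAIN:-/etc/ssl/$DOMAIN.chain.pem}
FULL=${FULL:-/etc/ssl/$DOMAIN.fullchain.pem}

# Number of PEM certificate blocks in a file.
pem_count() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1"
}

# Write leaf then chain into $3 atomically. Fails (leaving no output behind)
# if an input is missing/empty, if the result does not start with the exact
# bytes of the leaf, or if a certificate block went missing on the way.
build_fullchain() {
    leaf=$1 chain=$2 out=$3 tmp="$3.tmp.$$"
    [ -s "$leaf" ] && [ -s "$chain" ] || { echo "missing input" >&2; return 1; }
    cat "$leaf" "$chain" > "$tmp" || return 1
    n=$(($(wc -c < "$leaf")))
    if ! head -c "$n" "$tmp" | cmp -s - "$leaf" ||
       [ "$(pem_count "$tmp")" -ne $(( $(pem_count "$leaf") + $(pem_count "$chain") )) ]; then
        rm -f "$tmp"; echo "bad chain order or count" >&2; return 1
    fi
    mv "$tmp" "$out"
}

# With openssl(1) available, confirm the first chain cert really issued the
# leaf (the gap the external cert checker in the post was reporting).
chain_matches_leaf() {
    command -v openssl >/dev/null 2>&1 || return 0
    issuer=$(openssl x509 -noout -issuer -in "$1")
    subject=$(openssl x509 -noout -subject -in "$2")
    [ "${issuer#issuer=}" = "${subject#subject=}" ]
}

# acme-client(1) exits 0 when certificates changed, 2 when nothing changed,
# 1 on failure; only a change warrants rebuilding the file and reloading.
renew_and_reload() {
    if acme-client "$DOMAIN"; then rc=0; else rc=$?; fi
    case $rc in
        0) build_fullchain "$LEAF" "$CHAIN" "$FULL" &&
           chain_matches_leaf "$LEAF" "$CHAIN" && rcctl reload httpd ;;
        2) return 0 ;;
        *) echo "acme-client failed" >&2; return 1 ;;
    esac
}
if [ "${RENEW:-0}" = 1 ]; then renew_and_reload; fi
```

On recent OpenBSD, acme-client.conf(5) also documents a "domain full chain certificate" path that writes this concatenation itself, which makes build_fullchain unnecessary; the issuer check still applies to whichever file httpd serves.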