OpenBSD 6.2.

Precisely as summarised by Scott; however, to get past some pitfalls, here are the full details for getting TLS working for your domain www.example.com.

1. Configure httpd.conf to work with your domain example.com as follows:

    # vi /etc/httpd.conf
    # $OpenBSD: httpd.conf,v 1.17 2017/04/16 08:50:49 ajacoutot Exp $

    #
    # Macros
    #
    ext_addr="*"

    #
    # Global Options
    #
    # prefork 3

    #
    # Servers
    #
    # A minimal default server
    server "default" {
            listen on $ext_addr port 80
    }

    # A minimal www.example.com server
    server "www.example.com" {
            alias "example.com"
            listen on $ext_addr port 80
            root "/htdocs/www.example.com"
            # httpd is chrooted to /var/www; acme-client writes its HTTP-01
            # challenge responses to /var/www/acme, served here as
            # /.well-known/acme-challenge/<token>
            location "/.well-known/acme-challenge/*" {
                    root "/acme"
                    root strip 2
                    directory no auto index
            }
    }

    # Include MIME types instead of the built-in ones
    types {
            include "/usr/share/misc/mime.types"
    }

2. Create the document root for the domain and start httpd so the changes take effect:

    # mkdir /var/www/htdocs/www.example.com
    # vi /etc/rc.conf.local
      httpd_flags=
    # rcctl enable httpd
    # rcctl start httpd
    httpd(ok)

3. Configure acme-client for your domain www.example.com:

    # vi /etc/acme-client.conf
    #
    # $OpenBSD: acme-client.conf,v 1.4 2017/03/22 11:14:14 benno Exp $
    #
    authority letsencrypt {
            agreement url "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf"
            api url "https://acme-v01.api.letsencrypt.org/directory"
            account key "/etc/acme/letsencrypt-privkey.pem"
    }

    # staging endpoint: issues certificates that browsers do not trust; use it
    # for testing the setup before signing with the production authority
    authority letsencrypt-staging {
            agreement url "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf"
            api url "https://acme-staging.api.letsencrypt.org/directory"
            account key "/etc/acme/letsencrypt-staging-privkey.pem"
    }

    domain www.example.com {
            alternative names { example.com }
            domain key "/etc/ssl/private/example.com.key"
            domain certificate "/etc/ssl/example.com.crt"
            domain full chain certificate "/etc/ssl/example.com.fullchain.pem"
            sign with letsencrypt
    }

4. Attempt to get the certificates:

    # acme-client -vvAD www.example.com
    ......................................................
    acme-client: https://acme-v01.api.letsencrypt.org/acme/new-reg: bad HTTP: 400
    acme-client: transfer buffer: [{ "type": "urn:acme:error:malformed", "detail": "Provided agreement URL [https://lecuments/LE-SA-v1.2-November-15-2017.pdf]", "status": 400 }] (267 bytes)
    acme-client: bad exit: netproc(71944): 1

5. The agreement URL needs to be updated (replaced) with the one given in the error message above:

    # vi /etc/acme-client.conf
    #
    # $OpenBSD: acme-client.conf,v 1.4 2017/03/22 11:14:14 benno Exp $
    #
    authority letsencrypt {
    #       agreement url "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf"
            # current subscriber agreement, as named in the 400 error above
            agreement url "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf"
            api url "https://acme-v01.api.letsencrypt.org/directory"
            account key "/etc/acme/letsencrypt-privkey.pem"
    }

    authority letsencrypt-staging {
    #       agreement url "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf"
            agreement url "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf"
            api url "https://acme-staging.api.letsencrypt.org/directory"
            account key "/etc/acme/letsencrypt-staging-privkey.pem"
    }

    domain www.example.com {
            alternative names { example.com }
            domain key "/etc/ssl/private/example.com.key"
            domain certificate "/etc/ssl/example.com.crt"
            domain full chain certificate "/etc/ssl/example.com.fullchain.pem"
            sign with letsencrypt
    }

6. Attempt to get the certificates:

    # acme-client -vvAD www.example.com
    ...................................................
    acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz: bad HTTP: 403
    acme-client: transfer buffer: [{ "type": "urn:acme:error:unauthorized", "detail": "No registration exists matching provided key", "status": 403 }] (120 bytes)
    acme-client: bad exit: netproc(51628): 1

7. Remove the existing domain key and account key:

    # rm /etc/ssl/private/example.com.key
    # rm /etc/acme/letsencrypt-privkey.pem

8. Get the Certificates:

    # acme-client -vvAD www.example.com
    .................................................
    acme-client: /etc/ssl/example.com.crt: created
    acme-client: /etc/ssl/example.com.fullchain.pem: created

9. Verify the certificates were installed:

    # ls -l /etc/ssl

10. Finally, configure httpd for TLS for your domain www.example.com.

    # vi /etc/httpd.conf
    # $OpenBSD: httpd.conf,v 1.17 2017/04/16 08:50:49 ajacoutot Exp $

    #
    # Macros
    #
    ext_addr="*"

    #
    # Global Options
    #
    # prefork 3

    #
    # Servers
    #
    # A minimal default server
    server "default" {
            listen on $ext_addr port 80
    }

    # This block redirects port 80 traffic to port 443; all the actual
    # options can go underneath the block containing tls details.
    # (ACME challenge requests are redirected too; Let's Encrypt follows
    # the redirect and is answered by the acme-challenge location in the
    # TLS server below.)
    server "www.example.com" {
            alias "example.com"
            listen on $ext_addr port 80
            block return 301 "https://$SERVER_NAME$REQUEST_URI"
    }
    server "www.example.com" {
            alias "example.com"
            listen on $ext_addr tls port 443
            hsts
            # serve the full chain (leaf plus intermediate) so clients can
            # build the path to the Let's Encrypt root
            tls certificate "/etc/ssl/example.com.fullchain.pem"
            tls key "/etc/ssl/private/example.com.key"
            root "/htdocs/www.example.com"
            location "/.well-known/acme-challenge/*" {
                    root "/acme"
                    root strip 2
                    directory no auto index
            }
    }

    # Include MIME types instead of the built-in ones
    types {
            include "/usr/share/misc/mime.types"
    }

11. Restart the server and test in a browser:

    # rcctl restart httpd
    httpd(ok)
    httpd(ok)

https://www.openbsd.org/support.html#Kenya
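The error-to-fix mapping that steps 4 to 8 above walk through by hand, as an added shell example that is not part of this post and not part of acme-client(1): it reads the output of `acme-client -vvAD`, pulls the `type` out of the JSON error body Let's Encrypt returns, and prints the next step (new agreement URL, or remove the orphaned account key). The error lines it is exercised with are constructed to match the two messages in the thread; the config and key paths are assumptions taken from the acme-client.conf shown above.

```shell
#!/bin/sh
# Added example (not from the mailing-list post or from acme-client):
# classify the two ACME error bodies seen in the thread and say what to do.
# Usage:  acme-client -vvAD www.example.com 2>acme.log ; sh acmefix.sh acme.log
# Paths are assumptions matching the acme-client.conf in the post.
ACME_CONF="${ACME_CONF:-/etc/acme-client.conf}"
ACCOUNT_KEY="${ACCOUNT_KEY:-/etc/acme/letsencrypt-privkey.pem}"

# "type" field of the JSON error acme-client echoes in its "transfer buffer" line.
acme_error_type() {
    sed -n 's/.*"type": *"\([^"]*\)".*/\1/p' | head -n 1
}

# Last LE-SA-*.pdf URL in the error detail: on an agreement mismatch the CA
# lists the agreement it wants after the one we sent, so the last wins.
acme_agreement_url() {
    grep -o 'https://letsencrypt.org/documents/LE-SA-[^] "]*\.pdf' | tail -n 1
}

# Error type -> remediation keyword.
acme_remedy() {
    case "$1" in
        urn:acme:error:malformed)    echo update-agreement ;;
        urn:acme:error:unauthorized) echo delete-account-key ;;
        "")                          echo ok ;;
        *)                           echo unknown ;;
    esac
}

# Print config file $1 with every 'agreement url "..."' line pointing at URL $2.
# The live file is not modified; redirect the output where you want it.
acme_rewrite_agreement() {
    sed "s|^\([[:space:]]*agreement url \)\"[^\"]*\"|\1\"$2\"|" "$1"
}

# Read an acme-client log on stdin and print the next step.
acme_diagnose() {
    log=$(cat)
    etype=$(printf '%s\n' "$log" | acme_error_type)
    case "$(acme_remedy "$etype")" in
        ok)
            echo "no ACME error in log" ;;
        update-agreement)
            url=$(printf '%s\n' "$log" | acme_agreement_url)
            echo "set 'agreement url' in $ACME_CONF to $url"
            # -A already wrote an account key, but registration never completed,
            # so that key is orphaned and must be regenerated
            echo "rm $ACCOUNT_KEY ; rerun acme-client -vvAD" ;;
        delete-account-key)
            echo "rm $ACCOUNT_KEY ; rerun acme-client -vvAD" ;;
        *)
            echo "unhandled ACME error type: $etype" ;;
    esac
}

if [ "$#" -ge 1 ]; then
    acme_diagnose < "$1"
fi
```

Only the account key has to go: `-A` creates an account key if none exists, and a key whose registration was rejected is never known to the CA, which is exactly the 403 in step 6. Deleting the domain key as well (step 7) is harmless on a first issuance, since `-D` simply generates a new one, but it is not required.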

On Wed, Dec 20, 2017 at 2:17 AM, Scott Nicholas <scott.nicho...@scottn.us>
wrote:

> On Tue, Dec 19, 2017 at 3:26 AM, ?? ?? <rdansdml....@outlook.com> wrote:
> > Hello, I am very new to all these things, and wanted to have ssl for my
> own server (Openbsd6.2, Openbsd httpd, Openbsd acme-client), which will be
> my first ssl, other than previous self-signed one.
> >
> > Previously, to create a website, I followed some blog posts and created
> self-signed ssl (http://thecyberrecce.net/2017/01/15/secure-webservers-
> with-openbsd-6-0-setting-up-httpd-mariadb-and-php/), and as the site was
> somehow ready so I wanted to have the Letsencrypt ssl on the site,
> replacing the existing self-signed one.
> > After reading man pages, documentations, and blog posts, (but I don't
> understand much really) I did just almost the same as others stated in
> their blogs (httpd.conf, acme-client.conf and then the command), using
> "acme-client -vvAD example.com" command. But I got an error ("provided
> agreement URL doesn't match" or similar), and then tried several times
> again while making changes (e.g deleting self-signed crt, etc...)
> > but I still get an error: "no registration exists matching provided key".
> >
> > Could anyone help me know what the error means or give any advice to me?
>
> I just had this happen. acme-client saved an account key but since the
> TOS needed updated, the account wasn't created. I imagine you updated
> the agreement url? This is the new one:
>
> agreement url "https://letsencrypt.org/documents/LE-SA-v1.2-November-
> 15-2017.pdf"
>
> Delete your account key so it makes a new one. It's in the location below:
>
> account key "/etc/acme/letsencrypt-privkey.pem"
>
> then run acme-client again.
>
> > Also this is my second time writing to a "mailing list", and at the
> first time I couldn't send a reply to say thank you to the reply that sent
> to me as I don't know how to reply. So I'd be really grateful for kindly
> letting me know that as well.
> >
> > Would really appreciate any help.
> >
> >
>
>
