Thank you very much for this in-depth explanation. Appreciate your kind and valuable reply.

I just noticed that restarting the httpd server is included in the examples section of the acme-client man page too! https://man.openbsd.org/acme-client.1 Unfortunately I didn't pay the necessary attention up to now :(

Thank you

On Tue, Feb 16, 2021 at 8:21 PM Janne Johansson <icepic...@gmail.com> wrote:

> On Tue, 16 Feb 2021 at 18:50, Teno Deuter <gvg...@googlemail.com> wrote:
>
>> after "rcctl reload httpd" everything works well. Thank you very much.
>>
>> I'm running this configuration since early 6.8 and I don't think that I was
>> restarting the server! That's why I got now surprised.
>>
>
> All TLS services that chroot do so in order to make the serving part not
> be able to affect (or read) the secret keys when they are running.
>
> https(8) on OpenBSD is very much like that. You do not want a
> misconfiguration to suddenly make httpd serve the key file over the web.
>
> This in turn means that if you replace the key file on disk, the running
> httpd will not be able to read the new key, and hence not be able to start
> using it, which is why you need to make a full restart for it to be able to
> read the key at startup, then drop privileges and lock itself into a chroot
> so it no longer can read this (and other!) key material.
>
> The script that does the renewals with acme should check if the cert was
> renewed and restart httpd if so.
> If you look closely at the manpage, you will see that the return code from
> running acme-client is made so that you can see if it renewed the cert or
> not, and can easily base script decisions on it.
>
> --
> May the most significant bit of your life be positive.
>
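A renewal wrapper that branches on the exit status of acme-client(1), as the reply above suggests. This is an added example, not code from the thread or from OpenBSD; it relies on the exit codes documented in acme-client(1) (0 when certificates changed, 2 when unchanged, 1 on failure), and the ACME, RCCTL and ACTION variables are knobs introduced here so the decision logic can be exercised without acme-client or rcctl installed.

```shell
#!/bin/sh
# Renewal wrapper built around the exit status of acme-client(1):
#   0 = certificates were changed, 2 = unchanged, 1 = failure.
# Services are acted on only when a certificate actually changed, because the
# chrooted, privilege-dropped daemon cannot pick up a new key file on its own.
# Assumed knobs (not part of acme-client or rcctl): ACME, RCCTL, ACTION.

ACME=${ACME:-acme-client}   # command that performs the renewal
RCCTL=${RCCTL:-rcctl}       # service control command
ACTION=${ACTION:-reload}    # "reload" as reported in the thread; "restart" also works

# renew_domain DOMAIN SERVICE...
# Prints "renewed" or "unchanged" and returns 0 when nothing needs attention;
# prints a diagnostic on stderr and returns 1 when acme-client or a service
# action fails, so a cron job can mail the failure.
renew_domain() {
    domain=$1; shift
    # Capture the status in a way that is safe under "set -e".
    if "$ACME" "$domain"; then status=0; else status=$?; fi
    case $status in
        0)
            # New certificate/key on disk: make every dependent service re-read it.
            for svc in "$@"; do
                "$RCCTL" "$ACTION" "$svc" || {
                    echo "$ACTION $svc failed after renewing $domain" >&2
                    return 1
                }
            done
            echo renewed ;;
        2)
            # Nothing changed, so there is no reason to disturb running services.
            echo unchanged ;;
        *)
            echo "acme-client failed for $domain (exit $status)" >&2
            return 1 ;;
    esac
}

# Typical use from a daily cron job: one line per domain, listing the services
# that load its certificate (names are illustrative).
# renew_domain example.com httpd
# renew_domain mail.example.com smtpd dovecot
```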