On 2026-07-06, Rémi Borfigat <[email protected]> wrote:
> I’m setting up an IRC bouncer (soju) and I need relayd to take care of \
> TLS. I’m using this wiki [1] as a helper to write my relayd.conf. For \
> the *tls keypair* option, I need to specify a different certificate \
> file path since my acme-client creates a fullchain certificate at \
> /etc/ssl/example.com.fullchain.pem. So I wrote at line 2 relayd.conf: \
>
> ```
> tls keypair mydomain.tld cert "/etc/ssl/mydomain.tld.fullchain.pem"
> ```

That isn't what the wiki page you looked at suggests.

The relayd.conf(5) manual for the version of relayd in 7.9 says

             keypair name
                     The relay will attempt to look up a private key in
                     /etc/ssl/private/name:port.key and a public certificate
                     in /etc/ssl/name:port.crt, where port is the specified
                     port that the relay listens on.  If these files are not
                     present, the relay will continue to look in
                     /etc/ssl/private/name.key and /etc/ssl/name.crt.  This
                     option can be specified multiple times for TLS Server
                     Name Indication.  If not specified, a keypair will be
                     loaded using the specified IP address of the relay as
                     name.  See ssl(8) for details about TLS server
                     certificates.

                     An optional OCSP staple file will be used during TLS
                     handshakes with this server if it is found as a non-empty
                     file in /etc/ssl/name:port.ocsp or /etc/ssl/name.ocsp.
                     The file should contain a DER-format OCSP response
                     retrieved from an OCSP server for the certificate in use,
                     and can be created using ocspcheck(8).

> When I check the configuration with relayd -n, I got a syntax error at \
> that line. I don’t get why when I look at the man page, the syntax \
> seems correct.

... the syntax with "cert [filename]" was not added until after 7.9.

>
> Then, I tried the default by converting my .pem file with openssl to \
> /etc/ssl/mydomain.tld.crt, and removing the cert option of the tls \
> keypair line. This time no syntax error, but relayd fails on startup \
> and the log says fatal in ca: ca_launch: cert PEM_read_bio_X509.
>
> How can I make relayd to use my initial .pem file?
>
> I’m running OpenBSD 7.9 on amd64.

either use -current, or rename / copy the pem file. there is no need to
convert anything.

> [1] 
> https://codeberg.org/emersion/soju/src/branch/master/contrib/openbsd-relayd.md
>
>


-- 
Please keep replies on the mailing list.

Reply via email to