Configure doas properly: OpenBSD doas

domain.ltd used in this doc should be replaced with your own domain.

Enable & Start httpd

The default OpenBSD web server, httpd, comes installed and ready to use out of the box. It only has to be configured, which is easy.

Create a new /etc/rc.conf.local, if it doesn't exist, and add these two lines:

pkg_scripts="httpd"
httpd_flags=""

Start httpd service:

doas /etc/rc.d/httpd start

If all goes well it'll output:

httpd(ok)

Install the Certbot Client

doas pkg_add certbot

Create the Cert Only

OpenBSD doesn't yet support automatic installation of Let's Encrypt certificates. You'll have to use the certonly command to obtain your certificate and configure the httpd service manually. The certbot tool does take care of installing the certificate into the proper default location.

Stop the httpd service:

doas /etc/rc.d/httpd stop

Obtain a new certificate with the certonly command, using certbot's built-in standalone web server.

(Note: one or more certificates can be generated; the number depends on your individual needs, such as the number of domains hosted. For a single domain, two certificates should be generated to cover the main domain (domain.ltd) and the www subdomain (www.domain.ltd).)

doas certbot certonly --standalone -d domain.ltd

CLI Output:

openbsd$ doas certbot certonly --standalone -d domain.ltd
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): user@domain.ltd

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for domain.ltd
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/domain.ltd/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/domain.ltd/privkey.pem
   Your cert will expire on 2019-09-08. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

The above output indicates the certificate has been issued successfully.

Two important pieces of information to note are:

  Your certificate and chain have been saved at:
  /etc/letsencrypt/live/domain.ltd/fullchain.pem

  Your key file has been saved at:
  /etc/letsencrypt/live/domain.ltd/privkey.pem

These will be used later for the manual httpd service configuration.

Automatic Renewal

Run a test before adding to cron:

doas certbot renew --dry-run

CLI output:

openbsd$ doas certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/domain.ltd.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for domain.ltd
Waiting for verification...
Cleaning up challenges


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/domain.ltd/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/domain.ltd/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.

Add a New cronjob

Add a scheduled cert renewal via a cronjob. It'll run twice a day and if no renewal is needed it won't renew.

crontab -e

and paste this:

# Certbot (a literal % must be written \% in a crontab)
0 0,12 * * * sleep $((RANDOM \% 2048)) && /usr/local/bin/certbot renew
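
The dry-run output above reports "new certificate deployed without reload", and the cron entry only runs certbot renew, so httpd keeps serving the old certificate until it is reloaded. As an added example (not part of the original page), a deploy hook that checks the renewed files and then reloads httpd; the function names and the overridable HTTPD_CHECK and HTTPD_RELOAD variables are assumptions of this example.

```sh
#!/bin/sh
# Added example: deploy hook for "certbot renew --deploy-hook <this script>".
# certbot sets RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/domain.ltd) for
# deploy hooks. The two commands are overridable so the logic can be tested.
HTTPD_CHECK=${HTTPD_CHECK:-"/usr/sbin/httpd -n"}              # config test only
HTTPD_RELOAD=${HTTPD_RELOAD:-"/usr/sbin/rcctl reload httpd"}  # load the new cert

# True when group and other have no permission bits on the file.
# -L follows the live/ symlink to the real file under archive/.
key_is_private() {
    mode=$(ls -lL -- "$1" 2>/dev/null | cut -c5-10)
    [ "$mode" = "------" ]
}

# Returns 0 after a reload, 2 for a missing chain, 3 for an exposed key,
# 4 when httpd rejects its configuration (the running process is untouched).
deploy() {
    lineage=$1
    if [ ! -s "$lineage/fullchain.pem" ]; then
        echo "deploy: $lineage/fullchain.pem missing or empty" >&2
        return 2
    fi
    if ! key_is_private "$lineage/privkey.pem"; then
        echo "deploy: $lineage/privkey.pem is group/world accessible" >&2
        return 3
    fi
    $HTTPD_CHECK || return 4
    $HTTPD_RELOAD
}

# Only act when certbot invoked us for a renewed certificate.
[ -z "${RENEWED_LINEAGE:-}" ] || deploy "$RENEWED_LINEAGE"
```

To use it, save the script root-owned and executable (for example as /usr/local/sbin/httpd-deploy-hook, a hypothetical path) and append --deploy-hook /usr/local/sbin/httpd-deploy-hook to the certbot renew command in the crontab.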

Configure httpd

Add the following lines to /etc/httpd.conf under the "default" server section at the minimum:

server "default" {
        tls {
                key "/etc/letsencrypt/live/domain.ltd/privkey.pem"
                certificate "/etc/letsencrypt/live/domain.ltd/fullchain.pem"
        }
}

http to https Redirect

Add these lines to /etc/httpd.conf under the server section where you want the redirect to apply. httpd.conf takes one directive per line, and $ext_ip is a macro that has to be defined earlier in the file:

listen on $ext_ip tls port 443
block return 301 "https://www.domain.ltd$REQUEST_URI"

It should look like this:

server "domain.ltd" {
        listen on $ext_ip tls port 443
        block return 301 "https://www.domain.ltd$REQUEST_URI"
        tls {
                key "/etc/letsencrypt/live/domain.ltd/privkey.pem"
                certificate "/etc/letsencrypt/live/domain.ltd/fullchain.pem"
        }
}

Restart httpd:

doas /etc/rc.d/httpd restart

Fully Automated with Ansible

The OpenBSD httpd web server, as described in this document, can be set up, configured, and managed in a consistent manner with Ansible.

Download the openbsd-httpd role from the following sources:

GitHub -

AnsibleGalaxy -

