Bad com renewing certificate

I do. As you probably saw when running SSL Labs test your intermediate chain is missing.

You probably just need to use the fullchain.pem file as your certificate in your server definition in the OpenBSD httpd config.

If you want help, please show the contents of /etc/httpd.conf.

freakalicious# cat httpd.conf
prefork 5

types {
  include "/usr/share/misc/mime.types"
}

server "freakalicious.us" {
  listen on * port 80
  location "/.well-known/acme-challenge/*" {
    root "/acme"
    request strip 2
  }
  location * {
    block return 301 "https://$HTTP_HOST$REQUEST_URI"
  }
}

server "freakalicious.us" {
  listen on 127.0.0.1 port 8080
  default type text/html
  root "/htdocs/www_freakalicious"
  location "/pub/*" {
    directory auto index
  }
}

Hmm. Where is the server definition for port 443?

Or, what system / server handles HTTPS requests?


Possibly here: relayd(8) - OpenBSD manual pages

I’ve never actually used acme-client, httpd, or relayd that comes with OpenBSD.


relayd.conf:

freakalicious# cat relayd.conf
log state changes
log connection errors
prefork 5

table <httpd> { 127.0.0.1 }
table <radicale> { 127.0.0.1 }

http protocol "https" {
  tls keypair "freakalicious.us"
  return error
  match request header set "X-Forwarded-For" value "$REMOTE_ADDR"
  match request header set "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"

  # test in https://securityheaders.com
  match response header remove "Server"
  match response header append "Strict-Transport-Security" value "max-age=31536000"
  match response header append "X-Frame-Options" value "SAMEORIGIN"
  match response header append "X-XSS-Protection" value "1; mode=block"
  match response header append "X-Content-Type-Options" value "nosniff"
  match response header append "Referrer-Policy" value "strict-origin"
  match response header append "Content-Security-Policy" value "default-src https: 'unsafe-inline'"
  match response header append "Permissions-Policy" value "accelerometer=(none), camera=(none), geolocation=(none), gyroscope=(none), magnetometer=(none), microphone=(none), payment=(none), usb=(none)"

  pass request quick header "Host" value "freakalicious.us" forward to <httpd>
  pass request quick header "Host" value "dav.freakalicious.us" forward to <radicale>
}

relay "https" {
  listen on 0.0.0.0 port 443 tls
  protocol https
  forward to <httpd> port 8080
  forward to <radicale> port 5232
}

I haven't used OpenBSD httpd either, but I was going by the docs found here (and my general knowledge): Secure Webserver (httpd+SSL) | OpenBSD Handbook

Alas, that may be poor advice.

I did find this, which looks to fit this situation better.

See the section about

However, there was one small issue, my SSL Labs score was now capped at a B, with the following explanatory message:

This server’s certificate chain is incomplete. Grade capped to B

No bueno, what to do? After some googling I found this blog post which pointed me in the right direction: relayd looks for certificate chains in /etc/ssl/private/name:port.key and /etc/ssl/name:port.crt, falling back to /etc/ssl/private/name.key and /etc/ssl/name.crt respectively. My original acme-client.conf did save the full chain with a .pem extension, whereas the .crt file only contained the certificate for the specific domain. There probably would have been more elegant ways to solve this, but the easiest solution was to just store the full chain in the .crt file as mentioned above:
domain full chain certificate "/etc/ssl/citizen428.net.crt"

Back to me: in your case, in this last line for domain full chain certificate, use the path and name of the fullchain.pem your ACME client created.

Should be bueno :slight_smile:

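A quick way to confirm the diagnosis above before touching acme-client.conf: count the certificates in the .crt file relayd will actually load for the keypair name (/etc/ssl/name:port.crt, then /etc/ssl/name.crt). This is an added example, not code from the thread or from OpenBSD; the hostnames and the PEM bodies below are constructed placeholders, and the base directory argument exists only so the check can run against a copy instead of the real /etc/ssl.

```shell
#!/bin/sh
# Added example: does the .crt relayd picks up hold the chain or only the leaf?
# A leaf-only file is exactly what produces the "certificate chain is incomplete"
# SSL Labs cap described in the thread.

# Count PEM certificate blocks in a file (0 if none or unreadable).
count_certs() {
  n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true)
  printf '%s\n' "${n:-0}"
}

# Print the file relayd would load for host $1 / port $2 under base dir $3
# (default /etc/ssl): name:port.crt first, then name.crt. Fails if neither exists.
relayd_cert_path() {
  base=${3:-/etc/ssl}
  if [ -r "$base/$1:$2.crt" ]; then printf '%s\n' "$base/$1:$2.crt"
  elif [ -r "$base/$1.crt" ]; then printf '%s\n' "$base/$1.crt"
  else return 1
  fi
}

# Exit 0 = chain present, 1 = leaf only (use fullchain.pem), 2 = no file found.
check_chain() {
  f=$(relayd_cert_path "$1" "$2" "$3") || { echo "no certificate for $1:$2"; return 2; }
  n=$(count_certs "$f")
  if [ "$n" -gt 1 ]; then echo "$f: $n certificates, chain present"; return 0; fi
  echo "$f: only $n certificate, point acme-client's full chain at this path"; return 1
}

# Constructed sample files with placeholder PEM bodies (not real certificates).
DEMO=$(mktemp -d); mkdir -p "$DEMO/ssl"
cat > "$DEMO/ssl/leaf-only.example.crt" <<'EOF'
-----BEGIN CERTIFICATE-----
PLACEHOLDER-LEAF
-----END CERTIFICATE-----
EOF
cat > "$DEMO/ssl/chained.example:443.crt" <<'EOF'
-----BEGIN CERTIFICATE-----
PLACEHOLDER-LEAF
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
PLACEHOLDER-INTERMEDIATE
-----END CERTIFICATE-----
EOF

check_chain leaf-only.example 443 "$DEMO/ssl" || :   # reports leaf only
check_chain chained.example 443 "$DEMO/ssl" || :     # reports chain present
```

Run it with no base directory argument on the relayd host to check the real /etc/ssl entry for the keypair named in relayd.conf.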

Thank you so much! I'll put in the work to figure this out.

@Bruce5051 thanks to you as well!

