Select LetsEncrypt Client for OpenBSD6.0

Greetings! This is a quick piece on where to get a client for LetsEncrypt on OpenBSD6.0.

I had to tackle this today and wanted to capture as much as I remember to make it useful. This is what I remember:

EDIT: I had to change the prompts for the commands listed because pound char is a tag

Getting the Client:
We are going to install a package from OpenBSD repository in Boulder, CO

1.) From the shell as root: you have to set your PKG_PATH

  • export PKG_PATH=http://ftp3.usa.openbsd.org/pub/OpenBSD/6.0/packages/amd64(replace with your architecture)

2.) Make sure it can connect to the repository

  • pkg_info rt
    If it returns with something useful - great - it works.

3.) Now we install LetsEncrypt client

  • pkg_add certbot
    This will add a handful of additional programs

4.) Next we need to get our cert going for our webserver
PLEASE NOTE - I use Reyk Floeter’s excellent -httpd- server in the base package of OpenBSD. In the past I’ve used both Apache and NGINX when OpenBSD included them in the base package. Following OpenBSD through web servers was a big jump I made years ago and I’m happy I did - ok enough about me
We need to edit your /etc/httpd.conf file with nano or vi

  • nano /etc/httpd.conf
    Change/Add these lines:
    server “example.com” {
    listen on * tls port 443

      tls certificate "/etc/letsencrypt/live/example.com/fullchain.pem"
      tls key "/etc/letsencrypt/live/example.com/privkey.pem"
    
      root "/htdocs"
    

}

Don’t forget to save (ctrl-o in nano) (:wq in vi)

5.) We are ready to request our certificate.
First we stop the webserver because the script will fail due to port 443 being used

  • /etc/rc.d/httpd stop
    Next we request our cert from LetsEncrypt
  • certbot certonly -d example.com
    With a little luck - It should come back with some success.

The keys should be in place but we’ll look to be sure (you are logged in as root, aren’t you?)

  • ls -l /etc/letsencrypt/live
    You should see a folder with the domain name example.com - that’s good enough

Out of habit I always check the webserver config before starting

  • httpd -n

Lastly, restart the webserver

  • /etc/rc.d/httpd start

If it starts - then go to another browser or tab and navigate to https://example.com

I hope this works for you.

We’ll see how my renewing cron job works - I may post an update one day.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.