Title: Let's encrypt on OpenBSD in 5 minutes
Author: Solène
Date: 20 January 2017
Tags: security openbsd70 openbsd
Description:
Let's Encrypt is a free service that provides free SSL certificates. It is fully automated and there are a few tools to generate your certificates with it. In the following lines, I will just explain how to get a certificate in a few minutes. You can find more information on the [Let's Encrypt website](https://letsencrypt.org).
To keep it simple: the tool we will use generates some keys on the computer and sends a request to the Let's Encrypt service, which uses an HTTP challenge (there are also DNS and one other kind of challenge) to check that you really own the domain for which you want the certificate. If the challenge succeeds, you get the certificate.
**Please, if you don't understand the following commands, don't type them.**
While the following is right for OpenBSD, it may change slightly for other systems. acme-client is part of the base system; you can read the man page acme-client(1).
## Prepare your http server
For each certificate you request, you will be challenged for each domain on port 80. A file must be available at a path under "/.well-known/acme-challenge/".
You must have this in your **httpd** config file. If you use another web server, you need to adapt it.
```
server "mydomain.com" {
    root "/empty"
    listen on * port 80
    location "/.well-known/acme-challenge/*" {
        root { "/acme/" , request strip 2 }
    }
}
```
The `request strip 2` part is IMPORTANT. (I've lost 45 minutes figuring out why root "/acme/" wasn't working.)
## Prepare the folders
As stated in the acme-client man page, if you don't need to change the paths, run the following commands with root privileges:
```
# mkdir /var/www/acme
# mkdir -p /etc/ssl/acme/private /etc/acme
# chmod 0700 /etc/ssl/acme/private /etc/acme
```
## Request the certificates
As root, in the acme-client sources folder, type the following to generate the certificates. The verbose flag is interesting: you will see whether the challenge step works. If it doesn't work, try to fetch a file manually at the same path Let's Encrypt tried, and run the command again once that succeeds.
```
$ acme-client -vNn mydomain.com www.mydomain.com mail.mydomain.com
```
Now, you can use your SSL certificates for your mail server, IMAP server, FTP server, HTTP server.... There is a little drawback: if you generate certificates for a lot of domains, they are all written in the certificate. This implies that if someone visits one page and looks at the certificate, this person will know every domain you have under SSL. I think it's possible to ask for every certificate independently, but you will have to play with acme-client flags and write some kind of script to automate this.
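To see exactly what such a visitor learns, here is an added example (not part of the original post): it builds a constructed, self-signed stand-in certificate carrying the same three names, then lists every DNS name in it with openssl(1); point `cert_dns_names` at /etc/ssl/acme/fullchain.pem to check your real certificate before deploying it.

```shell
#!/bin/sh
# Added example: what an observer learns from a multi-domain certificate.
# Assumes openssl(1) is installed; the certificate generated below is a
# constructed self-signed stand-in for /etc/ssl/acme/fullchain.pem.

# Print every DNS name in the Subject Alternative Name list of the first
# certificate in a PEM file (for fullchain.pem that is your own certificate).
cert_dns_names() {
    openssl x509 -in "$1" -noout -text \
        | tr ',' '\n' \
        | sed -n 's/^ *DNS:\([^ ]*\).*/\1/p'
}

# Build a throwaway certificate ($1) and key ($2) carrying the same three
# names as the acme-client command above. Nobody trusts it; it only serves
# to show what is readable by anyone who connects to the server.
make_test_cert() {
    cfg=$(mktemp)
    cat > "$cfg" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = san
prompt = no
[dn]
CN = mydomain.com
[san]
subjectAltName = DNS:mydomain.com,DNS:www.mydomain.com,DNS:mail.mydomain.com
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$2" -out "$1" -config "$cfg" 2>/dev/null
    rm -f "$cfg"
}

dir=$(mktemp -d)
make_test_cert "$dir/cert.pem" "$dir/key.pem"
echo "Names anyone inspecting this certificate can read:"
cert_dns_names "$dir/cert.pem"
rm -rf "$dir"
```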
The certificate file is located at **/etc/ssl/acme/fullchain.pem** and contains the full certification chain (as its name suggests). The private key is located at **/etc/ssl/acme/private/privkey.pem**.
Restart the service with the certificate.
## Renew certificates
Certificates are valid for 3 months. Just type
```
./acme-client mydomain.com www.mydomain.com mail.mydomain.com
```
EASY !