Title: Nginx and acme-client on OpenBSD
Author: Solène
Date: 04 July 2019
Tags: openbsd nginx automation
Description:
I write this blog post as I spent too much time setting up nginx and
SSL on OpenBSD with acme-client, due to nginx being chrooted and not
stripping the path, and not doing it easily.
First, you need to set up **/etc/acme-client.conf** correctly. Here is
mine for the domain ports.perso.pw:
    authority letsencrypt {
        api url "https://acme-v02.api.letsencrypt.org/directory"
        account key "/etc/acme/letsencrypt-privkey.pem"
    }

    domain ports.perso.pw {
        domain key "/etc/ssl/private/ports.key"
        domain full chain certificate "/etc/ssl/ports.fullchain.pem"
        sign with letsencrypt
    }
**This example is for OpenBSD 6.6 (which is current when I write this)
because of the Let's Encrypt API URL. If you are running 6.5 or 6.4,
replace v02 with v01 in the api url.**
Then, configure nginx as follows. The most important part of the
configuration file is the location block handling acme-challenge
requests. Remember that nginx is chrooted to /var/www, so the path to
the acme directory, as seen by nginx, is `acme`.
    http {
        include mime.types;
        default_type application/octet-stream;
        index index.html index.htm;
        keepalive_timeout 65;
        server_tokens off;

        # the upstream name was lost from the original; "backend" is a placeholder
        upstream backend {
            server unix:tmp/plackup.sock;
        }

        server {
            listen 80;
            server_name ports.perso.pw;
            error_log logs/error.log info;

            # strip the well-known prefix so the token is looked up under /acme,
            # which is /var/www/acme outside the chroot (where acme-client writes)
            location /.well-known/acme-challenge/ {
                rewrite ^/.well-known/acme-challenge/(.*) /$1 break;
                root /acme;
            }

            location / {
                return 301 https://$server_name$request_uri;
            }
        }

        server {
            listen 443 ssl;
            server_name ports.perso.pw;
            access_log logs/access.log;
            error_log logs/error.log info;
            root /htdocs/;
            # full chain written by acme-client, see acme-client.conf above
            ssl_certificate /etc/ssl/ports.fullchain.pem;
            ssl_certificate_key /etc/ssl/private/ports.key;
            ssl_protocols TLSv1.1 TLSv1.2;
            ssl_prefer_server_ciphers on;
            ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
            [... stuff removed ...]
        }
    }
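As an added example (not the author's code), here is a small POSIX sh script that emulates how chrooted nginx turns an ACME challenge request into a host filesystem path, so the rewrite and root pair can be checked before running acme-client. It assumes the OpenBSD defaults of /var/www as the nginx chroot and /var/www/acme as acme-client's challenge directory, neither of which the post states explicitly.

```shell
#!/bin/sh
# Emulate the request-to-file mapping of the acme-challenge location block
# in the nginx config above. Assumed (OpenBSD defaults, not from the post):
# nginx chroot is /var/www, acme-client writes challenges to /var/www/acme.

NGINX_CHROOT=/var/www
ACME_CHALLENGEDIR=/var/www/acme

# apply_rewrite URI: emulate
#   rewrite ^/.well-known/acme-challenge/(.*) /$1 break;
# Prints the rewritten URI, or the URI unchanged when the pattern does not match.
apply_rewrite() {
    case $1 in
        /.well-known/acme-challenge/*)
            printf '/%s\n' "${1#/.well-known/acme-challenge/}" ;;
        *)
            printf '%s\n' "$1" ;;
    esac
}

# resolve_path ROOT URI: emulate `root ROOT;` inside the chroot.
# nginx joins ROOT and the (rewritten) URI relative to its chroot, so the
# path it actually opens on the host is CHROOT + ROOT + URI.
resolve_path() {
    printf '%s%s%s\n' "$NGINX_CHROOT" "$1" "$(apply_rewrite "$2")"
}

# check_root ROOT: does `root ROOT;` make nginx serve the directory that
# acme-client writes its challenge files to? Returns 0 when they match.
# `root /acme` matches; `root /var/www/acme` would resolve to
# /var/www/var/www/acme inside the chroot and the challenge would 404.
check_root() {
    path=$(resolve_path "$1" "/.well-known/acme-challenge/token")
    [ "$(dirname "$path")" = "$ACME_CHALLENGEDIR" ]
}
```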
That's all! I wish I could have found that on the Internet, so I share
it here.