Title: Nginx and acme-client on OpenBSD
Author: Solène
Date: 04 July 2019
Tags: openbsd nginx automation
Description:
I am writing this blog post because I spent too much time setting up nginx and SSL on OpenBSD with acme-client: nginx is chrooted, and getting it to strip the acme-challenge path prefix is not obvious.
First, you need to set up **/etc/acme-client.conf** correctly. Here is mine for the domain ports.perso.pw:

```
authority letsencrypt {
        api url "https://acme-v02.api.letsencrypt.org/directory"
        account key "/etc/acme/letsencrypt-privkey.pem"
}

domain ports.perso.pw {
        domain key "/etc/ssl/private/ports.key"
        domain full chain certificate "/etc/ssl/ports.fullchain.pem"
        sign with letsencrypt
}
```
**This example is for OpenBSD 6.6 (which is -current as I write this) because of the Let's Encrypt API URL. If you are running 6.5 or 6.4, replace v02 with v01 in the api url.**
Then, configure nginx as follows. The most important part of the configuration file is the location block handling acme-challenge requests. Remember that nginx runs in the chroot /var/www, so the path to the acme directory is `acme` (that is, `/acme` as seen from inside the chroot).
```
http {
    include mime.types;
    default_type application/octet-stream;
    index index.html index.htm;
    keepalive_timeout 65;
    server_tokens off;

    # the upstream name did not survive extraction; "backend" is a placeholder
    upstream backend {
        server unix:tmp/plackup.sock;
    }

    server {
        listen 80;
        server_name ports.perso.pw;
        error_log logs/error.log info;

        # Let's Encrypt fetches http://ports.perso.pw/.well-known/acme-challenge/<token>;
        # strip the prefix and serve the file from /acme, which is /var/www/acme
        # outside the chroot (the directory acme-client writes challenge files to)
        location /.well-known/acme-challenge/ {
            rewrite ^/.well-known/acme-challenge/(.*) /$1 break;
            root /acme;
        }

        # everything else is redirected to HTTPS
        location / {
            return 301 https://$server_name$request_uri;
        }
    }

    server {
        listen 443 ssl;
        server_name ports.perso.pw;
        access_log logs/access.log;
        error_log logs/error.log info;
        root /htdocs/;
        # the certificate written by acme-client (see acme-client.conf above)
        ssl_certificate /etc/ssl/ports.fullchain.pem;
        ssl_certificate_key /etc/ssl/private/ports.key;
        ssl_protocols TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";

        [... stuff removed ...]
    }
}
```
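As an added check that is not part of the original post: the script below mirrors the rewrite/root pair in plain sh (mapping a challenge URI to the file nginx will serve from inside the /var/www chroot) and, when run with the `check` argument on the server itself, drops a dummy token into /var/www/acme and fetches it back through nginx on port 80 with OpenBSD's ftp(1), the same way Let's Encrypt would. The domain and the /var/www/acme path come from the post; the function names and the dummy token are my own.

```shell
#!/bin/sh
# Added self-check, not from the original post. Assumes nginx is chrooted
# in /var/www and acme-client writes challenges to /var/www/acme (the
# OpenBSD default); DOMAIN is the one used in the post.
DOMAIN="ports.perso.pw"
CHROOT="/var/www"
ACME_DIR="acme"   # the 'acme' directory inside the chroot

# Map a request URI to the file nginx serves for it, mirroring
#   rewrite ^/.well-known/acme-challenge/(.*) /$1 break;  root /acme;
# The prefix is stripped and the token is looked up under
# $CHROOT/$ACME_DIR. Prints nothing and returns 1 for any other URI,
# or for a token that is empty or could leave the directory
# (real ACME tokens are plain base64url strings, so no '/' or '..').
challenge_file() {
    uri="$1"
    case "$uri" in
        /.well-known/acme-challenge/*)
            token="${uri#/.well-known/acme-challenge/}" ;;
        *)
            return 1 ;;
    esac
    case "$token" in
        ""|.|*/*|*..*) return 1 ;;
    esac
    printf '%s/%s/%s\n' "$CHROOT" "$ACME_DIR" "$token"
}

# End-to-end check: write a dummy token where acme-client would put it,
# then fetch it over HTTP through nginx and compare. Needs root for the
# write and a reachable DOMAIN; returns 0 only if the content matches.
check_challenge() {
    token="selftest-$$"
    file=$(challenge_file "/.well-known/acme-challenge/$token") || return 1
    echo "ok-$token" > "$file" || return 1
    got=$(ftp -o - "http://$DOMAIN/.well-known/acme-challenge/$token" 2>/dev/null)
    rm -f "$file"
    [ "$got" = "ok-$token" ]
}

if [ "${1:-}" = "check" ]; then
    if check_challenge; then
        echo "challenge directory is reachable through nginx"
    else
        echo "challenge request did not reach $CHROOT/$ACME_DIR" >&2
        exit 1
    fi
fi
```

Run it as `sh check-acme.sh check` on the server before the first `acme-client -v ports.perso.pw`; a failure here means the location block or the chroot path is wrong, not the certificate request.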
That's all! I wish I could have found this on the Internet, so I am sharing it here.