OpenBSD Web server setup

HTTPS

acme-client(1), part of the base system, obtains certificates from Let's Encrypt so the site can be served over HTTPS.

Create the directory for the private keys (mode 700, since it will hold the account key and the domain key) and the directory acme-client uses for its challenge files:

	# mkdir -p -m 700 /etc/ssl/private
	# mkdir -p -m 755 /var/www/acme
	

Edit the configuration file, /etc/acme-client.conf, replacing mydomain.com with your domain:

	authority letsencrypt {
		api url "https://acme-v02.api.letsencrypt.org/directory"
		account key "/etc/ssl/private/letsencrypt.key"
	}

	domain mydomain.com {
		domain key "/etc/ssl/private/mydomain.com.key"
		domain certificate "/etc/ssl/mydomain.com.crt"
		domain full chain certificate "/etc/ssl/mydomain.com.pem"
		sign with letsencrypt
	}
	

httpd(8)

OpenBSD already ships with a web server, httpd(8). It needs a document root and a configuration file.

Create the website's root directory. httpd runs chrooted in /var/www, so the root normally lives under /var/www/htdocs and is referred to in httpd.conf by its path inside the chroot:

	# mkdir -p /var/www/htdocs/mydomain.com
	

The following configuration is enough for now: it serves the site over HTTP and HTTPS, redirects plain HTTP to HTTPS, and leaves the ACME challenge path reachable over HTTP so acme-client can prove control of the domain. For other options and settings, read the man page for httpd.conf(5). Put the following in /etc/httpd.conf:

	server "mydomain.com" {
		listen on * port 80
		root "/htdocs/mydomain.com"
		location "/.well-known/acme-challenge/*" {
			root "/acme"
			request strip 2
		}
		block return 301 "https://mydomain.com$REQUEST_URI"
	}

	server "mydomain.com" {
		listen on * tls port 443
		root "/htdocs/mydomain.com"
		tls {
			certificate "/etc/ssl/mydomain.com.pem"
			key "/etc/ssl/private/mydomain.com.key"
		}
		location "/.well-known/acme-challenge/*" {
			root "/acme"
			request strip 2
		}
	}
	

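To make the two rules of the port-80 server block explicit, here is a small model of how it dispatches a request. This is an added example, not code from the page or from httpd itself; DOMAIN and CHROOT are assumptions matching the configuration above (httpd's chroot is /var/www by default). It shows what `request strip 2` does: the first two path components of a challenge request are dropped and the remainder is looked up under root "/acme" inside the chroot, which is /var/www/acme on disk, exactly where acme-client writes its challenge files. Every other request is answered with the 301 to the same path on https.

```shell
#!/bin/sh
# Added example (not part of the original page): a model of the port-80
# server block's two rules, so that "request strip 2" and the chroot-relative
# roots can be checked against concrete request paths.
# DOMAIN and CHROOT are assumptions matching the page's httpd.conf.

DOMAIN="${DOMAIN:-mydomain.com}"
CHROOT="${CHROOT:-/var/www}"

# resolve_port80_request REQUEST_URI
# Prints "file <on-disk path>" for ACME challenges and
# "redirect 301 <url>" for everything else.
resolve_port80_request() {
	uri="$1"
	case $uri in
	/.well-known/acme-challenge/*)
		# location "/.well-known/acme-challenge/*" { root "/acme"; request strip 2 }
		# strip 2 removes "/.well-known" and "/acme-challenge"; the rest is
		# looked up under /acme inside the chroot, i.e. $CHROOT/acme on disk.
		token="${uri#/.well-known/acme-challenge/}"
		printf 'file %s/acme/%s\n' "$CHROOT" "$token"
		;;
	*)
		# block return 301 "https://mydomain.com$REQUEST_URI"
		# ($REQUEST_URI in httpd.conf includes the query string, if any)
		printf 'redirect 301 https://%s%s\n' "$DOMAIN" "$uri"
		;;
	esac
}

# Usage when run directly: pass one or more request paths as arguments.
for req in "$@"; do
	resolve_port80_request "$req"
done
```

Running it with `/.well-known/acme-challenge/sometoken` prints the file path acme-client must be able to write to; anything else prints the redirect. If the challenge location were missing from the port-80 block, every challenge request would be redirected instead, and acme-client would fail its HTTP-01 validation.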
Check the configuration for syntax errors:

	# httpd -n
	

Generate the TLS certificates. acme-client answers the HTTP-01 challenge through /var/www/acme, so httpd must already be serving port 80 when this runs:

	# acme-client -v mydomain.com
	

(Re)start the web server so it picks up the configuration and the new certificate:

	# rcctl restart httpd
	

Certificate renewal

TLS certificates from Let's Encrypt are only valid for a few months, so new ones have to be issued before the old ones expire. Rather than remembering to do this by hand, let a cron job take care of it:

	# crontab -e
	

Append the following line. It runs acme-client every day at midnight; acme-client only reissues the certificate when it is close to expiry and exits with status 2 when nothing changed, so the && means httpd is reloaded only when a new certificate was actually written:

	0 0 * * * acme-client -v mydomain.com && rcctl reload httpd
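The one-liner above treats "not due yet" (exit 2) and "failed" (exit 1) the same way: in both cases httpd is simply not reloaded, and with -v the daily run also produces cron mail even when nothing happened. The following wrapper is an added example, not code from the page, from OpenBSD or from acme-client; it reacts to each exit status separately, so that a failed renewal is reported on stderr (and therefore mailed by cron) while a routine no-op stays silent. The ACME_CLIENT and RCCTL variables are an assumed override hook that lets the logic be exercised without running the real commands.

```shell
#!/bin/sh
# Added example, not from the original page: a cron wrapper around
# acme-client(1) that handles each of its exit statuses explicitly.
# acme-client returns 0 when a certificate was (re)issued, 2 when the
# existing one is not yet due for renewal, and 1 on failure.
# ACME_CLIENT and RCCTL are an assumed override hook used for testing.

ACME_CLIENT="${ACME_CLIENT:-acme-client}"
RCCTL="${RCCTL:-rcctl}"

# renew_and_reload DOMAIN
# Exit status: 0 renewed and httpd reloaded, 2 nothing to do, 1 error.
# Only the error paths print, so cron only sends mail when something broke.
renew_and_reload() {
	domain="$1"
	if "$ACME_CLIENT" "$domain"; then
		status=0
	else
		status=$?
	fi
	case $status in
	0)
		# New certificate on disk: make httpd pick it up.
		if "$RCCTL" reload httpd; then
			return 0
		fi
		echo "renew: certificate for $domain renewed but httpd reload failed" >&2
		return 1
		;;
	2)
		# Certificate unchanged; nothing to reload, nothing to report.
		return 2
		;;
	*)
		echo "renew: acme-client failed for $domain (exit status $status)" >&2
		return 1
		;;
	esac
}

# When run directly (e.g. from cron), renew every domain given on the
# command line and exit non-zero if any of them failed.
rc=0
for d in "$@"; do
	renew_and_reload "$d" || [ $? -eq 2 ] || rc=1
done
if [ $# -gt 0 ]; then
	exit $rc
fi
```

Installed as, say, /usr/local/sbin/renew-cert (a hypothetical path), the crontab entry becomes `0 0 * * * /usr/local/sbin/renew-cert mydomain.com`; on a quiet day it produces no output at all, and on a failure the message on stderr arrives as cron mail.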