OpenBSD Web server setup

tags: bsd · tutorials

HTTPS

acme-client(1) obtains TLS certificates from Let's Encrypt, which is what we need for HTTPS.

Create the certificate directories:

# mkdir -p -m 700 /etc/ssl/private
# mkdir -p -m 755 /var/www/acme

Edit /etc/acme-client.conf. Replace example.org with your domain.

authority letsencrypt {
	api url "https://acme-v02.api.letsencrypt.org/directory"
	account key "/etc/ssl/private/letsencrypt.key"
}

domain example.org {
	domain key "/etc/ssl/private/example.org.key"
	domain certificate "/etc/ssl/example.org.crt"
	domain full chain certificate "/etc/ssl/example.org.pem"
	sign with letsencrypt
}

httpd(8)

OpenBSD already ships with its own web server, httpd. Setting it up takes the following steps:

Create the website’s root directory. It should normally reside under /var/www/htdocs. Note that httpd runs chrooted to /var/www, which is why the root paths in httpd.conf below omit that prefix.

# mkdir -p /var/www/htdocs/example.org

The following configuration will suffice for now: it serves the website over both HTTP and HTTPS, redirects HTTP to HTTPS automatically, and keeps the ACME challenge path reachable over plain HTTP so that acme-client can renew the certificate. If you want to learn more or see what other options and settings are available, read the httpd.conf(5) manual page. Inside /etc/httpd.conf we’ll write the following:

server "example.org" {
	listen on * port 80
	root "/htdocs/example.org"
	location "/.well-known/acme-challenge/*" {
		root "/acme"
		request strip 2
	}
	block return 301 "https://example.org$REQUEST_URI"
}

server "example.org" {
	listen on * tls port 443
	root "/htdocs/example.org"
	tls {
		certificate "/etc/ssl/example.org.pem"
		key "/etc/ssl/private/example.org.key"
	}
	location "/.well-known/acme-challenge/*" {
		root "/acme"
		request strip 2
	}
}

Generate the TLS certificates:

# acme-client -v example.org

Test to see if the configuration is correct:

# httpd -n

(Re)start the web server:

# rcctl restart httpd
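As an added example (not from this page), a small sh pre-flight check that the tls paths in httpd.conf are the ones acme-client writes; the two configs are embedded as constructed strings so it runs offline, and first_quoted and check_paths are hypothetical helper names. The usual mistake it catches is pointing httpd at the leaf-only .crt instead of the full chain .pem, which breaks validation for clients that lack the intermediate certificate.

```shell
#!/bin/sh
# Added example, not part of the page: check that httpd.conf's tls paths are the
# ones acme-client writes. Both configs are embedded as constructed strings so it
# runs offline; on a real host read them from /etc/acme-client.conf and /etc/httpd.conf.

# Constructed copy of the domain block from this tutorial's acme-client.conf.
ACME_CONF='domain example.org {
    domain key "/etc/ssl/private/example.org.key"
    domain certificate "/etc/ssl/example.org.crt"
    domain full chain certificate "/etc/ssl/example.org.pem"
    sign with letsencrypt
}'

# Constructed copy of the tls server block from this tutorial's httpd.conf.
HTTPD_CONF='server "example.org" {
    listen on * tls port 443
    tls {
        certificate "/etc/ssl/example.org.pem"
        key "/etc/ssl/private/example.org.key"
    }
}'

# first_quoted CONFIG PATTERN: print the quoted value on the first line matching PATTERN.
first_quoted() {
    printf '%s\n' "$1" | awk -v pat="$2" \
        '$0 ~ pat { if (match($0, /"[^"]*"/)) print substr($0, RSTART + 1, RLENGTH - 2); exit }'
}

# check_paths ACME_CONF HTTPD_CONF: succeed only if httpd serves acme-client's
# full chain certificate (not the leaf-only .crt) together with the matching key.
check_paths() {
    chain=$(first_quoted "$1" 'domain full chain certificate')
    akey=$(first_quoted "$1" 'domain key')
    cert=$(first_quoted "$2" '^[[:space:]]*certificate')
    hkey=$(first_quoted "$2" '^[[:space:]]*key')
    [ -n "$chain" ] && [ "$chain" = "$cert" ] && [ "$akey" = "$hkey" ]
}

if check_paths "$ACME_CONF" "$HTTPD_CONF"; then
    echo "ok: httpd.conf uses acme-client's full chain certificate and key"
else
    echo "mismatch: httpd.conf tls paths differ from acme-client.conf" >&2
fi
```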

Certificate renewal

TLS certificates expire after a few months, so new ones must be issued before they do. Rather than having to remember this and generate them by hand, a cron job does it automatically:

# crontab -e

Append the following line. Because acme-client exits with a non-zero status when no certificate was changed, the && makes httpd reload only when a new certificate was actually issued:

0 0 * * * acme-client -v example.org && rcctl reload httpd