LetsEncrypt on OpenBSD with acme-client and nginx

Introduction

See "Enable HTTPS with acme-client(1) and Let's Encrypt on OpenBSD" and acme-client(1) for reference.

Installation notes

Create the folders if this is the first run.

mkdir -p -m 700 /etc/ssl/private
mkdir -p -m 755 /var/www/acme

Add the new domain to /etc/acme-client.conf

domain uniply.eu {
    alternative names { www.uniply.eu }
    domain key "/etc/ssl/private/uniply.eu.key"
    domain certificate "/etc/ssl/uniply.eu.crt"
    domain full chain certificate "/etc/ssl/uniply.eu.fullchain.pem"
    sign with letsencrypt
    challengedir "/var/www/acme"
}

Add the domain to nginx so it can answer the Let's Encrypt http-01 challenge, which proves ownership of the domain. The challenge is fetched over plain HTTP on port 80, so serve it there and do not redirect it to HTTPS yet; nginx will not start a "listen 443 ssl" server until a certificate exists.

server {
    listen                  80;
    server_name             www.uniply.eu uniply.eu;

    # Serve the challenge files written by acme-client over plain HTTP.
    location ^~ /.well-known/acme-challenge/ {
        alias /var/www/acme/;
    }

    # Everything else goes to HTTPS once the certificate is in place.
    location / {
        return 301 https://$server_name$request_uri;
    }
}

Restart nginx.

rcctl restart nginx

Create the certificate using acme-client.

acme-client -v uniply.eu

The key is created under /etc/ssl/private/ and the certificates under /etc/ssl/.

Update HTTPS setup to make use of the newly created certificate. Replace previous configuration.

server {
    listen                  80;
    server_name             www.uniply.eu uniply.eu;
    return 301 https://$server_name$request_uri;
}

server {
    listen                  443 ssl;
    server_name             www.uniply.eu uniply.eu;
    ssl_certificate         /etc/ssl/uniply.eu.fullchain.pem;
    ssl_certificate_key     /etc/ssl/private/uniply.eu.key;

    # intermediate configuration
    ssl_protocols           TLSv1.2 TLSv1.1 TLSv1;
    ssl_ciphers             ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;

    # HSTS
    add_header              Strict-Transport-Security "max-age=63072000" always;

    # OCSP stapling
    ssl_stapling            on;
    ssl_stapling_verify     on;

    # Google resolver
    resolver                8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout        10s;

    location ^~ /.well-known/acme-challenge/ {
        alias /var/www/acme/;
    }

    location / {
        proxy_pass          http://localhost:3009;
        proxy_redirect      off;
        proxy_set_header    Host            $host;
        proxy_set_header    X-Real-IP       $remote_addr;
        proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header    X-Forwarded-Proto $scheme;
    }
}

Restart nginx.

rcctl restart nginx

Set up automatic certificate renewal in /etc/monthly.local. acme-client exits 2 when the certificate did not need renewing (it renews only when fewer than 30 days remain), so nginx is reloaded only when a new certificate was actually written.

# renew lets encrypt certificate
acme-client uniply.eu && rcctl reload nginx
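A more explicit renewal step, added here as an example and not part of the original notes: it distinguishes the acme-client(1) exit statuses (0 renewed, 1 failure, 2 unchanged), checks the nginx configuration before reloading, and reports failures on stderr so they show up in the cron mail. The ACME_CLIENT, NGINX_CHECK and NGINX_RELOAD variables are override hooks of this script only, not acme-client or nginx options.

```sh
#!/bin/sh
# Renewal wrapper for /etc/monthly.local (sourced by /etc/monthly) or cron.
# acme-client(1) exit status: 0 = new certificate written,
# 1 = failure, 2 = certificate unchanged (no renewal needed yet).
# The three variables below are hooks of this script so it can be
# exercised without a real acme-client or nginx; defaults are the real tools.
: "${ACME_CLIENT:=acme-client}"
: "${NGINX_CHECK:=nginx -t}"
: "${NGINX_RELOAD:=rcctl reload nginx}"

# renew_cert DOMAIN
# Prints the action taken ("reloaded", "unchanged" or "failed") and
# returns non-zero only when something went wrong.
renew_cert() {
    domain=$1
    $ACME_CLIENT "$domain"
    status=$?
    case $status in
        0)
            # New certificate on disk: reload nginx so it reads the new
            # files, but only if the configuration still parses.
            if $NGINX_CHECK >/dev/null 2>&1 && $NGINX_RELOAD; then
                echo reloaded
            else
                echo "nginx check/reload failed after renewing $domain" >&2
                echo failed
                return 1
            fi
            ;;
        2)
            # Still valid for more than 30 days; nothing to do.
            echo unchanged
            ;;
        *)
            echo "acme-client failed for $domain (exit $status)" >&2
            echo failed
            return 1
            ;;
    esac
}

# Usage from /etc/monthly.local: renew_cert uniply.eu
```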

Test

Check out your domain at: https://www.ssllabs.com/ssltest/

TODO

References