IRCNow

Differences

openbsd:acme-client, revision 2019/11/10 12:05 by jrmu, compared with revision 2020/08/12 00:50 by jrmu
Line 1: Line 1:
 In order to provide proper TLS for your services, you will need a certificate signed by a trusted certificate authority (CA). The easiest option for now is to use the Let's Encrypt client by acme-client. In order to provide proper TLS for your services, you will need a certificate signed by a trusted certificate authority (CA). The easiest option for now is to use the Let's Encrypt client by acme-client.
 +
 +==== Howto ====
 +You will need to set up a httpd server in order for the acme-client to work. It is recommended to use openhttpd, click [[openbsd:​www:​openhttpd|here]] to find out how to set up openhttpd.
  
 First, copy the /​etc/​examples/​acme-client.conf template: First, copy the /​etc/​examples/​acme-client.conf template:
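Review bot: the new Howto paragraph says a web server is required but not why, and that reasoning is exactly what a reader needs when a run fails: acme-client proves control of the name with the ACME http-01 challenge, so Let's Encrypt's validators must be able to fetch http://example.com/.well-known/acme-challenge/<token> over plain HTTP on port 80, and the stock /etc/examples/httpd.conf maps that location to /acme inside the /var/www chroot, which is where acme-client writes the token file. Suggest stating that in one sentence and adding that the host name must already resolve to this machine's public address before the first run. Also, acme-client(1) is OpenBSD's own client shipped in the base system, not a client provided by Let's Encrypt; "the Let's Encrypt client by acme-client" should read something like "OpenBSD's acme-client(1), using Let's Encrypt as the signing authority".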
Line 9: Line 12:
 <​code>​ <​code>​
 authority letsencrypt { authority letsencrypt {
-        api url "​https://​acme-v01.api.letsencrypt.org/​directory"​+        api url "​https://​acme-v02.api.letsencrypt.org/​directory"​
         account key "/​etc/​acme/​letsencrypt-privkey.pem"​         account key "/​etc/​acme/​letsencrypt-privkey.pem"​
 } }
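Review bot: the change from acme-v01 to acme-v02 needs one sentence of explanation, or readers copying from older guides will put the v01 URL back: acme-v01 is the legacy ACMEv1 API, which Let's Encrypt closed to new account registrations in November 2019 and has since retired, and acme-client was rewritten for ACMEv2 (RFC 8555) in OpenBSD 6.6, so the v01 directory simply fails against a current system. Two practical additions belong in this block as well: point "api url" at https://acme-staging-v02.api.letsencrypt.org/directory while a configuration is still being debugged, because the production endpoint rate-limits repeated issuance for the same names, and run "doas acme-client -n example.com" to syntax-check the file before the first real request. The account key named here is the identity that Let's Encrypt ties all of your authorizations to, so it should stay readable by root only and should not end up in world-readable backups.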
Line 41: Line 44:
  
 <​code>​ <​code>​
-$ doas acme-client -AFDv example.com+$ doas acme-client -Fv example.com
 </​code>​ </​code>​
  
 +==== Troubleshooting ====
 If you run into errors, check to make sure: If you run into errors, check to make sure:
  
-  ​[[openbsd:​nsd|DNS]] is configured properly. +  ​[[openbsd:​nsd|DNS]] is configured properly.  
-  ​The [[openbsd:​openhttpd|web server]] is configured properly. +  ​The [[openbsd:www:​openhttpd|web server]] is configured properly. ​You **must** have a web server in order for the acme-client to work. (Don't be confused here if your web server seems not running in a web browser: the example config redirects all visits to the https port, that may not yet be working yet.) 
-  ​You have the proper permissions set on the folders in /var/www/+  ​You have the proper permissions set on the folders in /var/www/. An example output would be, 
 +<​code>​ 
 +$ ls -l /var | grep www 
 +drwxr-xr-x ​ 11 root     ​daemon ​    512 Mar 28 05:28 www 
 +$ ls -l /var/www 
 +total 36 
 +drwxr-xr-x ​ 2 root  daemon ​ 512 Mar 28 22:16 acme 
 +drwxr-xr-x ​ 2 root  daemon ​ 512 Mar 14 06:12 bin 
 +drwx-----T ​ 2 www   ​daemon ​ 512 Oct 12 12:34 cache 
 +drwxr-xr-x ​ 2 root  daemon ​ 512 Mar 14 06:12 cgi-bin 
 +drwxr-xr-x ​ 2 root  daemon ​ 512 Mar 14 06:03 conf 
 +drwxr-xr-x ​ 3 root  daemon ​ 512 Oct 12 12:34 htdocs 
 +drwxr-xr-x ​ 2 root  daemon ​ 512 Mar 29 00:00 logs 
 +drwxr-xr-x ​ 2 root  daemon ​ 512 Oct 12 12:34 run 
 +</​code>​ 
 +  * Your firewall is not configured to block Let's Encrypt certification verification process. Typically it will initiate a few servers to connect to port 80 on your server. 
 + 
 +==== Successful outcomes ==== 
 +A successful outcome would result in: 
 +  * A ASCII text file, suffixed with .key with your hostname in /​etc/​ssl/​private e.g. 
 +<​code>​ 
 +$ doas ls -l /​etc/​ssl/​private 
 +-r-------- ​ 1 root  wheel  3272 Mar 28 22:16 example.com.key 
 +</​code>​ 
 +  * A PEM certificate under /etc/ssl e.g. 
 +<​code>​ 
 +$ ls -l /​etc/​ssl/​*.pem 
 +-r--r--r-- ​ 1 root  wheel    3937 Mar 28 22:16 example.com.fullchain.pem 
 +</​code>​ 
 + 
 +It would have the following output of running acme-client,​ generating a certificate for example.com 
 +<​code>​ 
 +acme-client:​ /​etc/​ssl/​private/​example.com.key:​ generated RSA domain key 
 +acme-client:​ /​etc/​acme/​letsencrypt-privkey.pem:​ generated RSA account key 
 +acme-client:​ https://​acme-v02.api.letsencrypt.org/​directory:​ directories 
 +acme-client:​ acme-v02.api.letsencrypt.org:​ DNS: 172.65.32.248 
 +acme-client:​ 172.65.32.248:​ tls_close: EOF without close notify 
 +acme-client:​ 172.65.32.248:​ tls_close: EOF without close notify 
 +acme-client:​ dochngreq: https://​acme-v02.api.letsencrypt.org/​acme/​authz-v3/​3674632835 
 +acme-client:​ 172.65.32.248:​ tls_close: EOF without close notify 
 +acme-client:​ challenge, token: mylkLrPXTvdyiTbDDybKy7M-0JyqiBr0nOg8UXnJ0uDL,​ uri: https://​acme-v02.api.letsencrypt.org/​acme/​chall-v3/​3674632835/​-1tUXQ,​ status: 0 
 +acme-client:​ /​var/​www/​acme/​mylkLrPXTvdyiTbDDybKy7M-0JyqiBr0nOg8UXnJ0uDL:​ created 
 +acme-client:​ https://​acme-v02.api.letsencrypt.org/​acme/​chall-v3/​3674632835/​-1tUXQ:​ challenge 
 +acme-client:​ 172.65.32.248:​ tls_close: EOF without close notify 
 +acme-client:​ 172.65.32.248:​ tls_close: EOF without close notify 
 +acme-client:​ order.status 0 
 +acme-client:​ dochngreq: https://​acme-v02.api.letsencrypt.org/​acme/​authz-v3/​3674632835 
 +acme-client:​ 172.65.32.248:​ tls_close: EOF without close notify 
 +acme-client:​ challenge, token: mylkLrPXTvdyiTbDDybKy7M-0JyqiBr0nOg8UXnJ0uDL,​ uri: https://​acme-v02.api.letsencrypt.org/​acme/​chall-v3/​3674632835/​-1tUXQ,​ status: 2 
 +acme-client:​ 172.65.32.248:​ tls_close: EOF without close notify 
 +acme-client:​ order.status 1 
 +acme-client:​ https://​acme-v02.api.letsencrypt.org/​acme/​finalize/​81817869/​2815341474:​ certificate 
 +acme-client:​ 172.65.32.248:​ tls_close: EOF without close notify 
 +acme-client:​ 172.65.32.248:​ tls_close: EOF without close notify 
 +acme-client:​ order.status 3 
 +acme-client:​ https://​acme-v02.api.letsencrypt.org/​acme/​cert/​vxsJMODZOeZxwiuyq9Bz6jqgoRRRUak8ZQ3ob:​ certificate 
 +acme-client:​ 172.65.32.248:​ tls_close: EOF without close notify 
 +acme-client:​ /​etc/​ssl/​example.com.fullchain.pem:​ created 
 +</​code>​ 
 + 
 +==== Common errors ==== 
 + 
 +If you change the domains, you need to move the cert and request again
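Review bot: dropping -A and -D matches the current acme-client(1) synopsis, which is [-Fnrv], and the added verbose log confirms the new behaviour (the lines "generated RSA domain key" and "generated RSA account key" appear because missing keys are now created automatically), but -F must be called out as a first-run flag only: it forces re-issuance even when the existing certificate is nowhere near expiry, so a cron entry that keeps -F re-issues on every run and will hit Let's Encrypt's duplicate-certificate rate limit. The scheduled renewal should be "doas acme-client -v example.com", which exits without contacting the CA unless fewer than 30 days remain, followed by a reload of whatever consumes the certificate, for example "doas rcctl reload httpd"; the "Successful outcomes" section checks only that files exist under /etc/ssl and should say that services pick the new file up only after a reload. Three smaller points on the added sections. The "tls_close: EOF without close notify" lines in the sample output are harmless noise from the remote end closing the connection without a TLS close_notify, and "status: 0" followed by "status: 2" is the challenge moving from pending to valid, with "order.status 0", "1" and "3" being pending, ready and valid; saying so stops readers treating a successful run as an error. The firewall bullet should say concretely to allow inbound TCP port 80 from any source, because Let's Encrypt validates from several vantage points whose addresses are not published, so an allow-list of validator IPs is not an option. Finally, the "Common errors" line is a fragment; spell out the procedure: move the old /etc/ssl/example.com.fullchain.pem aside (and the key under /etc/ssl/private if a fresh key is wanted, since acme-client generates a new one when it is missing), update the alternative names in the domain block, and run acme-client again.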