SSL/TLS On OpenBSD httpd

TLS (Transport Layer Security) is the successor of SSL (Secure Sockets Layer). TLS encrypts all of the data sent between you (the client) and a secure web server. In this tutorial, I will show you how to get a free 90 day SSL certificate for your server from Let's Encrypt. They are still called SSL certificates even though we are going to be using TLS. If you would prefer a 1 year SSL certificate, you will have to purchase one. Here, you are going to use OpenBSD's acme-client to generate the SSL certificate for your server. In addition to encrypting data between you and the server, a valid SSL certificate also lets the client verify that the site it is talking to is genuinely the site named in the certificate.
So, let's get started. The first thing to do is start the web server. Below is a simple initial configuration for /etc/httpd.conf, used only to serve the Let's Encrypt challenge files over plain HTTP before we make the certificate signing request. (The original used "root strip 2" here; current httpd.conf(5) spells that directive "request strip 2", as the later configuration on this page does.)

    server "default" {
        listen on * port 80
        # acme-client writes challenge files under /var/www/acme;
        # httpd is chrooted to /var/www, so "/acme" is that directory
        location "/.well-known/acme-challenge/*" {
            root "/acme"
            request strip 2
        }
    }
Next, enable the web server so it starts automatically at boot, and start it now.

    # rcctl enable httpd
    # rcctl start httpd
Below are the contents that configure acme-client for generating an SSL certificate. Change the instances of openbsd.mywire.org (my site) to your domain name, and save the contents in a file called /etc/acme-client.conf.

    authority letsencrypt {
        api url "https://acme-v02.api.letsencrypt.org/directory"
        account key "/etc/acme/letsencrypt-privkey.pem"
    }

    authority letsencrypt-staging {
        api url "https://acme-staging-v02.api.letsencrypt.org/directory"
        account key "/etc/acme/letsencrypt-staging-privkey.pem"
    }

    domain openbsd.mywire.org {
        alternative names { openbsd.mywire.org }
        domain key "/etc/ssl/private/openbsd.mywire.org.key"
        domain full chain certificate "/etc/ssl/openbsd.mywire.fullchain.pem"
        sign with letsencrypt
    }
Once /etc/acme-client.conf is in place, generate your certificate. The argument must match the name of the domain block in that file (openbsd.mywire.org in the example above):
# acme-client yoursite.com
This generates /etc/ssl/openbsd.mywire.fullchain.pem and /etc/ssl/private/openbsd.mywire.org.key. *IMPORTANT* Once the files are generated, you will have to chmod 600 /etc/ssl/private/openbsd.mywire.org.key. This is very important: httpd will not be able to load your private key if you miss this step.

Now that we have our certificate and key in place, we will configure httpd to use them. Below are the contents that go in /etc/httpd.conf.
    server "default" {
        listen on * tls port 443
        tls {
            certificate "/etc/ssl/openbsd.mywire.fullchain.pem"
            key "/etc/ssl/private/openbsd.mywire.org.key"
        }
        root "/htdocs"
        directory index "index.html"
        # keep serving challenges so the certificate can be renewed later
        location "/.well-known/acme-challenge/*" {
            request strip 2
            root "/acme"
        }
    }

    server "default" {
        listen on * port 80
        block return 301 "https://openbsd.mywire.org$REQUEST_URI"
        location "/.well-known/acme-challenge/*" {
            root "/acme"
            request strip 2
        }
    }

This sets up httpd to use the SSL certificate on your secure server. The last block redirects (HTTP 301) requests for http://yoursite.com on port 80 to https://yoursite.com on port 443, except for the acme-challenge path, which is still served over plain HTTP so Let's Encrypt can validate the domain. Restart httpd to load the new configuration:
# rcctl restart httpd
Here's a script to check your cert; alternatively, if all you need is the expiration date of your cert, the command below will print that information.
# curl https://openbsd.mywire.org -vI --stderr - | grep expire
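The two things this tutorial tells you to get right are the 0600 mode on the private key and the expiry of the 90 day certificate. The following script checks both; it is an added example, not part of the original tutorial, and uses only the Python standard library. The host name and key path are the tutorial's own (replace them with yours); the 30 day warning threshold is my assumption.

```python
"""Check the private key mode and the certificate expiry for an httpd/acme-client setup.

Added example (not from the original tutorial). Standard library only.
"""
import os
import socket
import ssl
import stat
import time

KEY_PATH = "/etc/ssl/private/openbsd.mywire.org.key"   # tutorial's path; use yours
HOST = "openbsd.mywire.org"                            # tutorial's host; use yours
WARN_DAYS = 30   # assumption: warn when less than 30 of the 90 days remain


def mode_is_owner_only(st_mode):
    """True if the permission bits of st_mode are exactly 0600 (owner rw only)."""
    return stat.S_IMODE(st_mode) == 0o600


def key_mode_ok(path):
    """True if the key file on disk has the 0600 mode the tutorial requires."""
    return mode_is_owner_only(os.stat(path).st_mode)


def days_remaining(not_after, now=None):
    """Days until a certificate's notAfter value, in the format ssl.getpeercert()
    returns it, e.g. 'Mar 16 12:00:00 2025 GMT'. Negative means already expired."""
    expiry = ssl.cert_time_to_seconds(not_after)   # parsed as UTC
    now = time.time() if now is None else now
    return (expiry - now) / 86400


def fetch_not_after(host, port=443, timeout=10):
    """Open a verified TLS connection and return the leaf certificate's notAfter."""
    ctx = ssl.create_default_context()   # verifies the chain and the host name
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def main():
    if not key_mode_ok(KEY_PATH):
        print(f"WARNING: {KEY_PATH} is not mode 0600; httpd will not load it")
    left = days_remaining(fetch_not_after(HOST))
    if left < WARN_DAYS:
        print(f"WARNING: certificate for {HOST} expires in {left:.1f} days")
    else:
        print(f"certificate for {HOST} is valid for another {left:.1f} days")


if __name__ == "__main__":
    main()
```

Run it as root (the key is only readable by root) from cron a few times a week to catch a certificate that was never renewed before it expires.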
This concludes the tutorial. If everything has gone right, you will now have a TLS enabled website.