.Dd Created:2025-10-03|Updated:2025-10-06|
.de ocsi
\\$* ,
..
.de oxr
.ocsi .Xr \\$*
..
.de oit
.It \\$*
..
.de obdi
.Bl -dash -compact
.oit \\$*
..
.de obdl
.Bd -literal -compact \\$*
..
.de onote
.Bl -hang -compact
.oit \\$*
.El
..
.de ocomm
.Bl -diag -compact
.oit \\$*
.El
..
.de opsy
.Pp
.Sy - \\$*
..
.de obc
.Bl -column \\$*
..
.de obc2
.obc opt desc
..
.de obc3
.obc option arguments description
..
.Dt SSL oh
.Os OpenBSD 7.7|
.Nm ssl
.Nd configuration
.Sh GENERATION
.Bl -enum -compact
.oit If /etc/acme-client.conf does not exist:
.Dl cp /etc/examples/acme-client.conf /etc/
.oit Edit /etc/acme-client.conf:
.Bl -enum -compact
.oit Comment out the buypass sections.
.oit Change example.com to the corresponding domain.
.El
.oit Create the following directories if they are not present:
.obdl
mkdir -p -m 700 /etc/acme
mkdir -p -m 700 /var/www/acme
mkdir -p -m 700 /etc/ssl/acme/private
.Ed
.oit Add the following to httpd.conf:
.obdl
location "/.well-known/acme-challenge/*" {
	root "/acme"
	request strip 2
}
.Ed
.oit Verify the httpd config and restart httpd:
.Dl httpd -n && rcctl restart httpd
.oit Run acme-client to create the certificate and key:
.Dl acme-client -v [SERVER].com
.oit Back up the important files:
.Bl -dash -compact
.oit
.Pa /etc/acme/letsencrypt-privkey.pem
.oit
.Pa /etc/ssl/private/[SERVER].com.key
.oit
.Pa /etc/ssl/[SERVER].com.fullchain.pem
.El
.oit Schedule renewal with cron as shown in acme-client(1):
.Dl ~ * * * * acme-client [SERVER].com && rcctl reload httpd
.oit Update httpd.conf:
.obdl
listen on egress tls port 443
tls {
	certificate "/etc/ssl/[SERVER].com.fullchain.pem"
	key "/etc/ssl/private/[SERVER].com.key"
}
.Ed
.oit Verify the httpd config and restart httpd:
.Dl httpd -n && rcctl restart httpd
.El
.Sh EXAMPLE
.obdl
server "[SERVER].com" {
	alias "www.[SERVER].com"
	listen on egress port 80
	listen on egress tls port 443
	location "/.well-known/acme-challenge/*" {
		root "/acme"
		request strip 2
	}
	root "/htdocs/[SERVER]"
	errdocs "/htdocs/[SERVER]/errors/"
	tls {
		certificate "/etc/ssl/[SERVER].com.fullchain.pem"
		key "/etc/ssl/private/[SERVER].com.key"
	}
}
.Ed
.Sh SEE ALSO
.oxr web oh
.Xr httpd oh
.opsy OpenBSD manpages:
.Xr acme-client 1
.El
.Ss links
.obc2
.It - Lk https://www.openbsdhandbook.com/services/webserver/ssl/ OpenBSD Handbook - httpd
.It - Lk https://romanzolotarev.com/openbsd/acme-client.html roman zolotarev - Enable HTTPS with acme-client(1) and Let's Encrypt on OpenBSD
.El
.Sh AUTHORS
.An -nosplit
.Xr ohazot oh |
.Xr about oh |
.Lk https://ohazot.com ohazot.com
.Aq Mt admin@ohazot.com
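A pre-flight check for the GENERATION steps above, as an added POSIX sh example that is not part of these notes: it verifies that the three directories exist with mode 700 and that an httpd.conf carries the acme-challenge location and the fullchain/key paths acme-client writes for a domain. The prefix argument and the scratch tree built by make_sample_tree are constructed for demonstration; on a live system call check_acme_dirs with no prefix and check_httpd_conf on /etc/httpd.conf.

```shell
#!/bin/sh
# Added example (not from the notes): pre-flight checks for the acme-client and
# httpd setup above. The prefix argument and the tree built by make_sample_tree
# are constructed so the checks can run against a scratch copy of the layout.
# True if $1 is a directory with mode 700 (drwx------), as mkdir -p -m 700 sets.
dir_is_700() {
	[ -d "$1" ] || return 1
	[ "$(ls -ld "$1" | cut -c1-10)" = "drwx------" ]
}
# Check the three directories the notes create, under optional prefix $1.
check_acme_dirs() {
	rc=0
	for d in /etc/acme /var/www/acme /etc/ssl/acme/private; do
		dir_is_700 "$1$d" || { echo "BAD: $1$d missing or not mode 700" >&2; rc=1; }
	done
	return $rc
}
# Check that httpd.conf ($1) serves the ACME challenge and references the
# fullchain/key files acme-client writes for domain $2 (fixed-string matches).
check_httpd_conf() {
	for want in 'location "/.well-known/acme-challenge/*"' 'request strip 2' \
		"certificate \"/etc/ssl/$2.fullchain.pem\"" "key \"/etc/ssl/private/$2.key\""; do
		grep -qF -- "$want" "$1" || { echo "BAD: $1 lacks: $want" >&2; return 1; }
	done
}
# Build a constructed scratch tree matching the notes; prints its path.
make_sample_tree() {
	t=$(mktemp -d) || return 1
	for d in /etc/acme /var/www/acme /etc/ssl/acme/private; do
		mkdir -p -m 700 "$t$d"
	done
	cat > "$t/etc/httpd.conf" <<'EOF'
server "example.com" {
	listen on egress tls port 443
	location "/.well-known/acme-challenge/*" {
		root "/acme"
		request strip 2
	}
	tls {
		certificate "/etc/ssl/example.com.fullchain.pem"
		key "/etc/ssl/private/example.com.key"
	}
}
EOF
	echo "$t"
}
t=$(make_sample_tree)
check_acme_dirs "$t" && check_httpd_conf "$t/etc/httpd.conf" example.com && echo "sample tree OK"
```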