rset(1) : Formulas

Let's Encrypt

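Setup on OpenBSD

First, define the domain in the acme-client configuration (installed by the rset script below as /etc/acme-client.conf):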

domain scriptedconfiguration.org {
    alternative names { www.scriptedconfiguration.org }
    domain key "/etc/ssl/private/scriptedconfiguration.org.key"
    domain certificate "/etc/ssl/scriptedconfiguration.org.crt"
    domain full chain certificate "/etc/ssl/scriptedconfiguration.org.fullchain.pem"
    sign with letsencrypt
}

Next, create a minimal httpd configuration for the letsencrypt.org challenge. This is a bootstrap stage and will be replaced by a more complete configuration once we have the keys for TLS.

server "default" {
    listen on egress port 80

    location "/.well-known/acme-challenge/*" {
        root "/acme"
        root strip 2
    }
}

types {
    include "/usr/share/misc/mime.types"
}

Finally, the rset script:

execute_with=doas

acme_client:
    # Skip this rule if the domain key named in acme-client.conf already exists
    [ -f "/etc/ssl/private/scriptedconfiguration.org.key" ] && exit
    ./rinstall wiki/acme-httpd.conf /etc/httpd.conf
    rcctl restart -f httpd
    ./rinstall wiki/acme-client.conf /etc/acme-client.conf
    acme-client -vAD scriptedconfiguration.org

Once the certificate is generated, a subsequent rule can go ahead and replace /etc/httpd.conf with a configuration that includes the TLS keys:

   # httpd.conf
   listen on * tls port 443

   tls {
       key "/etc/ssl/private/scriptedconfiguration.org.key"
       certificate "/etc/ssl/scriptedconfiguration.org.crt"
   }
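
An added example (not from the original page or the rset project): a gate for the follow-up rule described above, so that /etc/httpd.conf is only replaced once both the key and the certificate exist and the key is not readable by group or other. The function names, the candidate-config argument and the use of install(1) on a file already present on the host are assumptions.

```shell
#!/bin/sh
# Added example. Paths are passed as arguments; with the page's
# acme-client.conf they would be
#   /etc/ssl/private/scriptedconfiguration.org.key
#   /etc/ssl/scriptedconfiguration.org.crt

# Prints one of:
#   bootstrap   nothing issued yet, keep the port-80 challenge config
#   partial     key or certificate missing/invalid (e.g. acme-client
#               failed after it had already generated the key)
#   unsafe-key  private key has group/other permission bits set
#   ready       safe to switch httpd to the TLS configuration
acme_stage() {
    key=$1 crt=$2
    if [ ! -s "$key" ] && [ ! -s "$crt" ]; then
        echo bootstrap; return
    fi
    if [ ! -s "$key" ] || [ ! -s "$crt" ]; then
        echo partial; return
    fi
    # Any group/other bit on the private key is a finding.
    if [ -n "$(find "$key" \( -perm -040 -o -perm -020 -o -perm -010 \
            -o -perm -004 -o -perm -002 -o -perm -001 \) -print)" ]; then
        echo unsafe-key; return
    fi
    # PEM sanity check: the file must carry a certificate block.
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$crt"; then
        echo partial; return
    fi
    echo ready
}

# Body for a follow-up rset label. $3 is a candidate TLS httpd.conf
# already on the host (assumption). httpd -n parses it first, so a
# broken file never replaces the bootstrap configuration.
switch_to_tls() {
    [ "$(acme_stage "$1" "$2")" = ready ] || return 1
    httpd -n -f "$3" || return 1
    install -m 0644 "$3" /etc/httpd.conf && rcctl reload httpd
}
```

A "partial" result is the case the key-only check in the rule above cannot see: the key file exists, but switching to the TLS configuration would leave httpd without a certificate to load.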

Last updated on September 12, 2018