rset(1) : Formulas

Let's Encrypt

We start with acme-client.conf:

authority letsencrypt {
        api url "https://acme-v02.api.letsencrypt.org/directory"
        account key "/etc/acme/letsencrypt-privkey.pem"
}

authority letsencrypt-staging {
        api url "https://acme-staging-v02.api.letsencrypt.org/directory"
        account key "/etc/acme/letsencrypt-staging-privkey.pem"
}

domain scriptedconfiguration.org {
    alternative names { www.scriptedconfiguration.org }
    domain key "/etc/ssl/private/scriptedconfiguration.org.key"
    domain certificate "/etc/ssl/scriptedconfiguration.org.crt"
    domain full chain certificate "/etc/ssl/scriptedconfiguration.org.fullchain.pem"
    sign with letsencrypt
}

Next, create a minimal httpd configuration that serves the HTTP challenge letsencrypt.org will request. This is a bootstrap stage and will be replaced by a more complete configuration once we have the key and certificate for TLS:

server "default" {
    listen on egress port 80

    location "/.well-known/acme-challenge/*" {
        root "/acme"
        root strip 2
    }
}

types {
    include "/usr/share/misc/mime.types"
}

rset can now be instructed to run these steps with the following formula:

execute_with=doas

acme_client:
    # Skip once the certificate named in acme-client.conf already exists
    [ -f "/etc/ssl/scriptedconfiguration.org.crt" ] && exit
    # Bootstrap httpd so the challenge path is served on port 80
    ./rinstall www/acme-httpd.conf /etc/httpd.conf
    rcctl restart -f httpd
    ./rinstall www/acme-client.conf /etc/acme-client.conf
    acme-client scriptedconfiguration.org
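Why the bootstrap server block uses `root "/acme"` together with `root strip 2`, as an added shell example that is not part of the rset page: it models how httpd resolves a challenge request to a file, then uses that mapping for a pre-flight check before the formula calls acme-client. It assumes httpd's default chroot of /var/www, acme-client's default challenge directory /var/www/acme, and OpenBSD's ftp(1) for the fetch.

```shell
#!/bin/sh
# Added example; not part of the rset page. httpd chroots to /var/www
# (default), the bootstrap server's document root is /acme inside that
# chroot, and 'root strip 2' drops the first two request path components
# (/.well-known/acme-challenge). acme-client writes its challenge files
# to /var/www/acme by default, so both sides agree on one directory.
CHROOT=/var/www
DOCROOT=/acme
STRIP=2

# acme_challenge_file URI: print the file httpd will open for URI
# (variables are prefixed because POSIX sh has no 'local')
acme_challenge_file() {
    acf_path=${1#/}                           # drop the leading slash
    acf_n=$STRIP
    while [ "$acf_n" -gt 0 ]; do
        case $acf_path in
            */*) acf_path=${acf_path#*/} ;;   # remove one leading component
            *)   acf_path= ;;                 # fewer components than STRIP
        esac
        acf_n=$((acf_n - 1))
    done
    printf '%s%s/%s\n' "$CHROOT" "$DOCROOT" "$acf_path"
}

# check_challenge HOST: place a constructed token where acme-client would
# and fetch it back through httpd, proving the bootstrap server serves the
# challenge path. Run as root before calling acme-client; returns 0 on success.
check_challenge() {
    cc_token=$(openssl rand -hex 16)          # constructed token, not ACME data
    cc_file=$(acme_challenge_file "/.well-known/acme-challenge/$cc_token")
    printf '%s\n' "$cc_token" > "$cc_file" || return 1
    cc_got=$(ftp -o - "http://$1/.well-known/acme-challenge/$cc_token" 2>/dev/null)
    rm -f "$cc_file"
    [ "$cc_got" = "$cc_token" ]
}
```

A mismatch here (wrong chroot, wrong `root strip` count, or a directory acme-client cannot write) shows up before acme-client burns a rate-limited validation attempt.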

Once the certificate is generated, a subsequent rule can go ahead and replace /etc/httpd.conf with a configuration that includes the TLS key and certificate:

# httpd.conf
# Keep the port 80 acme-challenge server from the bootstrap stage as well,
# since acme-client needs it again for renewals.
server "scriptedconfiguration.org" {
    listen on * tls port 443

    tls {
        key "/etc/ssl/private/scriptedconfiguration.org.key"
        # serve the full chain so clients can build a path to the root
        certificate "/etc/ssl/scriptedconfiguration.org.fullchain.pem"
    }
}

Last updated on March 26, 2020