rset(1) : Formulas

Let's Encrypt

We start with acme-client.conf

authority letsencrypt {
        api url ""
        account key "/etc/acme/letsencrypt-privkey.pem"
}

authority letsencrypt-staging {
        api url ""
        account key "/etc/acme/letsencrypt-staging-privkey.pem"
}

domain {
    alternative names { }
    domain key "/etc/ssl/private/"
    domain certificate "/etc/ssl/"
    domain full chain certificate "/etc/ssl/"
    sign with letsencrypt
}

Next, create a minimal httpd configuration for the challenge. This is a bootstrap stage and will be replaced by a more complete configuration after we have the keys for TLS.

server "default" {
    listen on egress port 80

    location "/.well-known/acme-challenge/*" {
        root "/acme"
        root strip 2
    }
}

types {
    include "/usr/share/misc/mime.types"
}

The steps for rset to run can now be written like so:


    [ -f "/etc/ssl/acme/private/privkey.pem" ] && exit
    ./rinstall www/acme-httpd.conf /etc/httpd.conf
    rcctl restart -f httpd
    ./rinstall www/acme-client.conf /etc/acme-client.conf

Once the cert is generated, a subsequent rule can go ahead and replace /etc/httpd.conf with a config that includes the TLS keys:

   # httpd.conf
   listen on * tls port 443

   tls {
       key "/etc/ssl/private/"
       certificate "/etc/ssl/"
   }
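
The `[ -f ... ] && exit` guard and the later switch to the TLS configuration both assume the key and certificate on disk are usable. The following is an added example, not part of rset or of the original formula: a shell function a rule could use to decide which stage to install. The name `httpd_stage`, the key and certificate paths passed as arguments, `www/httpd.conf`, and the presence of openssl(1) on the target host are assumptions.

```shell
#!/bin/sh
# Added example: choose which httpd.conf stage a rule should install.
# Paths are arguments because the formula's own paths are not shown in full.

# Print "tls" only when the key/certificate pair is safe to reference from
# httpd.conf; otherwise print "bootstrap" so the port 80 challenge
# configuration stays in place.
httpd_stage() {
    key=$1 cert=$2

    # Both files must exist and be non-empty; a bare [ -f ] test would
    # accept a zero-length file left behind by an interrupted run.
    [ -s "$key" ] && [ -s "$cert" ] || { echo bootstrap; return 0; }

    # The private key must not be accessible to group or other.
    # Characters 5-10 of the ls mode string are the group/other bits.
    perms=$(ls -ldL "$key" | cut -c5-10)
    [ "$perms" = "------" ] || { echo bootstrap; return 0; }

    # The certificate must carry the public half of this key; a mismatched
    # pair cannot serve TLS. Fail closed when openssl is unavailable.
    command -v openssl >/dev/null 2>&1 || { echo bootstrap; return 0; }
    kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || kpub=
    cpub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || cpub=
    if [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]; then
        echo tls
    else
        echo bootstrap
    fi
}

# Use inside a rule (www/httpd.conf is a hypothetical name for the full
# TLS configuration; KEY and CERT are the paths from acme-client.conf):
#   case $(httpd_stage "$KEY" "$CERT") in
#       tls) ./rinstall www/httpd.conf /etc/httpd.conf ;;
#       *)   ./rinstall www/acme-httpd.conf /etc/httpd.conf ;;
#   esac
```

Because every failed check falls back to `bootstrap`, a half-written or mismatched pair leaves the challenge server running instead of installing a TLS configuration that points at an unusable key.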

Last updated on March 26, 2020