Let’s Encrypt Apache using OpenBSD
The other day, I discovered that my StartSSL certificate was not trusted
anymore. That caused one of my vhosts to display the "Your connection is not secure"
alert page. Here’s how I switched to Let’s Encrypt using Apache 2.4 and
OpenBSD 6.1.
The great news is that OpenBSD ships with acme-client(1). This tool will
allow us to generate and maintain valid certificates.
Prepare Apache HTTP Server
Let’s Encrypt’s infrastructure will ensure that you own the domain you’re generating certificates for. This is done by exchanging temporary files over HTTP. It is automagic and done during the ACME dialog. The only thing to do is to enable a web directory on the server using the certificate. The Alias target and the challengedir given to acme-client below must be the same directory: Apache sees it as "/acme" from inside its /var/www chroot, while acme-client writes the challenge files to /var/www/acme on disk.
# vi /etc/apache2/httpd.conf
(...)
Alias "/.well-known/acme-challenge" "/acme"
<Directory "/acme">
Options -Indexes
AllowOverride all
Require all granted
</Directory>
(...)
# /etc/rc.d/apache2 restart
apache2(ok)
apache2(ok)
Configure and run the ACME client
Reading the manpage leads to a straightforward procedure. Just configure
acme-client(1) and generate the keys and certificates.
# vi /etc/acme-client.conf
domain YOURDOMAIN.TLD {
alternative names { www.YOURDOMAIN.TLD other.YOURDOMAIN.TLD }
domain key "/etc/ssl/private/YOURDOMAIN.TLD.key"
domain certificate "/etc/ssl/YOURDOMAIN.TLD.crt"
domain full chain certificate "/etc/ssl/YOURDOMAIN.TLD.fullchain.pem"
sign with letsencrypt
challengedir "/var/www/acme"
}
# acme-client -vAD YOURDOMAIN.TLD
acme-client: /etc/acme/letsencrypt-privkey.pem: generated RSA account key
acme-client: /etc/ssl/private/YOURDOMAIN.TLD.key: generated RSA domain key
acme-client: https://acme-v01.api.letsencrypt.org/directory: directories
(...)
acme-client: /etc/ssl/YOURDOMAIN.TLD.crt: created
acme-client: /etc/ssl/YOURDOMAIN.TLD.fullchain.pem: created
From this point, we have the certificate, its full chain and the private key.
Use the TLS certificate
The Apache server has to be configured to use the new certificate. Not difficult (note that SSLCertificateChainFile is obsolete since Apache 2.4.8: SSLCertificateFile alone can load the intermediates, so pointing it at the fullchain.pem and dropping the chain line is the modern form):
# vi /etc/apache2/httpd.conf
(...)
SSLCertificateFile "/etc/ssl/YOURDOMAIN.TLD.crt"
SSLCertificateKeyFile "/etc/ssl/private/YOURDOMAIN.TLD.key"
SSLCertificateChainFile "/etc/ssl/YOURDOMAIN.TLD.fullchain.pem"
(...)
# /etc/rc.d/apache2 restart
apache2(ok)
apache2(ok)
And that’s all. Brand new valid certificate ahead. Yeeha!
Automatic certificate renew
It seems the certificate has a one-month lifetime. To renew it, use
acme-client(1). In my crontab, I added the line below. The && chain relies on
acme-client(1) exiting 2 when the certificate did not need renewing (and 1 on
error), so Apache is only restarted after a new certificate was actually
written; the % is escaped because cron(8) turns a bare % into a newline:
# Let's Encrypt SSL certificates
0 4 * * * sleep $((RANDOM \% 60)) && /usr/sbin/acme-client YOURDOMAIN.TLD && echo "Let's Encrypt certificates (YOURDOMAIN.TLD) renewed!" && /etc/rc.d/apache2 restart
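The same renewal logic as a small sh(1) script, an added example rather than code from the original post: it keeps the random delay and the restart-only-on-change behaviour of the cron line, but reports acme-client failures to stderr (so cron mails them) instead of silently skipping the restart. The paths follow the post; ACME_CLIENT, APACHE_RC and JITTER are assumed environment overrides for testing.

```sh
#!/bin/sh
# Cron wrapper around acme-client(1), added example (not from the original post).
# Exit status of acme-client(1): 0 = certificate changed, 1 = error,
# 2 = nothing to renew. Only a changed certificate justifies restarting Apache.
# Paths follow the post; the variables are overridable for testing.
ACME_CLIENT="${ACME_CLIENT:-/usr/sbin/acme-client}"
APACHE_RC="${APACHE_RC:-/etc/rc.d/apache2}"

renew_domain() {
    domain="$1"
    # Spread requests over a minute so many hosts don't hit the CA at once.
    # JITTER overrides the random delay (e.g. JITTER=0 in tests); $RANDOM is
    # provided by OpenBSD's ksh but not by every POSIX sh, hence the 0 default.
    sleep $(( ${JITTER:-${RANDOM:-0}} % 60 ))

    # Capture the exit status without tripping a caller's set -e.
    "$ACME_CLIENT" "$domain" && rc=0 || rc=$?
    case "$rc" in
        0)
            echo "Let's Encrypt certificate for $domain renewed, restarting Apache"
            "$APACHE_RC" restart || return 1
            ;;
        2)
            # Unchanged: stay silent so cron sends no mail.
            ;;
        *)
            echo "acme-client failed for $domain (exit status $rc)" >&2
            return 1
            ;;
    esac
    return 0
}

# Usage from crontab: 0 4 * * * /etc/renew-le.sh YOURDOMAIN.TLD
[ "$#" -eq 0 ] || renew_domain "$1"
```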