September 12, 2019

Intro: Basic webserver on OpenBSD

polynomial.space is intended as my personal space for self-documentation and notes.

As of writing, this is a fresh install of OpenBSD 6.5, hosted on vultr, running OpenBSD’s httpd, and using Hugo to render pages from markdown.

In this document I will describe the initial setup and getting httpd running with https.

First off, vultr does an automated install of OpenBSD, so you have to set the installurl yourself before pkg_add can fetch anything:

echo 'https://ftp.openbsd.org/pub/OpenBSD' > /etc/installurl
pkg_add -uU

We’ll start off with just a basic http server, so we can bootstrap certificates from LetsEncrypt via ACME.

cat <<\EOF > /etc/httpd.conf
server "polynomial.space" {
	listen on egress port 80
#	listen on egress tls port 443

#	tls certificate "/etc/ssl/polynomial.space.fullchain.pem"
#	tls key "/etc/ssl/private/polynomial.space.key"
#	hsts

	root "/htdocs/polynomial.space/public"

	location "/.well-known/acme-challenge/*" {
		root "acme"
		request strip 2
	}
}
types {
	include "/usr/share/misc/mime.types"
}
EOF

Next we’ll have to tell OpenBSD we want to have httpd started automatically and have it use our configuration in /etc/httpd.conf:

rcctl enable httpd
rcctl set httpd flags "-f /etc/httpd.conf"
rcctl start httpd

Now let’s go ahead and set up acme-client to generate a certificate and request signing via LetsEncrypt:

pkg_add acme-client

cat <<\EOF > /etc/acme-client.conf
authority letsencrypt {
        api url "https://acme-v01.api.letsencrypt.org/directory"
        account key "/etc/acme/letsencrypt-privkey.pem"
}

authority letsencrypt-staging {
        api url "https://acme-staging.api.letsencrypt.org/directory"
        account key "/etc/acme/letsencrypt-staging-privkey.pem"
}

domain polynomial.space {
        alternative names { www.polynomial.space }
        domain key "/etc/ssl/private/polynomial.space.key"
        domain certificate "/etc/ssl/polynomial.space.crt"
        domain full chain certificate "/etc/ssl/polynomial.space.fullchain.pem"
        sign with letsencrypt
}
EOF

acme-client -ADFf /etc/acme-client.conf polynomial.space

Assuming everything has gone right so far, it’s probably a good idea to automate certificate renewals:

cat <<\EOF > /etc/monthly.local
#!/bin/sh
acme-client -Ff /etc/acme-client.conf polynomial.space && \
/etc/rc.d/httpd restart
EOF

chmod 750 /etc/monthly.local

From here you should be able to uncomment the tls lines in /etc/httpd.conf and run rcctl restart httpd to have a working https-enabled webserver.
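The one thing that silently breaks this last step is a path in httpd.conf that does not match what acme-client wrote, since httpd then refuses to start with the tls lines enabled. The script below is an added example, not part of the original post or of OpenBSD: it reads the `tls key` / `tls certificate` lines from httpd.conf (commented out or not) and the `domain key` / `domain full chain certificate` lines from acme-client.conf and reports any pair that disagrees. The function names and the two sample configs it writes (which reproduce a misspelled key path) are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: cross-check that the TLS paths
# httpd.conf will load are exactly the paths acme-client.conf writes to.
# If they differ (for instance a stray ".space.space.key"), httpd fails to
# start once the tls lines are uncommented. All function names are ours;
# the sample configs below are constructed for the stand-alone demo.

# conf_value FILE KEYWORD: print the quoted argument of the first line that
# starts with KEYWORD. Leading whitespace and a leading '#' are skipped, because
# the post keeps the tls lines commented out until the certificate exists and
# we want to check them before they are enabled.
conf_value() {
    sed -n "s/^[[:space:]]*#*[[:space:]]*$2[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# check_tls_paths HTTPD_CONF ACME_CONF: compare the key and full-chain paths.
# Prints one line per mismatch; returns 0 when both pairs agree, 1 otherwise.
check_tls_paths() {
    _rc=0
    for _pair in "tls key=domain key" "tls certificate=domain full chain certificate"; do
        _hk=${_pair%%=*}
        _ak=${_pair#*=}
        _hv=$(conf_value "$1" "$_hk")
        _av=$(conf_value "$2" "$_ak")
        if [ -z "$_hv" ] || [ "$_hv" != "$_av" ]; then
            printf 'MISMATCH: httpd.conf "%s" -> %s ; acme-client.conf "%s" -> %s\n' \
                "$_hk" "${_hv:-<unset>}" "$_ak" "${_av:-<unset>}"
            _rc=1
        fi
    done
    return $_rc
}

# write_sample_configs DIR: constructed copies of the two configs, with the
# misspelled key path, so the check has something to catch when run stand-alone.
write_sample_configs() {
    cat > "$1/httpd.conf" <<'EOF'
server "polynomial.space" {
    listen on egress port 80
#   listen on egress tls port 443
#   tls certificate "/etc/ssl/polynomial.space.fullchain.pem"
#   tls key "/etc/ssl/private/polynomial.space.space.key"
    root "/htdocs/polynomial.space/public"
}
EOF
    cat > "$1/acme-client.conf" <<'EOF'
domain polynomial.space {
        domain key "/etc/ssl/private/polynomial.space.key"
        domain certificate "/etc/ssl/polynomial.space.crt"
        domain full chain certificate "/etc/ssl/polynomial.space.fullchain.pem"
        sign with letsencrypt
}
EOF
}

# Stand-alone demo: expect one MISMATCH line, for the key path.
_demo=$(mktemp -d)
write_sample_configs "$_demo"
check_tls_paths "$_demo/httpd.conf" "$_demo/acme-client.conf" || echo "fix httpd.conf before enabling tls"
rm -rf "$_demo"
```

On the real host you would call `check_tls_paths /etc/httpd.conf /etc/acme-client.conf` right before uncommenting the tls lines, and again from the monthly renewal script, so a later edit to either file cannot leave httpd pointing at a key acme-client no longer writes.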