September 12, 2019

Intro: Basic webserver on OpenBSD is intended as my personal space for self-documentation and notes.

As of writing, this is a fresh install of OpenBSD 6.5, hosted on Vultr, running OpenBSD’s httpd, and using Hugo to render pages from Markdown.

In this document I will describe the initial setup and how to get httpd running with HTTPS.


First off, Vultr does an automated install of OpenBSD, so you have to specify your installurl yourself:

echo '' > /etc/installurl
pkg_add -uU


We’ll start off with just a basic HTTP server, so we can bootstrap a certificate from Let's Encrypt via ACME:

cat <<\EOF > /etc/httpd.conf
server "" {
	listen on egress port 80
#	listen on egress tls port 443

#	tls certificate "/etc/ssl/"
#	tls key "/etc/ssl/private/"
#	hsts

	root "/htdocs/"

	# Serve the ACME challenge files written by acme-client
	location "/.well-known/acme-challenge/*" {
		root "acme"
		request strip 2
	}
}

types {
	include "/usr/share/misc/mime.types"
}
EOF


Next we’ll have to tell OpenBSD we want to have httpd started automatically and have it use our configuration in /etc/httpd.conf:

rcctl enable httpd
rcctl set httpd flags "-f /etc/httpd.conf"
rcctl start httpd

Now let’s go ahead and set up acme-client to generate a certificate and have it signed by Let's Encrypt:

pkg_add acme-client

cat <<\EOF > /etc/acme-client.conf
authority letsencrypt {
        api url ""
        account key "/etc/acme/letsencrypt-privkey.pem"
}

authority letsencrypt-staging {
        api url ""
        account key "/etc/acme/letsencrypt-staging-privkey.pem"
}

domain {
        alternative names { }
        domain key "/etc/ssl/private/"
        domain certificate "/etc/ssl/"
        domain full chain certificate "/etc/ssl/"
        sign with letsencrypt
}
EOF

acme-client -ADFf /etc/acme-client.conf

Assuming everything has gone right so far, it’s probably a good idea to automate certificate renewals:

cat <<\EOF > /etc/monthly.local
acme-client -Ff /etc/acme-client.conf && \
/etc/rc.d/httpd restart
EOF

chmod 750 /etc/monthly.local
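
A more defensive take on the renewal job above, as an added example that is not part of the original setup: it drops -F so acme-client renews only when the certificate is due, acts on acme-client's exit code, and checks httpd.conf with httpd -n before restarting. The domain example.org is a placeholder, and ACME_CMD, HTTPD_CHECK and HTTPD_RESTART are hypothetical override variables for dry runs.

```shell
#!/bin/sh
# Added example (not from the original post): renew only when needed and
# restart httpd only after a successful renewal and a clean config check.
# Assumptions: example.org is a placeholder domain; the three variables
# below are hypothetical overrides so the logic can be dry-run with stubs.
DOMAIN="${DOMAIN:-example.org}"
ACME_CMD="${ACME_CMD:-acme-client -f /etc/acme-client.conf $DOMAIN}"
HTTPD_CHECK="${HTTPD_CHECK:-httpd -n -f /etc/httpd.conf}"
HTTPD_RESTART="${HTTPD_RESTART:-rcctl restart httpd}"

renew_cert() {
	# acme-client(1) exit codes: 0 = certificate changed,
	# 2 = certificate unchanged (still valid), 1 = failure.
	acme_rc=0
	$ACME_CMD || acme_rc=$?
	case "$acme_rc" in
	0)
		# Never restart into a broken config: httpd -n only parses it.
		if ! $HTTPD_CHECK; then
			echo "renew: httpd.conf failed the syntax check, not restarting" >&2
			return 3
		fi
		$HTTPD_RESTART || return 4
		echo "renew: certificate updated, httpd restarted"
		;;
	2)
		echo "renew: certificate not due for renewal, nothing to do"
		;;
	*)
		echo "renew: acme-client failed (exit $acme_rc)" >&2
		return 1
		;;
	esac
	return 0
}

# Run only when invoked as "script run", so sourcing it has no side effects.
if [ "${1:-}" = "run" ]; then
	renew_cert
fi
```

Because it does not force a renewal, this can run more often than monthly, for example from /etc/daily.local.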

From here you should be able to uncomment the TLS lines in httpd.conf and restart httpd with rcctl restart httpd to have a working HTTPS-enabled webserver.