polynomial.space is intended as my personal space for self-documentation and notes.
As of writing, this is a fresh install of OpenBSD 6.5, hosted on vultr, running OpenBSD’s httpd, and using Hugo to render pages from markdown.
In this document I will describe the initial setup and getting httpd running with https.
First off, vultr does an automated install of OpenBSD, so you have to specify your installurl:

```sh
echo 'https://ftp.openbsd.org/pub/OpenBSD' > /etc/installurl
pkg_add -uU
```
We’ll start off with just a basic http server, so we can bootstrap with LetsEncrypt via ACME:

```sh
cat <<\EOF > /etc/httpd.conf
server "polynomial.space" {
    listen on egress port 80
    # listen on egress tls port 443
    # tls certificate "/etc/ssl/polynomial.space.fullchain.pem"
    # tls key "/etc/ssl/private/polynomial.space.key"
    # hsts
    root "/htdocs/polynomial.space/public"
    location "/.well-known/acme-challenge/*" {
        root "acme"
        request strip 2
    }
}
types {
    include "/usr/share/misc/mime.types"
}
EOF
```
Next we’ll have to tell OpenBSD we want to have httpd started automatically and have it use our configuration in /etc/httpd.conf:

```sh
rcctl enable httpd
rcctl set httpd flags "-f /etc/httpd.conf"
rcctl start httpd
```
Now let’s go ahead and set up acme-client to generate a certificate and request signing via LetsEncrypt:

```sh
pkg_add acme-client
cat <<\EOF > /etc/acme-client.conf
authority letsencrypt {
    api url "https://acme-v01.api.letsencrypt.org/directory"
    account key "/etc/acme/letsencrypt-privkey.pem"
}
authority letsencrypt-staging {
    api url "https://acme-staging.api.letsencrypt.org/directory"
    account key "/etc/acme/letsencrypt-staging-privkey.pem"
}
domain polynomial.space {
    alternative names { www.polynomial.space }
    domain key "/etc/ssl/private/polynomial.space.key"
    domain certificate "/etc/ssl/polynomial.space.crt"
    domain full chain certificate "/etc/ssl/polynomial.space.fullchain.pem"
    sign with letsencrypt
}
EOF
acme-client -ADFf /etc/acme-client.conf polynomial.space
```
Assuming everything has gone right so far, it’s probably a good idea to automate certificate renewals:

```sh
cat <<\EOF > /etc/monthly.local
#!/bin/sh
acme-client -Ff /etc/acme-client.conf polynomial.space && \
    /etc/rc.d/httpd restart
EOF
chmod 750 /etc/monthly.local
```
From here you should be able to uncomment the tls lines in httpd.conf and run `rcctl restart httpd` to have a working https-enabled webserver.
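The two config files have to agree on the key and full-chain certificate paths: acme-client writes to the paths in acme-client.conf, and httpd reads the paths in its `tls` lines. Nothing in the procedure checks that, and a single typo in either file means acme-client reports success while every TLS handshake fails once the lines are uncommented. The following is an added example and not code from the original post: a POSIX sh script that pulls both sets of paths out of the two files and flags a mismatch. The `conf_path` and `check_tls_paths` function names are my own, and the sample configs it runs against are constructed in a scratch directory (one of them with a deliberate typo in the key path).

```shell
#!/bin/sh
# Added example, not from the original post: cross-check that the key and
# certificate paths httpd.conf serves are the same files acme-client.conf
# writes. A typo in one path is enough for httpd to have no usable key.

# conf_path FILE KEYWORD
# Print the first double-quoted value following KEYWORD (which may contain
# spaces, e.g. "domain key"). Leading comment markers are stripped first,
# because httpd.conf keeps its tls lines commented out until the first
# certificate exists.
conf_path() {
    sed -e 's/^[[:space:]]*#[[:space:]]*//' "$1" |
        grep "^[[:space:]]*$2[[:space:]]*\"" |
        sed -e 's/^[^"]*"\([^"]*\)".*$/\1/' |
        head -n 1
}

# check_tls_paths HTTPD_CONF ACME_CONF
# Prints "ok" or "mismatch" and returns 0 or 1 accordingly; details go to stderr.
check_tls_paths() {
    httpd_key=$(conf_path "$1" "tls key")
    httpd_crt=$(conf_path "$1" "tls certificate")
    acme_key=$(conf_path "$2" "domain key")
    acme_crt=$(conf_path "$2" "domain full chain certificate")
    status=ok
    if [ -z "$httpd_key" ] || [ "$httpd_key" != "$acme_key" ]; then
        echo "key mismatch: httpd reads '$httpd_key', acme-client writes '$acme_key'" >&2
        status=mismatch
    fi
    if [ -z "$httpd_crt" ] || [ "$httpd_crt" != "$acme_crt" ]; then
        echo "certificate mismatch: httpd reads '$httpd_crt', acme-client writes '$acme_crt'" >&2
        status=mismatch
    fi
    # The private key belongs under /etc/ssl/private (root-only directory),
    # never under the document root where httpd would serve it as a file.
    case "$acme_key" in
        /etc/ssl/private/*) ;;
        *) echo "warning: domain key '$acme_key' is outside /etc/ssl/private" >&2 ;;
    esac
    echo "$status"
    [ "$status" = ok ]
}

# Constructed sample configs (hypothetical, for this example only): an
# acme-client.conf, an httpd.conf with a ".space.space.key" typo, and a
# corrected copy of it.
SAMPLE_DIR=$(mktemp -d)
SAMPLE_ACME="$SAMPLE_DIR/acme-client.conf"
SAMPLE_HTTPD_TYPO="$SAMPLE_DIR/httpd-typo.conf"
SAMPLE_HTTPD_FIXED="$SAMPLE_DIR/httpd-fixed.conf"

cat <<'EOF' > "$SAMPLE_ACME"
domain polynomial.space {
    domain key "/etc/ssl/private/polynomial.space.key"
    domain certificate "/etc/ssl/polynomial.space.crt"
    domain full chain certificate "/etc/ssl/polynomial.space.fullchain.pem"
    sign with letsencrypt
}
EOF

cat <<'EOF' > "$SAMPLE_HTTPD_TYPO"
server "polynomial.space" {
    listen on egress port 80
    # listen on egress tls port 443
    # tls certificate "/etc/ssl/polynomial.space.fullchain.pem"
    # tls key "/etc/ssl/private/polynomial.space.space.key"
    root "/htdocs/polynomial.space/public"
}
EOF

sed -e 's/polynomial\.space\.space\.key/polynomial.space.key/' \
    "$SAMPLE_HTTPD_TYPO" > "$SAMPLE_HTTPD_FIXED"

# When run as a script: the typo'd config is flagged, the corrected one passes.
check_tls_paths "$SAMPLE_HTTPD_TYPO" "$SAMPLE_ACME" || true
check_tls_paths "$SAMPLE_HTTPD_FIXED" "$SAMPLE_ACME"
```

On the host, run `check_tls_paths /etc/httpd.conf /etc/acme-client.conf` after the first acme-client run and before restarting httpd with the tls lines uncommented; the comment stripping in `conf_path` is what lets it read the still-commented lines.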