‹ Home   ‹ Back

OpenBSD Server Configuration

This page is mostly for my own reference regarding the configuration and management of servers running OpenBSD.

Table Of Contents

• » Set Up Web Server With HTTPS

---

Set Up Web Server With HTTPS

Install the required packages

# pkg_add certbot

Preparation

Make sure you have a static IP address

# cat /etc/hostname.$INTERFACE_NAME

It should have something like the following, if it doesn't then add it:

inet $STATIC_IP $SUBNET_MASK

Ensure that the defaut gateway for the system is set by checking, there should be just a single IP address in the file:

# cat /etc/mygate

Ensure that you have DNS servers set by checking:

# cat /etc/resolv.conf

It should have something like the following:

lookup file bind
    nameserver $IP_ADDRESS
    nameserver $IP_ADDRESS

Configure httpd Configuration File

Edit the config file

# vi /etc/httpd.conf

Copy or write the following into the file (Capital variables are the ones YOU should fill in when you copy this):

ext_ip="$IP_ADDRESS"

    types {
            include "/usr/share/misc/mime.types"
    }

    server "$YOUR_DOMAIN" {
            listen on $ext_ip port 80
            root "/$ROOT_DIRECTORY"
    }

Create the root directory you specified above

# mkdir /var/www/$ROOT_DIRECTORY

Reload the httpd service. If you get a "(failed)", then there is something wrong with your config file you just made so check it again

# rcctl restart httpd

Creating The Certificates

Make sure the DNS records for your domain are pointing to your server and issue the certbot command to obtain a certificate:

# certbot certonly --webroot -w /var/www/$ROOT_DIRECTORY -d $YOUR_DOMAIN

Go through the questions it prompts you and if you see a "Congratulations!" message at the end then it was successful.

Reflect the key files in the httpd config file:

# vi /etc/httpd.conf

Ensure your config file looks the same as this (You don't have to fill in the "$SERVER_NAME" or "$REQUEST_URI", just literally copy those into the config file):

ext_ip="$IP_ADDRESS"

    types {
            include "/usr/share/misc/mime.types"
    }

    server "$YOUR_DOMAIN" {
            listen on $ext_addr port 80
            block return 301 "https://$SERVER_NAME$REQUEST_URI"
    }
    server "$YOUR_DOMAIN" {
            listen on $ext_addr tls port 443
            tls {
                    certificate     "/etc/letsencrypt/live/$YOUR_DOMAIN/fullchain.pem"
                    key             "/etc/letsencrypt/live/$YOUR_DOMAIN/privkey.pem"
            }
            root "/ROOT_DIRECTORY"
    }

Reload the httpd service. If you get a "(failed)", then there is something wrong with your config file you just made so check it again

# rcctl restart httpd

Automatically Renew Certificates

Edit the root's crontab

# crontab -e

Add the following line to check if any certificates can be renewed every 15 days at 5am

0 5 */15 * *   certbot renew