
OpenBSD Server Configuration

This page is mostly for my own reference regarding the configuration and management of servers running OpenBSD.


Set Up Web Server With HTTPS

Install the required packages

# pkg_add certbot

Preparation

Make sure you have a static IP address

# cat /etc/hostname.$INTERFACE_NAME

It should contain a line like the following; if it doesn't, add one:

inet $STATIC_IP $SUBNET_MASK

Ensure that the default gateway for the system is set by checking the following file; it should contain just a single IP address:

# cat /etc/mygate

Ensure that you have DNS servers set by checking:

# cat /etc/resolv.conf

It should have something like the following:

    lookup file bind
    nameserver $IP_ADDRESS
    nameserver $IP_ADDRESS

Write The httpd Configuration File

Edit the config file

# vi /etc/httpd.conf

Copy or write the following into the file (the capitalised $VARIABLES are the ones YOU fill in when you copy this):

    ext_ip="$IP_ADDRESS"

    types {
            include "/usr/share/misc/mime.types"
    }

    server "$YOUR_DOMAIN" {
            listen on $ext_ip port 80
            # httpd runs chrooted in /var/www, so this path means /var/www/$ROOT_DIRECTORY
            root "/$ROOT_DIRECTORY"
    }

Create the root directory you specified above

# mkdir /var/www/$ROOT_DIRECTORY

Restart the httpd service. If rcctl reports "(failed)", there is a mistake in the config file you just wrote, so check it again:

# rcctl restart httpd

Creating The Certificates

Make sure the DNS records for your domain are pointing to your server and issue the certbot command to obtain a certificate:

# certbot certonly --webroot -w /var/www/$ROOT_DIRECTORY -d $YOUR_DOMAIN

Go through the questions it prompts you and if you see a "Congratulations!" message at the end then it was successful.

Point the httpd config file at the certificate and key files:

# vi /etc/httpd.conf

Make your config file look like this (you don't fill in "$SERVER_NAME" or "$REQUEST_URI"; copy those literally into the config file):

    ext_ip="$IP_ADDRESS"

    types {
            include "/usr/share/misc/mime.types"
    }

    # Plain HTTP: send every request to the HTTPS site. $SERVER_NAME and
    # $REQUEST_URI are filled in by httpd for each request; leave them as written.
    server "$YOUR_DOMAIN" {
            listen on $ext_ip port 80
            block return 301 "https://$SERVER_NAME$REQUEST_URI"
    }
    # HTTPS: serve the site with the certificate and key that certbot wrote
    server "$YOUR_DOMAIN" {
            listen on $ext_ip tls port 443
            tls {
                    certificate     "/etc/letsencrypt/live/$YOUR_DOMAIN/fullchain.pem"
                    key             "/etc/letsencrypt/live/$YOUR_DOMAIN/privkey.pem"
            }
            root "/$ROOT_DIRECTORY"
    }

Restart the httpd service. If rcctl reports "(failed)", there is a mistake in the config file you just wrote, so check it again:

# rcctl restart httpd
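The commonest reason for that "(failed)" is a config that httpd refuses to parse, for example a macro used under one name ($ext_addr) after being defined under another (ext_ip). The following lint is added here as an example; it is not part of the original page, of OpenBSD or of httpd, and httpd -n remains the authoritative check. It assumes a config in the shape shown above and runs over a constructed sample that keeps that macro typo in so the check has something to report.

```python
import re
# Constructed sample: this page's HTTPS httpd.conf, with the macro typo ($ext_addr vs ext_ip) kept in.
SAMPLE_CONF = """\
ext_ip="203.0.113.10"
server "example.org" {
        listen on $ext_addr port 80
        block return 301 "https://$SERVER_NAME$REQUEST_URI"
}
server "example.org" {
        listen on $ext_addr tls port 443
        tls {
                certificate "/etc/letsencrypt/live/example.org/fullchain.pem"
                key "/etc/letsencrypt/live/example.org/privkey.pem"
        }
        root "/htdocs"
}
"""
MACRO_DEF = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*"?[^"]*"?\s*$')
MACRO_USE = re.compile(r"\$([A-Za-z_]\w*)")
QUOTED = re.compile(r'"[^"]*"')


def lint_httpd_conf(text):
    """Report macros used but never defined, macros defined but never used (the
    other half of the same typo), and tls listeners lacking certificate/key."""
    problems, defined, used, block, depth = [], set(), set(), [], 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        # Quoted strings are opaque to the config parser ("$SERVER_NAME" inside
        # them is filled in by httpd per request), so blank them, then drop comments.
        line = QUOTED.sub('""', raw).split("#", 1)[0]
        m = MACRO_DEF.match(line)
        if m and depth == 0:
            defined.add(m.group(1))
            continue
        for name in MACRO_USE.findall(line):
            used.add(name)
            if name not in defined:
                problems.append(f"line {lineno}: macro ${name} is not defined")
        # Group lines by brace depth so each tls listener is checked against
        # the certificate/key lines of its own server block.
        block.append(line)
        depth += line.count("{") - line.count("}")
        if depth == 0:
            joined = " ".join(block)
            has_key = re.search(r"\bcertificate\b", joined) and re.search(r"\bkey\b", joined)
            if re.search(r"listen on .*\btls\b", joined) and not has_key:
                problems.append(f"block ending line {lineno}: tls listener without certificate and key")
            block = []
    problems.extend(f"macro {n} is defined but never used" for n in sorted(defined - used))
    return problems
```

Run it over /etc/httpd.conf before the restart; an empty list means none of these three mistakes is present, not that the whole file is valid.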

Automatically Renew Certificates

Edit root's crontab

# crontab -e

Add the following line so that certbot checks every 15 days at 5am whether any certificates are due for renewal. httpd reads the certificate and key files only when it is started or reloaded, so a renewed certificate is served after the next httpd restart:

0 5 */15 * *   certbot renew