💾 Archived View for perso.pw › blog › articles › nginx-acme.gmi captured on 2023-06-16 at 16:46:21. Gemini links have been rewritten to link to archived content

View Raw

More Information

⬅️ Previous capture (2023-05-24)

➡️ Next capture (2024-03-21)

-=-=-=-=-=-=-

Nginx and acme-client on OpenBSD

on Mastodon

I write this blog post as I spent too much time setting up nginx and

SSL on OpenBSD with acme-client, due to nginx being chrooted and not

stripping path and not doing it easily.

First, you need to set up **/etc/acme-client.conf** correctly. Here is

mine for the domain ports.perso.pw:

authority letsencrypt {

api url "https://acme-v02.api.letsencrypt.org/directory"

account key "/etc/acme/letsencrypt-privkey.pem"

}

domain ports.perso.pw {

domain key "/etc/ssl/private/ports.key"

domain full chain certificate "/etc/ssl/ports.fullchain.pem"

sign with letsencrypt

}

because of Let's encrypt API URL. If you are running 6.5 or 6.4,

replace v02 by v01 in the api url**

Then, you have to configure nginx this way, the most important part in

the following configuration file is the location block handling

acme-challenge request. Remember that nginx is in chroot /var/www so

the path to acme directory is `acme`.

http {

include mime.types;

default_type application/octet-stream;

index index.html index.htm;

keepalive_timeout 65;

server_tokens off;

upstream backendurl {

server unix:tmp/plackup.sock;

}

server {

listen 80;

server_name ports.perso.pw;

access_log logs/access.log;

error_log logs/error.log info;

root /htdocs/;

location /.well-known/acme-challenge/ {

rewrite ^/.well-known/acme-challenge/(.*) /$1 break;

root /acme;

}

location / {

return 301 https://$server_name$request_uri;

}

}

server {

listen 443 ssl;

server_name ports.perso.pw;

access_log logs/access.log;

error_log logs_error.log info;

root /htdocs/;

ssl_certificate /etc/ssl/ports.fullchain.pem;

ssl_certificate_key /etc/ssl/private/ports.key;

ssl_protocols TLSv1.1 TLSv1.2;

ssl_prefer_server_ciphers on;

ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";

[... stuff removed ...]

}

}

That's all! I wish I could have find that on the Internet so I share

it here.