Title: Let's encrypt on OpenBSD in 5 minutes
       Author: Solène
       Date: 20 January 2017
       Tags: security openbsd70 openbsd
       Description: 
       
       Let's encrypt is a free service which provides free SSL
       certificates. It is fully automated and there are a few tools to
       generate your certificates with it. In the following lines, I will
       just explain how to get a certificate in a few minutes. You can find
       more informations on [Let's Encrypt website](https://letsencrypt.org).
       
       To make it simple, the tool we will use will generate some keys on the
       computer, send a request to Let's Encrypt service which will use http
       challenging (there are also dns and another one kind of challenging)
       to see if you really own the domain for which you want the
       certificate. If the challenge process is ok, you have the certificate.
       
       **Please, if you don't understand the following commands, don't type
       it.**
       
       While the following is right for OpenBSD, it may change slightly for
       others systems. Acme-client is part of the base system, you can read
       the man page acme-client(1).
       
       
       ## Prepare your http server
       
       For each certificate you will ask a certificate, you will be
       challenged for each domain on the port 80. A file must be available in
       a path under "/.well-known/acme-challenge/".
       
       You must have this in your **httpd** config file. If you use another
       web server, you need to adapt.
       
           server "mydomain.com" {
               root "/empty"
                   listen on * port 80
                   location "/.well-known/acme-challenge/*" {
                           root { "/acme/" , request strip 2 }
                   }
           }
       
       
       The `request strip 2` part is IMPORTANT. (I've lost 45 minutes figuring
       out why root "/acme/" wasn't working.)
       
       
       ## Prepare the folders
       
       As stated in acme-client man page and if you don't need to change the
       path. You can do the following commands with root privileges :
       
           # mkdir /var/www/acme
           # mkdir -p /etc/ssl/acme/private /etc/acme
           # chmod 0700 /etc/ssl/acme/private /etc/acme
       
       ## Request the certificates
       
       As root, in the acme-client sources folder, type the following the
       generate the certificates. The verbose flag is interesting and you
       will see if the challenging step work. If it doesn't work, you should
       try manually to get a file like with the same path tried from Let's
       encrypt, and try again the command when you succeed.
       
           $ acme-client -vNn mydomain.com www.mydomain.com mail.mydomain.com
       
       
       Now, you can use your SSL certificates for your mail server, imap
       server, ftp server, http server.... There is a little drawback, if you
       generate certificates for a lot of domains, they are all written in
       the certificate. This implies that if someone visit one page, look at
       the certificate, this person will know every domain you have under
       SSL. I think that it's possible to ask every certificate independently
       but you will have to play with acme-client flags and make some kind of
       scripts to automatize this.
       
       Certificate file is located at **/etc/ssl/acme/fullchain.pem** and
       contains the full certification chain (as its name is explicit). And
       the private key is located at **/etc/ssl/acme/private/privkey.pem**.
       
       Restart the service with the certificate.
       
       
       ## Renew certificates
       
       Certificates are valid for 3 months. Just type
       
           ./acme-client mydomain.com www.mydomain.com mail.mydomain.com
       
       
       EASY !