Since OpenBSD 5.9, the base system comes with acme-client: an open source implementation in C that requests a free HTTPS/TLS certificate from the Let’s Encrypt Certificate Authority. It is really simple to setup and even easier to use. And once your certificate is issued, a cronjob will ensure your website stays TLS encrypted for the remainder of its lifetime.

ACME Setup

Open the file /etc/acme-client.conf in your favourite editor and ensure both instances of the agreement url contain the most up-to-date link. Then provide the domain and any subdomains to be covered by the certificate, as well as specifying where to output the generated files, and where challenges should be sent to the web server:

# $OpenBSD: acme-client.conf,v 1.4 2017/03/22 11:14:14 benno Exp $
authority letsencrypt {
agreement url ""
api url ""
account key "/etc/acme/letsencrypt-privkey.pem"

authority letsencrypt-staging {
agreement url ""
api url ""
account key "/etc/acme/letsencrypt-staging-privkey.pem"

domain www.domain.tld {
alternative names { domain.tld sub1.domain.tld sub2.domain.tld sub3.domain.tld }
domain key "/etc/ssl/private/domain.tld.key"
domain certificate "/etc/ssl/domain.tld.crt"
domain full chain certificate "/etc/ssl/domain.tld.fullchain.pem"
sign with letsencrypt
challengedir "/var/www/htdocs/acme"

That finishes acme-client setup.

Web Server Configuration

Edit /etc/httpd.conf so that the web server is able to handle requests from Let’s Encrypt who will issue challenges that need to be processed to determine that you are in control of the domains that will be covered by the requested certificate:


server "domain.tld" {
      alias www.domain.tld
      listen on $ext_addr port 80

      location "/.well-known/acme-challenge/*" {
              root "/htdocs/acme"
              root strip 2

Lines 7 to 10 are all that is needed to handle requests from the Certificate Authority. Before restarting the daemon, make and bestow ownership to the web server the directory in httpd‘s chroot where challenges will be processed:

# mkdir /var/www/htdocs/acme
# chown -R www:www /var/www/htdocs/acme

That concludes server configuration.

Certificate Request

Before submitting the certificate signing request to Let’s Encrypt, ensure that any subdomains listed in acme-client.conf are properly setup with your registrar. That is, requests to sub.domain.tld will reach your web server:

# acme-client -vvAD www.domain.tld

A successful result will output the private key, public certificate, and full chain of trust into the ssl directory as specified in acme-client.conf:


Now you can setup your server to receive HTTPS/TLS requests.

Further Reading

  1. Let’s Encrypt Documentation
  2. OpenBSD acme-client Manual Page
  3. Official acme-client Site


comments powered by Disqus