Solved TLS on obhttpd (OpenBSD httpd)

H

hephaestus

Hi!
I'm trying to add tls support to obhttpd.

i've used acme.sh for issuing a certificate for my domain:

Code: 
# change ownership temporarily to user:acme group:acme
chown acme:acme /usr/local/www/your-web-site-dir

su acme
acme.sh --issue -d www.example.com -w /usr/local/www/your-web-site-dir

# restore ownership back to whatever user it was.
chown www:www /usr/local/www/your-web-site-dir

Then install them:

Code: 
mkdir -p /usr/local/etc/obhttpd/ssl/www.example.com/

touch /usr/local/etc/obhttpd/ssl/www.example.com/fullchain.cer

touch /usr/local/etc/obhttpd/ssl/www.example.com/www.example.com.key

touch /usr/local/etc/obhttpd/ssl/www.example.com/www.example.com.cer

chown -R acme:acme /usr/local/etc/obhttpd/ssl/www.example.com


# run the script as user “acme”

su acme

acme.sh --install-cert -d www.example.com \

--cert-file /usr/local/etc/nginx/ssl/www.example.com/www.example.com.cer \

--key-file  /usr/local/etc/nginx/ssl/www.example.com/www.example.com.key  \

--fullchain-file /usr/local/etc/nginx/ssl/www.example.com/fullchain.cer


After that i've edit the configuration of obhttpd in /usr/local/etc/obhttpd:

Code: 
chroot "/usr/local/www:


server "www.example.com" {
  listen on * tls port 443
  root "/htdocs/example.com"
  tls {
    certificate "/usr/local/etc/obhttpd/ssl/www.example.com/fullchain.pem"
    key "/usr/local/etc/obhttpd/ssl/www.example.com/www.example.com.key"
  }
  location "/.well-known/acme-challenge/*" {
    root "/acme"
    request strip 2
  }
}

But when i try to start obhttpd with:

Code: 
# obhttpd -d -v

i got this error:

Code: 
/usr/local/etc/obhttpd.conf:13: server "www.example.com": failed to load public/private keys

Am i missing something?
 
Are you really installing the certificate to the nginx directory and then trying to load it from a different place?

Also, you may be able to get away with creating an acme owned .well-known directory inside the website rather than changing owners back and forward.

Also, I usually just use the --home option to acme and load the certs from there rather than copying them all over the place.
 
My usual trick is to copy the path from the config and paste it onto an ls/cat/etc command. Easy way to make absolutely sure the path in config actually is the right file.

Assuming acme actually did get and install the certs (again easily checked by actually verifying the key/cert files are there), it seems most likely just an error accessing them.
 
usdmatt said:
My usual trick is to copy the path from the config and paste it onto an ls/cat/etc command. Easy way to make absolutely sure the path in config actually is the right file.

Assuming acme actually did get and install the certs (again easily checked by actually verifying the key/cert files are there), it seems most likely just an error accessing them.
Click to expand...
Yeah i guess it's an error about accessing them.
I'm actually trying to self-host my website, so it's the 1st time i go through this.

I've just create a jail, install obhttpd, edit the config in /usr/local/etc/obhttpd.conf ( it works fine without tls ), and put some test html in /usr/local/www/htdocs/example.com/...

Maybe it's a problem about permissions..
 
usdmatt said:
My usual trick is to copy the path from the config and paste it onto an ls/cat/etc command. Easy way to make absolutely sure the path in config actually is the right file.

Assuming acme actually did get and install the certs (again easily checked by actually verifying the key/cert files are there), it seems most likely just an error accessing them.
Click to expand...
I've made some progress. Now i get this error:

Code: 
startup
server_tls_init: failed to initialise tls
server_tls_init: failed to initialise tls
server_tls_init: failed to initialise tls
 
You must log in or register to reply here.
Back
Top