Solved TLS on obhttpd (OpenBSD httpd)

hephaestus

Hi!
I'm trying to add TLS support to obhttpd.

I've used acme.sh to issue a certificate for my domain:

Code:
# change ownership temporarily to user:acme group:acme
chown acme:acme /usr/local/www/your-web-site-dir

su acme
acme.sh --issue -d www.example.com -w /usr/local/www/your-web-site-dir

# restore ownership back to whatever user it was.
chown www:www /usr/local/www/your-web-site-dir

Then install them:

Code:
mkdir -p /usr/local/etc/obhttpd/ssl/www.example.com/

touch /usr/local/etc/obhttpd/ssl/www.example.com/fullchain.cer
touch /usr/local/etc/obhttpd/ssl/www.example.com/www.example.com.key
touch /usr/local/etc/obhttpd/ssl/www.example.com/www.example.com.cer

chown -R acme:acme /usr/local/etc/obhttpd/ssl/www.example.com

# run the script as user "acme"
su acme

acme.sh --install-cert -d www.example.com \
  --cert-file /usr/local/etc/nginx/ssl/www.example.com/www.example.com.cer \
  --key-file  /usr/local/etc/nginx/ssl/www.example.com/www.example.com.key \
  --fullchain-file /usr/local/etc/nginx/ssl/www.example.com/fullchain.cer


After that I've edited the configuration of obhttpd in /usr/local/etc/obhttpd:

Code:
chroot "/usr/local/www"


server "www.example.com" {
  listen on * tls port 443
  root "/htdocs/example.com"
  tls {
    certificate "/usr/local/etc/obhttpd/ssl/www.example.com/fullchain.pem"
    key "/usr/local/etc/obhttpd/ssl/www.example.com/www.example.com.key"
  }
  location "/.well-known/acme-challenge/*" {
    root "/acme"
    request strip 2
  }
}

But when I try to start obhttpd with:

Code:
# obhttpd -d -v

I get this error:

Code:
/usr/local/etc/obhttpd.conf:13: server "www.example.com": failed to load public/private keys

Am I missing something?
 

usdmatt

Are you really installing the certificate to the nginx directory and then trying to load it from a different place?

Also, you may be able to get away with creating an acme-owned .well-known directory inside the website rather than changing owners back and forth.

Also, I usually just use the --home option to acme and load the certs from there rather than copying them all over the place.
 

usdmatt

My usual trick is to copy the path from the config and paste it onto an ls/cat/etc command. Easy way to make absolutely sure the path in config actually is the right file.

Assuming acme actually did get and install the certs (again easily checked by actually verifying the key/cert files are there), it seems most likely just an error accessing them.
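Worked example, added here and not part of the thread: a small POSIX sh script that does what the post above describes, pulling every certificate and key path out of an obhttpd.conf and checking each one the way pasting it onto ls/cat would, plus the two failure modes that match this thread: a file that was created with touch but never written to by acme.sh --install-cert (so it is empty), and a path in the config that points at a file that does not exist (fullchain.pem in the config versus fullchain.cer on disk). If openssl is installed it also confirms that the private key belongs to the certificate, which is the usual reason for a TLS init failure when both files are present. The function names, the temporary-file layout and the use of openssl for the comparison are this example's own assumptions; obhttpd does not ship such a script.

```shell
#!/bin/sh
# check_tls_files.sh - added example, not code from the thread or from obhttpd.
# Pull every certificate/key path out of an obhttpd.conf and verify each one
# before starting the daemon. Assumes the usual
#   tls { certificate "..."  key "..." }
# layout; the function names below are this example's own.

# Print "certificate <path>" / "key <path>" for each tls directive in $1.
tls_paths() {
    sed -n \
        -e 's/^[[:space:]]*certificate[[:space:]]*"\([^"]*\)".*/certificate \1/p' \
        -e 's/^[[:space:]]*key[[:space:]]*"\([^"]*\)".*/key \1/p' "$1"
}

# Verify one PEM file: $1 = path, $2 = "CERTIFICATE" or "PRIVATE KEY".
# Prints a one-line verdict; returns 0 only if the file looks usable.
check_pem_file() {
    f=$1; kind=$2
    if [ ! -e "$f" ]; then echo "MISSING    $f"; return 1; fi
    if [ ! -r "$f" ]; then echo "UNREADABLE $f"; return 1; fi
    if [ ! -s "$f" ]; then
        echo "EMPTY      $f (created with touch but never written to?)"; return 1
    fi
    if ! grep -q -- "-----BEGIN .*$kind-----" "$f"; then
        echo "NOT PEM    $f (no $kind block found)"; return 1
    fi
    echo "ok         $f"
}

# Compare the public key embedded in the certificate with the one derived
# from the private key. Returns 0 = match, 1 = mismatch or unparsable,
# 2 = openssl not installed (comparison skipped).
key_matches_cert() {
    cert=$1; key=$2
    command -v openssl >/dev/null 2>&1 || return 2
    c=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null || true)
    k=$(openssl pkey -in "$key" -pubout 2>/dev/null || true)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Run every check for one config file; returns 0 only if all of them pass.
check_config() {
    conf=$1; rc=0; cert=""; key=""
    while read -r kind p; do
        case "$kind" in
        certificate) check_pem_file "$p" "CERTIFICATE" || rc=1; cert=$p ;;
        key)         check_pem_file "$p" "PRIVATE KEY" || rc=1; key=$p ;;
        esac
    done <<EOF
$(tls_paths "$conf")
EOF
    if [ "$rc" -eq 0 ] && [ -n "$cert" ] && [ -n "$key" ]; then
        m=0; key_matches_cert "$cert" "$key" || m=$?
        case "$m" in
        0) echo "ok         key matches $cert" ;;
        1) echo "MISMATCH   $key does not belong to $cert"; rc=1 ;;
        2) echo "skipped    key/cert comparison (openssl not found)" ;;
        esac
    fi
    return "$rc"
}

# Usage: sh check_tls_files.sh /usr/local/etc/obhttpd.conf
if [ $# -gt 0 ]; then
    check_config "$1"
fi
```

Run it as root against the same config you hand to obhttpd. The paths are checked as absolute host paths on purpose: the "failed to load public/private keys" error in this thread is reported with a config line number, i.e. httpd reads the certificate and key while parsing the config in the parent process, before the chroot applies, so they live outside /usr/local/www and must be readable by root, not by the www user.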
 
hephaestus (OP)

usdmatt said:
My usual trick is to copy the path from the config and paste it onto an ls/cat/etc command. Easy way to make absolutely sure the path in config actually is the right file.

Assuming acme actually did get and install the certs (again easily checked by actually verifying the key/cert files are there), it seems most likely just an error accessing them.

Yeah, I guess it's an error accessing them.
I'm actually trying to self-host my website, so it's the first time I've gone through this.

I've just created a jail, installed obhttpd, edited the config in /usr/local/etc/obhttpd.conf (it works fine without TLS), and put some test HTML in /usr/local/www/htdocs/example.com/...

Maybe it's a problem with permissions...
 
hephaestus (OP)

usdmatt said:
My usual trick is to copy the path from the config and paste it onto an ls/cat/etc command. Easy way to make absolutely sure the path in config actually is the right file.

Assuming acme actually did get and install the certs (again easily checked by actually verifying the key/cert files are there), it seems most likely just an error accessing them.

I've made some progress. Now I get this error:

Code:
startup
server_tls_init: failed to initialise tls
server_tls_init: failed to initialise tls
server_tls_init: failed to initialise tls