No Hair Github Pages

Setting up a mailserver on OpenBSD 6.9: TLS certificates

C. Get Let's Encrypt certificates

You can do this with certbot, but I found setting up renewals easier with the base system's acme-client, using httpd to answer the challenges. In my case, I had already set up a placeholder webserver on the host that serves a static landing/ID page. That's not necessary: you can set up a web server on the mailhost that only handles the acme challenge and redirects all other requests. One note: smtpd does not support SAN certificates or SNI, so the certificate requested must be for the hostname of the mail server.

1. Configure httpd (/etc/httpd.conf). The server block below uses two macros; define them at the top of the file (the values shown are placeholders, not from the original setup):

# Placeholder values: use your own external address. Port 80 is what the
# Let's Encrypt HTTP challenge expects.
ext_addr="192.0.2.10"
ext_HTTP_port="80"

server "mail.example.com" {
        listen on $ext_addr port $ext_HTTP_port

        # acme-client writes challenge files to /var/www/acme; httpd runs
        # chrooted in /var/www, so "/acme" is that directory. "request strip 2"
        # drops the two leading path components of the request, so the token
        # is looked up directly under /acme.
        location "/.well-known/acme-challenge/*" {
                root "/acme"
                request strip 2
        }

        # Everything that is not a challenge goes to the HTTPS site.
        location * {
                block return 302 "https://$HTTP_HOST$REQUEST_URI"
        }
}

That's it. Now check configuration (httpd -n) and start your httpd.

2. Configure acme-client: add a stanza to /etc/acme-client.conf (this assumes the "authority letsencrypt" block from the example config is already present, since "sign with letsencrypt" refers to it):

domain mail.example.com {
        domain key "/etc/ssl/private/mail.example.com.key"
        domain certificate "/etc/ssl/mail.example.com.crt"
        # the full chain file is the one smtpd should be given
        domain full chain certificate "/etc/ssl/mail.example.com.fullchain.pem"
        sign with letsencrypt
}

3. Now generate certificates:

doas acme-client -v mail.example.com

Check if the new certificates are in /etc/ssl and keys in /etc/ssl/private.
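A check worth scripting at this point, and worth re-running after each renewal: that the files acme-client wrote belong together and are what smtpd should be handed. The script below is an added example, not part of the original post. It uses the file names from the acme-client.conf stanza above, defaults to /etc/ssl and /etc/ssl/private, and the 14-day warning threshold is an assumed value; it needs only openssl(1) from the base system.

```sh
#!/bin/sh
# check_mail_cert.sh: sanity-check the key and certificates acme-client wrote
# before pointing smtpd at them, and again after each renewal.
# Added example, not from the original post. File names follow the
# acme-client.conf stanza above; the 14-day threshold is an assumed default.

# cert_matches_key CERT KEY: succeed if CERT carries the public key of KEY.
# Both commands print the SubjectPublicKeyInfo as PEM, so a plain string
# comparison is enough.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# cert_valid_for_days CERT DAYS: succeed if CERT is still valid DAYS from now.
# -checkend is understood by both OpenSSL and LibreSSL, so no date parsing.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# cert_covers_host CERT HOST: succeed if HOST is the subject CN or a DNS SAN.
# smtpd serves one certificate, so it has to be issued for the mail host.
cert_covers_host() {
    pat=$(printf '%s' "$2" | sed 's/\./\\./g')
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -Eq "CN ?= ?$pat(,|$)|DNS:$pat(,|$)"
}

# chain_length FILE: print how many PEM certificates FILE holds. The fullchain
# file should hold the leaf plus at least one intermediate; the .crt only one.
chain_length() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# check_mail_cert HOST [CERT_DIR] [KEY_DIR] [MIN_DAYS]: run every check on the
# files acme-client writes for HOST, print one line per finding, and fail if
# any check failed.
check_mail_cert() {
    host=$1
    cert_dir=${2:-/etc/ssl}
    key_dir=${3:-/etc/ssl/private}
    min_days=${4:-14}
    crt=$cert_dir/$host.crt
    full=$cert_dir/$host.fullchain.pem
    key=$key_dir/$host.key
    rc=0

    for f in "$crt" "$full" "$key"; do
        [ -r "$f" ] || { echo "MISSING: $f"; rc=1; }
    done
    [ "$rc" -eq 0 ] || return "$rc"

    # The private key must be readable by root only. GNU stat is tried first
    # and BSD stat second, so the script also runs from a Linux admin box.
    mode=$(stat -c %a "$key" 2>/dev/null) || mode=$(stat -f %Lp "$key" 2>/dev/null) || mode=""
    case $mode in
        "")  echo "NOTE: could not read permissions of $key" ;;
        *00) ;;
        *)   echo "WARN: $key is mode $mode, expected 0600"; rc=1 ;;
    esac

    cert_matches_key "$crt" "$key"  || { echo "FAIL: $crt does not match $key"; rc=1; }
    cert_matches_key "$full" "$key" || { echo "FAIL: $full does not match $key"; rc=1; }
    cert_covers_host "$crt" "$host" || { echo "FAIL: $crt is not issued for $host"; rc=1; }
    cert_valid_for_days "$crt" "$min_days" ||
        { echo "WARN: $crt expires within $min_days days; renewal may be failing"; rc=1; }
    [ "$(chain_length "$full")" -gt 1 ] ||
        echo "NOTE: $full holds a single certificate; smtpd should be given the full chain"

    [ "$rc" -eq 0 ] && echo "OK: $host key, certificate and chain are consistent"
    return "$rc"
}

# Run directly as: sh check_mail_cert.sh mail.example.com
[ $# -gt 0 ] && check_mail_cert "$@"
```

Run it as root once after the acme-client run (sh check_mail_cert.sh mail.example.com); a non-zero exit means there is something to fix before touching smtpd.conf. The key comparison works on the fullchain file as well because openssl x509 reads only the first certificate in it, which is the leaf.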

4. Add to smtpd.conf: see below.

5. Set up a cron job to renew:

doas crontab -e -u root

Add:

# Daily at 00:30. acme-client only renews once the certificate is within its
# renewal window and otherwise exits without changing anything; it exits 0
# only when a new certificate was written, so a reload of the daemons using
# the certificate can be chained here with &&.
30	0	*	*	*	acme-client mail.example.com

6. Add CAA records to your DNS:

mail.example.com.  CAA 0 issue "letsencrypt.org"

Sources:

https://www.romanzolotarev.com/openbsd/acme-client.html

https://www.bsdhowto.ch/webserver.html

Next: Set up virtual users

Previous: DKIM & DMARC


Posted by Gordon, No Hair Github Pages, August 12, 2021

© nohair.net and the author

For comments, corrections, and addenda, email: gordon[AT]nohair.net
