This shows you the differences between two versions of the page.
openbsd:acme-client [2020/03/29 06:18] net_wayfarer Fleshed out this page to contain examples on both successful and troubleshooting outcomes. Split the page into sections, and emphasised the need to set up httpd which is needed.
openbsd:acme-client [2020/08/12 00:52] jrmu
Line 12: | Line 12: | ||
<code> | <code> | ||
authority letsencrypt { | authority letsencrypt { | ||
- | api url "https://acme-v01.api.letsencrypt.org/directory" | + | api url "https://acme-v02.api.letsencrypt.org/directory" |
account key "/etc/acme/letsencrypt-privkey.pem" | account key "/etc/acme/letsencrypt-privkey.pem" | ||
} | } | ||
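Review bot: The move to the acme-v02 endpoint is correct, but the page text around this block should say why it changed: Let's Encrypt's ACMEv1 directory stopped accepting new account registrations in November 2019 and is being retired, so anyone who copied the earlier `acme-v01` line gets registration failures on a fresh install. Since the `account key "/etc/acme/letsencrypt-privkey.pem"` line is unchanged, it would also help readers migrating from the old URL to state whether that existing key is reused against the v02 directory or has to be regenerated.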
Line 46: | Line 46: | ||
$ doas acme-client -Fv example.com | $ doas acme-client -Fv example.com | ||
</code> | </code> | ||
+ | |||
+ | ==== Troubleshooting ==== | ||
+ | If you run into errors, check to make sure: | ||
+ | |||
+ | * [[openbsd:nsd|DNS]] is configured properly. | ||
+ | * The [[openbsd:www:openhttpd|web server]] is configured properly. You **must** have a web server in order for the acme-client to work. (Don't be confused here if your web server seems not running in a web browser: the example config redirects all visits to the https port, that may not yet be working yet.) | ||
+ | * You have the proper permissions set on the folders in /var/www/. An example output would be, | ||
+ | <code> | ||
+ | $ ls -l /var | grep www | ||
+ | drwxr-xr-x 11 root daemon 512 Mar 28 05:28 www | ||
+ | $ ls -l /var/www | ||
+ | total 36 | ||
+ | drwxr-xr-x 2 root daemon 512 Mar 28 22:16 acme | ||
+ | drwxr-xr-x 2 root daemon 512 Mar 14 06:12 bin | ||
+ | drwx-----T 2 www daemon 512 Oct 12 12:34 cache | ||
+ | drwxr-xr-x 2 root daemon 512 Mar 14 06:12 cgi-bin | ||
+ | drwxr-xr-x 2 root daemon 512 Mar 14 06:03 conf | ||
+ | drwxr-xr-x 3 root daemon 512 Oct 12 12:34 htdocs | ||
+ | drwxr-xr-x 2 root daemon 512 Mar 29 00:00 logs | ||
+ | drwxr-xr-x 2 root daemon 512 Oct 12 12:34 run | ||
+ | </code> | ||
+ | * Your firewall is not configured to block Let's Encrypt certification verification process. Typically it will initiate a few servers to connect to port 80 on your server. | ||
==== Successful outcomes ==== | ==== Successful outcomes ==== | ||
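Review bot: Wording slip in the web-server bullet: "that may not yet be working yet" doubles "yet"; suggest "redirects all visits to the https port, which may not be working yet". The directory listing in this hunk also no longer shows the `letsencrypt` directory (`drwxr-x--- 2 root www 512 Mar 28 05:28 letsencrypt`) that the earlier version of the same list had; either the listing should include it or the sentence introducing the listing should say which of these directories acme-client actually writes challenge files into, so readers know which permissions matter. Finally, "it will initiate a few servers to connect to port 80" reads oddly; the point is that Let's Encrypt validates from several of its own servers whose addresses it does not publish, so the firewall must allow inbound TCP 80 from anywhere rather than from a fixed list.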
Line 90: | Line 112: | ||
</code> | </code> | ||
- | ==== Troubleshooting ==== | + | ==== Common errors ==== |
- | If you run into errors, check to make sure: | + | |
+ | Do not request domains you don't own | ||
+ | If you change the domains, you need to move the cert and request again | ||
- | * [[openbsd:nsd|DNS]] is configured properly. You may be able to rectify this by simply adding hostnames to your /etc/hosts, such as: | ||
- | <code> | ||
- | ::1 localhost | ||
- | 127.0.0.1 localhost | ||
- | $ext_if $qualified_domain_name | ||
- | </code> | ||
- | Where $ext_if is the IP address of your server, and $qualified_domain_name is your qualified hostname. e.g. if $ext_if is 192.168.0.1 $qualified_domain_name is example.com, it would then be | ||
- | <code> | ||
- | ::1 localhost | ||
- | 127.0.0.1 localhost | ||
- | 192.168.0.1 example.com | ||
- | </code> | ||
- | * The [[openbsd:www:openhttpd|web server]] is configured properly. You **must** have a web server in order for the acme-client to work. | ||
- | * You have the proper permissions set on the folders in /var/www/. An example output would be, | ||
- | <code> | ||
- | $ ls -l /var | grep www | ||
- | drwxr-xr-x 11 root daemon 512 Mar 28 05:28 www | ||
- | $ ls -l /var/www | ||
- | total 36 | ||
- | drwxr-xr-x 2 root daemon 512 Mar 28 22:16 acme | ||
- | drwxr-xr-x 2 root daemon 512 Mar 14 06:12 bin | ||
- | drwx-----T 2 www daemon 512 Oct 12 12:34 cache | ||
- | drwxr-xr-x 2 root daemon 512 Mar 14 06:12 cgi-bin | ||
- | drwxr-xr-x 2 root daemon 512 Mar 14 06:03 conf | ||
- | drwxr-xr-x 3 root daemon 512 Oct 12 12:34 htdocs | ||
- | drwxr-x--- 2 root www 512 Mar 28 05:28 letsencrypt | ||
- | drwxr-xr-x 2 root daemon 512 Mar 29 00:00 logs | ||
- | drwxr-xr-x 2 root daemon 512 Oct 12 12:34 run | ||
- | </code> | ||
- | * Your firewall is not configured to block Let's Encrypt certification verification process. Typically it will initiate a few servers to connect to port 80 on your server. |
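Review bot: The new "Common errors" heading is followed by two bare sentences rather than the `*` bullet list the Troubleshooting section uses, and neither tells the reader what they will see or do: "Do not request domains you don't own" should name the failure it produces (the authorization for that domain fails), and "you need to move the cert and request again" should say which files to move (the certificate files named in the domain block) and why moving rather than deleting them is preferable (the old cert keeps serving until the new request succeeds). Dropping the old /etc/hosts tip under the DNS bullet is the right call, since Let's Encrypt resolves the name from its own resolvers and an entry in the server's /etc/hosts has no effect on that; a sentence saying the name must resolve publicly would keep the tip from being re-added.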