IRCNow



In order to provide proper TLS for your services, you will need a certificate signed by a trusted certificate authority (CA). The easiest option for now is to obtain one from Let's Encrypt using acme-client.

First, copy the /etc/examples/acme-client.conf template and then edit the copy:

$ doas cp /etc/examples/acme-client.conf /etc/acme-client.conf

The template looks like this:

authority letsencrypt {
        api url "https://acme-v01.api.letsencrypt.org/directory"
        account key "/etc/acme/letsencrypt-privkey.pem"
}

authority letsencrypt-staging {
        api url "https://acme-staging.api.letsencrypt.org/directory"
        account key "/etc/acme/letsencrypt-staging-privkey.pem"
}

domain example.com {
        alternative names { secure.example.com }
        domain key "/etc/ssl/private/example.com.key"
        domain full chain certificate "/etc/ssl/example.com.fullchain.pem"
        sign with letsencrypt
}

Replace example.com with your domain. If you don't use any alternative names, note that in the past an empty list:

alternative names { }

would cause issues, so if you have no alternative names I recommend you comment that line out as follows:

#        alternative names { secure.example.com }

Now, run acme-client:

$ doas acme-client -Fv example.com

If you run into errors, check to make sure:

  1. DNS is configured properly.
  2. The web server is configured properly.
  3. You have the proper permissions set on the folders in /var/www/
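As an added pre-flight script for those three checks (not code from the original page), the following verifies the empty "alternative names" gotcha in the config, DNS resolution, and that the web server serves the challenge directory. It assumes OpenBSD's host(1) and ftp(1); the challenge directory /var/www/acme is an assumption, override CHALLENGEDIR if yours differs.

```shell
#!/bin/sh
# Added pre-flight checks for the acme-client setup on this page (not the
# page's own code). Assumes OpenBSD host(1) and ftp(1) and acme-client's
# default challenge directory; CHALLENGEDIR is an assumption, override it.
CHALLENGEDIR=${CHALLENGEDIR:-/var/www/acme}

# Config gotcha from the page: an uncommented, empty "alternative names { }"
# list. Returns 0 if the file is clean, 1 if such a line is present.
check_alt_names() {
    grep -Ev '^[[:space:]]*#' "$1" |
        grep -Eq 'alternative[[:space:]]+names[[:space:]]*\{[[:space:]]*\}' || return 0
    echo "error: empty 'alternative names { }' in $1; comment that line out" >&2
    return 1
}

# DNS: the name must resolve before Let's Encrypt can reach the challenge.
check_dns() {
    host "$1" >/dev/null 2>&1 && return 0
    echo "error: $1 does not resolve" >&2
    return 1
}

# Challenge directory: acme-client drops a token here and the web server must
# serve it at /.well-known/acme-challenge/. Write a constructed token, fetch
# it back over plain HTTP, and clean up.
check_challenge() {
    domain=$1 token="preflight-$$"
    [ -d "$CHALLENGEDIR" ] || { echo "error: $CHALLENGEDIR missing" >&2; return 1; }
    echo "$token" > "$CHALLENGEDIR/$token" 2>/dev/null ||
        { echo "error: cannot write to $CHALLENGEDIR (check permissions)" >&2; return 1; }
    got=$(ftp -o - "http://$domain/.well-known/acme-challenge/$token" 2>/dev/null)
    rm -f "$CHALLENGEDIR/$token"
    [ "$got" = "$token" ] && return 0
    echo "error: $domain does not serve $CHALLENGEDIR at /.well-known/acme-challenge/" >&2
    return 1
}

# Usage: sh acme-preflight.sh example.com /etc/acme-client.conf
[ $# -eq 2 ] && check_alt_names "$2" && check_dns "$1" && check_challenge "$1"
```

Run it as the same user acme-client will run as, so the write test reflects the permissions acme-client actually gets.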