013-wildcard-cert.txt (3269B) [raw]
1 # 013-wildcard-cert 2 3 _Thur Apr 28, 2022_ 4 5 I've been running two internal services for a while: 6 7 - lists.garbash.com -- mailing list archive 8 - irc.garbash.com -- [gamja](https://git.sr.ht/~emersion/gamja) IRC client 9 (and [soju](https://soju.im) bouncer) 10 11 Because we're not using split DNS (hosting our own DNS server for 12 clients on the VPN), these are kept internal only by having the public 13 DNS have the internal IP addresses: 14 15 $ host irc.garbash.com 16 irc.garbash.com has address 10.6.6.1 17 18 This works great, except it becomes harder to obtain a TLS certificate. 19 My favorite way to get a TLS certificate on OpenBSD is acme-client(8), 20 which is in base and works out of the box but does not support dns-01 21 ACME challenges required for wildcard certs. As such, all sites requiring 22 certs need to be publicly accessible for HTTP challenges. 23 24 It would have been OK to serve over plain HTTP (in the sense that the 25 services are served over a wireguard tunnel, so they're already encrypted), 26 but browsers only allow desktop notifications for HTTPS sites, so to get 27 notifications for `gamja`, I needed a wildcard cert. 28 29 The wildcard cert turned out to be not too hard. For a couple months I 30 used [`uacme`](https://github.com/ndilieto/uacme) because it was in ports, 31 but getting the client to update our DNS in Linode wasn't supported in 32 the upstream project (as far I can tell). So for a couple times I actually 33 ran the tool with manual DNS mode--updating the TXT records by hand myself. 34 35 This clearly isn't sustainable (mostly because it requires remembering every 36 couple months to redo it), so I moved to [`acme.sh`](https://github.com/acmesh-official/acme.sh), 37 which, despite not being in ports, was super easy to install and use. 38 39 To get the new certs, I created a new user: 40 41 # adduser 42 ... acmesh, nologin, daemon, etc ... 43 44 Then I created a `certs` group so that all the services that need the certs 45 can read the certificates: 46 47 # addgroup certs 48 # usermod -G _soju certs 49 # usermod -G acmesh certs 50 51 I had to manually `chmod` some of the directories of `acme.sh` to allow 52 group-writable, and `chown` those directories to `acmesh:certs`. 53 54 Finally, installing the cert was as simple as: 55 56 $ export LINODE_V4_API_KEY=... 57 $ ./acme.sh --install -m alex@garbash.com # one time 58 $ ./acme.sh --issue --dns dns_linode_v4 --dnssleep 300 -d *.garbash.com 59 60 This installed the certs to `/home/acmesh/.acme.sh`. `httpd(8)` needs the 61 fullchain and private key: 62 63 64 server "lists.garbash.com" { 65 listen on * tls port 443 66 directory auto index 67 root "/htdocs/lists" 68 tls { 69 certificate "/home/acmesh/.acme.sh/*.garbash.com/fullchain.cer" 70 key "/home/acmesh/.acme.sh/*.garbash.com/*.garbash.com.key" 71 } 72 location "/.well-known/acme-challenge/*" { 73 root "/acme" 74 request strip 2 75 } 76 } 77 78 79 The final step is to modify the crontab to restart the services 80 when it runs successfully! Since this is running as the `acmesh` 81 user, I needed to give it permission to run the `rcctl` command 82 passwordless by adding the following to doas.conf: 83 84 permit nopass acmesh as root cmd /usr/sbin/rcctl args restart httpd 85 86 Adding the following to the crontab will cause it to run on success: 87 88 --reloadcmd '/usr/sbin/rcctl restart httpd' 89 90 Hopefully I won't need to think about this for a while!