Thur Apr 28, 2022

I've been running two internal services for a while:

Because we're not using split DNS (hosting our own DNS server for clients on the VPN), these are kept internal only by having the public DNS have the internal IP addresses:

$ host irc.garbash.com
irc.garbash.com has address

This works great, except it becomes harder to obtain a TLS certificate. My favorite way to get a TLS certificate on OpenBSD is acme-client(8), which is in base and works out of the box but does not support dns-01 ACME challenges required for wildcard certs. As such, all sites requiring certs need to be publicly accessible for HTTP challenges.

It would have been OK to serve over plain HTTP (in the sense that the services are served over a wireguard tunnel, so they're already encrypted), but browsers only allow desktop notifications for HTTPS sites, so to get notifications for gamja, I needed a wildcard cert.

The wildcard cert turned out to be not too hard. For a couple months I used uacme because it was in ports, but getting the client to update our DNS in Linode wasn't supported in the upstream project (as far I can tell). So for a couple times I actually ran the tool with manual DNS mode--updating the TXT records by hand myself.

This clearly isn't sustainable (mostly because it requires remembering every couple months to redo it), so I moved to acme.sh, which, despite not being in ports, was super easy to install and use.

To get the new certs, I created a new user:

# adduser
... acmesh, nologin, daemon, etc ...

Then I created a certs group so that all the services that need the certs can read the certificates:

# addgroup certs
# usermod -G _soju certs
# usermod -G acmesh certs

I had to manually chmod some of the directories of acme.sh to allow group-writable, and chown those directories to acmesh:certs.

Finally, installing the cert was as simple as:

$ export LINODE_V4_API_KEY=...
$ ./acme.sh --install -m alex@garbash.com  # one time
$ ./acme.sh --issue --dns dns_linode_v4 --dnssleep 300 -d *.garbash.com

This installed the certs to /home/acmesh/.acme.sh. httpd(8) needs the fullchain and private key:

server "lists.garbash.com" {
	listen on * tls port 443
	directory auto index
	root "/htdocs/lists"
	tls {
		certificate "/home/acmesh/.acme.sh/*.garbash.com/fullchain.cer"
		key "/home/acmesh/.acme.sh/*.garbash.com/*.garbash.com.key"
	location "/.well-known/acme-challenge/*" {
		root "/acme"
		request strip 2

The final step is to modify the crontab to restart the services when it runs successfully! Since this is running as the acmesh user, I needed to give it permission to run the rcctl command passwordless by adding the following to doas.conf:

permit nopass acmesh as root cmd /usr/sbin/rcctl args restart httpd

Adding the following to the crontab will cause it to run on success:

--reloadcmd '/usr/sbin/rcctl restart httpd'

Hopefully I won't need to think about this for a while!