If you are using OpenBSD, you probably know of acme-client. It is a simple acme client (Thank you Captain Obvious) designed with OpenBSD guidelines, meaning separation of powers in the process and so on.

But at present, this client can only work with one ACME authority : Let’s Encrypt, the original one. And actually it is a trouble because Let’s Encrypt provide TLS certificates to 55 % (as of June 2020). It is becoming more and more a Single Point of Failure.

One could hope that we would work using Dane but apparently it’s not for today. So let’s try using some alternative. There are some. The one I want to talk about is Buypass. It is a norwegian ACME authority. I think it can be interesting to look outside of the big players and outside of USA. Norway is one of the least corrupt countries on Earth, and a european one. So all in all, quite safe. And as I live in Denmark, that is Scandinavia, I think it makes sense that I use it for my websites.

Now, what are the troubles to use this CA?

Give your mail

First thing first, you cannot use acme-client right away. They have some requirements to register an ACME account that you cannot fullfill using OpenBSD’s acme-client. Notably “agree to their terms” and give your email.

So we’ll cheat a bit.

We’ll install certbot and register an account with it and use that account with acme-client !

doas pkg_add certbot

doas certbot register -m 'spamtrap@22decembre.eu' --agree-tos --server 'https://api.buypass.com/acme/directory'

Now you shall have an ACME account and private key for that. Next step…

Extract the key

Certbot shall have created an account certificate in /etc/letsencrypt/accounts/api.buypass.com/acme/directory/ account serial /private_key.json.

Yes, it’s long and complicated. And it’s Json. Because making your life hard is so much more interesting.

Now you shall extract the account key from the json.

Someone wrote a python2 script to do that.

You have to install python2 to use it. And modify the top line so that it uses this version. If you have an newer version or script, please mention it in comments.

doas pkg_add python

Choose Python 2 !

less conv.py

#!/usr/local/bin/python2
…

Now you can finally extract the key.

# Create a DER encoded private key
openssl asn1parse -noout -out private_key.der -genconf <(python2 conv.py private_key.json)
# Convert to PEM
openssl rsa -in buypass.key -inform der

You have to put the buypass.key obtained in /etc/acme/. You can also use that key on other OpenBSD machines you wish to have TLS on. And no tinkering with certbot for them.

Then configure your acme-client :

less /etc/acme-client.conf

authority buypass {
    api url "https://api.buypass.com/acme/directory"
    account key "/etc/acme/buypass.key"
}

domain some.domain.tld {
    domain key                      "/etc/ssl/acme/private/some.domain.tld.pem"
    domain full chain certificate   "/etc/ssl/acme/some.domain.tld-fullchain.pem"
    domain certificate              "/etc/ssl/acme/some.domain.tld.pem"
    sign with buypass
}

Next, we’ll have to setup the webserver.

No Tls connection

Buypass has a weird setup in that they provide long term TLS certificates for free but don’t follow TLS redirections in websites. Yeap, that’s confusing.

So, you have to authorize plain http, but in a very restrictive way. Here is it for Nginx :

server {
    listen 80;
    listen [::]:80;
    server_name some.domain.tld;

    location /.well-known/acme-challenge/ {
        rewrite ^/.well-known/acme-challenge/(.*) /$1 break;
        root /acme;
    }

    location / { return 301 https://$host$request_uri; }
 }

 server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name some.domain.tld;
 
    ## HSTS
    add_header Strict-Transport-Security "max-age=20000000" always;

    location /.well-known/acme-challenge/ {
      rewrite ^/.well-known/acme-challenge/(.*) /$1 break;
      root /acme;
    }
    …
    ssl_certificate      /etc/ssl/acme/some.domain.tld-fullchain.pem;
    ssl_certificate_key  /etc/ssl/acme/private/some.domain.tld.pem;
    
    ssl configuration
    …
    stuff
    …
    tons of stuff
 }

As you can see, I first accept plain http in the first place for the acme-challenge (with redirection to the challenge directory setup in acme-client.conf) and then right away, https redirection and later HSTS, that is mandatory permanent tls connection.

Finally, you shall be able to request a tls certificate from Buypass with acme-client, the OpenBSD way !

This setup is the one running on this server and on my PeerTube instance.