docs openbsd: Fix nginx acme challenges, automatic certificate renewals in proper places

Phantasm 2024-11-24 23:43:55 +01:00
commit ee25acea6d
No known key found for this signature in database
GPG key ID: 2669E588BCC634C8


@ -121,7 +121,7 @@ In another SSH session or a tmux window, check that it is working properly by ru
### Configuring acme-client ### Configuring acme-client
acme-client is used to get SSL/TLS certificates from Let's Encrypt. acme-client is used to get SSL/TLS certificates from Let's Encrypt.
Insert the following configuration in /etc/acme-client.conf and replace `example.tld` with your domain: Insert the following configuration in `/etc/acme-client.conf` and replace `example.tld` with your domain:
``` ```
# #
@ -150,12 +150,6 @@ Check the configuration:
# acme-client -n # acme-client -n
``` ```
Add auto-renewal by adding acme-client to `/etc/weekly.local`, replace `example.tld` with your domain:
```
echo "acme-client example.tld >> /etc/weekly.local
```
### Configuring the Web server ### Configuring the Web server
Pleroma supports two Web servers: Pleroma supports two Web servers:
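Review bot: the removed `echo "acme-client example.tld >> /etc/weekly.local` line was also broken shell, since the double quote opened before `acme-client` is never closed; as written it would hang waiting for the closing quote rather than append anything. Dropping it from the generic acme-client section is the right call, because the reload that has to follow a renewal depends on which web server is in use, so the renewal line belongs next to the web server it reloads.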
@ -181,7 +175,8 @@ http {
... ...
server_name example.tld; # Replace with your domain server_name example.tld; # Replace with your domain
location ~ /.well-known/acme-challenge { location /.well-known/acme-challenge {
rewrite ^/.well-known/acme-challenge/(.*) /$1 break;
root /var/www/acme; root /var/www/acme;
} }
} }
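Review bot: the new plain prefix `location /.well-known/acme-challenge {` can be shadowed by any regex (`~`) location elsewhere in the server block, because nginx gives matching regex locations precedence over a prefix match; `location ^~ /.well-known/acme-challenge/ {` makes the challenge path win unconditionally. The added `rewrite ^/.well-known/acme-challenge/(.*) /$1 break;` is what actually fixes the challenge: acme-client writes the token directly into its challengedir as `/var/www/acme/<token>`, so the old `root /var/www/acme;` without stripping the prefix looked for `/var/www/acme/.well-known/acme-challenge/<token>` and 404'd. The unescaped `.` in the pattern is harmless, but `^/\.well-known/acme-challenge/(.*)$` is the precise form.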
@ -195,6 +190,12 @@ Start the nginx service and acquire certificates:
# acme-client example.tld # acme-client example.tld
``` ```
Add certificate auto-renewal by adding acme-client to `/etc/weekly.local`, replace `example.tld` with your domain:
```
# echo "acme-client example.tld && rcctl reload nginx" >> /etc/weekly.local
```
OpenBSD's default nginx configuration does not contain an include directive, which is typically used for multiple sites. OpenBSD's default nginx configuration does not contain an include directive, which is typically used for multiple sites.
Therefore, you will need to first create the required directory as follows: Therefore, you will need to first create the required directory as follows:
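Review bot: `acme-client example.tld && rcctl reload nginx` depends on acme-client's exit status, which is 0 only when a certificate was actually changed, 2 when the certificate was still valid and nothing was renewed, and 1 on failure; so nginx is reloaded only after a real renewal and a weekly run is cheap. That is worth one sentence in the text, otherwise readers may replace `&&` with `;` to "fix" the apparently failing command, or treat the routine exit 2 in their monitoring as an error. `/etc/weekly.local` is executed by weekly(8) as root, so the appended command needs no doas wrapping.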
@ -246,6 +247,8 @@ If the configuration is correct, you can now enable and reload the nginx service
#### httpd #### httpd
***Skip this section when using nginx***
httpd will have two functions: httpd will have two functions:
* redirect requests trying to reach the instance over http to the https URL * redirect requests trying to reach the instance over http to the https URL
@ -275,6 +278,8 @@ If the configuration is correct, enable and start the `httpd` service:
#### relayd #### relayd
***Skip this section when using nginx***
relayd will be used as the reverse proxy sitting in front of pleroma. relayd will be used as the reverse proxy sitting in front of pleroma.
As root, copy `/home/_pleroma/pleroma/installation/openbsd/relayd.conf` to `/etc/relayd.conf`, or modify the existing one. As root, copy `/home/_pleroma/pleroma/installation/openbsd/relayd.conf` to `/etc/relayd.conf`, or modify the existing one.
@ -299,6 +304,12 @@ If the configuration is correct, enable and start the `relayd` service:
# rcctl start relayd # rcctl start relayd
``` ```
Add certificate auto-renewal by adding acme-client to `/etc/weekly.local`, replace `example.tld` with your domain:
```
# echo "acme-client example.tld && rcctl reload relayd" >> /etc/weekly.local
```
#### (Strongly recommended) serve media on another domain #### (Strongly recommended) serve media on another domain
Refer to the [Hardening your instance](../configuration/hardening.md) document on how to serve media on another domain. We STRONGLY RECOMMEND you to do this to minimize attack vectors. Refer to the [Hardening your instance](../configuration/hardening.md) document on how to serve media on another domain. We STRONGLY RECOMMEND you to do this to minimize attack vectors.
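Review bot: with httpd and relayd the challenge is answered by httpd while the certificate is loaded by relayd, so `rcctl reload relayd` is the correct service to re-read the renewed key and fullchain; stating that split explicitly would keep readers from also reloading httpd. As with the nginx variant, the `&&` relies on acme-client exiting 0 only when the certificate changed (2 when it was not yet due), which the text should say. Since both this line and the nginx one are appended with `>>`, following the instructions twice duplicates the entry in `/etc/weekly.local`; a short "check the file first" remark would avoid double renewals and reloads.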