Suppose you want to host a static site, or your blog generated with Hugo, on bozotic, but need a certificate for HTTPS, given that HTTP is almost dead and buried. Here is a tutorial on how to do it on NetBSD.

First, install acmesh with pkgin: pkgin install acmesh

After that, the command acme.sh will be available. Do all of the following as root (su root).

Subscribe to Let’s Encrypt using the client; only an email address is necessary:

NBSDCore# acme.sh --register-account -m xxx@babadibabadum.com
[Fri Jun 28 04:16:36 UTC 2024] No EAB credentials found for ZeroSSL, let's get one
[Fri Jun 28 04:16:37 UTC 2024] Registering account: https://acme.zerossl.com/v2/DV90
[Fri Jun 28 04:16:39 UTC 2024] Registered
[Fri Jun 28 04:16:39 UTC 2024] ACCOUNT_THUMBPRINT='alsdjfakljsflçkjklçasjdflkjal'

Once that is done, make sure that your web server is running and that the folder it serves files from is writable. On NetBSD, this folder is /var/www by default. This step is important because the ACME protocol calls for a temporary file to be saved in that folder, which the certificate authority then reads to confirm that you really are the owner of the domain name being used.

If your web server is bozotic, execute it as:

/usr/libexec/httpd -b -H -X /var/www

Now execute acme.sh, changing the command line to your domain and the folder used by your web server:

NBSDCore# acme.sh --issue -d sample.com -w /var/www
[Fri Jun 28 18:34:49 UTC 2024] Using CA: https://acme.zerossl.com/v2/DV90
[Fri Jun 28 18:34:49 UTC 2024] Single domain='sample.com'
[Fri Jun 28 18:34:49 UTC 2024] Getting domain auth token for each domain
[Fri Jun 28 18:34:52 UTC 2024] Getting webroot for domain='sample.com'
[Fri Jun 28 18:34:52 UTC 2024] Verifying: sample.com
[Fri Jun 28 18:34:53 UTC 2024] Processing, The CA is processing your order, please just wait. (1/30)
[Fri Jun 28 18:34:57 UTC 2024] Success
[Fri Jun 28 18:34:57 UTC 2024] Verify finished, start to sign.
[Fri Jun 28 18:34:57 UTC 2024] Lets finalize the order.
[Fri Jun 28 18:34:57 UTC 2024] Le_OrderFinalize='https://acme.zerossl.com/v2/DV90/order/jdddf4S08Mc5-O9LFqIjCo0g/finalize'
[Fri Jun 28 18:34:58 UTC 2024] Order status is processing, lets sleep and retry.
[Fri Jun 28 18:34:58 UTC 2024] Retry after: 15
[Fri Jun 28 18:35:14 UTC 2024] Polling order status: https://acme.zerossl.com/v2/DV90/order/jdddf4S08Mc5-O9LFqIjCo0g
[Fri Jun 28 18:35:15 UTC 2024] Downloading cert.
[Fri Jun 28 18:35:15 UTC 2024] Le_LinkCert='https://acme.zerossl.com/v2/DV90/cert/-IjHlkji4IK5Fa60u1Z77FlqghbA'
[Fri Jun 28 18:35:16 UTC 2024] Cert success.
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
[Fri Jun 28 18:35:16 UTC 2024] Your cert is in: /root/.acme.sh/sample.com_ecc/sample.com.cer
[Fri Jun 28 18:35:16 UTC 2024] Your cert key is in: /root/.acme.sh/sample.com_ecc/sample.com.key
[Fri Jun 28 18:35:16 UTC 2024] The intermediate CA cert is in: /root/.acme.sh/sample.com_ecc/ca.cer
[Fri Jun 28 18:35:16 UTC 2024] And the full chain certs is there: /root/.acme.sh/sample.com_ecc/fullchain.cer

Now, create a cron job to schedule an automatic certificate renewal:

NBSDCore# acme.sh --install-cronjob

And with that, it’s done. The certificate will be generated and saved at /root/.acme.sh/sample.com_ecc/, where “sample.com” is your domain name.
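
An added example, not part of the original tutorial or of acme.sh: a POSIX sh pre-flight for the webroot step and a permission check on the issued private key. The function names and return codes are this example's own; the paths in the usage comment are the ones shown above.

```shell
#!/bin/sh
# Added example: checks around "acme.sh --issue -w WEBROOT" (not part of acme.sh).

# check_webroot DIR: 0 if the challenge file can be created, 1 if DIR is
# missing, 2 if DIR is world-writable, 3 if the challenge path is not writable.
check_webroot() {
    webroot=$1
    # Webroot validation serves the token from this path over plain HTTP.
    challenge_dir="$webroot/.well-known/acme-challenge"
    probe="$challenge_dir/preflight-$$"    # constructed name, not a real token

    [ -d "$webroot" ] || { echo "no such directory: $webroot" >&2; return 1; }

    # Only the user running acme.sh needs write access. A world-writable
    # webroot lets any local account alter the served files.
    if [ -n "$(find "$webroot" -prune -perm -0002 -print)" ]; then
        echo "world-writable: $webroot" >&2
        return 2
    fi

    # Create and remove a probe the same way the challenge file is placed.
    if ! mkdir -p "$challenge_dir" 2>/dev/null ||
       ! ( : > "$probe" ) 2>/dev/null; then
        echo "cannot write under: $challenge_dir" >&2
        return 3
    fi
    rm -f "$probe"
}

# check_key_mode FILE: 0 if only the owner can read or write the private key,
# 1 if FILE is missing, 2 if group or others have read or write access.
check_key_mode() {
    key=$1
    [ -f "$key" ] || { echo "no such key: $key" >&2; return 1; }
    for bit in 0040 0020 0004 0002; do
        if [ -n "$(find "$key" -prune -perm "-$bit" -print)" ]; then
            echo "too permissive, chmod 600: $key" >&2
            return 2
        fi
    done
}

# Usage: sh preflight.sh /var/www [/root/.acme.sh/sample.com_ecc/sample.com.key]
if [ $# -ge 1 ]; then
    check_webroot "$1" || exit
    [ $# -lt 2 ] || check_key_mode "$2" || exit
fi
```

Run the webroot check before acme.sh --issue and the key check after it; both print the reason to stderr when they fail.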