SNI relayd support in 6.6
OpenBSD 6.6 adds support for TLS Server Name Indication (SNI) in ‘relayd,’ which is certainly a welcome update.
If you want to serve dynamic Erlang/OTP web apps and offer TLS for many domains, this change was a needed one.
In a couple of previous posts — here and here — we configured our OpenBSD server to serve our Erlang app, so for completeness we will go through the needed changes here.
Configuration
‘relayd.conf’ can now take an additional definition in the ‘httpsfilter’ block, as follows:
...
### 6.6 SNI support
tls keypair foobar.com
...
You can, of course, add as many such lines as you need.
In addition, our ‘acme-client.conf’ needs the new (v2) Let's Encrypt API URL. This should be as follows:
...
authority letsencrypt {
	api url "https://acme-v02.api.letsencrypt.org/directory"
	account key "/etc/acme/letsencrypt-privkey.pem"
}
...
Also, in the same conf, the ‘domain certificate’ line is no longer needed, so long as we specify a ‘domain full chain certificate’ (which we will).
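To show the two files side by side for more than one domain, here is an added example configuration (not from the original post or from the relayd/acme-client projects). The ‘app’ table, the backend port 8080, the relay name ‘wwwtls’ and the second domain ‘example.org’ are assumptions; the ‘httpsfilter’ protocol name, ‘foobar.com’ and the Let's Encrypt authority block are from the post. For each ‘tls keypair NAME’, relayd loads the certificate from /etc/ssl/NAME.crt and the key from /etc/ssl/private/NAME.key, which is why acme-client is told to write the full chain and key under those names.

```conf
# /etc/relayd.conf (added example; 'app' table, port 8080, relay name and
# example.org are assumptions, not from the original post)
table <app> { 127.0.0.1 }

http protocol httpsfilter {
	# hand the real client address on to the Erlang app
	match request header set "X-Forwarded-For" value "$REMOTE_ADDR"

	### 6.6 SNI support: one 'tls keypair' line per domain.
	# For NAME relayd reads /etc/ssl/NAME.crt and /etc/ssl/private/NAME.key;
	# with several keypairs it uses the SNI name the client sends to pick one.
	tls keypair foobar.com
	tls keypair example.org
}

relay wwwtls {
	listen on 0.0.0.0 port 443 tls
	protocol httpsfilter
	forward to <app> port 8080
}

# /etc/acme-client.conf: one 'domain' block per keypair name above. The key
# lands where relayd looks for it; the full chain is symlinked to NAME.crt
# (see "Removing the old" below) so the intermediate is served as well.
authority letsencrypt {
	api url "https://acme-v02.api.letsencrypt.org/directory"
	account key "/etc/acme/letsencrypt-privkey.pem"
}

domain foobar.com {
	alternative names { www.foobar.com }
	domain key "/etc/ssl/private/foobar.com.key"
	domain full chain certificate "/etc/ssl/foobar.com.fullchain.pem"
	sign with letsencrypt
}

domain example.org {
	domain key "/etc/ssl/private/example.org.key"
	domain full chain certificate "/etc/ssl/example.org.fullchain.pem"
	sign with letsencrypt
}
```

Each domain added to ‘acme-client.conf’ needs its own ‘tls keypair’ line and its own ‘NAME.crt’ symlink; a keypair whose files are missing will stop relayd from loading the configuration at all.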
Removing the old
We once had our certs and keys as symlinks named after the listen address, ‘0.0.0.0,’ but with the new support in 6.6 we can point ‘relayd’ at the per-domain source files directly.
doas rm /etc/ssl/0.0.0.0.pem
doas rm /etc/ssl/0.0.0.0.crt
doas rm /etc/ssl/private/0.0.0.0.key
However, since we are only going to rely on the full chain certificate, we need to offer it up under the naming ‘relayd’ expects. We can do that as follows:
cd /etc/ssl
doas mv foobar.com.crt foobar.com.crt.bak
doas ln -s foobar.com.fullchain.pem foobar.com.crt
Nothing more needs to be done! With a quick check of the ‘relayd.conf’ configuration — doas relayd -n — we’re able to serve up our app with this new support.
doas rcctl restart relayd
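Before the restart it is worth confirming that every keypair name in the config resolves to a readable certificate and key, because the ‘foobar.com.crt’ symlink created above dangles until acme-client has written the full chain file, and ‘relayd -n’ will then fail on the missing file. The POSIX sh script below is an added example (not from the original post, and not part of relayd); it pulls the ‘tls keypair’ lines out of a relayd.conf and checks the files relayd will load. It only checks the plain ‘NAME.crt’/‘NAME.key’ form, not the ‘NAME:port’ variant relayd also accepts, and the config and ssl directory are arguments so it can be run against a test tree.

```shell
#!/bin/sh
# Pre-flight check for relayd SNI keypairs (added example, not part of relayd).
# For every 'tls keypair NAME' in the given relayd.conf, require a readable
# SSLDIR/NAME.crt and SSLDIR/private/NAME.key. '-r' follows symlinks, so a
# NAME.crt -> NAME.fullchain.pem link whose target acme-client has not yet
# written is reported as MISSING, which is exactly what relayd would trip on.
# Returns the number of missing files (0 = relayd will find everything),
# or 2 if the config contains no keypair lines at all.
check_keypairs() {
    conf=${1:-/etc/relayd.conf}
    ssldir=${2:-/etc/ssl}
    missing=0

    # third field of lines that start with 'tls keypair'; indentation is ignored
    names=$(awk '$1 == "tls" && $2 == "keypair" { print $3 }' "$conf")
    if [ -z "$names" ]; then
        echo "no 'tls keypair' lines found in $conf" >&2
        return 2
    fi

    for name in $names; do
        for f in "$ssldir/$name.crt" "$ssldir/private/$name.key"; do
            if [ -r "$f" ]; then
                echo "ok       $f"
            else
                echo "MISSING  $f" >&2
                missing=$((missing + 1))
            fi
        done
    done
    return "$missing"
}

# Run against the paths given on the command line, e.g.
#   doas sh check_keypairs.sh /etc/relayd.conf /etc/ssl
[ $# -gt 0 ] && check_keypairs "$@"
```

Run it as root (or via doas) so the private keys under /etc/ssl/private are readable; a MISSING line for a ‘.crt’ that you just symlinked means the fullchain target is not there yet, so run acme-client for that domain before restarting relayd.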
Since our crontab will handle the certificate renewal, nothing needs to be restarted with acme-client.