update obsd note (certbot)

content/notes/openbsd/index.md

@@ -1,7 +1,7 @@
 ---
-title: OpenBSD notes
+title: OpenBSD
 date: 2023-11-29T20:33:48+0100
-lastmod: 2024-01-22T22:02:30+0000
+lastmod: 2024-01-26T11:16:40+0000
 tags:
   - openbsd
   - python
@@ -10,6 +10,9 @@ tags:
   - git
   - rust
   - neovim
+  - apache2
+  - mod_md
+  - certbot
 
 #showDate: false
 showReadingTime: false
@@ -27,6 +30,90 @@ These are random notes -- more or less about OpenBSD. Some may
 not fit here well, but they could relate to OpenBSD or similar
 operating systems in some way...
 
+## Apache with wildcard certificates
+
+I often got errors when I clicked a link on my main website for example
+to the weather page. It was complaining about different
+<abbr title="Server Name Indication">SNI</abbr> because both hosts used different
+certificates and I wasn't sure how I could fix that easily. I thought wildcard
+certs could fix that because I'd only have one cert for all the domains.
+
+~~~console
+$ doas pkg_add certbot
+~~~
+
+Run and follow instructions:
+
+~~~console
+$ doas certbot certonly --manual --preferred-challenges dns \
+  --server https://acme-v02.api.letsencrypt.org/directory \
+  --manual-public-ip-logging-ok -d '*.oe7drt.com' -d oe7drt.com
+
+[...]
+Successfully received certificate.
+Certificate is saved at: /etc/letsencrypt/live/oe7drt.com/fullchain.pem
+Key is saved at:         /etc/letsencrypt/live/oe7drt.com/privkey.pem
+This certificate expires on 2024-04-25.
+These files will be updated when the certificate renews.
+
+NEXT STEPS:
+- This certificate will not be renewed automatically. Autorenewal of --manual
+  certificates requires the use of an authentication hook script (--manual-auth-hook)
+  but one was not provided. To renew this certificate, repeat this same certbot
+  command before the certificate's expiry date.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+If you like Certbot, please consider supporting our work by:
+ * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
+ * Donating to EFF:                    https://eff.org/donate-le
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+~~~
+
+Also adding my .net domain to the certs:
+
+~~~console
+$ doas certbot certonly --manual --manual-public-ip-logging-ok \
+  --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory \
+  -d "*.oe7drt.com" -d "*.oe7drt.net" -d oe7drt.com -d oe7drt.net
+~~~
+
+Some changes to the apache2 configuration was made:
+
+~~~apache
+<MDomain oe7drt.com oe7drt.net>
+    MDMember *.oe7drt.com
+    MDMember *.oe7drt.net
+    MDCertificateFile /etc/letsencrypt/live/oe7drt.com/fullchain.pem
+    MDCertificateKeyFile /etc/letsencrypt/live/oe7drt.com/privkey.pem
+</MDomain>
+
+MDChallengeDns01 /etc/apache2/dns/dns-challenge.phar --
+MDCertificateAgreement accepted
+MDContactEmail dominic@mm.st
+MDCAChallenges dns-01
+~~~
+
+It seems Apache likes this:
+
+![cropped output of apaches status website /md-status](./mod-status-certs.png) 
+
+This is **currently testing** because I have no idea if mod_md will update these certs
+itself or if I should run certbot again when it's needed. In the meantime I monitor my
+website with [UptimeKuma](https://github.com/louislam/uptime-kuma) which alerts me on
+expiring certificates.
+
+The binary (`dns-challenge.phar`) that actually does the DNS Challenge is taken from
+[kategray/dns-challenge-cloudflare](https://github.com/kategray/dns-challenge-cloudflare).
+
+An **easier way** to obtain wildcard certificates would be the use of **Cloudflares proxy**.
+They would also create another wildcard cert of another issuer in case the first one
+would get compromised so they would actually replace your main cert with a backup cert
+just with a whoooop.
+
+Certbot commands have been taken from
+[this article by nabbisen](https://dev.to/nabbisen/let-s-encrypt-wildcard-certificate-with-certbot-plo)
+at dev.to.
+
 ## Get some filesystem information
 
 ~~~console