diff --git a/content/notes/openbsd/index.md b/content/notes/openbsd/index.md
index 89e40eb..318ce29 100644
--- a/content/notes/openbsd/index.md
+++ b/content/notes/openbsd/index.md
@@ -1,7 +1,7 @@
---
-title: OpenBSD notes
+title: OpenBSD
date: 2023-11-29T20:33:48+0100
-lastmod: 2024-01-22T22:02:30+0000
+lastmod: 2024-01-26T11:16:40+0000
tags:
- openbsd
- python
@@ -10,6 +10,9 @@ tags:
- git
- rust
- neovim
+ - apache2
+ - mod_md
+ - certbot
#showDate: false
showReadingTime: false
@@ -27,6 +30,90 @@ These are random notes -- more or less about OpenBSD. Some may
not fit here well, but they could relate to OpenBSD or similar
operating systems in some way...
+## Apache with wildcard certificates
+
+I often got errors when I clicked a link on my main website for example
+to the weather page. It was complaining about different
+SNI because both hosts used different
+certificates and I wasn't sure how I could fix that easily. I thought wildcard
+certs could fix that because I'd only have one cert for all the domains.
+
+~~~console
+$ doas pkg_add certbot
+~~~
+
+Run and follow instructions:
+
+~~~console
+$ doas certbot certonly --manual --preferred-challenges dns \
+ --server https://acme-v02.api.letsencrypt.org/directory \
+ --manual-public-ip-logging-ok -d '*.oe7drt.com' -d oe7drt.com
+
+[...]
+Successfully received certificate.
+Certificate is saved at: /etc/letsencrypt/live/oe7drt.com/fullchain.pem
+Key is saved at: /etc/letsencrypt/live/oe7drt.com/privkey.pem
+This certificate expires on 2024-04-25.
+These files will be updated when the certificate renews.
+
+NEXT STEPS:
+- This certificate will not be renewed automatically. Autorenewal of --manual
+ certificates requires the use of an authentication hook script (--manual-auth-hook)
+ but one was not provided. To renew this certificate, repeat this same certbot
+ command before the certificate's expiry date.
+
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+If you like Certbot, please consider supporting our work by:
+ * Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
+ * Donating to EFF: https://eff.org/donate-le
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+~~~
+
+Also adding my .net domain to the certs:
+
+~~~console
+$ doas certbot certonly --manual --manual-public-ip-logging-ok \
+ --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory \
+ -d "*.oe7drt.com" -d "*.oe7drt.net" -d oe7drt.com -d oe7drt.net
+~~~
+
+Some changes to the apache2 configuration was made:
+
+~~~apache
+
+ MDMember *.oe7drt.com
+ MDMember *.oe7drt.net
+ MDCertificateFile /etc/letsencrypt/live/oe7drt.com/fullchain.pem
+ MDCertificateKeyFile /etc/letsencrypt/live/oe7drt.com/privkey.pem
+
+
+MDChallengeDns01 /etc/apache2/dns/dns-challenge.phar --
+MDCertificateAgreement accepted
+MDContactEmail dominic@mm.st
+MDCAChallenges dns-01
+~~~
+
+It seems Apache likes this:
+
+![cropped output of apaches status website /md-status](./mod-status-certs.png)
+
+This is **currently testing** because I have no idea if mod_md will update these certs
+itself or if I should run certbot again when it's needed. In the meantime I monitor my
+website with [UptimeKuma](https://github.com/louislam/uptime-kuma) which alerts me on
+expiring certificates.
+
+The binary (`dns-challenge.phar`) that actually does the DNS Challenge is taken from
+[kategray/dns-challenge-cloudflare](https://github.com/kategray/dns-challenge-cloudflare).
+
+An **easier way** to obtain wildcard certificates would be the use of **Cloudflares proxy**.
+They would also create another wildcard cert of another issuer in case the first one
+would get compromised so they would actually replace your main cert with a backup cert
+just with a whoooop.
+
+Certbot commands have been taken from
+[this article by nabbisen](https://dev.to/nabbisen/let-s-encrypt-wildcard-certificate-with-certbot-plo)
+at dev.to.
+
## Get some filesystem information
~~~console
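Review bot: the `MDCertificateFile` / `MDCertificateKeyFile` lines pointing at the certbot lineage turn this MD into a static domain in mod_md, and mod_md does not renew static domains, so the question left open in "This is **currently testing**" has a definite answer: as configured, nobody renews this certificate. `MDChallengeDns01`, `MDCAChallenges dns-01` and `MDCertificateAgreement accepted` only take effect if the two `MDCertificate*` lines are removed and mod_md is allowed to issue the certificate itself through `dns-challenge.phar`. The alternative is to keep certbot and drop the `MDCertificate*` lines in favour of plain `SSLCertificateFile` / `SSLCertificateKeyFile`, in which case certbot's own output quoted in the hunk ("Autorenewal of --manual certificates requires the use of an authentication hook script (--manual-auth-hook)") applies and a `--manual-auth-hook` plus a `--deploy-hook` that reloads httpd is needed; the note should state which of the two paths is taken rather than relying on UptimeKuma expiry alerts. Two smaller points: the `MDMember` directives are only valid inside an `<MDomain ...>` section, and the config block shows empty `+` lines where the opening `<MDomain oe7drt.com>` and closing `</MDomain>` lines would be, so check that they were not lost when the block was pasted; and the `/etc/letsencrypt/live/oe7drt.com/` paths are derived from the first `-d` argument, which the second certbot command keeps as `*.oe7drt.com`, so the paths stay valid, but that dependency deserves a sentence (or an explicit `--cert-name`). Style: "Some changes to the apache2 configuration was made" should read "were made", and `--manual-public-ip-logging-ok` has been a deprecated no-op in recent certbot releases and can be dropped from both commands.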
diff --git a/content/notes/openbsd/mod-status-certs.png b/content/notes/openbsd/mod-status-certs.png
new file mode 100644
index 0000000..96d4a01
Binary files /dev/null and b/content/notes/openbsd/mod-status-certs.png differ