From: Stuart Henderson <stu@spacehopper.org>
Subject: Re: add .crt to acme-client.conf example
To: "Marc.J" <openbsd@cypher-fox.com>
Cc: tech@openbsd.org
Date: Mon, 19 May 2025 11:12:54 +0100

On 2025/05/19 12:10, Marc.J wrote:
> Hi,
> 
> The existing acme-client.conf example referenced a .pem full chain
> certificate, which could be confusing since daemons like relayd and httpd
> expect .crt certificates in /etc/ssl.

httpd doesn't. relayd is just weird anyway.

> This patch adds an explicit .crt certificate line to the example to align
> with those daemons' expectations. The .pem line is retained to demonstrate
> that other extensions can also be used, providing flexibility for users.
> 
> 
> Index: etc/examples/acme-client.conf
> ===================================================================
> RCS file: /cvs/src/etc/examples/acme-client.conf,v
> diff -u -p -u -r1.5 acme-client.conf
> --- etc/examples/acme-client.conf	10 May 2023 07:34:57 -0000	1.5
> +++ etc/examples/acme-client.conf	19 May 2025 10:04:32 -0000
> @@ -26,6 +26,8 @@ authority buypass-test {
>  domain example.com {
>  	alternative names { secure.example.com }
>  	domain key "/etc/ssl/private/example.com.key"
> +	# Daemons like relayd/httpd expect .crt certs
> +	domain certificate "/etc/ssl/example.com.crt"
>  	domain full chain certificate "/etc/ssl/example.com.fullchain.pem"
>  	# Test with the staging server to avoid aggressive rate-limiting.
>  	#sign with letsencrypt-staging
>