From: Rafael Sadowski
Subject: Re: relayd: support explicit paths for keypair
To: tech@openbsd.org
Date: Tue, 24 Feb 2026 12:11:03 +0100

On Tue Feb 24, 2026 at 11:58:51AM +0100, Kirill A. Korinsky wrote:
> On Thu, 19 Feb 2026 21:28:17 +0100,
> Rafael Sadowski wrote:
> >
> > The following diff extends the keypair keyword in relayd.conf to allow
> > explicit path specifications for certificates, private keys, and OCSP
> > staple files.
> >
> > Currently, relayd relies on a fixed lookup logic, searching for TLS
> > crt/key in /etc/ssl and /etc/ssl/private based on the keypair name and
> > port.
> >
> > That has always annoyed me, since all other applications must comply
> > with the naming convention of relayd.
> >
> > The idea is simple, the keypair statement now supports optional
> > certificate, key, and ocsp keywords followed by a path:
> >
> > keypair name [certificate path [key path [ocsp path]]].
> >
>
> But it makes layout of the key simpler to manage.

And this possibility is still there.

>
> Why not move in the opposite direction and simplify acme-client.conf as
> a probably good source of certificates and keys to:
>
> domain example.com {
>   alternative names { secure.example.com }
>   domain [full chain] keypair name example.com
>   sign with letsencrypt
> }

acme-client was not meant here. Let's say you have a wildcard certificate.
What do you do?
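
Added example, not part of the message above and not relayd's own code: a shell model of the fixed keypair lookup the thread describes, plus a mode check on the resolved private key. It assumes the port-qualified pair (name:port) is tried before the plain name pair, as relayd.conf(5) describes; the function names and the ROOT prefix argument are hypothetical and exist only so the check can run against a scratch tree.

```shell
#!/bin/sh
# Model of relayd's fixed keypair lookup (assumption: name:port is tried
# before name, per relayd.conf(5)). The optional third argument is a
# hypothetical root prefix so a scratch tree can stand in for /etc/ssl.

# Print "cert key" for the first stem that has both files; return 1 if
# neither name:port nor name resolves.
resolve_keypair() {
	name=$1 port=$2 root=${3:-}
	for stem in "$name:$port" "$name"; do
		crt="$root/etc/ssl/$stem.crt"
		key="$root/etc/ssl/private/$stem.key"
		if [ -f "$crt" ] && [ -f "$key" ]; then
			printf '%s %s\n' "$crt" "$key"
			return 0
		fi
	done
	return 1
}

# Return 0 only if the key file (symlinks followed) grants nothing to
# group or other.
key_is_private() {
	perms=$(ls -ldL "$1" | cut -c5-10)
	[ "$perms" = "------" ]
}

# Audit one keypair: resolve it, then check the mode of the key.
# Exit status: 0 ok, 1 unresolved, 2 key readable beyond its owner.
audit_keypair() {
	pair=$(resolve_keypair "$1" "$2" "${3:-}") || { echo "unresolved"; return 1; }
	key=${pair#* }
	if key_is_private "$key"; then
		echo "ok $pair"
	else
		echo "loose-key $key"
		return 2
	fi
}
```

In this model a wildcard certificate stored under its own file name stays unresolved for every keypair name until a copy or symlink with the expected name exists, which is the constraint the proposed explicit paths would remove.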