This still applies to OpenBSD 6.9 and 6.8 as well, likely other versions too!
This is not another tutorial on how to use acme-client or how to setup SSL/TLS with httpd in OpenBSD. There are a number of good ones out there already. This post is about a particular issue during the I was trying to setup Let’s Encrypt certificates in OpenBSD using the built-in acme-client tool. I was able to run the command:
# acme-client -v example.org
I kept getting errors from acme-client about a bad return status, and no certificates were generated. When I clicked the link to Let’s Encrypt’s website that was returned by acme-client I would see 403 Forbidden errors in the message. The weird thing (that I have not figured out) is that the certificates were working fine with the Let’s Encrypt Staging server. However, they would fail when I tried to use the production server to get a real cert.
All my permissions were setup correctly for the directories. It turns out my umask for root was set too restrictive. It was 077, which creates files with no group or other read permissions.
After running:
# umask 022
I was able to run acme-client successfully.
So watch your umask when installing any sort of software, or whenever you encounter some sort of permissions error. I personally think the acme-client should automatically set the challenge files to world readable. Perhaps I should submit a patch.