production-openbsd/etc/acme-client.conf

# /etc/acme-client.conf — Let's Encrypt via DNS-01 (Gandi)
#
# DNS-01 chosen because:
#   - Doesn't expose port 80 to public during challenge
#   - Allows wildcard certs (*.s8n.ru, *.veilor.uk)
#   - Works behind WAF / restricted firewall
#
# Gandi LiveDNS API token in env var GANDI_TOKEN (set in rc.conf.local or
# pass via doas wrapper). Do NOT commit token to repo.
#
# Run: acme-client -v <domain>
# Auto-renew: weekly cron (see scripts/cert-renew-check.sh)

authority letsencrypt {
    api url "https://acme-v02.api.letsencrypt.org/directory"
    account key "/etc/acme/letsencrypt-privkey.pem"
}

# === s8n.ru wildcard ===
domain s8n.ru {
    alternative names { "*.s8n.ru" "s8n.ru" }
    domain key "/etc/ssl/private/s8n.ru.key"
    domain certificate "/etc/ssl/s8n.ru.crt"
    domain full chain certificate "/etc/ssl/s8n.ru.fullchain.pem"
    sign with letsencrypt
    challengedir "/var/www/acme"
    # DNS-01 hook script: see scripts/gandi-dns-hook.sh
}

# === veilor.uk wildcard ===
domain veilor.uk {
    alternative names { "*.veilor.uk" "veilor.uk" }
    domain key "/etc/ssl/private/veilor.uk.key"
    domain certificate "/etc/ssl/veilor.uk.crt"
    domain full chain certificate "/etc/ssl/veilor.uk.fullchain.pem"
    sign with letsencrypt
    challengedir "/var/www/acme"
}