letsencrypt setup on freebsd

Valeri Galtsev galtsev at kicp.uchicago.edu
Mon Dec 19 17:55:18 UTC 2016


On Mon, December 19, 2016 11:32 am, David Mehler wrote:
> Hello,
>
> How did you get letsencrypt set up on FreeBSD? The more I'm reading
> the more confusing I'm finding it.

Here is what I did (followed mostly these two docs):

# https://letsencrypt.org/getting-started/
# https://certbot.eff.org/#freebsd-apache

pkg install py27-certbot

certbot certonly --webroot -w /usr/local/www/apache24/data -d [your_domain_name].org

# Note that /usr/local/www/apache24/data is the webroot of the running webserver
# serving [your_domain_name].org

#Certificate and chain have been saved at:

/usr/local/etc/letsencrypt/live/cmb-s4.org/fullchain.pem

# Now, note that you have to set cron job to renew them as certs
# expire after 90 days...

# Configure apache

vi /usr/local/etc/apache24/extra/httpd-ssl.conf
-----
SSLCertificateFile "/usr/local/etc/letsencrypt/live/[your_domain_name].org/cert.pem"

SSLCertificateKeyFile "/usr/local/etc/letsencrypt/live/[your_domain_name].org/privkey.pem"

SSLCertificateChainFile "/usr/local/etc/letsencrypt/live/[your_domain_name].org/chain.pem"
-----

# and restart apache now.

# note that there are symlinks:
# ls -l /usr/local/etc/letsencrypt/live/[your_domain_name].org/
# and here is where the actual files are
# cd /usr/local/etc/letsencrypt/archive/[your_domain_name].org

# check that renew certificate script works

/usr/local/bin/certbot renew --dry-run

# it only reports about renewing

# To not miss the renewal moment, set cronjob twice a day:

#crontab -e
#-----
#27 1,13 * * * /usr/local/bin/certbot renew --quiet
#-----

# Note that for cron job to work you have to have cron daemon running
# I hit this snag as all the above I actually have inside the jail
# that runs that service for .org domain I support for one of our projects.

# Alternatively you can set cron job outside jail, something like this:

crontab -e
-----
27 1,13 * * * /usr/sbin/jexec `/usr/sbin/jls | /usr/bin/grep [your_domain_name_or_rather_jail_name] | /usr/bin/awk '{ print $1 }'` /usr/local/bin/certbot renew --quiet
-----

And that should be it.

Good luck!

Valeri

>
> Thanks.
> Dave.
>


++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
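
Added example, not part of the original message: a host-side wrapper for the jexec cron job above that matches the jail exactly instead of with grep, and exits non-zero with a message when no jail or more than one matches, so cron reports the failure. It assumes the jail is identified by its host.hostname parameter; the script path and www.example.org are placeholders.

```sh
#!/bin/sh
# Added example: host-side wrapper for the jexec renewal cron job.
# Assumption: the jail is identified by its host.hostname parameter.

# Read "<jid> <hostname>" lines on stdin and print the JID whose hostname
# equals $1 exactly. Fails (non-zero, message on stderr) on 0 or >1 matches,
# so a stopped jail or a look-alike hostname is reported, not passed on.
jid_for_hostname() {
    awk -v want="$1" '
        $2 == want { jid = $1; n++ }
        END {
            if (n == 1) { print jid; exit 0 }
            printf "jail lookup for %s: %d matches\n", want, n > "/dev/stderr"
            exit 1
        }'
}

# Resolve the jail on the live system and run the renewal inside it.
renew_in_jail() {
    jid=$(/usr/sbin/jls jid host.hostname | jid_for_hostname "$1") || return 1
    /usr/sbin/jexec "$jid" /usr/local/bin/certbot renew --quiet
}

# Cron entry on the host (hypothetical script path and hostname):
#   27 1,13 * * * /usr/local/sbin/renew-in-jail.sh --run www.example.org
if [ "${1:-}" = "--run" ]; then
    renew_in_jail "${2:?usage: $0 --run <jail-hostname>}"
fi
```

Because certbot runs with --quiet, the lookup message on stderr is the only output cron will mail when the jail is down at renewal time.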

