WillSquire
3/1/2016 - 12:20 PM

Install Let's Encrypt on FreeBSD

Install Let's Encrypt port:

cd /usr/ports/security/py-letsencrypt && sudo make config-recursive install distclean

The certonly subcommand obtains the certificates but does not install them (at the time of writing, automatic certificate installation is not available, but it may be in future; if so, replacing certonly with --apache, for example, will obtain and install certificates for Apache). /usr/local/www/apache24/data is currently the default web root for Apache; change this to your custom webroot directory if DocumentRoot and Directory have been changed in the httpd.conf file. Use the following command both to obtain certificates initially and to replace existing certificates with new ones:

sudo letsencrypt certonly --webroot -w /usr/local/www/apache24/data -d example.com -d www.example.com

Updating certificate

To update the certificate manually, use the above command and restart Apache with:

sudo apachectl graceful

Apache Install (manual)

If you don't have the Let's Encrypt Apache package, the SSL certificate will need to be installed manually. Open the Apache config file with:

sudo ee /usr/local/etc/apache24/httpd.conf

Find and ensure the following directives are uncommented by removing the # at the start of their lines (if present). Note that these directives will likely not be located next to each other as displayed below:

LoadModule ssl_module libexec/apache24/mod_ssl.so
LoadModule cache_module libexec/apache24/mod_cache.so
LoadModule cache_socache_module libexec/apache24/mod_cache_socache.so
LoadModule socache_shmcb_module libexec/apache24/mod_socache_shmcb.so

Find and uncomment #Include etc/apache24/extra/httpd-ssl.conf so that it looks like:

# Secure (SSL/TLS) connections
Include etc/apache24/extra/httpd-ssl.conf

Save, exit. Now open the Apache SSL config file with:

sudo ee /usr/local/etc/apache24/extra/httpd-ssl.conf

Find the VirtualHost section and, if you are using a non-default DocumentRoot, change this to match the one in httpd.conf:

DocumentRoot "/usr/local/www/apache24/data"

Change the ServerName to reflect the URL of your site:

ServerName www.example.com:443

If not already set, it would be a good idea to change ServerAdmin to an appropriate email address:

ServerAdmin example@example.com

(For Apache < 2.4.8) Find and ensure the following directives are uncommented by removing the # at the start of their lines (if present) and change the directives' values to the certificate path given by the letsencrypt command earlier (note that it will only give one path, but the others can be deduced from it; replace example.com with your site's domain). When finished, save and exit:

SSLCertificateFile "/usr/local/etc/letsencrypt/live/example.com/cert.pem"
SSLCertificateKeyFile "/usr/local/etc/letsencrypt/live/example.com/privkey.pem"
SSLCertificateChainFile "/usr/local/etc/letsencrypt/live/example.com/chain.pem"

Optional: add an HSTS (HTTP Strict Transport Security) header only if the site should be served over HTTPS exclusively (note that mod_headers is required). This needs to be placed between the opening and closing VirtualHost tags; max-age is how long, in seconds, browsers will apply the policy for (63072000 is 2 years):

#   Enable HSTS to instruct browsers to only use SSL
#   connections in future
<IfModule mod_headers.c>
  Header set Strict-Transport-Security "max-age=63072000; includeSubdomains"
</IfModule>

Firewall

If a firewall has been set up, ensure it is not blocking port 443, as this is the default port for SSL connections. To check this, open:

sudo ee /etc/rc.conf

Ensure either the port number 443 or https is present in the firewall_myservices directive, then save and exit:

firewall_myservices="443 [another_port_number] [another_port_number_etc]"

Reload the firewall for the changes to take effect (check afterwards with sudo ipfw list):

sudo service ipfw restart

Restart Apache for the Apache changes to take effect:

sudo apachectl graceful
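As an added example that is not part of the original post, the sh script below checks the manual edits above before you restart Apache: that the four LoadModule lines and the SSL Include are uncommented in httpd.conf, and that firewall_myservices in rc.conf opens 443 (or its https alias). The file paths are the ones this post uses, and the sample config files it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight check for the manual
# Apache and ipfw edits above, using the paths the post uses.

# 0 if the exact directive line ($2) is present in file $1 and not commented
# out: leading whitespace is ignored, a leading '#' means "still commented".
directive_enabled() {
    sed 's/^[[:space:]]*//' "$1" | grep -Fxq "$2"
}

# Count the required LoadModule/Include lines still inactive in httpd.conf.
check_httpd_conf() {
    conf="$1" missing=0
    for line in \
        'LoadModule ssl_module libexec/apache24/mod_ssl.so' \
        'LoadModule cache_module libexec/apache24/mod_cache.so' \
        'LoadModule cache_socache_module libexec/apache24/mod_cache_socache.so' \
        'LoadModule socache_shmcb_module libexec/apache24/mod_socache_shmcb.so' \
        'Include etc/apache24/extra/httpd-ssl.conf'
    do
        if ! directive_enabled "$conf" "$line"; then
            echo "still commented out or absent in $conf: $line"
            missing=$((missing + 1))
        fi
    done
    return "$missing"   # 0 = every line is active
}

# 0 if the last firewall_myservices line in rc.conf lists 443 or "https".
check_firewall_services() {
    services=$(sed -n 's/^[[:space:]]*firewall_myservices="\([^"]*\)".*/\1/p' "$1" | tail -n 1)
    for svc in $services; do
        case "$svc" in 443|https) return 0 ;; esac
    done
    echo "443/https missing from firewall_myservices=\"$services\" in $1"
    return 1
}
# Constructed sample files so the checks run offline (cache_module is left
# commented out on purpose so that one check reports a problem).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/httpd.conf" <<'EOF'
LoadModule ssl_module libexec/apache24/mod_ssl.so
#LoadModule cache_module libexec/apache24/mod_cache.so
LoadModule cache_socache_module libexec/apache24/mod_cache_socache.so
LoadModule socache_shmcb_module libexec/apache24/mod_socache_shmcb.so
Include etc/apache24/extra/httpd-ssl.conf
EOF
printf 'firewall_enable="YES"\nfirewall_myservices="22 80 443"\n' > "$SAMPLE_DIR/rc.conf"
check_httpd_conf "$SAMPLE_DIR/httpd.conf" || echo "httpd.conf: $? directive(s) need attention"
check_firewall_services "$SAMPLE_DIR/rc.conf" && echo "rc.conf: port 443 is open"
```

On a real host, point the two check functions at /usr/local/etc/apache24/httpd.conf and /etc/rc.conf instead of the sample files.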
