Support #825
Updated by Daniel Curtis over 8 years ago
This is a guide on setting up an SSL key and certificate using the certbot tool on an nginx web server running FreeBSD 9.

h2. Prepare the Environment

* Make sure the system is up to date:
<pre>
pkg update && pkg upgrade
</pre>

h2. Install Certbot

* Install certbot:
<pre>
pkg install py27-certbot
</pre>

h3. (Method 1) Standalone Server

This is useful for non-web servers like XMPP and mail servers. Certbot binds port 80 itself to answer the validation request, so nothing else may be listening on that port while the command runs.

* Use certbot in standalone mode:
<pre>
certbot certonly --standalone -d www.example.com
</pre>

h3. (Method 2) Nginx Site

* Create the acme-challenge directory:
<pre>
mkdir -p /usr/local/www/www.example.com/.well-known/acme-challenge
</pre>
* Edit the nginx server config for the site:
<pre>
vi /usr/local/etc/nginx/conf.d/www.example.com.conf
</pre>
#* And add the following location blocks inside of the server block of the site:
<pre>
location ~ /.well-known {
    allow all;
}
location '/.well-known/acme-challenge' {
    default_type "text/plain";
    # nginx appends the request URI to root, so root must be the site webroot,
    # not the acme-challenge directory itself (that doubles the path and yields a 404)
    root /usr/local/www/www.example.com;
}
</pre>
* Restart nginx:
<pre>
service nginx restart
</pre>
* Obtain the SSL certificate:
<pre>
certbot certonly --webroot -w /usr/local/www/www.example.com -d www.example.com
</pre>
* Choose to +Place the files in webroot directory (webroot)+
* Enter an +email address+

h2. Add SSL to Nginx

* Set up the Diffie-Hellman key exchange parameters:
<pre>
cd /usr/local/etc/nginx
openssl dhparam -out dhparam.pem 4096
</pre>
* Edit the site server config:
<pre>
vi /usr/local/etc/nginx/conf.d/www.example.com.conf
</pre>
#* And add an SSL server block for the site:
<pre>
server {
    listen 443 ssl;
    server_name www.example.com;
    access_log /var/log/www.example.com-access.log;
    error_log /var/log/www.example.com-error.log;

    # Turn on and set SSL key/cert
    ssl on;
    ssl_certificate /usr/local/etc/letsencrypt/live/www.example.com/fullchain.pem;
    ssl_certificate_key /usr/local/etc/letsencrypt/live/www.example.com/privkey.pem;

    # Strong SSL configuration
    ssl_ciphers 'AES128+EECDH:AES128+EDH:!aNULL';
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_session_cache builtin:1000 shared:SSL:10m;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /usr/local/etc/nginx/dhparam.pem;
    add_header Strict-Transport-Security max-age=63072000;
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;

    root /usr/local/www/www.example.com;

    location ~ /.well-known {
        allow all;
    }
    location '/.well-known/acme-challenge' {
        default_type "text/plain";
        # root is prepended to the URI, so it stays the site webroot
        root /usr/local/www/www.example.com;
    }

    ## Disable .htaccess and other hidden files (the .well-known regex above is
    ## checked first, so the ACME challenge path is still served)
    location ~ /\. {
        return 404;
    }

    ## Allow a static html file to be shown first
    location / {
        index index.html index.php;
        try_files $uri $uri/;
        expires 30d;
    }
}
</pre>

h2. Resources

* https://github.com/certbot/certbot
* https://certbot.eff.org/docs/using.html#command-line-options
* https://wiki.archlinux.org/index.php/Let%E2%80%99s_Encrypt
* https://certbot.eff.org/all-instructions/#freebsd-nginx
* https://kristaps.bsd.lv/letskencrypt/
* https://community.letsencrypt.org/t/404-on-well-known-acme-challenge/15565/6
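The guide stops once the certificate is installed, but Let's Encrypt certificates are short-lived, and the most common failure later is the webroot challenge path silently returning 404 at renewal time. The script below is an added example, not part of the original guide: it maps a request URI onto the file nginx will open for a given root (which is exactly why the acme-challenge location's root must be the site webroot), checks how close the installed certificate is to expiry without any date parsing, probes the challenge path with a constructed token, and runs certbot's renewal with an nginx reload hook. The webroot and letsencrypt paths are the ones used in the guide; the script location, the cron line and the use of FreeBSD's fetch(1) are assumptions.

```shell
#!/bin/sh
# Added example for the certbot + nginx setup above (not from the guide).
# Paths are the guide's; script name and cron placement are assumptions.
LIVE_DIR=${LIVE_DIR:-/usr/local/etc/letsencrypt/live/www.example.com}
WEBROOT=${WEBROOT:-/usr/local/www/www.example.com}

# Print the file nginx opens for request URI $2 when "root" is $1.
# nginx concatenates root and URI, so a root that already ends in
# /.well-known/acme-challenge doubles the path and produces the classic 404.
acme_file_path() {
    printf '%s%s\n' "$1" "$2"
}

# Return 0 if certificate $1 expires within $2 days, 1 if it is still valid
# past that window, 2 if the file cannot be read. openssl's -checkend takes
# seconds, so this works identically with BSD and GNU userland.
cert_expires_within() {
    [ -r "$1" ] || return 2
    secs=$(( $2 * 86400 ))
    if openssl x509 -noout -checkend "$secs" -in "$1" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Drop a constructed token into the webroot and fetch it over plain HTTP,
# which is what Let's Encrypt does for the http-01 challenge. Returns 0
# only if the body comes back unchanged. Uses FreeBSD fetch(1).
check_webroot_challenge() {
    host=$1
    dir="$WEBROOT/.well-known/acme-challenge"
    token="probe-$$"
    mkdir -p "$dir"
    echo ok > "$dir/$token"
    body=$(fetch -q -o - "http://$host/.well-known/acme-challenge/$token" 2>/dev/null)
    rm -f "$dir/$token"
    [ "$body" = "ok" ]
}

# Renew whatever is due (certbot itself only renews within 30 days of expiry)
# and reload nginx only when a certificate actually changed.
renew_and_reload() {
    certbot renew --quiet --post-hook "service nginx reload"
}

# Nothing runs unless a mode is given, so the file can be sourced safely.
# Assumed cron entry:  0 3 * * * root /usr/local/sbin/le-renew.sh run
case "${1:-}" in
    run)    renew_and_reload ;;
    check)  check_webroot_challenge www.example.com ;;
    status)
        if cert_expires_within "$LIVE_DIR/cert.pem" 30; then
            echo "renewal due (or cert unreadable)"
        else
            echo "certificate valid for more than 30 days"
        fi ;;
esac
```

Run `le-renew.sh check` once after editing the nginx config and again whenever the site's location blocks change; if it fails, the renewal will fail the same way, and the `acme_file_path` mapping shows which directory nginx is actually looking in.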