Support #825

Updated by Daniel Curtis over 8 years ago

This is a guide to setting up an SSL/TLS key and certificate with the certbot tool (Let's Encrypt) on an nginx web server running FreeBSD 9. 

 h2. Prepare the Environment 

 * Make sure the system is up to date: 
 <pre> 
 pkg update && pkg upgrade 
 </pre> 

 h2. Install Certbot 

 * Install certbot (py27-certbot is the Python 2.7 package this guide was written against; later FreeBSD ports ship py3*-certbot flavors instead): 
 <pre> 
 pkg install py27-certbot 
 </pre> 

 h3. (Method 1) Standalone Server 

 This is useful for hosts that run no web server, such as XMPP and mail servers. certbot starts its own temporary listener on port 80 to answer the http-01 challenge, so nothing else may be bound to that port while it runs, and the host must be reachable from the Internet on it. 

 * Run certbot in standalone mode: 
 <pre> 
 certbot certonly --standalone -d www.example.com 
 </pre> 

 h3. (Method 2) Nginx Site 

 * Create the acme-challenge directory inside the site's webroot (-p creates the .well-known parent as well): 
 <pre> 
 mkdir -p /usr/local/www/www.example.com/.well-known/acme-challenge 
 </pre> 

 * Edit the nginx server config for the site: 
 <pre> 
 vi /usr/local/etc/nginx/conf.d/www.example.com.conf 
 </pre> 
 #* And add the following location block inside of the server block of the site. nginx appends the request URI to the value of root, so root must be the webroot itself (the directory later passed to certbot -w), not the acme-challenge directory, or every challenge request will 404. The ^~ modifier stops any later regex location (for example one that hides dotfiles) from shadowing this path: 
 <pre> 
    # ACME http-01 challenge files written by certbot --webroot 
    location ^~ /.well-known/acme-challenge/ {  
      default_type "text/plain"; 
      root          /usr/local/www/www.example.com; 
    } 
 </pre> 

 * Check the configuration and reload nginx: 
 <pre> 
 nginx -t && service nginx reload 
 </pre> 

 * Obtain the certificate. certbot writes the challenge file under the -w directory and Let's Encrypt fetches it over plain HTTP, so the site must be reachable on port 80 from the Internet: 
 <pre> 
 certbot certonly --webroot -w /usr/local/www/www.example.com -d www.example.com 
 </pre> 

 * If certbot asks how to authenticate, choose +Place the files in webroot directory (webroot)+ 

 * Enter an +email address+ (used for expiry and security notices) 
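
 Before calling certbot it is worth proving that nginx actually serves the challenge path, because a wrong root or a shadowing location only shows up as a 404 reported by Let's Encrypt. The script below is an added example, not part of the original guide: it stages a throwaway token exactly where certbot --webroot would write it, fetches it through the web server the way the CA will, and removes it again. It assumes the webroot and the site's public HTTP URL are passed as the two arguments; the token name is generated at random. 

```shell
#!/bin/sh
# Pre-flight check for the webroot (http-01) method.
# Added example, not part of the original guide.
# Usage: ./acme-preflight.sh /usr/local/www/www.example.com http://www.example.com
set -eu

# Path certbot --webroot will write a challenge file to for a given token.
acme_path() {            # acme_path WEBROOT TOKEN
  printf '%s/.well-known/acme-challenge/%s\n' "$1" "$2"
}

# Create the challenge directory (as certbot would) and write a token file
# whose body is the token itself; print the file's path.
stage_token() {          # stage_token WEBROOT TOKEN
  dir="$1/.well-known/acme-challenge"
  mkdir -p "$dir"
  printf '%s\n' "$2" > "$dir/$2"
  acme_path "$1" "$2"
}

# Fetch the token over plain HTTP and compare it with what was staged.
# Uses fetch(1) on FreeBSD and curl elsewhere. Returns 0 on a match,
# 1 on a 404, connection failure or wrong body.
probe_token() {          # probe_token URL TOKEN   (URL = http://www.example.com)
  if command -v fetch >/dev/null 2>&1; then
    body=$(fetch -qo - "$1/.well-known/acme-challenge/$2" 2>/dev/null) || return 1
  else
    body=$(curl -fsS "$1/.well-known/acme-challenge/$2") || return 1
  fi
  [ "$body" = "$2" ]
}

# Remove the staged token so nothing is left behind in the webroot.
cleanup_token() {        # cleanup_token WEBROOT TOKEN
  rm -f "$(acme_path "$1" "$2")"
}

# Only run the probe when a webroot and a URL were given on the command line.
if [ "${1:-}" ] && [ "${2:-}" ]; then
  token=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
  path=$(stage_token "$1" "$token")
  if probe_token "$2" "$token"; then
    echo "OK: $path is served at $2/.well-known/acme-challenge/$token"
  else
    echo "FAIL: $2/.well-known/acme-challenge/$token did not return the token;" \
         "check the nginx location block and its root" >&2
  fi
  cleanup_token "$1" "$token"
fi
```

 Run it as the user that owns the webroot, from a host outside the local network if possible, since that is the vantage point Let's Encrypt validates from. A FAIL with a 404 almost always means the location's root points at the acme-challenge directory instead of the webroot, or a regex location is catching /.well-known first. 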

 h3. (Method 3) Nginx Reverse Proxy 

 This is useful when a site or service is behind an nginx reverse proxy. 

 * Create the reverse proxy config on the nginx server: 
 <pre> 
 vi /usr/local/etc/nginx/conf.d/www.example.com.conf 
 </pre> 
 #* And add the following to pass the well-known acme-challenge path through to the service requesting a Let's Encrypt certificate. proxy_pass must point at the backend's internal address: pointing it at www.example.com would resolve to this proxy and loop back into itself: 
 <pre> 
 server { 
     listen 80; 
     server_name www.example.com; 

     # Hand the http-01 challenge to the host that runs certbot --standalone 
     location ^~ /.well-known/acme-challenge/ { 
       proxy_pass http://backend.internal:80;   # placeholder: the backend's internal address 
       proxy_set_header Host $host; 
     } 
 } 
 </pre> 

 * Then check and reload nginx to apply the config: 
 <pre> 
 nginx -t && service nginx reload 
 </pre> 

 * Now on the site or server requesting the certificate, run certbot in standalone mode. certbot listens on port 80 of that host for the forwarded challenge, so that port must be free there: 
 <pre> 
 certbot certonly --standalone -d www.example.com --standalone-supported-challenges http-01 
 </pre> 
 #* --standalone-supported-challenges is the option name in the certbot release this guide was written for; current releases have replaced it with --preferred-challenges http. 

 h2. Add SSL to Nginx 

 * Generate the Diffie-Hellman parameters used for DHE key exchange (a 4096-bit group can take many minutes to generate): 
 <pre> 
 cd /usr/local/etc/nginx 
 openssl dhparam -out dhparam.pem 4096 
 </pre> 

 * Edit the site server config: 
 <pre> 
 vi /usr/local/etc/nginx/conf.d/www.example.com.conf 
 </pre> 
 #* And add an SSL server block for the site: 
 <pre> 
 server { 
   listen 443 ssl; 
   server_name www.example.com; 
   access_log    /var/log/www.example.com-access.log; 
   error_log    /var/log/www.example.com-error.log; 

   # Key and certificate issued by certbot ("ssl on;" is redundant with 
   # "listen 443 ssl" and was removed in nginx 1.25) 
   ssl_certificate /usr/local/etc/letsencrypt/live/www.example.com/fullchain.pem; 
   ssl_certificate_key /usr/local/etc/letsencrypt/live/www.example.com/privkey.pem; 

   # TLS configuration: TLS 1.0 and 1.1 are obsolete, so only allow 1.2 
   # (add TLSv1.3 once the host's nginx and OpenSSL support it) 
   ssl_protocols TLSv1.2; 
   ssl_ciphers 'AES128+EECDH:AES128+EDH:!aNULL'; 
   ssl_prefer_server_ciphers on; 
   ssl_dhparam /usr/local/etc/nginx/dhparam.pem; 
   ssl_session_cache    builtin:1000    shared:SSL:10m; 

   # OCSP stapling: nginx needs the issuer chain to verify the staple and a 
   # resolver to look up the OCSP responder named in the certificate 
   ssl_stapling on; 
   ssl_stapling_verify on; 
   ssl_trusted_certificate /usr/local/etc/letsencrypt/live/www.example.com/chain.pem; 
   resolver 127.0.0.1;   # placeholder: use a resolver you trust 

   add_header Strict-Transport-Security max-age=63072000; 
   add_header X-Frame-Options SAMEORIGIN;   # valid values are DENY and SAMEORIGIN 
   add_header X-Content-Type-Options nosniff; 

   root /usr/local/www/www.example.com; 

   # ACME http-01 challenge files written by certbot --webroot; root must be 
   # the webroot (nginx appends the URI), and ^~ keeps the dotfile regex 
   # below from catching this path 
   location ^~ /.well-known/acme-challenge/ {  
     default_type "text/plain"; 
     root          /usr/local/www/www.example.com; 
   } 

   ## Disable .htaccess, .git and other hidden files anywhere in the tree 
   location ~ /\. { 
       return 404; 
   } 

   ## Serve static files; fall back to 404 instead of an internal redirect 
   location / { 
     index index.html; 
     try_files $uri $uri/ =404; 
     expires 30d; 
   } 
 } 
 </pre> 
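
 The HTTPS block above has no companion listener on port 80, so plain-HTTP visitors are never sent to the TLS site and, once the Method 2 server block is replaced, renewals have nowhere to answer the challenge. The block below is an added example, not part of the original guide: it keeps answering the http-01 challenge directly over HTTP (so renewal does not depend on the redirect or on the TLS configuration being valid) and redirects everything else to HTTPS. It uses the same host name and webroot as the rest of the guide; if the port-80 server from Method 2 still exists, merge this into it rather than adding a second one. 

```nginx
# Added example: companion port-80 server for the HTTPS block in this guide.
server {
    listen 80;
    server_name www.example.com;

    # Challenge files written by certbot --webroot must stay reachable
    # over plain HTTP; root is the webroot, nginx appends the URI itself.
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        root /usr/local/www/www.example.com;
    }

    # Everything else goes to the TLS site. 301 lets clients cache the
    # redirect; HSTS on the 443 block then keeps them there.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

 Let's Encrypt certificates are valid for 90 days, so schedule certbot renew from cron and give it a hook that reloads nginx, otherwise the running server keeps using the old certificate after renewal; recent certbot releases take --deploy-hook "service nginx reload" for this (older ones spell it --renew-hook). 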

 h2. Resources 

 * https://github.com/certbot/certbot 
 * https://certbot.eff.org/docs/using.html#command-line-options 
 * https://wiki.archlinux.org/index.php/Let%E2%80%99s_Encrypt 
 * https://certbot.eff.org/all-instructions/#freebsd-nginx 
 * https://kristaps.bsd.lv/letskencrypt/ 
 * https://community.letsencrypt.org/t/404-on-well-known-acme-challenge/15565/6
