Support #843
Updated by Daniel Curtis over 8 years ago
This is a guide for setting up auto-renewal for a LetsEncrypt certificate used on an nginx site on FreeBSD 10.
h2. Prepare the Environment
* Make sure the system is up to date:
<pre>
pkg update && pkg upgrade
</pre>
h2. Nginx Config
* Create a configuration directory to make managing individual server blocks easier
<pre>
mkdir /usr/local/etc/nginx/conf.d
</pre>
* Edit the main nginx config file:
<pre>
vi /usr/local/etc/nginx/nginx.conf
</pre>
#* And strip down the config file and add the include statement at the end to make it easier to handle various server blocks:
<pre>
worker_processes 1;
error_log /var/log/nginx-error.log;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
# Load config files from the /etc/nginx/conf.d directory
include /usr/local/etc/nginx/conf.d/*.conf;
}
</pre>
* Create the default site folder:
<pre>
mkdir -p /usr/local/www/sites/www.example.com
</pre>
* Setup the default site configuration:
<pre>
vi /usr/local/etc/nginx/conf.d/www.example.com.conf
</pre>
#* Then add or modify the configuration to look similar to the following:
<pre>
server {
listen 80;
#
listen 443 default ssl;
server_name www.example.com;
# Turn on ans set SSL key/cert
#
ssl on;
#
ssl_certificate /usr/local/etc/letsencrypt/live/www.example.com/fullchain.pem;
#
ssl_certificate_key /usr/local/etc/letsencrypt/live/www.example.com/privkey.pem;
# Strong SSL configuration
#
ssl_ciphers 'AES128+EECDH:AES128+EDH:!aNULL';
#
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
#
ssl_session_cache builtin:1000 shared:SSL:10m;
#
ssl_stapling on;
#
ssl_stapling_verify on;
#
ssl_prefer_server_ciphers on;
#
ssl_dhparam /usr/local/etc/nginx/dhparam.pem;
#
add_header Strict-Transport-Security max-age=63072000;
#
add_header X-Frame-Options SAMEORIGIN;
#
add_header X-Content-Type-Options nosniff;
root /usr/local/www/sites/www.example.com;
index index.html index.htm;
autoindex on;
location ~ /.well-known {
allow all;
}
}
</pre>
* Restart nginx to load the new website config:
<pre>
service nginx restart
</pre>
h2. LetsEncrypt
* Install the LetsEncrypt certbot:
<pre>
pkg install py27-certbot
</pre>
* Create the letsencrypt config directory:
<pre>
mkdir -p /usr/local/etc/letsencrypt/configs
</pre>
* Then create the initial letsencrypt domain config:
<pre>
vi /usr/local/etc/letsencrypt/config/www.example.com.conf
</pre>
#* And add the following:
<pre>
# the domain we want to get the cert for;
domains = www.example.com
# increase key size
rsa-key-size = 4096
# the current closed beta (as of 2015-Nov-07) is using this server
server = https://acme-v01.api.letsencrypt.org/directory
# this address will receive renewal reminders, IIRC
email = bob@example.com
# turn off the ncurses UI, we want this to be run as a cronjob
text = True
# agree to the terms of service
agree-tos
# authenticate by placing a file in the webroot and then letting LE fetch it
authenticator = webroot
webroot-path = /usr/local/www/sites/www.example.com
</pre>
* Generate the first certificate:
<pre>
certbot certonly --config /usr/local/etc/letsencrypt/config/www.example.com.conf
</pre>
#* Press *A* to agree to the terms and conditions.
h3. Automatic Renewal
* Test automatic renewal for your certificates by running this command:
<pre>
certbot renew --dry-run
</pre>
* If that appears to be working correctly, you can arrange for automatic renewal by adding a cron or systemd job which runs the following:
<pre>
certbot renew --quiet
</pre>
* Edit the root cron table:
<pre>
crontab -e
</pre>
#* And add the following to the end of the file:
<pre>
# LetEncrypt monthly renewal
30 2 * * 1 /usr/local/bin/certbot renew --quiet >> /var/log/le-renew.log
# Reload nginx after LetsEncrypt renewal
40 2 * * 1 /usr/local/etc/rc.d/nginx reload
</pre>
h2. Nginx SSL
* Generate the dhparam file:
<pre>
openssl dhparam -out /usr/local/etc/nginxdhparam.pem 4096
</pre>
* Edit the default site configuration:
<pre>
vi /usr/local/etc/nginx/conf.d/www.example.com.conf
</pre>
#* Uncomment the SSL configuration options to enable SSL:
<pre>
server {
listen 80;
listen 443 default ssl;
server_name www.example.com;
# Turn on ans set SSL key/cert
ssl on;
ssl_certificate /usr/local/etc/letsencrypt/live/www.example.com/fullchain.pem;
ssl_certificate_key /usr/local/etc/letsencrypt/live/www.example.com/privkey.pem;
# Strong SSL configuration
ssl_ciphers 'AES128+EECDH:AES128+EDH:!aNULL';
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_session_cache builtin:1000 shared:SSL:10m;
ssl_stapling on;
ssl_stapling_verify on;
ssl_prefer_server_ciphers on;
ssl_dhparam /usr/local/etc/nginx/dhparam.pem;
add_header Strict-Transport-Security max-age=63072000;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
root /usr/local/www/sites/www.example.com;
index index.html index.htm;
autoindex on;
location ~ /.well-known {
allow all;
}
}
h2. Resources
* https://wiki.freebsd.org/BernardSpil/LetsEncrypt
* https://gist.github.com/xrstf/581981008b6be0d2224f
* https://laracasts.com/discuss/channels/general-discussion/installing-letsencrypt-certificate-and-auto-renewal
* https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-14-04#step-4-%E2%80%94-set-up-auto-renewal
* https://certbot.eff.org/all-instructions/#freebsd-none-of-the-above