
Support #843

Updated by Daniel Curtis about 8 years ago

This is a guide for setting up auto-renewal for a LetsEncrypt certificate used on an nginx site on FreeBSD 10. 

 h2. Prepare the Environment 

 * Make sure the system is up to date: 
 <pre> 
 pkg update && pkg upgrade 
 </pre> 

 h2. Nginx Config 

 * Create a configuration directory to make managing individual server blocks easier: 
 <pre> 
 mkdir /usr/local/etc/nginx/conf.d 
 </pre> 

 * Edit the main nginx config file: 
 <pre> 
 vi /usr/local/etc/nginx/nginx.conf 
 </pre> 
 #* Strip the config file down and add an include statement at the end, so that each server block lives in its own file: 
 <pre> 
 worker_processes    1; 
 error_log    /var/log/nginx-error.log; 

 events { 
     worker_connections    1024; 
 } 

 http { 
     include         mime.types; 
     default_type    application/octet-stream; 
     sendfile          on; 
     keepalive_timeout    65; 

     # Load config files from the /usr/local/etc/nginx/conf.d directory 
     include /usr/local/etc/nginx/conf.d/*.conf; 
 } 
 </pre> 

 * Create the default site folder: 
 <pre> 
 mkdir -p /usr/local/www/sites/www.example.com 
 </pre> 

 * Setup the default site configuration: 
 <pre> 
 vi /usr/local/etc/nginx/conf.d/www.example.com.conf 
 </pre> 
 #* Then add or modify the configuration to look similar to the following: 
 <pre> 
 server { 
     listen 80;  
 #      listen 443 default ssl; 
     server_name www.example.com; 

     # Turn on and set SSL key/cert 
 #      ssl on; 
 #      ssl_certificate /usr/local/etc/letsencrypt/live/www.example.com/fullchain.pem; 
 #      ssl_certificate_key /usr/local/etc/letsencrypt/live/www.example.com/privkey.pem; 

     # Strong SSL configuration 
 #      ssl_ciphers 'AES128+EECDH:AES128+EDH:!aNULL'; 
 #      ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 
 #      ssl_session_cache    builtin:1000    shared:SSL:10m; 
 #      ssl_stapling on; 
 #      ssl_stapling_verify on; 
 #      ssl_prefer_server_ciphers on; 
 #      ssl_dhparam /usr/local/etc/nginx/dhparam.pem; 
 #      add_header Strict-Transport-Security max-age=63072000; 
 #      add_header X-Frame-Options SAMEORIGIN; 
 #      add_header X-Content-Type-Options nosniff; 

     root /usr/local/www/sites/www.example.com; 
     index index.html index.htm; 
     autoindex on; 

     location ~ /.well-known { 
         allow all; 
     } 
 } 
 </pre> 

 * Restart nginx to load the new website config: 
 <pre> 
 service nginx restart 
 </pre> 

 h2. LetsEncrypt 

 * Install the LetsEncrypt certbot: 
 <pre> 
 pkg install py27-certbot 
 </pre> 

 * Create the letsencrypt config directory: 
 <pre> 
 mkdir -p /usr/local/etc/letsencrypt/config 
 </pre> 

 * Then create the initial letsencrypt domain config: 
 <pre> 
 vi /usr/local/etc/letsencrypt/config/www.example.com.conf 
 </pre> 
 #* And add the following: 
 <pre> 
 # the domain we want to get the cert for; 
 domains = www.example.com 

 # increase key size 
 rsa-key-size = 4096 

 # the current closed beta (as of 2015-Nov-07) is using this server 
 server = https://acme-v01.api.letsencrypt.org/directory 

 # this address will receive renewal reminders, IIRC 
 email = bob@example.com 

 # turn off the ncurses UI, we want this to be run as a cronjob 
 text = True 

 # agree to the terms of service 
 agree-tos 

 # authenticate by placing a file in the webroot and then letting LE fetch it 
 authenticator = webroot 
 webroot-path = /usr/local/www/sites/www.example.com 
 </pre> 

 * Generate the first certificate: 
 <pre> 
 certbot certonly --config /usr/local/etc/letsencrypt/config/www.example.com.conf 
 </pre> 

 h3. Automatic Renewal 

 * Test automatic renewal for your certificates by running this command: 
 <pre> 
 certbot renew --dry-run 
 </pre> 

 * If that appears to be working correctly, you can arrange for automatic renewal by adding a cron job which runs the following: 
 <pre> 
 certbot renew --quiet 
 </pre> 

 * Edit the root cron table: 
 <pre> 
 crontab -e 
 </pre> 
 #* And add the following to the end of the file: 
 <pre> 
 # LetsEncrypt weekly renewal check (every Monday at 02:30) 
 30 2 * * 1 /usr/local/bin/certbot renew --quiet >> /var/log/le-renew.log 

 # Reload nginx after LetsEncrypt renewal 
 40 2 * * 1 /usr/local/etc/rc.d/nginx reload 
 </pre> 
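The two cron entries above reload nginx ten minutes after the renewal attempt whether or not anything changed. The following wrapper script is an added example, not part of the original guide: it runs the renewal, reloads nginx only when the certificate file was actually replaced and `nginx -t` still passes, and logs a warning if the certificate is still close to expiry afterwards. Paths follow the guide; the variable names, the log format and the script location are assumptions.

```shell
#!/bin/sh
# Added example (not from the original guide): certbot renewal wrapper for cron.
# Reloads nginx only when fullchain.pem changed and the config parses.
set -eu

CERT=/usr/local/etc/letsencrypt/live/www.example.com/fullchain.pem
LOG=/var/log/le-renew.log
CERTBOT=/usr/local/bin/certbot

# Return 0 if the certificate in $1 expires within $2 days.
# openssl -checkend takes seconds and exits 0 when the cert outlives the window.
cert_expires_within() {
    if openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# SHA-256 fingerprint of the certificate in $1, used to detect a replaced file.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

log() {
    echo "$(date '+%Y-%m-%d %H:%M:%S') $*" >> "$LOG"
}

main() {
    before=$(cert_fingerprint "$CERT")
    if ! "$CERTBOT" renew --quiet >> "$LOG" 2>&1; then
        log "ERROR: certbot renew failed"
    fi
    after=$(cert_fingerprint "$CERT")
    if [ "$before" != "$after" ]; then
        # Certificate changed: validate the nginx config before reloading.
        if nginx -t >> "$LOG" 2>&1; then
            service nginx reload >> "$LOG" 2>&1
            log "reloaded nginx, new fingerprint $after"
        else
            log "ERROR: nginx -t failed, not reloading"
        fi
    fi
    if cert_expires_within "$CERT" 14; then
        log "WARNING: certificate still expires within 14 days"
    fi
}
# Run only when invoked with "run" (e.g. from cron); sourcing just defines the functions.
case "${1:-}" in run) main ;; esac
```

Saved as, for instance, /usr/local/sbin/le-renew.sh (an assumed location), a single cron entry such as `30 2 * * 1 /usr/local/sbin/le-renew.sh run` replaces both lines above.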

 h2. Nginx SSL 

 * Generate the dhparam file: 
 <pre> 
 openssl dhparam -out /usr/local/etc/nginx/dhparam.pem 4096 
 </pre> 

 * Edit the default site configuration: 
 <pre> 
 vi /usr/local/etc/nginx/conf.d/www.example.com.conf 
 </pre> 
 #* Uncomment the SSL configuration options to enable SSL: 
 <pre> 
 server { 
     listen 80;  
     listen 443 default ssl; 
     server_name www.example.com; 

     # Turn on and set SSL key/cert 
     ssl on; 
     ssl_certificate /usr/local/etc/letsencrypt/live/www.example.com/fullchain.pem; 
     ssl_certificate_key /usr/local/etc/letsencrypt/live/www.example.com/privkey.pem; 

     # Strong SSL configuration 
     ssl_ciphers 'AES128+EECDH:AES128+EDH:!aNULL'; 
     ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 
     ssl_session_cache    builtin:1000    shared:SSL:10m; 
     ssl_stapling on; 
     ssl_stapling_verify on; 
     ssl_prefer_server_ciphers on; 
     ssl_dhparam /usr/local/etc/nginx/dhparam.pem; 
     add_header Strict-Transport-Security max-age=63072000; 
     add_header X-Frame-Options SAMEORIGIN; 
     add_header X-Content-Type-Options nosniff; 

     root /usr/local/www/sites/www.example.com; 
     index index.html index.htm; 
     autoindex on; 

     location ~ /.well-known { 
         allow all; 
     } 
 } 
 </pre> 

 h2. Resources 

 * https://wiki.freebsd.org/BernardSpil/LetsEncrypt 
 * https://gist.github.com/xrstf/581981008b6be0d2224f 
 * https://laracasts.com/discuss/channels/general-discussion/installing-letsencrypt-certificate-and-auto-renewal 
 * https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-14-04#step-4-%E2%80%94-set-up-auto-renewal 
 * https://certbot.eff.org/all-instructions/#freebsd-none-of-the-above
