FreeBSD 11: Tips and Tricks


Installing is very easy. Just issue this command:

cd /usr/ports/security/ && make install clean

Let's have a look at the default variables used by

/usr/local/bin/ --env
# configuration
#
# !! WARNING !! No main config file found, using default config!
#
declare -- CA=""
declare -- LICENSE=""
declare -- CHALLENGETYPE="http-01"
declare -- HOOK=""
declare -- HOOK_CHAIN="no"
declare -- RENEW_DAYS="30"
declare -- ACCOUNT_KEY="/usr/local/bin/private_key.pem"
declare -- ACCOUNT_KEY_JSON="/usr/local/bin/private_key.json"
declare -- KEYSIZE="4096"
declare -- WELLKNOWN="/usr/local/bin/.acme-challenges"
declare -- PRIVATE_KEY_RENEW="yes"
declare -- OPENSSL_CNF="/etc/ssl/openssl.cnf"
declare -- CONTACT_EMAIL=""
declare -- LOCKFILE="/usr/local/bin/lock"

Next we need to update the nginx configuration. The directory set in WELLKNOWN (see the output above) must exist and must be readable by nginx. In the configuration file vhost/.... for this domain we need these adjustments:

server {
    listen......

    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        # this directory must exist and is identical to WELLKNOWN:
        alias /usr/local/bin/.acme-challenges/;
    }

Restart nginx to make the adjustment active:

service nginx restart

Generate the certificate as follows:

/usr/local/bin/ --cron --domain --challenge http-01
#
# !! WARNING !! No main config file found, using default config!
#
Processing
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting challenge for
 + Responding to challenge for
 + Challenge is valid!
 + Requesting certificate...
 + Checking certificate...
 + Done!
 + Creating fullchain.pem...
 + Done!
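The requirement that WELLKNOWN be readable by nginx, and the fact that the defaults put the account key under /usr/local/bin, can be checked with a small pre-flight script once the account key exists. This is an added example, not part of the original page or of the client itself; the function names and the probe file name are made up here, and it assumes the nginx worker user is neither owner nor group member of these paths.

```sh
#!/bin/sh
# Added example: permission pre-flight for the HTTP-01 setup on this page.
# Assumption: the nginx worker is neither owner nor group member of these
# paths, so only the "other" permission bits are inspected.

# Print the 10-character mode string of a path (same on BSD and GNU ls).
mode_of() { ls -ld "$1" 2>/dev/null | cut -c1-10; }

# challenge_dir_ok DIR [TOP]: DIR and each parent below TOP (default /) must
# be searchable by others, and a file created under the current umask must be
# readable by others, as a challenge token written by the client would be.
challenge_dir_ok() {
    dir=$1 top=${2:-/}
    [ -d "$dir" ] || { echo "missing directory: $dir" >&2; return 1; }
    p=$(cd "$dir" 2>/dev/null && pwd -P) || { echo "cannot enter $dir" >&2; return 1; }
    while [ "$p" != "$top" ] && [ "$p" != "/" ]; do
        case $(mode_of "$p") in
            d????????[xt]) ;;
            *) echo "not searchable by others: $p" >&2; return 1 ;;
        esac
        p=$(dirname "$p")
    done
    probe="$dir/preflight-probe.$$"
    touch "$probe" 2>/dev/null || { echo "cannot write to $dir" >&2; return 1; }
    m=$(mode_of "$probe"); rm -f "$probe"
    case $m in
        -??????r??) return 0 ;;
        *) echo "new files in $dir are not readable by others (umask)" >&2; return 1 ;;
    esac
}

# key_is_private FILE: the account key must carry no group/other permission bits.
key_is_private() {
    case $(mode_of "$1") in
        -???------) return 0 ;;
        *) echo "missing, or accessible beyond its owner: $1" >&2; return 1 ;;
    esac
}

# preflight WELLKNOWN ACCOUNT_KEY: run both checks and report every failure.
preflight() {
    rc=0
    challenge_dir_ok "$1" || rc=1
    key_is_private "$2" || rc=1
    return $rc
}

# Run as: sh preflight.sh /usr/local/bin/.acme-challenges /usr/local/bin/private_key.pem
if [ "$#" -eq 2 ]; then preflight "$1" "$2"; fi
```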

Last but not least, update your web server's vhost file:

server {
    listen 80;
    listen 443 ssl http2;
    client_max_body_size 10M;   # max size for uploading image files
    client_body_buffer_size 10M;   # ava 20160501
    index index.php;
    server_tokens off;

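    # TLS is enabled by the "ssl" parameter of "listen 443"; no "ssl on;" here,
    # because it would force TLS on the port 80 listener as well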
    ssl_certificate /usr/local/bin/certs/;
    ssl_certificate_key /usr/local/bin/certs/;
    ssl_trusted_certificate /usr/local/bin/certs/;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
