letsencrypt.sh with nginx on FreeBSD 11

2019-05-06 14:28:14.328992+00

Installing letsencrypt.sh is very easy. Just issue this command:

cd /usr/ports/security/letsencrypt.sh/ && make install clean

Let's have a look at the default variables used by letsencrypt.sh:

/usr/local/bin/letsencrypt.sh --env
# letsencrypt.sh configuration
#
# !! WARNING !! No main config file found, using default config!
#
declare -- CA="https://acme-v01.api.letsencrypt.org/directory"
declare -- LICENSE="https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf"
declare -- CHALLENGETYPE="http-01"
declare -- HOOK=""
declare -- HOOK_CHAIN="no"
declare -- RENEW_DAYS="30"
declare -- ACCOUNT_KEY="/usr/local/bin/private_key.pem"
declare -- ACCOUNT_KEY_JSON="/usr/local/bin/private_key.json"
declare -- KEYSIZE="4096"
declare -- WELLKNOWN="/usr/local/bin/.acme-challenges"
declare -- PRIVATE_KEY_RENEW="yes"
declare -- OPENSSL_CNF="/etc/ssl/openssl.cnf"
declare -- CONTACT_EMAIL=""
declare -- LOCKFILE="/usr/local/bin/lock"

Next we need to update the nginx configuration. The directory WELLKNOWN as defined in the previous step must exist and must be readable by the user nginx runs as. In the configuration files vhost/.... for this domain we need these adjustments:

server {
    listen......
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        # this directory must exist and is identical to WELLKNOWN:
        alias /usr/local/bin/.acme-challenges/;
    }
}

Restart nginx to make the adjustment active:

service nginx restart
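Before running the certificate request it is worth checking the two things this step depends on: that the `alias` in the vhost really points at the directory letsencrypt.sh uses as WELLKNOWN, and that the directory is readable by the unprivileged nginx worker (a token written there as root with a restrictive mode is the usual reason the http-01 challenge fails). The script below is an added example and is not part of letsencrypt.sh or of the original post; the function names are my own, the sample `--env` output and vhost are constructed to mirror the page's paths, and it assumes the `alias /path/;` one-directive form shown above.

```sh
#!/bin/sh
# Pre-flight check for the http-01 setup (added example, not part of
# letsencrypt.sh). Verifies that the nginx alias for
# /.well-known/acme-challenge/ equals WELLKNOWN, and that WELLKNOWN is
# readable and searchable by "other", so the nginx worker can serve tokens.

# Pull WELLKNOWN out of saved `letsencrypt.sh --env` output ($1 = file).
# Relies on the `declare -- WELLKNOWN="..."` line shape shown by the tool.
wellknown_from_env() {
    sed -n 's/.*declare -- WELLKNOWN="\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Pull the alias target of the acme-challenge location out of a vhost file
# ($1). Assumes `alias /path/;` and no comment containing the word "alias"
# inside that location block.
alias_from_vhost() {
    awk '
        /location[[:space:]]+\^~[[:space:]]+\/\.well-known\/acme-challenge\// { inloc = 1 }
        inloc && /alias[[:space:]]+/ {
            sub(/.*alias[[:space:]]+/, ""); sub(/;.*/, ""); print; exit
        }
    ' "$1"
}

# Drop trailing slashes so "/a/b/" and "/a/b" compare equal.
normalize_dir() {
    printf '%s\n' "$1" | sed 's:/*$::'
}

# 0 if the vhost alias ($2) and WELLKNOWN from the env dump ($1) are the
# same directory, else 1.
alias_matches_wellknown() {
    want=$(normalize_dir "$(wellknown_from_env "$1")")
    have=$(normalize_dir "$(alias_from_vhost "$2")")
    [ -n "$want" ] && [ "$want" = "$have" ]
}

# 0 if "other" has r and x on directory $1, i.e. any local user, including
# nginx's worker user, can list and read files in it. Parses ls(1) output
# so it behaves the same on FreeBSD and Linux.
world_readable_dir() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        d??????r?x) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample input mirroring the page's paths (not live output).
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/env.txt" <<'EOF'
declare -- CHALLENGETYPE="http-01"
declare -- WELLKNOWN="/usr/local/bin/.acme-challenges"
EOF
    cat > "$tmp/vhost.conf" <<'EOF'
server {
    listen 80;
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        # this directory must exist and is identical to WELLKNOWN:
        alias /usr/local/bin/.acme-challenges/;
    }
}
EOF
    if alias_matches_wellknown "$tmp/env.txt" "$tmp/vhost.conf"; then
        echo "ok: nginx alias matches WELLKNOWN ($(wellknown_from_env "$tmp/env.txt"))"
    else
        echo "MISMATCH: alias=$(alias_from_vhost "$tmp/vhost.conf") WELLKNOWN=$(wellknown_from_env "$tmp/env.txt")"
    fi
    # Stand-ins for WELLKNOWN, one with and one without the mode nginx needs.
    mkdir -m 755 "$tmp/good" && mkdir -m 700 "$tmp/bad"
    for d in "$tmp/good" "$tmp/bad"; do
        if world_readable_dir "$d"; then echo "ok: $d is readable by nginx"
        else echo "FIX: chmod 755 $d (nginx cannot read it)"; fi
    done
    rm -rf "$tmp"
}
demo
```

On a real host, point the two functions at `letsencrypt.sh --env > env.txt` and your vhost file, and run `world_readable_dir` against the WELLKNOWN path itself; if the last check fails, `chmod 755` on the directory is the fix, since letsencrypt.sh writes the token there and nginx only needs to read it.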

Generate the certificate as follows:

/usr/local/bin/letsencrypt.sh --cron --domain www.logikfabrik.com --challenge http-01
#
# !! WARNING !! No main config file found, using default config!
#
Processing www.logikfabrik.com
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting challenge for www.logikfabrik.com...
 + Responding to challenge for www.logikfabrik.com...
 + Challenge is valid!
 + Requesting certificate...
 + Checking certificate...
 + Done!
 + Creating fullchain.pem...
 + Done!

Last but not least, update your webserver's vhost file:

server {
    listen 80 ;
    listen 443 ssl http2;
    server_name www.logikfabrik.com;
    client_max_body_size 10M;   # max size for uploading image files
    client_body_buffer_size 10M;   # ava 20160501
    index index.php;
    server_tokens off;

    # no "ssl on;" here: it would apply to the port 80 listener as well and
    # break plain HTTP, which the http-01 challenge needs; "listen 443 ssl"
    # already enables TLS on 443. Keep the /.well-known/acme-challenge/
    # location from the earlier step in this block so renewals keep working.
    ssl_certificate /usr/local/bin/certs/www.logikfabrik.com/fullchain.pem;
    ssl_certificate_key /usr/local/bin/certs/www.logikfabrik.com/privkey.pem;
    ssl_trusted_certificate /usr/local/bin/certs/www.logikfabrik.com/fullchain.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
}

Tag: freebsd