From: "Valeri Galtsev"
Reply-To: galtsev@kicp.uchicago.edu
To: "David Mehler"
Cc: freebsd-questions@freebsd.org
Date: Mon, 19 Dec 2016 11:56:20 -0600 (CST)
Subject: Re: letsencrypt setup on freebsd
Message-ID: <12862.128.135.52.6.1482170180.squirrel@cosmo.uchicago.edu>

On Mon, December 19, 2016 11:32 am, David Mehler wrote:
> Hello,
>
> How did you get letsencrypt set up on FreeBSD? The more I'm reading
> the more confusing I'm finding it.
Here is what I did (followed mostly these two docs):

# https://letsencrypt.org/getting-started/
# https://certbot.eff.org/#freebsd-apache

pkg install py27-certbot

certbot certonly --webroot -w /usr/local/www/apache24/data -d [your_domain_name].org
# Note that /usr/local/www/apache24/data is the webroot of the running webserver serving [your_domain_name].org
# Certificate and chain have been saved at: /usr/local/etc/letsencrypt/live/cmb-s4.org/fullchain.pem
# Now, note that you have to set a cron job to renew them as certs
# expire after 90 days...

# Configure apache
vi /usr/local/etc/apache24/extra/httpd-ssl.conf
-----
SSLCertificateFile "/usr/local/etc/letsencrypt/live/[your_domain_name].org/cert.pem"
SSLCertificateKeyFile "/usr/local/etc/letsencrypt/live/[your_domain_name].org/privkey.pem"
SSLCertificateChainFile "/usr/local/etc/letsencrypt/live/[your_domain_name].org/chain.pem"
-----
# and restart apache now.

# note that there are symlinks:
# ls -l /usr/local/etc/letsencrypt/live/[your_domain_name].org/
# and here is where the actual files are:
# cd /usr/local/etc/letsencrypt/archive/[your_domain_name].org

# check that the renew certificate script works
/usr/local/bin/certbot renew --dry-run
# it only reports about renewing

# To not miss the renewal moment, set a cronjob twice a day:
#crontab -e
#-----
#27 1,13 * * * /usr/local/bin/certbot renew --quiet
#-----
# Note that for the cron job to work you have to have the cron daemon running.
# I hit this snag as all the above I actually have inside the jail
# that runs that service for the .org domain I support for one of our projects.
# Alternatively you can set the cron job outside the jail, something like this:

crontab -e
-----
27 1,13 * * * /usr/sbin/jexec `/usr/sbin/jls | /usr/bin/grep [your_domain_name_or_rather_jail_name] | /usr/bin/awk '{ print $1 }'` /usr/local/bin/certbot renew --quiet
-----

And that should be it. Good luck!

Valeri

>
> Thanks.
> Dave.
++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
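The cron snag Valeri describes (the renewal job silently never running inside the jail) is only noticed when the certificate has already expired. As an added example, not part of his mail and not certbot's own code, here is an independent check that reads the notAfter date of every certificate under certbot's live/ directory and flags any that is closer to expiry than a working renewal cron would ever allow. It uses only the Python standard library (it parses just enough DER to reach the validity field) so it runs inside a jail without OpenSSL or extra packages. The live/ path is the one from the mail; the 20-day threshold, the function names and the constructed sample certificate are assumptions made for this example.

```python
# Added example, not from the original mail: warn when a certbot-managed
# certificate under live/ is nearer expiry than the renewal cron should allow.
# Standard library only; just enough DER is parsed (Certificate ->
# tbsCertificate -> validity) to read notAfter. LIVE_DIR is certbot's path
# from the mail; WARN_DAYS is an assumption (certbot renews below 30 days
# left, so under 20 means the renewal did not run).
import base64
import datetime as dt
import os
import re

LIVE_DIR = "/usr/local/etc/letsencrypt/live"
WARN_DAYS = 20

def utc(year, month, day):
    return dt.datetime(year, month, day, tzinfo=dt.timezone.utc)

def _tlv(tag, value):
    """Encode one DER tag-length-value (short or long length form)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def _read_tlv(buf, pos):
    """Decode the DER TLV at buf[pos]; return (tag, value_bytes, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: low 7 bits = number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def _children(seq_value):
    """Yield (tag, value) for each element inside a SEQUENCE's value bytes."""
    pos = 0
    while pos < len(seq_value):
        tag, value, pos = _read_tlv(seq_value, pos)
        yield tag, value

def pem_to_der(pem_text):
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem_text)
    return base64.b64decode("".join(body.split()))

def _parse_time(tag, value):
    text = value.decode("ascii")
    if tag == 0x17:                      # UTCTime YYMMDDHHMMSSZ; RFC 5280: YY >= 50 is 19YY
        yy = int(text[:2])
        text = "%04d%s" % (1900 + yy if yy >= 50 else 2000 + yy, text[2:])
    elif tag != 0x18:                    # otherwise GeneralizedTime YYYYMMDDHHMMSSZ
        raise ValueError("unexpected time tag 0x%02x" % tag)
    return dt.datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=dt.timezone.utc)

def not_after(der):
    """Return the certificate's notAfter as an aware UTC datetime."""
    tag, cert, _ = _read_tlv(der, 0)
    tbs_tag, tbs, _ = _read_tlv(cert, 0)
    if tag != 0x30 or tbs_tag != 0x30:
        raise ValueError("not an X.509 Certificate SEQUENCE")
    fields = list(_children(tbs))
    if fields and fields[0][0] == 0xA0:  # optional [0] EXPLICIT version
        fields = fields[1:]
    validity_tag, validity = fields[3]   # serialNumber, signature, issuer, validity
    if validity_tag != 0x30:
        raise ValueError("validity is not a SEQUENCE")
    return _parse_time(*list(_children(validity))[1])   # [notBefore, notAfter]

def days_left(der, now=None):
    """Whole days until notAfter, relative to `now` (default: current UTC time)."""
    now = now or dt.datetime.now(dt.timezone.utc)
    return (not_after(der) - now).days

def scan_live_dir(live_dir=LIVE_DIR, warn_days=WARN_DAYS, now=None):
    """Return {name: days_left} for every live/<name>/cert.pem under the threshold."""
    late = {}
    names = sorted(os.listdir(live_dir)) if os.path.isdir(live_dir) else []
    for name in names:
        path = os.path.join(live_dir, name, "cert.pem")
        if os.path.isfile(path):
            with open(path) as fh:
                left = days_left(pem_to_der(fh.read()), now)
            if left < warn_days:
                late[name] = left
    return late

def constructed_cert(valid_from, valid_to):
    """Constructed sample (not a real cert): unsigned X.509 skeleton as PEM."""
    utctime = lambda d: _tlv(0x17, d.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    sha256_rsa = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")))
    tbs = _tlv(0x30, b"".join([
        _tlv(0xA0, _tlv(0x02, b"\x02")),          # [0] version v3
        _tlv(0x02, b"\x01"),                      # serialNumber
        sha256_rsa,                               # signature AlgorithmIdentifier
        _tlv(0x30, b""),                          # issuer (empty Name)
        _tlv(0x30, utctime(valid_from) + utctime(valid_to)),
        _tlv(0x30, b""), _tlv(0x30, b""),         # subject, subjectPublicKeyInfo (placeholders)
    ]))
    der = _tlv(0x30, tbs + sha256_rsa + _tlv(0x03, b"\x00"))
    b64 = base64.b64encode(der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % b64

if __name__ == "__main__":
    for name, left in scan_live_dir().items():
        print("WARNING: %s expires in %d days; is certbot renew running?" % (name, left))
```

Run it from a cron entry on the host (or via jexec, as in the mail) and route its output to mail; with the twice-daily renewal above, any hit means the renewal job itself is broken rather than merely late. One related caveat: certbot's webroot renewal rewrites the files behind the live/ symlinks but does not reload Apache, which keeps serving the certificate it loaded at startup, so pair the renew with a reload (certbot's renew hook option, or a `service apache24 reload` in the same cron entry).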