

Let’s Encrypt is a Certificate Authority (CA) that provides a simple way to obtain and install free TLS/SSL certificates, thereby enabling encrypted HTTPS on web servers. It simplifies the process by offering a software client, Certbot, that automates many of the steps.

In this tutorial, we will show you how to use Certbot to obtain a free SSL certificate and use it on a FreeBSD server running Nginx. We will also show you how to automatically renew your SSL certificate.

We will use the default Nginx configuration file in this tutorial instead of a separate server block file. We generally recommend creating new Nginx server block files for each domain because it helps to avoid some common mistakes and maintains the default files as a fallback configuration as intended.


To complete this tutorial, you’ll need:

  • A FreeBSD server. If you’re new to working with FreeBSD, you can follow this guide to help you get started.
  • Nginx installed and configured on your server. For instructions on how to set this up, see our guide on How To Install an Nginx, MySQL, and PHP (FEMP) Stack on FreeBSD 10.1. Note that you don’t need to install or configure PHP or MySQL to obtain a Let’s Encrypt certificate. At a minimum, though, you need to install, enable, and configure Nginx as shown in the linked tutorial.
  • A registered domain name that you own and control. If you do not already have a registered domain name, you may register one with one of the many domain name registrars out there (e.g. Namecheap, GoDaddy, etc.).
  • A DNS A Record that points your domain to the public IP address of your server. You can follow this hostname tutorial for details on how to add them. This is required because of how Let’s Encrypt validates that you own the domain it is issuing a certificate for. For example, if you want to obtain a certificate for, that domain must resolve to your server for the validation process to work. Our setup will use and as the domain names, so both DNS records are required.

Once you’ve completed these prerequisites, let’s move on to installing Certbot, the Let’s Encrypt client software.

Step 1 — Installing Certbot

The first step to using Let’s Encrypt to obtain an SSL certificate is to install the certbot client software on your server. The latest version of Certbot can be installed from source using FreeBSD’s ports system.

To begin, fetch a compressed snapshot of the ports tree:

It may take a few minutes for this command to complete. When it finishes, extract the snapshot:

It may take a while for this command to finish, as well. Once it’s done, navigate to the py-certbot directory within the ports tree:

  • cd /usr/ports/security/py-certbot

Then use the make command with sudo privileges to download and compile the Certbot source code:

Next, navigate to the py-certbot-nginx directory within the ports tree:

  • cd /usr/ports/security/py-certbot-nginx

Run the make command again from this directory. This will install the nginx plugin for Certbot, which we’ll use to obtain the SSL certificates:

During this plugin’s installation, you will see a couple of blue dialog windows pop up that look like this:

py-certbot-nginx dialog window example

These give you the option to install documentation for the plugin and its dependencies. For the purposes of this tutorial, you can just press ENTER to accept the default options in these windows, which will install this documentation.

The certbot Let’s Encrypt client is now ready to use. Before obtaining your certificates, though, it’s important to set up a firewall and allow HTTPS traffic through it, if you haven’t already done so.

Step 2 — Setting Up a Firewall and Allowing HTTPS Access

If you’ve already set up a firewall on your server, you should ensure that it allows HTTPS access (via port 443). If you haven’t already set up a firewall, you can do so by following the instructions outlined in this step.

Open up your rc.conf file, which is located in the /etc/ directory, with your preferred editor. Here we will use ee:

This file is used to inform FreeBSD which services should be started whenever the machine boots up. Near the top of the file, add the following highlighted lines:

/etc/rc.conf

. . .
firewall_myservices="22 80 443"

Here’s what each of these directives and their settings do:

  • firewall_enable="YES" — This enables the firewall to start up whenever the server boots.
  • firewall_type="workstation" — FreeBSD provides several default types of firewalls, each of which has slightly different configurations. By declaring the workstation type, the firewall will only protect this server using stateful rules.
  • firewall_myservices="22 80 443" — The firewall_myservices directive is where you can list the TCP ports you want to allow through the firewall. In this example, we’re specifying ports 22, 80, and 443 to allow SSH, HTTP, and HTTPS access to the server, respectively.
  • firewall_allowservices="any" — This allows a machine from any IP address to communicate over the ports specified in the firewall_myservices directive.

After adding these lines, save the file and close the editor by pressing CTRL + C, typing exit, and then pressing ENTER.

Then, start the ipfw firewall service with the following command:

With a firewall configured, you’re now ready to run Certbot and fetch your certificates.
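Before running Certbot, it is worth confirming that the file really carries all four directives described above, since a missing port only shows up later as a failed validation or an unreachable HTTPS site. The following check is an added example, not part of the original tutorial; check_rc_firewall is a hypothetical helper name and the sample rc.conf is constructed.

```shell
#!/bin/sh
# Added example: verify that an rc.conf carries the ipfw settings from this step.
# check_rc_firewall is a hypothetical helper; the sample file below is constructed.

# Usage: check_rc_firewall FILE PORT...
# Prints one line per problem and returns 0 only when nothing is wrong.
check_rc_firewall() {
    rc_file=$1; shift
    [ -r "$rc_file" ] || { echo "cannot read $rc_file"; return 2; }
    (
        # rc.conf is a list of sh variable assignments, so source it in a
        # subshell to get the effective (last-assigned) values. Only do this
        # with a file you trust: sourcing executes whatever it contains.
        firewall_enable= firewall_type= firewall_myservices= firewall_allowservices=
        . "$rc_file"
        status=0
        case $firewall_enable in
            [Yy][Ee][Ss]) ;;
            *) echo "firewall_enable is not YES: ipfw will not start at boot"; status=1 ;;
        esac
        [ "$firewall_type" = "workstation" ] ||
            { echo "firewall_type is '$firewall_type', this step assumes workstation"; status=1; }
        for port in "$@"; do
            case " $firewall_myservices " in
                *" $port "*) ;;
                *) echo "port $port missing from firewall_myservices"; status=1 ;;
            esac
        done
        [ -n "$firewall_allowservices" ] ||
            { echo "firewall_allowservices is unset: no source may reach the listed ports"; status=1; }
        exit "$status"
    )
}

# Constructed sample: the four directives described in this step.
sample=$(mktemp)
cat > "$sample" <<'EOF'
firewall_enable="YES"
firewall_type="workstation"
firewall_myservices="22 80 443"
firewall_allowservices="any"
EOF
check_rc_firewall "$sample" 22 80 443 && echo "rc.conf allows SSH, HTTP and HTTPS"
```

On the server itself, pass /etc/rc.conf as the first argument.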

Step 3 — Obtaining an SSL Certificate

Certbot provides a variety of ways to obtain SSL certificates through various plugins. The nginx plugin will take care of reconfiguring Nginx and reloading the config file:

  • sudo certbot --nginx -d -d

If this is your first time running certbot on this server, the client will prompt you to enter an email address and agree to the Let’s Encrypt terms of service. After doing so, certbot will communicate with the Let’s Encrypt server, then run a challenge to verify that you control the domain you’re requesting a certificate for.

If the challenge is successful, Certbot will ask how you’d like to configure your HTTPS settings:


. . .
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2

Select your choice then hit ENTER. This will update the configuration and reload Nginx to pick up the new settings. certbot will wrap up with a message telling you the process was successful and where your certificates are stored:


IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /usr/local/etc/letsencrypt/live/
   Your key file has been saved at:
   /usr/local/etc/letsencrypt/live/
   Your cert will expire on 2018-09-24. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again.
   To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /usr/local/etc/letsencrypt. You should
   make a secure backup of this folder now. This configuration
   directory will also contain certificates and private keys obtained
   by Certbot so making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:
   Donating to EFF:

Your certificates are now downloaded, installed, and configured. Try reloading your website using https:// and notice your browser’s security indicator. It should represent that the site is properly secured, usually with a green lock icon. If you test your server using the SSL Labs Server Test, it will get an A grade.

After confirming that you’re able to reach your site over HTTPS, you can move on to the final step of this tutorial, in which you’ll confirm that you’re able to renew your certificates and then configure a process to renew them automatically.

Step 4 — Verifying Certbot Auto-Renewal

Let’s Encrypt’s certificates are only valid for 90 days. This is to encourage users to automate their certificate renewal process. This step describes how to automate certificate renewal by setting up a cron job. Before setting up this automatic renewal though, it’s important to test that you’re able to renew certificates correctly.

To test the renewal process, you can do a dry run with certbot:

  • sudo certbot renew --dry-run

If you see no errors, you’re all set to create a new crontab:

This will open a new crontab file. Add the following content to the new file, which will tell cron to run the certbot renew command twice every day at noon and midnight. certbot renew checks whether any certificates on the system are close to expiring and will attempt to renew them when necessary:

0 0,12 * * * /usr/local/bin/certbot renew

Note that because you preceded the crontab -e command with sudo, this operation will be run as root, which is necessary because certbot requires superuser privileges to run.

If the automated renewal process ever fails, Let’s Encrypt will send a message to the email you specified, warning you when your certificate is about to expire.
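A local check that does not depend on that email catches a silently failing cron job earlier. By default Certbot attempts renewal once fewer than 30 days remain, so a certificate with less time left than that means renewals have been failing. The script below is an added example, not part of the original tutorial; the helper names, the 21-day threshold, and the throwaway self-signed certificates are assumptions made so it runs offline with only the openssl command-line tool.

```shell
#!/bin/sh
# Added example: expiry check to run alongside the renewal cron job.
# cert_expiry_status and make_sample_cert are hypothetical helper names.

# Returns 0 if the certificate stays valid for more than $2 days (default 21),
# 1 if it expires within that window or already has, 2 if it cannot be parsed.
cert_expiry_status() {
    cert=$1 days=${2:-21}
    openssl x509 -in "$cert" -noout >/dev/null 2>&1 || return 2
    # -checkend N exits 0 only if the certificate is still valid N seconds from now.
    if openssl x509 -in "$cert" -noout -checkend "$((days * 86400))" >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# Constructed sample input: self-signed certificates with a chosen lifetime.
make_sample_cert() {    # $1 = output file, $2 = lifetime in days
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -subj "/CN=example.test" \
        -keyout "$1.key" -out "$1" 2>/dev/null
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
make_sample_cert "$tmp/fresh.pem" 90    # what a just-renewed certificate looks like
make_sample_cert "$tmp/stale.pem" 10    # what you see after weeks of failed renewals

# On the server, check cert.pem under /usr/local/etc/letsencrypt/live/<your-domain>/.
for f in "$tmp/fresh.pem" "$tmp/stale.pem" "$tmp/missing.pem"; do
    rc=0
    cert_expiry_status "$f" 21 || rc=$?
    case $rc in
        0) echo "OK       ${f##*/}: more than 21 days left" ;;
        1) echo "WARNING  ${f##*/}: expires within 21 days, renewal is not working" ;;
        *) echo "ERROR    ${f##*/}: not a readable certificate" ;;
    esac
done
```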


In this tutorial we have installed the Let’s Encrypt client certbot, downloaded SSL certificates for our domain, configured Nginx to use these certificates, and set up automatic certificate renewal. If you have further questions about using Certbot, their documentation is a good place to start.