SSL Enabled Apache and Let's Encrypt

Synopsis:

Having an SSL connection to your web server ensures that all traffic between the client and the server is encrypted. This prevents "man in the middle" attacks, and it has also been shown that Google's search engine ranks https sites higher. We're going to use a free certificate provider, Let's Encrypt, whose certificates are valid for 90 days. We'll set up the server to get a signed certificate and then set up a cron job to automatically renew the certificate before it expires. Throughout this example the fake domain "www.mydomain.com" is used; substitute your host's name in these examples.

Prepare Apache for SSL

Open the httpd.conf file for editing:

    # cd /usr/local/etc/apache24
    # ee httpd.conf

Uncomment the LoadModule lines for the following modules: mod_ssl.so, mod_log_config.so, mod_setenvif.so, mod_socache_shmcb.so

Next, uncomment the following two lines:

    Include etc/apache24/extra/httpd-ssl.conf
    Include etc/apache24/extra/httpd-vhosts.conf

Edit the httpd-ssl.conf file:

    # ee extra/httpd-ssl.conf

Find <VirtualHost _default_:443> and modify ServerName and ServerAdmin, for example:

    ServerName www.mydomain.com
    ServerAdmin webmaster@mydomain.com

Install Certbot:

Ports method:

    # cd /usr/ports/security/py-certbot && make install clean

Package method:

    # pkg install -y py311-certbot

Get Certificates:

    # cd
    # service apache24 stop
    # certbot certonly --webroot -w /usr/local/www/apache24/data -d www.mydomain.com

Note that the web root path is the default for an Apache install on FreeBSD. Place the fully qualified domain name of the server after the "-d" parameter. The screen will display something like this:

    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Obtaining a new certificate
    Performing the following challenges:
    tls-sni-01 challenge for www.mydomain.com
    Waiting for verification...
    Cleaning up challenges
    Generating key (2048 bits): /usr/local/etc/letsencrypt/keys/0000_key-certbot.pem
    Creating CSR: /usr/local/etc/letsencrypt/csr/0000_csr-certbot.pem

    IMPORTANT NOTES:
     - Congratulations! Your certificate and chain have been saved at
       /usr/local/etc/letsencrypt/live/www.mydomain.com/fullchain.pem. Your cert will
       expire on 2017-09-17. To obtain a new or tweaked version of this
       certificate in the future, simply run certbot again. To
       non-interactively renew *all* of your certificates, run "certbot renew"
     - If you like Certbot, please consider supporting our work by:

       Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
       Donating to EFF:                    https://eff.org/donate-le

Edit httpd-vhosts.conf

    # cd /usr/local/etc/apache24/extra
    # ee httpd-vhosts.conf

Add a virtual host on port 80 that permanently redirects plain http requests to https:

    <VirtualHost *:80>
        ServerAdmin www.mydomain.com
        Redirect permanent / https://www.mydomain.com/
    </VirtualHost>

Remove or comment out any other VirtualHosts.

    # ee httpd-ssl.conf

Make sure the following is present:

    Listen 443

Add/modify only these two lines (the certificate chain and its private key, both in certbot's "live" directory):

    SSLCertificateFile "/usr/local/etc/letsencrypt/live/www.mydomain.com/fullchain.pem"
    SSLCertificateKeyFile "/usr/local/etc/letsencrypt/live/www.mydomain.com/privkey.pem"

Restart the Apache service:

    # service apache24 start

Test renewal:

    # certbot renew --dry-run

Troubleshooting: challenge failed

Here is an example of a failed renewal:

    # certbot renew --dry-run
    Saving debug log to /var/log/letsencrypt/letsencrypt.log

    -------------------------------------------------------------------------------
    Processing /usr/local/etc/letsencrypt/renewal/www.mydomain.com.conf
    -------------------------------------------------------------------------------
    Cert not due for renewal, but simulating renewal for dry run
    Renewing an existing certificate
    Performing the following challenges:
    http-01 challenge for www.mydomain.com
    Waiting for verification...
    Cleaning up challenges
    Attempting to renew cert from /usr/local/etc/letsencrypt/renewal/www.mydomain.com.conf

Check the above for DNS errors. Another reason for failure could be the RewriteEngine in the webroot's .htaccess file: a catch-all rewrite rule also rewrites the /.well-known/acme-challenge/ requests that the http-01 validation depends on. Edit the .htaccess file in the webroot and add the following line after RewriteEngine On:

    RewriteRule ^.well-known/acme-challenge - [L]

Setup a crontab to auto renew:

Create a shell file, as root:

    # cd
    # mkdir bin
    # cd bin
    # ee certbot.sh

Place the following contents into the file:

    #!/bin/sh
    # shell file for cron to auto renew certificate
    # this will stop apache to open the port for certbot and then restart apache after
    /usr/local/bin/certbot renew --pre-hook "service apache24 stop" --post-hook "service apache24 start"

Save the file. Make it executable:

    # chmod 755 certbot.sh

Next edit the crontab:

    # cd
    # crontab -e

Place the following into the crontab to check the certificate every Sunday morning:

    SHELL=/bin/sh
    PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin
    # Order of crontab fields
    # minute hour mday month wday command
    12 3 * * sun /root/bin/certbot.sh

This will run the cron job every Sunday at 3:12am; certbot will only renew the certificate when 30 days or fewer are left before expiration.

Sites of Interest:

https://letsencrypt.org/docs/
https://certbot.eff.org/
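The cron script above renews blindly and the troubleshooting section only explains the .htaccess failure after the fact. The following is an added example, not part of the original guide, of a renewal wrapper that checks the two failure causes the guide names (an unwritable webroot challenge directory and a RewriteEngine that swallows acme-challenge requests) before calling certbot, and afterwards confirms with openssl that the certificate in certbot's live directory really has more than 30 days left. It assumes the guide's paths and the hypothetical domain www.mydomain.com; WEBROOT and LIVE_DIR can be overridden from the environment.

```shell
#!/bin/sh
# Added example, not from the original guide: pre-flight checks plus a
# post-renewal verification for the weekly cron job. Assumes the guide's
# layout: webroot /usr/local/www/apache24/data and certbot's live directory
# for the hypothetical domain www.mydomain.com.
WEBROOT="${WEBROOT:-/usr/local/www/apache24/data}"
LIVE_DIR="${LIVE_DIR:-/usr/local/etc/letsencrypt/live/www.mydomain.com}"

# 0 when fewer than $3 days remain between now ($1) and notAfter ($2),
# both given as epoch seconds; mirrors certbot's 30-day renewal window.
renewal_due() {
    [ $(( $2 - $1 )) -lt $(( $3 * 86400 )) ]
}

# 0 when the .htaccess at $1 will not rewrite http-01 challenge requests:
# either RewriteEngine is not on, or the acme-challenge exemption from the
# troubleshooting section is present.
htaccess_allows_acme() {
    [ -f "$1" ] || return 0
    grep -qiE '^[[:space:]]*RewriteEngine[[:space:]]+On' "$1" || return 0
    grep -qE '^[[:space:]]*RewriteRule[[:space:]]+[^[:space:]]*acme-challenge[[:space:]]+-[[:space:]]+\[L' "$1"
}

# 0 when certbot can place a token under $1/.well-known/acme-challenge.
webroot_writable() {
    mkdir -p "$1/.well-known/acme-challenge" 2>/dev/null &&
        [ -w "$1/.well-known/acme-challenge" ]
}

# 0 when the PEM certificate at $2 stays valid for more than $1 days;
# an unreadable file also returns non-zero, which counts as "needs renewal".
cert_valid_beyond() {
    openssl x509 -noout -in "$2" -checkend $(( $1 * 86400 )) >/dev/null 2>&1
}

main() {
    rc=0
    webroot_writable "$WEBROOT" || { echo "challenge dir under $WEBROOT not writable"; rc=1; }
    htaccess_allows_acme "$WEBROOT/.htaccess" || { echo ".htaccess rewrites acme-challenge"; rc=1; }
    [ "$rc" -eq 0 ] || return "$rc"
    /usr/local/bin/certbot renew --pre-hook "service apache24 stop" \
        --post-hook "service apache24 start" || rc=1
    # A non-zero exit makes cron mail root instead of failing silently.
    cert_valid_beyond 30 "$LIVE_DIR/fullchain.pem" ||
        { echo "certificate still expires within 30 days after renew run"; rc=1; }
    return "$rc"
}
# Only act when invoked as "certbot.sh --run"; sourcing just defines the checks.
if [ "${1:-}" = "--run" ]; then main; fi
```

Point the crontab entry at `/root/bin/certbot.sh --run`; cron mails root the echoed reason whenever the script exits non-zero.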