Thursday, 10 December 2015

Let's Encrypt! with FreeBSD 10.2 & nginx

With the announcement that Letsencrypt.org went into public beta this last week, I decided to give it a go; here are my results.

If you don't know what this is, visit their website and find out: https://letsencrypt.org

I have a FreeBSD 10.2 dev VM running on my Windows Server 2012 R2 Hyper-V box; it hosts some internal websites I use, but nothing significant.


Assuming the following, it'll be easy to get a Let's Encrypt cert in a few minutes:
Port 80 is open to the world on your web server (or port forwarding/PAT is configured), since the webroot challenge is answered over plain HTTP.
Your DNS is correct for www.mydomainname.com and points to the web server.
And lastly, your document root is /usr/local/www/nginx/.

Before asking for help, check that all of those are correct.

To install Let's Encrypt it's a fairly straightforward "pkg install py27-letsencrypt", or cd /usr/ports/security/py-letsencrypt && make install clean. As of writing that is py27-letsencrypt-0.1.0 on FreeBSD 10.2.

Once installed you'll need to run a command like:
letsencrypt certonly --webroot -w /usr/local/www/nginx/ -d www.mydomainname.com

Note: you can add additional arguments like "-d www.myotherdomains.com" to cover multiple domains at the same time.

If you get a success message, all you need to do is edit your nginx.conf for your site(s); I'll include a basic sample below which works for me. Don't edit your nginx.conf before getting your cert: if you try to reload it then, it won't reload because the cert and key will be missing!

server {
    listen 80;
    listen 443 ssl;
    server_name www.myotherdomains.com;

    # Paths created by letsencrypt certonly; live/ holds symlinks to the current cert and key
    ssl_certificate     /usr/local/etc/letsencrypt/live/www.myotherdomains.com/fullchain.pem;
    ssl_certificate_key /usr/local/etc/letsencrypt/live/www.myotherdomains.com/privkey.pem;

    access_log /var/log/www/access-www.myotherdomains.com.log;
    error_log  /var/log/www/error-www.myotherdomains.com.log;

    # Serving the document root on port 80 is also what answers the
    # /.well-known/acme-challenge/ requests during issuance and renewal
    location / {
        root  /usr/local/www/nginx/;
        index index.html;
    }
}


Now that you have py-letsencrypt installed and your cert and nginx config sorted, all you need to do is restart nginx with:
service nginx restart

You should now have a working Let's Encrypt cert!!!

Please note that FreeBSD does not yet have the letsencrypt-auto client as of 9th December 2015, so in 89 days (the certificates are only valid for 90 days) you had better renew your certs with the same command you used above!
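Since there is no auto-renewal client yet, here is a small sh script (an added example, not from the post) that checks how long the issued certificate has left and re-runs the post's certonly command when it is close to expiry, then reloads nginx. The 30-day threshold, the script name, and the use of "service nginx reload" are my assumptions; the paths are the ones used above.

```shell
#!/bin/sh
# Renewal helper for the manual py27-letsencrypt workflow described in the post.
# Assumed: certs were issued with "letsencrypt certonly --webroot" and live under
# /usr/local/etc/letsencrypt/live/<name>/ as in the nginx config above.
LE_LIVE="/usr/local/etc/letsencrypt/live"
WEBROOT="/usr/local/www/nginx/"
RENEW_DAYS=30   # assumed policy: renew when fewer than this many days remain

# needs_renewal CERTFILE DAYS
# Returns 0 (true) if the cert expires within DAYS days or cannot be read,
# 1 (false) if it is still valid beyond that window.
needs_renewal() {
    cert="$1"; days="$2"
    [ -r "$cert" ] || return 0
    # openssl -checkend exits 0 only if the cert is still valid after the given seconds
    if openssl x509 -noout -checkend "$((days * 86400))" -in "$cert" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# renew_domain NAME
# Re-runs the same certonly command the post uses, then reloads nginx on success.
renew_domain() {
    name="$1"
    cert="$LE_LIVE/$name/fullchain.pem"
    if needs_renewal "$cert" "$RENEW_DAYS"; then
        echo "$name: renewing (expires within $RENEW_DAYS days or cert missing)"
        letsencrypt certonly --webroot -w "$WEBROOT" -d "$name" && service nginx reload
    else
        echo "$name: valid for more than $RENEW_DAYS days, nothing to do"
    fi
}

# Run only when given domain names, e.g. from cron:
#   sh renew-le.sh www.mydomainname.com www.myotherdomains.com
if [ "$#" -gt 0 ]; then
    for d in "$@"; do renew_domain "$d"; done
fi
```

Run it daily from root's crontab with your domain names as arguments, and check the nginx error log after the first renewal to confirm the reload picked up the new files.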