FreeBSD/Apache Getting Started instructions don't work


Hi New Here,

Hope this is the right place. I just wanted to mention that the FreeBSD/Apache instructions under the “get started->shell access” are woefully out of date. They are so old, the software doesn’t even exist in the FreeBSD distribution any longer!

If there isn’t anyone who fixes stuff like this, I would be happy to write up a short document on how I managed to do it. It took many hours…

Thanks for Lets Encrypt! Marvelous!


cc @schoen @SwartzCr - Do you folks know who is the best person to update these instructions?

If you could share the steps you used and highlight the specific parts that the website instructions had wrong I think it would help the Certbot folks fix the problems faster. Thanks!


Sure! Happy to.

  1. Install acme-client (the py-certbot software referred to on the certbot website doesn’t exist anymore, so everything after this on the certbot site sort of doesn’t work.)
    simplest is to do
    pkg install acme-client

but you can also build from ports.

  1. Create a .well-known directory on your web server. I did it this way (this is for Apache 24.27)
    Define DotWellKnownPath "path/to/document/root/.well-known"
    In other words, if your document root is
    then DotWellKnownPath would be

You will also need this

/< IfDefine DotWellKnownPath>
/<Directory ${DotWellKnownPath)>
Options Indexes
AllowOverride None
Require all granted
Header add Content-Type text/plain
Note: I had to add some forward slashes to get this to display here properly, but hopefully you get the idea.

You don’t need the Options Indexes, but I found it useful in getting it all to work, as I could test accesibility from various hosts easily in a browser.

If you have Virtual Hosts you want to get certificates for, include this line inside their <VirtualHost> container:

<IfDefine DotWellKnownPath>
Alias /.well-known ${DotWellKnownPath}

  1. There are some scripts included with the acme-client distribution. Unfortunately, I found there were some problems with them. In particular, they will fail for the first time you run the software, because the acme-client doesn’t create the directories if you specify them as the scripts do, so they have to exist before you run the script, and the script doesn’t create them. If you have a lot of hosts, this is a problem. However, acme-client will create per-domain directories if you give it the right switches, and this also makes for a simpler script. Here is the one I used:

#!/bin/sh -e


grep -vh ‘^[[:space:]]*(#|$)’ “${DOMAINSFILE}” | while read domain subdomains ; do
set +e # RC=2 when time to expire > 30 days
acme-client ${TESTINGARGS} -mnN -C “${CHALLENGEDIR}” ${domain} ${subdomains}
if [ $RC -eq 0 ]; then
set -e
[ $RC -ne 0 -a $RC -ne 2 ] && exit $RC

if [ “${RELOAD}” = “YES” ]; then
service apache24 reload

You’ll need to make sure the CHALLENGEDIR is correct for your configuration.
Create a text file: /usr/local/etc/acme/domains.txt

Each line of the file should list the domain names you want to obtain certs for, one domain per line: For example:
#You can use comments if you need to

etc. The first name listed on each line will also be used by acme-client as a directory under which your certificates etc are stored. I suggest uncommenting TESTINGARGS for the first couple of trial runs. This uses the Let’s Encrypt staging site and increases the verbosity of the acme-client. This will prevent you from running into any limits from the actual Let’s Encrypt CA servers. Once it all seems to be working, and are able to get certificates and keys, delete all the ones you have from the staging servers, and comment out TESTINGARGS before running it ‘for real’.

Running the script will create some directories and files. For example, if you are getting a certificate for ‘’, it will create a public certificate directory under:

You will find cert.pem, chain.pem and fullchain.pem here.

The domain private key will be:

and the account private key will be

To deploy these with Apache 24.27, for each virtual host you want to use https with:

/< VirtualHost>
SSLEngine on
SSLCertificateFile "/usr/local/etc/ssl/acme/"
SSLCertificateKeyFile “/usr/local/etc/ssl/acme/private/”
/< /VirtualHost>

Of course you can also use the wildcard *;443 or name based virtual hosts. See the Apache documentation.

FInally, you need to set up a cron job to renew your certificates Here is the script I am using at the moment:

#!/bin/sh -e

export PATH


grep -vh ‘^[[:space:]]*(#|$)’ “${DOMAINSFILE}” | while read domain subdomains ; do
set +e # RC=2 when time to expire > 30 days
acme-client -mv -b ${domain} ${subdomains}
if [ $RC -eq 0 ]; then
set -e
[ $RC -ne 0 -a $RC -ne 2 ] && exit $RC

if [ “${RELOAD}” = “YES” ]; then
service apache24 reload

The instructions on the certbot site recommend running this twice a day out of cron.


Are you quite sure? Because says it does, and was last updated on 8 Aug 17. The acme-client you’re referring to is completely different client software.


I just checked, and now it is there! Perhaps there was just a server problem yesterday. Or maybe they re-added it - I also wrote the maintainer of this software.

So, ignore all this. Sorry about that.


If you’d still like us to update any of the documentation feel free to open an issue on and mention me there!


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.