FreeBSD/Apache Getting Started instructions don't work

Hi New Here,

Hope this is the right place. I just wanted to mention that the FreeBSD/Apache instructions under the “get started->shell access” are woefully out of date. They are so old, the software doesn’t even exist in the FreeBSD distribution any longer!

If there isn’t anyone who fixes stuff like this, I would be happy to write up a short document on how I managed to do it. It took many hours…

Thanks for Lets Encrypt! Marvelous!
Scott

cc @schoen @SwartzCr - Do you folks know who is the best person to update these instructions?

If you could share the steps you used and highlight the specific parts that the website instructions had wrong I think it would help the Certbot folks fix the problems faster. Thanks!

Sure! Happy to.

1. Install acme-client (the py-certbot software referred to on the certbot website doesn’t exist anymore, so everything after this on the certbot site sort of doesn’t work.) The simplest way is:

    ```
    pkg install acme-client
    ```

    but you can also build from ports.

2. Create a .well-known directory on your web server. I did it this way (this is for Apache 24.27):

    ```
    Define DotWellKnownPath "path/to/document/root/.well-known"
    ```

    In other words, if your document root is `/usr/local/www/apache24/data/www`, then DotWellKnownPath would be `/usr/local/www/apache24/data/www/.well-known`.

You will also need this:

```
<IfDefine DotWellKnownPath>
<Directory ${DotWellKnownPath}>
    Options Indexes
    AllowOverride None
    Require all granted
    Header add Content-Type text/plain
</Directory>
</IfDefine>
```

Note: I had to add some forward slashes to get this to display here properly, but hopefully you get the idea.

You don’t need the `Options Indexes`, but I found it useful in getting it all to work, as I could test accessibility from various hosts easily in a browser.

If you have Virtual Hosts you want to get certificates for, include this inside their `<VirtualHost>` container:

```
<IfDefine DotWellKnownPath>
    Alias /.well-known ${DotWellKnownPath}
</IfDefine>
```

3. There are some scripts included with the acme-client distribution. Unfortunately, I found there were some problems with them. In particular, they fail the first time you run the software, because acme-client doesn’t create the directories when you specify them the way the scripts do; they have to exist before you run the script, and the script doesn’t create them. If you have a lot of hosts, this is a problem. However, acme-client will create per-domain directories if you give it the right switches, and this also makes for a simpler script. Here is the one I used:

```sh
#!/bin/sh -e

#TESTINGARGS="-s -v"   # uncomment for trial runs: staging CA plus verbose output
BASEDIR="/usr/local/etc/acme"
DOMAINSFILE="${BASEDIR}/domains.txt"
CHALLENGEDIR="/usr/local/www/apache24/data/www/.well-known"
RELOAD="NO"

# Read domains.txt directly rather than through a pipe, so that RELOAD set
# inside the loop survives (a piped while loop runs in a subshell and would
# lose it). Blank lines and '#' comments are skipped.
while read -r domain subdomains; do
    case "$domain" in ''|\#*) continue ;; esac
    set +e # RC=2 when time to expire > 30 days
    # TESTINGARGS and subdomains are deliberately unquoted so they word-split
    acme-client ${TESTINGARGS} -mnN -C "${CHALLENGEDIR}" "${domain}" ${subdomains}
    RC=$?
    set -e
    if [ "$RC" -eq 0 ]; then
        RELOAD="YES"
    fi
    if [ "$RC" -ne 0 ] && [ "$RC" -ne 2 ]; then
        exit "$RC"
    fi
done < "${DOMAINSFILE}"

if [ "${RELOAD}" = "YES" ]; then
    service apache24 reload
fi
```


You’ll need to make sure the CHALLENGEDIR is correct for your configuration.
Create a text file: `/usr/local/etc/acme/domains.txt`

Each line of the file should list the domain names you want to obtain certs for, one domain per line. For example:

```
#You can use comments if you need to
www.example.com example.com
www.example2.com example2.com foo.example2.com
```

etc. The first name listed on each line will also be used by acme-client as a directory under which your certificates etc. are stored. I suggest uncommenting TESTINGARGS for the first couple of trial runs. This uses the Let’s Encrypt staging site and increases the verbosity of the acme-client. This will prevent you from running into any limits from the actual Let’s Encrypt CA servers. Once it all seems to be working, and you are able to get certificates and keys, delete all the ones you have from the staging servers, and comment out TESTINGARGS before running it ‘for real’.

Running the script will create some directories and files. For example, if you are getting a certificate for ‘www.example.com example.com’, it will create a public certificate directory under:

/usr/local/etc/ssl/acme/www.example.com/
You will find cert.pem, chain.pem and fullchain.pem here.

The domain private key will be:
/usr/local/etc/ssl/acme/private/www.example.com/privkey.pem

and the account private key will be
/usr/local/etc/acme/example.com/example.com/privkey.pem

To deploy these with Apache 24.27, for each virtual host you want to use https with:

```
Listen xxx.xxx.xxx.xxx:443

<VirtualHost xxx.xxx.xxx.xxx:443>
    SSLEngine on
    SSLCertificateFile "/usr/local/etc/ssl/acme/www.example.com/fullchain.pem"
    SSLCertificateKeyFile "/usr/local/etc/ssl/acme/private/www.example.com/privkey.pem"
</VirtualHost>
```

Of course you can also use the wildcard `*:443` or name-based virtual hosts. See the Apache documentation.

Finally, you need to set up a cron job to renew your certificates. Here is the script I am using at the moment:

```sh
#!/bin/sh -e

PATH=$PATH:/usr/local/bin:/usr/local/sbin
export PATH

BASEDIR="/usr/local/etc/acme"
DOMAINSFILE="${BASEDIR}/domains.txt"
RELOAD="NO"

# Read domains.txt directly (not via a pipe) so RELOAD set in the loop is
# kept. Blank lines and '#' comments are skipped.
while read -r domain subdomains; do
    case "$domain" in ''|\#*) continue ;; esac
    set +e # RC=2 when time to expire > 30 days
    # Note: unlike the first script this passes no -C "${CHALLENGEDIR}", so
    # acme-client must be able to write challenges where Apache serves .well-known
    acme-client -mv -b "${domain}" ${subdomains}
    RC=$?
    set -e
    if [ "$RC" -eq 0 ]; then
        RELOAD="YES"
    fi
    if [ "$RC" -ne 0 ] && [ "$RC" -ne 2 ]; then
        exit "$RC"
    fi
done < "${DOMAINSFILE}"

if [ "${RELOAD}" = "YES" ]; then
    service apache24 reload
fi
```

The instructions on the certbot site recommend running this twice a day out of cron.
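Added here as an example (not code from Scott's post, nor from acme-client or certbot): a POSIX sh pre-reload check for the certificate layout and domains.txt format described above. It assumes SSL_BASE may be overridden from the environment (so it can be pointed at a test tree) and uses openssl, if installed, to confirm each private key belongs to its fullchain.pem, since a mismatch makes Apache refuse to start.

```shell
#!/bin/sh
# Example added for this thread; SSL_BASE defaults to the acme-client output
# directory named in the post, overriding it is an assumption made for testing.
SSL_BASE="${SSL_BASE:-/usr/local/etc/ssl/acme}"

# Verify one primary name: fullchain.pem and privkey.pem must exist and be
# non-empty, and, when openssl is available, the key must match the leaf
# certificate. Returns 0 when the entry is deployable, 1 otherwise.
check_cert() {
    chain="${SSL_BASE}/$1/fullchain.pem"
    key="${SSL_BASE}/private/$1/privkey.pem"
    [ -s "$chain" ] || { echo "MISSING $chain" >&2; return 1; }
    [ -s "$key" ] || { echo "MISSING $key" >&2; return 1; }
    if command -v openssl >/dev/null 2>&1; then
        # Both commands print the SubjectPublicKeyInfo as PEM, so a plain string
        # comparison suffices; x509 reads only the first (leaf) cert of the chain.
        cert_pub=$(openssl x509 -in "$chain" -noout -pubkey 2>/dev/null)
        key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
        if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
            echo "KEY/CERT MISMATCH for $1" >&2
            return 1
        fi
    fi
    return 0
}

# Walk a domains.txt in the format shown above (blank lines and '#' comments
# skipped; the first name on a line is the directory name) and check each
# entry. Returns the number of broken entries, so 0 means safe to reload.
check_all() {
    bad=0
    while read -r domain subdomains; do
        case "$domain" in ''|\#*) continue ;; esac
        check_cert "$domain" || bad=$((bad + 1))
    done < "$1"
    return "$bad"
}
```

In the renewal script, the unconditional reload can then become `check_all "${DOMAINSFILE}" && service apache24 reload`, so a missing or mismatched key never takes the vhosts down.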

Are you quite sure? Because FreshPorts -- security/py-certbot: Let's Encrypt client says it does, and was last updated on 8 Aug 17. The acme-client you're referring to is completely different client software.

I just checked, and now it is there! Perhaps there was just a server problem yesterday. Or maybe they re-added it - I also wrote the maintainer of this software.

So, ignore all this. Sorry about that.

If you’d still like us to update any of the documentation feel free to open an issue on https://github.com/certbot/website/issues and mention me there!

