Blue Flower

Taken from letsencrypt.org:

The objective of Let’s Encrypt and the ACME protocol is to make it possible to set up an HTTPS server and have it automatically obtain a browser-trusted certificate, without any human intervention. This is accomplished by running a certificate management agent on the web server.

To see the entire process, take a look at https://letsencrypt.org/how-it-works/
Additional documentation can be found at https://letsencrypt.org/docs/
This walkthrough was copied with permission from https://wiki.freebsd.org/BernardSpil/LetsEncrypt

First, let's install the port:


# cd /usr/ports/security/dehydrated
# make install clean

Now set up a dedicated unprivileged user and group for the agent and the permissions it needs:


# pw groupadd -n _dehydrated -g 443
# pw useradd -n _dehydrated -u 443 -g 443 -d /usr/local/etc/dehydrated -w no -s /nonexistent
# chown root:_dehydrated /usr/local/etc/dehydrated
# chmod 770 /usr/local/etc/dehydrated
# mkdir -p -m 775 /usr/local/www/.well-known/acme-challenge
# chgrp _dehydrated /usr/local/www/.well-known/acme-challenge

Now to modify the Apache configuration:

The ACME validation will GET a uniquely named file from http://www.yourdomain.com/.well-known/acme-challenge/, so Apache must be able to serve that path from the directory dehydrated writes the challenge files to.

The only way I can make the challenge work is by running the following command:


# ln -s /usr/local/www/.well-known/ /usr/local/www/apache24/data

Every (non-SSL) Virtual Host you have needs the same symlink if you want a cert for each of its domains.
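Before running dehydrated it is worth confirming that the challenge path actually works end to end: a file dropped into the WELLKNOWN directory must appear under the Apache document root through the symlink, and it must be readable by a user outside the _dehydrated group, since Apache runs as www. The following preflight check is an added example, not part of the original walkthrough; its default paths are the ones used above and can be overridden through the environment, and the token name it writes is constructed and removed afterwards.

```shell
#!/bin/sh
# Added preflight check; not part of the original walkthrough. It confirms that
# a token written into the WELLKNOWN directory (where dehydrated places its
# challenge responses) is reachable through the Apache document root via the
# symlink created above, and that the token and the challenge directory are
# readable by users outside the _dehydrated group (Apache runs as www, which
# is not a member). Default paths are the walkthrough's; override via environment.
WELLKNOWN="${WELLKNOWN:-/usr/local/www/.well-known/acme-challenge}"
DOCROOT="${DOCROOT:-/usr/local/www/apache24/data}"

# Print one character of the "others" permission triplet from `ls -ld` output:
# column 8 is the read bit, column 10 the execute/search bit (-rwxrwxr-x).
others_perm() {
    ls -ld "$1" | cut -c"$2"
}

# check_challenge_path WELLKNOWN DOCROOT
# Returns 0 if a constructed token is visible and world-readable through
# DOCROOT/.well-known/acme-challenge/, 1 otherwise (reason printed on stderr).
check_challenge_path() {
    wk="$1"; dr="$2"
    token="preflight-check-$$"      # constructed token name, removed afterwards
    rc=0
    if [ ! -d "$wk" ]; then
        echo "missing challenge directory: $wk" >&2
        return 1
    fi
    if [ "$(others_perm "$wk" 10)" != "x" ]; then
        echo "$wk is not searchable by others (expected mode 775)" >&2
        rc=1
    fi
    if ! printf 'preflight\n' > "$wk/$token" 2>/dev/null; then
        echo "cannot write into $wk (check group _dehydrated and the directory mode)" >&2
        return 1
    fi
    via_docroot="$dr/.well-known/acme-challenge/$token"
    if [ ! -f "$via_docroot" ]; then
        echo "token not visible at $via_docroot (is the .well-known symlink in place?)" >&2
        rc=1
    elif [ "$(others_perm "$via_docroot" 8)" != "r" ]; then
        echo "token is not world-readable; Apache (www) could not serve it" >&2
        rc=1
    fi
    rm -f "$wk/$token"
    return $rc
}

# Run the check against the real paths when they exist on this host.
if [ -d "$WELLKNOWN" ] && [ -d "$DOCROOT" ]; then
    check_challenge_path "$WELLKNOWN" "$DOCROOT" && echo "acme-challenge path OK"
fi
```

Run it as the _dehydrated user (`su -m _dehydrated -c 'sh check.sh'`) so that the write test exercises the same group permissions dehydrated will rely on; running it as root would mask a wrong group or mode on the challenge directory.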

Now create domains.txt with a list of all the domains you want certs for:


# cd /usr/local/etc/dehydrated
# cp domains.txt.example domains.txt
# vi domains.txt

Now inside domains.txt put in each domain you want to create a cert for. I'm only using one in this example to make things very easy for you.

Now copy over the config file, modify two lines and add one line (the addition is the last of the three lines shown below):


# cp config.example config
# vi config

Now change the following lines in config. The last line is an addition to the file:

BASEDIR="/usr/local/etc/dehydrated"
WELLKNOWN="/usr/local/www/.well-known/acme-challenge"
alias openssl='/usr/local/bin/openssl'

You will probably want to run dehydrated manually the first time, as the _dehydrated user:


# cd /usr/local/etc/dehydrated
# su -m _dehydrated -c 'bash /usr/local/bin/dehydrated --cron'

Now copy the .pem files to Apache. In my Apache guide we use self-signed certs; here we change Apache to use the certs we just created.


# cd /usr/local/etc/dehydrated/certs/domain.com
# cp fullchain.pem /usr/local/etc/apache24/ssl.crt/domain.com.pem
# cp privkey.pem /usr/local/etc/apache24/ssl.key/domain.com.key

Now edit httpd-ssl.conf to use the new certificates:


# vi /usr/local/etc/apache24/extra/httpd-ssl.conf

Now find these two lines in httpd-ssl.conf and edit them as follows:

SSLCertificateFile "/usr/local/etc/apache24/ssl.crt/domain.com.pem"
SSLCertificateKeyFile "/usr/local/etc/apache24/ssl.key/domain.com.key"

Now restart Apache:


# /usr/local/etc/rc.d/apache24 restart

If you are using my qmail setup, you can use the following commands to create a new qmail certificate (the full chain followed by the private key in a single file):


# cd /usr/local/etc/dehydrated/certs/domain.com
# cat fullchain.pem > /var/qmail/control/domain.com.pem
# cat privkey.pem >> /var/qmail/control/domain.com.pem

Now edit the following files and change every reference to servercert.pem to domain.com.pem:

/service/qmail-smtpd-ssl/run
/service/qmail-smtpd-tls/run
/usr/local/etc/dovecot.conf (there are 2 lines here that reference servercert.pem)

After you edit those files make sure you restart the services.

We're not completely done yet. We need a script, run from cron, that will automatically renew the SSL certificates every 3 months. Here is what my current script looks like:

----- START SCRIPT -----
#!/bin/sh

# Run dehydrated to renew certs (same command as the manual run above;
# dehydrated only replaces certs that are due for renewal)
su -m _dehydrated -c 'bash /usr/local/bin/dehydrated --cron'

# Uncomment the following sections as needed.

# Deploy certs to Apache once they've been renewed.
# cd /usr/local/etc/dehydrated/certs/domain.com
# cp fullchain.pem /usr/local/etc/apache24/ssl.crt/domain.com.pem
# cp privkey.pem /usr/local/etc/apache24/ssl.key/domain.com.key

# Copy the qmail certs over (full chain first, then the private key)
# cd /usr/local/etc/dehydrated/certs/domain.com
# cat fullchain.pem > /var/qmail/control/domain.com.pem
# cat privkey.pem >> /var/qmail/control/domain.com.pem
#
# Restart the necessary services (svc takes the service directory, not its run file)
# svc -t /service/qmail-smtpd-ssl
# svc -t /service/qmail-smtpd-tls
# svc -t /service/dovecot

# Restart Apache
# /usr/local/etc/rc.d/apache24 restart

----- END SCRIPT -----
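The script above copies and restarts unconditionally on every run, and a plain `cp` leaves the private key with whatever mode the umask gives it. The following script is an added example, not the walkthrough's own, that covers the same deploy steps (the Apache copy, the combined qmail file and the service restarts) but only replaces a file when its contents changed, installs the key with mode 0600, checks that the renewed chain and key belong together before touching Apache, and restarts a service only after a real change. Paths follow the walkthrough and DOMAIN defaults to the placeholder domain.com; the owner and group of the qmail file are not specified in the walkthrough, so QMAIL_MODE (0640) is an assumption to adjust for the group qmail-smtpd runs as.

```shell
#!/bin/sh
# Added example; not the walkthrough's own script. Renews with dehydrated,
# then deploys only changed files, keeps the private key mode 0600, verifies
# that fullchain.pem and privkey.pem match, and restarts services only when
# something was actually replaced. Paths follow the walkthrough; QMAIL_MODE
# is an assumption (adjust to the group qmail-smtpd runs as).
set -e
DOMAIN="${DOMAIN:-domain.com}"
CERTDIR="${CERTDIR:-/usr/local/etc/dehydrated/certs/$DOMAIN}"
APACHE_CRT="${APACHE_CRT:-/usr/local/etc/apache24/ssl.crt/$DOMAIN.pem}"
APACHE_KEY="${APACHE_KEY:-/usr/local/etc/apache24/ssl.key/$DOMAIN.key}"
QMAIL_PEM="${QMAIL_PEM:-/var/qmail/control/$DOMAIN.pem}"
QMAIL_MODE="${QMAIL_MODE:-0640}"

# install_if_changed SRC DST MODE
# Copies SRC over DST (written to a temp file, then renamed, so a reader never
# sees a half-written file) only when the contents differ.
# Returns 0 if DST was replaced, 1 if it was already up to date; aborts on error.
install_if_changed() {
    src="$1"; dst="$2"; mode="$3"
    [ -r "$src" ] || { echo "missing or unreadable $src" >&2; exit 2; }
    if [ -f "$dst" ] && cmp -s "$src" "$dst"; then
        return 1
    fi
    tmp="$dst.tmp.$$"
    if cp "$src" "$tmp" && chmod "$mode" "$tmp" && mv -f "$tmp" "$dst"; then
        return 0
    fi
    rm -f "$tmp"
    echo "deploying $dst failed" >&2
    exit 2
}

# cert_matches_key FULLCHAIN PRIVKEY
# Returns 0 when the leaf certificate's public key equals the public half of
# the private key (works for RSA and EC keys). Requires openssl.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    k=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$c" = "$k" ]
}

# deploy_apache CERTDIR CRT KEY -> 0 if either file changed, 1 if nothing changed
deploy_apache() {
    changed=1
    if install_if_changed "$1/fullchain.pem" "$2" 0644; then changed=0; fi
    if install_if_changed "$1/privkey.pem"  "$3" 0600; then changed=0; fi
    return $changed
}

# deploy_qmail CERTDIR PEM -> 0 if the combined chain+key file changed, 1 otherwise
deploy_qmail() {
    combined="$2.build.$$"
    cat "$1/fullchain.pem" "$1/privkey.pem" > "$combined"
    if install_if_changed "$combined" "$2" "$QMAIL_MODE"; then
        rm -f "$combined"; return 0
    fi
    rm -f "$combined"; return 1
}

# Main: only runs where the dehydrated certificate directory exists.
if [ -d "$CERTDIR" ]; then
    su -m _dehydrated -c 'bash /usr/local/bin/dehydrated --cron'
    cert_matches_key "$CERTDIR/fullchain.pem" "$CERTDIR/privkey.pem" ||
        { echo "fullchain.pem and privkey.pem do not match; not deploying" >&2; exit 1; }
    if deploy_apache "$CERTDIR" "$APACHE_CRT" "$APACHE_KEY"; then
        /usr/local/etc/rc.d/apache24 restart
    fi
    if deploy_qmail "$CERTDIR" "$QMAIL_PEM"; then
        svc -t /service/qmail-smtpd-ssl
        svc -t /service/qmail-smtpd-tls
        svc -t /service/dovecot
    fi
fi
```

Run it from root's crontab daily rather than every three months: dehydrated decides on each run whether a certificate is due, and a daily run leaves room to notice and fix a failed renewal before expiry. dehydrated also offers a HOOK script whose deploy_cert function receives the new key and chain paths after each renewal; the deploy functions above can be called from there instead of from a wrapper script.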