Automatically enable HTTPS on your website with EFF's Certbot, deploying Let's Encrypt certificates.

I'm using on
No javascript? See all setup instructions here. Read the full documentation here.

Apache on FreeBSD

Automated
Advanced

Install

Run these steps to install the Certbot client.

Port:

$ cd /usr/ports/security/py-certbot && make install clean

Package:

pkg install py27-certbot

Installing DNS plugins

Certbot's DNS plugins are available for your system. These plugins can be used to automate obtaining a wildcard certificate from Let's Encrypt's ACMEv2 server. To use one of these plugins, you must have configured DNS for the domain you want to obtain a certificate for with a DNS provider that Certbot has a plugin for. A list of these plugins and more information about using them can be found here. To install one of these plugins, run the installation command above but replace pkg install py27-certbot with py27-certbot-dns-PLUGIN, where PLUGIN is the name of the plugin you want to install. For instance, for the RFC2136 plugin this would be py27-certbot-dns-rfc2136.

Get Started

Certbot supports a number of different “plugins” that can be used to obtain and/or install certificates.

Since your server architecture doesn't yet support automatic installation you'll have to use the certonly command to obtain your certificate. 

$ sudo certbot certonly

This will allow you interactively select the plugin and options used to obtain your certificate. If you already have a webserver running, we recommend choosing the "webroot" plugin.

Alternatively, you can specify more information on the command line.

To obtain a cert using the "webroot" plugin, which can work with the webroot directory of any webserver software: 

$ sudo certbot certonly --webroot -w /var/www/example -d example.com -d www.example.com -w /var/www/thing -d thing.is -d m.thing.is

This command will obtain a single cert for example.com, www.example.com, thing.is, and m.thing.is; it will place files below /var/www/example to prove control of the first two domains, and under /var/www/thing for the second pair.

To obtain a cert using a built-in “standalone” webserver (you may need to temporarily stop your existing webserver, if any) for example.com and www.example.com: 

$ sudo certbot certonly --standalone -d example.com -d www.example.com

You can also use one of Certbot's DNS plugins to obtain a certificate if it's installed and you have configured DNS for the domain you want to obtain a certificate for with the DNS provider matching the plugin. To see more information about using these plugins, click here. If you want to use one of these plugins with Let's Encrypt's new ACMEv2 server that will issue wildcard certificates, you'll also need to include the following flag on the command line: 

--server https://acme-v02.api.letsencrypt.org/directory

Automating renewal

Certbot can be configured to renew your certificates automatically before they expire. Since Let's Encrypt certificates last for 90 days, it's highly advisable to take advantage of this feature. You can test automatic renewal for your certificates by running this command: 

$ sudo certbot renew --dry-run
If that appears to be working correctly, you can arrange for automatic renewal by adding a cron job or systemd timer which runs the following:
certbot renew

An example cron job might look like this, which will run at noon and midnight every day:

0 0,12 * * * python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew

More detailed information and options about renewal can be found in the full documentation.

Install

Run these steps to install the Certbot client.

Port:

$ cd /usr/ports/security/py-certbot && make install clean

Package:

pkg install py27-certbot

Installing DNS plugins

Certbot's DNS plugins are available for your system. These plugins can be used to automate obtaining a wildcard certificate from Let's Encrypt's ACMEv2 server. To use one of these plugins, you must have configured DNS for the domain you want to obtain a certificate for with a DNS provider that Certbot has a plugin for. A list of these plugins and more information about using them can be found here. To install one of these plugins, run the installation command above but replace pkg install py27-certbot with py27-certbot-dns-PLUGIN, where PLUGIN is the name of the plugin you want to install. For instance, for the RFC2136 plugin this would be py27-certbot-dns-rfc2136.

Get Started

Certbot supports a number of different “plugins” that can be used to obtain and/or install certificates.

Since your server architecture doesn't yet support automatic installation you'll have to use the certonly command to obtain your certificate. 

$ sudo certbot certonly

This will allow you interactively select the plugin and options used to obtain your certificate. If you already have a webserver running, we recommend choosing the "webroot" plugin.

Alternatively, you can specify more information on the command line.

To obtain a cert using the "webroot" plugin, which can work with the webroot directory of any webserver software: 

$ sudo certbot certonly --webroot -w /var/www/example -d example.com -d www.example.com -w /var/www/thing -d thing.is -d m.thing.is

This command will obtain a single cert for example.com, www.example.com, thing.is, and m.thing.is; it will place files below /var/www/example to prove control of the first two domains, and under /var/www/thing for the second pair.

To obtain a cert using a built-in “standalone” webserver (you may need to temporarily stop your existing webserver, if any) for example.com and www.example.com: 

$ sudo certbot certonly --standalone -d example.com -d www.example.com

You can also use one of Certbot's DNS plugins to obtain a certificate if it's installed and you have configured DNS for the domain you want to obtain a certificate for with the DNS provider matching the plugin. To see more information about using these plugins, click here. If you want to use one of these plugins with Let's Encrypt's new ACMEv2 server that will issue wildcard certificates, you'll also need to include the following flag on the command line: 

--server https://acme-v02.api.letsencrypt.org/directory

Automating renewal

Certbot can be configured to renew your certificates automatically before they expire. Since Let's Encrypt certificates last for 90 days, it's highly advisable to take advantage of this feature. You can test automatic renewal for your certificates by running this command: 

$ sudo certbot renew --dry-run
If that appears to be working correctly, you can arrange for automatic renewal by adding a cron job or systemd timer which runs the following:
certbot renew

An example cron job might look like this, which will run at noon and midnight every day:

0 0,12 * * * python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew

More detailed information and options about renewal can be found in the full documentation.

Documentation

Support

Source