In the name of God, the Most Gracious, the Most Merciful
Abstract
- A tutorial on installing and configuring certbot inside a FreeNAS jail.
- Certbot is the Electronic Frontier Foundation's ACME client: it obtains free, automatically renewable TLS certificates for web servers from the Let's Encrypt CA, which are trusted by all popular web browsers.
Assumptions and Prerequisites
- Domain: example.com
- Hostname: www.example.com
- OS: FreeNAS 9.10.1-U2 (FreeBSD 10.3-STABLE)
- Container: Warden Jail
- Jail Name: www
- Private IP: 10.0.0.56
- Subnet Mask: 255.255.255.0 (/24)
- Certbot Version: 0.9.3
- Apache has already been installed.
- Apache Version: 2.4.23
- Apache Webroot directory: /usr/local/www/apache24/data
- SSL Certificate File: /usr/local/etc/letsencrypt/live/www.example.com/fullchain.pem
- SSL Key File: /usr/local/etc/letsencrypt/live/www.example.com/privkey.pem
- Apache is bound to ports 80 and 443.
- Ports 80 and 443 are forwarded on the router so the Apache web server is reachable from the Internet. Let's Encrypt must be able to fetch http://www.example.com/.well-known/acme-challenge/ over port 80 for the webroot (HTTP-01) challenge used below.
- Email: info@example.com (Let's Encrypt sends expiry warnings to this address and uses it for account recovery).
Instructions
- Install certbot
# pkg install py27-certbot
- Configure domain
# certbot certonly
Answer the prompts, choosing the webroot authenticator and then:
domain: www.example.com
webroot: /usr/local/www/apache24/data
email: info@example.com
- Test certs renewal
# certbot renew --dry-run
- Renew certs. Let's Encrypt certificates are valid for 90 days; certbot renew reissues only those that expire within the next 30 days and skips the rest, so it is safe to run every day. The challenge is answered by Apache over plain HTTP on port 80.
# certbot renew --quiet
- Force renewal now, regardless of the expiry date (the new cert is issued today). Use sparingly: Let's Encrypt enforces a duplicate-certificate rate limit of five per week per exact set of names.
# certbot renew --quiet --force-renewal
- Renew with a larger 4096-bit RSA key (applies to whichever certs are actually reissued in this run; certs that are not yet due keep their old key until they are).
# certbot renew --quiet --rsa-key-size 4096
- Force renewal with a 4096-bit key, answering the challenge on HTTPS port 443. Caveat: --tls-sni-01-port only affects the tls-sni-01 challenge, which the webroot authenticator configured above does not use, and Let's Encrypt has since disabled tls-sni-01 entirely; with the webroot configuration this command behaves the same as the previous one plus --force-renewal.
# certbot renew --quiet --rsa-key-size 4096 --force-renewal --tls-sni-01-port 443
- Point Apache's SSL certificate and key directives at certbot's live directory (the paths are symlinks that certbot updates on every renewal, so they never need to change again). Edit the stock SSL config, replacing SSLCertificateFile and SSLCertificateKeyFile (around lines 144 and 154) and leaving SSLCACertificateFile commented out (around line 175): fullchain.pem already contains the Let's Encrypt intermediate, and Apache 2.4.8 and later read the chain from SSLCertificateFile, so no separate chain file is needed.
# vi /usr/local/etc/apache24/extra/httpd-ssl.conf
SSLCertificateFile "/usr/local/etc/letsencrypt/live/www.example.com/fullchain.pem"
SSLCertificateKeyFile "/usr/local/etc/letsencrypt/live/www.example.com/privkey.pem"
#SSLCACertificateFile "/usr/local/etc/ssl/certs/ca.pem"
- Reload Apache after changing its config and after every renewal; until it is reloaded, Apache keeps serving the old certificate from memory even though the files on disk have changed.
# apachectl -k graceful
- Set up a cron job in FreeNAS (Tasks, Cron Jobs; it runs as root on the host, so once a day is fine) that renews inside the jail and then gracefully reloads Apache with the following command. Note that this reloads Apache on every run, even when certbot renewed nothing; the && only skips the reload when certbot itself fails.
# jexec www certbot renew --quiet --rsa-key-size 4096 && jexec www apachectl -k graceful
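The cron one-liner above works, but a practitioner usually wants three things it lacks: the first-time issuance in non-interactive form, a reload only when the certificate on disk actually changed, and a config check before the graceful reload so a broken httpd-ssl.conf does not take the site down. The script below is an added example for this tutorial, not code from certbot, FreeNAS or Apache; it assumes the jail name, domain, email, webroot and certificate path listed under Assumptions (all overridable through environment variables) and that it runs as root on the FreeNAS host. Save it as certbot-jail.sh, run it once with "issue", then point the FreeNAS cron job at "certbot-jail.sh renew".

```shell
#!/bin/sh
# certbot-jail.sh: first-time issuance and unattended renewal of the
# www.example.com certificate inside the "www" jail, reloading Apache only
# when the certificate actually changed.
# Added example for this tutorial; not part of certbot, FreeNAS or Apache.
# Run on the FreeNAS host as root:  certbot-jail.sh issue   (once)
#                                   certbot-jail.sh renew   (from cron)
set -u

JAIL="${JAIL:-www}"                                  # Warden jail name
DOMAIN="${DOMAIN:-www.example.com}"
EMAIL="${EMAIL:-info@example.com}"
WEBROOT="${WEBROOT:-/usr/local/www/apache24/data}"   # path inside the jail
CERT="${CERT:-/usr/local/etc/letsencrypt/live/$DOMAIN/fullchain.pem}"

# Every command that touches the jail goes through here, so the decision
# logic below can be exercised on any host by redefining in_jail.
in_jail() {
    jexec "$JAIL" "$@"
}

# Non-interactive form of the `certbot certonly` prompts in the tutorial.
first_issue() {
    in_jail certbot certonly --webroot -w "$WEBROOT" -d "$DOMAIN" \
        --email "$EMAIL" --agree-tos --non-interactive
}

# CRC and byte count of a file inside the jail; POSIX cksum on stdin prints
# "crc size" with no filename. Empty output means the file is unreadable.
cert_checksum() {
    in_jail sh -c "cksum < '$1'" 2>/dev/null | cut -d' ' -f1,2
}

# Reload only if the certificate existed before and after and differs.
# An empty checksum means certbot failed or the domain was never issued;
# reloading Apache then would achieve nothing.
needs_reload() {
    [ -n "$1" ] && [ -n "$2" ] && [ "$1" != "$2" ]
}

# Catch a broken httpd-ssl.conf before signalling a graceful reload.
reload_apache() {
    in_jail apachectl configtest >/dev/null 2>&1 || {
        echo "apache config test failed in jail $JAIL; not reloading" >&2
        return 1
    }
    in_jail apachectl -k graceful
}

# Let's Encrypt certs last 90 days; certbot renew reissues only those within
# 30 days of expiry, so this is safe to run daily. --rsa-key-size applies to
# whatever is reissued.
renew_and_reload() {
    before=$(cert_checksum "$CERT")
    in_jail certbot renew --quiet --rsa-key-size 4096 || {
        echo "certbot renew failed in jail $JAIL" >&2
        return 1
    }
    after=$(cert_checksum "$CERT")
    if needs_reload "$before" "$after"; then
        reload_apache
    fi
}

main() {
    case "${1:-renew}" in
        issue) first_issue ;;
        renew) renew_and_reload ;;
        *) echo "usage: $0 [issue|renew]" >&2; return 2 ;;
    esac
}

# Dispatch only when run as the script itself, not when sourced.
case "${0##*/}" in certbot-jail.sh) main "$@" ;; esac
```

Comparing a checksum of fullchain.pem before and after the run is deliberately independent of certbot's own output: --quiet suppresses it, and the exit status alone does not say whether anything was reissued. certbot's --renew-hook option is the built-in alternative for running the reload only after a real renewal, but it executes inside the jail and cannot perform the host-side checks above.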
- Test the new certificate with the Qualys SSL Labs server test (https://www.ssllabs.com/ssltest/). A correctly chained Let's Encrypt certificate gets an A; an A+ additionally requires HSTS and a protocol and cipher configuration without weak options, which is Apache configuration rather than anything certbot does.
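The two certificate directives above sit inside Apache's SSL virtual host, and the SSL Labs grade is decided by the rest of that host's configuration. The fragment below is an added example, not the stock FreeBSD httpd-ssl.conf or anything certbot writes; it assumes mod_rewrite, mod_headers and mod_ssl are loaded in httpd.conf, that Listen 443 is already present, and that the cipher list (a conservative AES-GCM ECDHE set chosen here, not prescribed by the tutorial) suits your clients.

```apache
# Added example: www.example.com over HTTP and HTTPS in
# /usr/local/etc/apache24/extra/httpd-ssl.conf (assumed placement).

<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot "/usr/local/www/apache24/data"
    # certbot's webroot challenge is fetched over plain HTTP from
    # /.well-known/acme-challenge/; keep it reachable and send
    # everything else to HTTPS.
    RewriteEngine on
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot "/usr/local/www/apache24/data"
    SSLEngine on
    # fullchain.pem carries the Let's Encrypt intermediate; Apache 2.4.8+
    # reads it from here, so no SSLCertificateChainFile is needed.
    SSLCertificateFile    "/usr/local/etc/letsencrypt/live/www.example.com/fullchain.pem"
    SSLCertificateKeyFile "/usr/local/etc/letsencrypt/live/www.example.com/privkey.pem"
    # Disable SSLv3 and TLS 1.0/1.1; prefer the server's cipher order.
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder on
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
    # HSTS is what separates an A from an A+ at SSL Labs. Browsers will refuse
    # plain HTTP for max-age seconds once they have seen it, so start with a
    # short value while testing and raise it to a year afterwards.
    Header always set Strict-Transport-Security "max-age=31536000"
</VirtualHost>
```

Run apachectl configtest after editing and then apachectl -k graceful; if the HTTP-to-HTTPS redirect were applied to the challenge path as well, Let's Encrypt would follow it, but keeping the exception means renewal keeps working even if the HTTPS host is later broken or pointed at a different DocumentRoot.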
- Links