Installation of LetsEncrypt with Nginx on FreeBSD

Posted on December 30, 2015 in systems, unix, freebsd, letsencrypt, ssl, ca, nginx

Let's Encrypt is a new, free Certificate Authority. Its client is in the FreeBSD ports tree (security/py-letsencrypt). To install it:

cd /usr/ports/security/py-letsencrypt
make config-recursive
make install clean

To obtain a certificate, you first need to stop nginx: the client's standalone authenticator has to bind ports 80 and 443 itself to answer the validation challenge, so both must be free:

/usr/local/etc/rc.d/nginx stop

Then request the certificate (auth is the older name of the certonly subcommand; it obtains the certificate without touching the web server's configuration):

letsencrypt -d my.domain.com auth

The certificate and key are stored in /usr/local/etc/letsencrypt/live/my.domain.com as symlinks into archive/, which are repointed at the newest files each time the certificate is renewed:

drwxr-xr-x  2 root  wheel   6 Dec 30 09:05 .
drwx------  7 root  wheel   7 Dec 30 09:25 ..
lrwxr-xr-x  1 root  wheel  44 Dec 30 09:05 cert.pem -> ../../archive/my.domain.com/cert1.pem
lrwxr-xr-x  1 root  wheel  45 Dec 30 09:05 chain.pem -> ../../archive/my.domain.com/chain1.pem
lrwxr-xr-x  1 root  wheel  49 Dec 30 09:05 fullchain.pem -> ../../archive/my.domain.com/fullchain1.pem
lrwxr-xr-x  1 root  wheel  47 Dec 30 09:05 privkey.pem -> ../../archive/my.domain.com/privkey1.pem

Then insert these lines in the server block of your virtual host, referencing the live/ symlinks rather than the numbered files in archive/ so that a renewal is picked up without editing the configuration:

    listen 443 ssl;
    # listen [::]:443 ssl; 

    ssl_certificate /usr/local/etc/letsencrypt/live/my.domain.com/fullchain.pem;
    ssl_certificate_key /usr/local/etc/letsencrypt/live/my.domain.com/privkey.pem;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA";
    ssl_prefer_server_ciphers on;
    ssl_ecdh_curve secp384r1;

    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_session_tickets off;

    add_header Strict-Transport-Security "max-age=31536000";
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;

Two caveats: TLSv1 and TLSv1.1 are listed only for old clients and can be dropped if you do not need to support them, and nginx does not inherit add_header directives into a location block that sets its own add_header, so repeat the three headers in any such block. Finally, start the service again:

/usr/local/etc/rc.d/nginx start
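The stop, issue, start sequence above is easy to get wrong by hand: if the client fails, nginx stays down. The following wrapper is an added example, not part of the original post, and is not the Let's Encrypt project's own tooling. It uses the certonly subcommand with the --standalone authenticator (the same thing the post's auth invocation does) and assumes the FreeBSD paths from the post; NGINX_RC, LE_BIN and LE_DIR are hypothetical overrides so the script can be pointed at a different rc script, client binary or state directory. nginx is restarted whether or not issuance succeeded, and the script only reports success once the live/ files are actually readable.

```sh
#!/bin/sh
# Added example: stop nginx, run the standalone authenticator, always restart
# nginx, then check that live/<domain>/ holds the files nginx will be told to load.
# NGINX_RC, LE_BIN and LE_DIR are assumptions about this host (overridable).

nginx_rc() {
    # FreeBSD rc script from the post; override with NGINX_RC elsewhere
    "${NGINX_RC:-/usr/local/etc/rc.d/nginx}" "$1"
}

cert_files_ok() {
    # the two paths the nginx configuration references must exist and be readable
    dir="${LE_DIR:-/usr/local/etc/letsencrypt}/live/$1"
    [ -r "$dir/fullchain.pem" ] && [ -r "$dir/privkey.pem" ]
}

issue_cert() {
    domain=$1
    # if nginx will not stop, ports 80/443 stay busy: do not even try
    nginx_rc stop || return 1
    # 'auth' in the post is the old name of 'certonly'; --standalone binds 80/443 itself
    if "${LE_BIN:-letsencrypt}" certonly --standalone -d "$domain"; then
        status=0
    else
        status=$?
    fi
    # always bring the site back, even when issuance failed
    nginx_rc start || return 1
    [ "$status" -eq 0 ] || return "$status"
    # fail loudly if the client reported success but left nothing behind
    cert_files_ok "$domain"
}

# usage: ./issue-cert.sh my.domain.com
if [ -n "${1:-}" ]; then
    issue_cert "$1"
fi
```

Run it as root from the shell or from cron; a non-zero exit means either that issuance failed (nginx has already been restarted with the previous certificate) or that nginx itself could not be stopped or started.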