In this guide we will manually update our Let’s Encrypt certificate on FreeBSD for a single website. It is a simple operation that can be automated as a cron job, but walking through it by hand is always informative and educational.
To get a general idea about certificates do not hesitate to click on this link.
The system’s name and username have been changed so you won’t know what I am playing with. You don’t need to know those bits. I hope you get my sense of humor though.
Soviet@Union:~ % uname -a
FreeBSD Collector 11.0-RELEASE-p15 FreeBSD 11.0-RELEASE-p15 #0: Tue Nov 14 08:04:40 UTC 2017 firstname.lastname@example.org:/usr/obj/usr/src/sys/GENERIC amd64
The first thing is stopping the Apache web server.
Soviet@Union:~ % sudo service apache24 status
apache24 is running as pid 828.
Soviet@Union:~ % sudo service apache24 stop
Waiting for PIDS: 828.
We now run the command to renew the Let’s Encrypt certificate.
Soviet@Union:~ % sudo certbot certonly
Saving debug log to /var/log/letsencrypt/letsencrypt.log
How would you like to authenticate with the ACME CA?
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator standalone, Installer None
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c' to cancel): www.adminbyaccident.com adminbyaccident.com
You have an existing certificate that contains a portion of the domains you requested (ref:
It contains these names: adminbyaccident.com
You requested these names for the new certificate: www.adminbyaccident.com, adminbyaccident.com.
Do you want to expand and replace this existing certificate with the new certificate?
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for www.adminbyaccident.com
tls-sni-01 challenge for adminbyaccident.com
Waiting for verification...
Cleaning up challenges
- Congratulations! Your certificate and chain have been saved at:
Your key file has been saved at:
Your cert will expire on 2018-04-21. To obtain a new or tweaked version of this certificate in the future, simply run certbot again. To non-interactively renew *all* of your certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
After this we will find our certificates in the path given in the notes. We only have to place them in the path we set in our Apache configuration. In this case the website configuration is found in a manually created path.
There are two files in that path, which are the key and the certificate from the previous period. As you may know, Let’s Encrypt certificates last for three months. We will rename them first, copy the new certificate into the path, start the Apache web server and then remove the old certificates.
Soviet@Union:/usr/local/etc/apache24/ssl/letsencrypt/adminbyaccident.com % ll
-rw-r--r-- 1 root wheel 1818 22 oct. 12:05 cert.pem
-rw-r--r-- 1 root wheel 1708 22 oct. 12:05 privkey.pem
We now rename the old files:
Soviet@Union:/usr/local/etc/apache24/ssl/letsencrypt/adminbyaccident.com % sudo mv cert.pem cert.pem.old
Soviet@Union:/usr/local/etc/apache24/ssl/letsencrypt/adminbyaccident.com % sudo mv privkey.pem privkey.pem.old
We copy as root the new files to the right path:
root@Union:/usr/local/etc/letsencrypt/live/adminbyaccident.com-0001 # cp cert.pem /usr/local/etc/apache24/ssl/letsencrypt/adminbyaccident.com/
root@Union:/usr/local/etc/letsencrypt/live/adminbyaccident.com-0001 # cp privkey.pem /usr/local/etc/apache24/ssl/letsencrypt/adminbyaccident.com
Once the two files have been copied to the right location we will check Apache’s configuration and if it’s ok we will start it up.
root@Union:/usr/local/etc/letsencrypt/live/adminbyaccident.com-0001 # apachectl configtest
Performing sanity check on apache24 configuration:
root@Union:/usr/local/etc/letsencrypt/live/adminbyaccident.com-0001 # apachectl start
Performing sanity check on apache24 configuration:
Everything should be working.
Soviet@Union:~ % sudo apachectl status
apache24 is running as pid 88318.
And indeed it is, but the clearest way to see that our Let’s Encrypt certificate is being served is to go to the browser.
So green has always been identified as ok. Let’s now check the certificate and what it says.
And here it is. Here we have our just recently created certificate, validated and issued by letsencrypt.
We need to be quick since using this method we’ve stopped our web server and the page is not running. There is an alternative method, using the webroot option where you don’t need to stop the webserver.
That would work by issuing the following command:
sudo certbot certonly --webroot -w /path/to/the/site -d domain.com -d www.domain.com
This will create the certificate, key, fullchain, etc in the same directory as in the method shown before.
Again, you will have to copy the certificate and the key to the path you set in your Apache configuration.
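The rename-and-copy step that both methods end with, as an added example that is not part of the original post: it refuses to touch Apache's files unless the new certificate and key belong together, and it installs the key as mode 0600, since the listing above shows privkey.pem as world-readable (rw-r--r--). The function names are hypothetical; the paths in the usage comment are the ones from this post.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# pair_matches CERT KEY: succeed only if the certificate carries the public
# key that belongs to the private key (works for RSA and EC keys).
pair_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# install_pair SRC_DIR DST_DIR: copy cert.pem and privkey.pem from certbot's
# live directory into the directory Apache reads, keeping .old backups.
install_pair() {
    src=$1 dst=$2

    # Validate the new pair before the files Apache uses are renamed.
    [ -s "$src/cert.pem" ] && [ -s "$src/privkey.pem" ] || {
        echo "cert.pem or privkey.pem missing in $src" >&2; return 1; }
    pair_matches "$src/cert.pem" "$src/privkey.pem" || {
        echo "certificate and key in $src do not match" >&2; return 1; }

    # Same rename step as in the post; skipped for a file that is not there.
    for f in cert.pem privkey.pem; do
        [ ! -e "$dst/$f" ] || mv "$dst/$f" "$dst/$f.old" || return 1
    done

    # install(1) sets the mode at copy time. The certificate is public; the
    # key is owner-only. Apache reads it as root before dropping privileges.
    install -m 0644 "$src/cert.pem" "$dst/cert.pem" || return 1
    install -m 0600 "$src/privkey.pem" "$dst/privkey.pem" || return 1

    # The backup of the old key is still a private key: tighten it too.
    [ ! -e "$dst/privkey.pem.old" ] || chmod 0600 "$dst/privkey.pem.old"
}

# Usage (as root, paths from the post):
# install_pair /usr/local/etc/letsencrypt/live/adminbyaccident.com-0001 \
#     /usr/local/etc/apache24/ssl/letsencrypt/adminbyaccident.com \
#   && apachectl configtest && apachectl start
```

Remove the .old files once the site is confirmed to be serving the new certificate.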
More official information about the install and use can be found at this address.