Admin... by accident!

You may have chosen to be an admin. I didn't!

How to manually update Letsencrypt certificates on FreeBSD

February 25, 2018 by Albert Valbuena

Update 05-2020: If anyone is interested in the automatic process, you can read my tutorial on DigitalOcean about the topic.

In this guide we will manually update our Letsencrypt certificate on FreeBSD for a single website. It is a simple operation that can be automated as a cron job, but seeing it done by hand is always informative and educational.

To get a general idea about certificates, do not hesitate to read this article: A brief introduction to SSL/TLS certificates

The system’s name and username have been changed so you won’t know what I am playing with. You don’t need to know those bits. I hope you get my sense of humor though.

Soviet@Union:~ % uname -a

FreeBSD Collector 11.0-RELEASE-p15 FreeBSD 11.0-RELEASE-p15 #0: Tue Nov 14 08:04:40 UTC 2017 root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC amd64

Soviet@Union:~ %

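The first step is to stop the Apache web server, because the standalone authenticator used below spins up its own temporary web server and needs the web ports Apache is using.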

Soviet@Union:~ % sudo service apache24 status

apache24 is running as pid 828.

Soviet@Union:~ % sudo service apache24 stop

Stopping apache24.

Waiting for PIDS: 828.

Soviet@Union:~ %

We now run the command to renew the Letsencrypt certificate.

Soviet@Union:~ % sudo certbot certonly

Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?

-------------------------------------------------------------------------------

1: Spin up a temporary webserver (standalone)

2: Place files in webroot directory (webroot)

-------------------------------------------------------------------------------

Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1

Plugins selected: Authenticator standalone, Installer None

Please enter in your domain name(s) (comma and/or space separated) (Enter 'c' to cancel): www.adminbyaccident.com adminbyaccident.com

-------------------------------------------------------------------------------

You have an existing certificate that contains a portion of the domains you requested (ref:

/usr/local/etc/letsencrypt/renewal/adminbyaccident.com-0001.conf)

It contains these names: adminbyaccident.com

You requested these names for the new certificate: www.adminbyaccident.com, adminbyaccident.com.

Do you want to expand and replace this existing certificate with the new certificate?

-------------------------------------------------------------------------------

(E)xpand/(C)ancel: E

Renewing an existing certificate

Performing the following challenges:

tls-sni-01 challenge for www.adminbyaccident.com

tls-sni-01 challenge for adminbyaccident.com

Waiting for verification...

Cleaning up challenges

IMPORTANT NOTES:

- Congratulations! Your certificate and chain have been saved at:

/usr/local/etc/letsencrypt/live/adminbyaccident.com-0001/fullchain.pem

Your key file has been saved at:

/usr/local/etc/letsencrypt/live/adminbyaccident.com-0001/privkey.pem

Your cert will expire on 2018-04-21. To obtain a new or tweaked version of this certificate in the future, simply run certbot again. To non-interactively renew *all* of your certificates, run "certbot renew"

- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate

Donating to EFF: https://eff.org/donate-le

Soviet@Union:~ %

After this we will find our certificates in the path given in the notes. We only have to place them in the path we set in our Apache configuration. In this case the website configuration is found in a manually created path.

/usr/local/etc/apache24/ssl/letsencrypt

There are two files in that path, which are the key and the certificate from the previous period. As you may know, Letsencrypt certificates last for three months. We will rename them first, copy the new certificate and key into the path, start the Apache web server and then remove the old files.

Soviet@Union:/usr/local/etc/apache24/ssl/letsencrypt/adminbyaccident.com % ll

total 11

-rw-r--r-- 1 root wheel 1818 22 oct. 12:05 cert.pem

-rw-r--r-- 1 root wheel 1708 22 oct. 12:05 privkey.pem

Soviet@Union:/usr/local/etc/apache24/ssl/letsencrypt/adminbyaccident.com %

We now rename the old files:

Soviet@Union:/usr/local/etc/apache24/ssl/letsencrypt/adminbyaccident.com % sudo mv cert.pem cert.pem.old

Soviet@Union:/usr/local/etc/apache24/ssl/letsencrypt/adminbyaccident.com % sudo mv privkey.pem privkey.pem.old

As root, we copy the new files to the right path:

root@Union:/usr/local/etc/letsencrypt/live/adminbyaccident.com-0001 # cp cert.pem /usr/local/etc/apache24/ssl/letsencrypt/adminbyaccident.com/

root@Union:/usr/local/etc/letsencrypt/live/adminbyaccident.com-0001 # cp privkey.pem /usr/local/etc/apache24/ssl/letsencrypt/adminbyaccident.com

Once the two files have been copied to the right location we will check Apache’s configuration and, if it’s ok, we will start it up.

root@Union:/usr/local/etc/letsencrypt/live/adminbyaccident.com-0001 # apachectl configtest

Performing sanity check on apache24 configuration:

Syntax OK

root@Union:/usr/local/etc/letsencrypt/live/adminbyaccident.com-0001 # apachectl start

Performing sanity check on apache24 configuration:

Syntax OK

Starting apache24.

Everything should be working.

Soviet@Union:~ % sudo apachectl status

apache24 is running as pid 88318.

Soviet@Union:~ %

And indeed it is, but the clearest way to see that our Letsencrypt certificate is being served is to go to the browser.

So green has always been identified as ok. Let’s now check the certificate and what it says.

And here it is. Here we have our just recently created certificate, validated and issued by letsencrypt.

We need to be quick, since with this method we’ve stopped our web server and the page is not running. There is an alternative method, using the webroot option, where you don’t need to stop the web server.

That would work by issuing the following command:

sudo certbot certonly --webroot -w /path/to/the/site -d domain.com -d www.domain.com

This will create the certificate, key, fullchain, etc. in the same directory as in the method shown before.

Again, you will have to copy the certificate and the key to the path you set in your Apache configuration.
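Both methods end with copying cert.pem and privkey.pem into the Apache path, and the directory listing earlier shows the old privkey.pem as world-readable (-rw-r--r--). The following is an added example, not part of the original article: a POSIX sh function that checks the key matches the certificate and that the certificate is freshly issued, then installs the pair with the key at mode 0600. The function name and the 30-day threshold are assumptions.

```sh
#!/bin/sh
# Added example (not from the original article): check a renewed pair, then
# install it where Apache reads it, with the private key readable by its owner only.
# Usage as root, with the article's paths:
#   install_renewed_pair /usr/local/etc/letsencrypt/live/adminbyaccident.com-0001 \
#       /usr/local/etc/apache24/ssl/letsencrypt/adminbyaccident.com
# Returns 0 on success, 1 unreadable input, 2 key/cert mismatch, 3 expiring too soon.
install_renewed_pair() {
    src=$1
    dst=$2
    min_days=${3:-30}   # assumed threshold; a fresh Let's Encrypt cert lasts about 90 days

    # Both commands print the public key as PEM; equal text means the key
    # really belongs to this certificate.
    cert_pub=$(openssl x509 -in "$src/cert.pem" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$src/privkey.pem" -pubout) || return 1
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "refusing: privkey.pem does not match cert.pem" >&2
        return 2
    fi

    # -checkend N exits non-zero if the certificate expires within N seconds,
    # which catches copying a stale certificate by mistake.
    if ! openssl x509 -in "$src/cert.pem" -noout \
            -checkend $((min_days * 86400)) >/dev/null; then
        echo "refusing: cert.pem expires within $min_days days" >&2
        return 3
    fi

    # Keep the previous pair as *.old, as the article does, but stop the old
    # files from staying world-readable while they wait to be removed.
    for f in cert.pem privkey.pem; do
        if [ -f "$dst/$f" ]; then
            mv "$dst/$f" "$dst/$f.old"
            chmod 600 "$dst/$f.old"
        fi
    done

    # install(1) sets the mode at copy time, so the key is never briefly 0644.
    install -m 0644 "$src/cert.pem" "$dst/cert.pem"
    install -m 0600 "$src/privkey.pem" "$dst/privkey.pem"
}
```

Run apachectl configtest and start Apache afterwards as shown above, then remove the *.old files once the site is serving the new certificate.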

More official information about the install and use can be found at this address.

https://certbot.eff.org/all-instructions

For automatic LetsEncrypt setup on FreeBSD read my tutorial at DigitalOcean.

Filed Under: FreeBSD, How To's, Security
