How To Secure Nginx with Let's Encrypt on FreeBSD
Let's Encrypt is a Certificate Authority (CA) that provides an easy way to obtain and install free TLS/SSL certificates, thereby enabling encrypted HTTPS on web servers. It simplifies the process by providing a software client, Certbot, that automates most of the steps.
In this tutorial, we will show you how to use Certbot to obtain a free SSL certificate and use it on a FreeBSD server running Nginx. We will also show you how to automatically renew your SSL certificate.
We will use the default Nginx configuration file in this tutorial instead of a separate server block file. We generally recommend creating new Nginx server block files for each domain because it helps to avoid some common mistakes and maintains the default files as a fallback configuration as intended.
In order to complete this tutorial, you’ll need:
- A FreeBSD server. If you’re new to working with FreeBSD 11, you can follow this guide to help you get started.
- Nginx installed and configured on your server. For directions on how to set this up, see our guide on How to Install Nginx on FreeBSD 11.2.
- A registered domain name that you own and control. If you do not already have a registered domain name, you may register one with one of the many domain name registrars out there (e.g. Namecheap, GoDaddy, etc.).
- A DNS A Record that points your domain to the public IP address of your server. You can follow this hostname tutorial for details on how to add them. This is required because of how Let's Encrypt validates that you own the domain it’s issuing a certificate for. For example, if you want to obtain a certificate for
example.com, that domain must resolve to your server for the validation process to work. Our setup will use
www.example.comas the domain names, so both DNS records are required.
Once you’ve completed these prerequisites, let's move on to installing Certbot, the Let's Encrypt client software.
Step 1 — Installing Certbot
The first step to using Let's Encrypt to obtain an SSL certificate is to install the
certbot client software on your server. The latest version of Certbot can be installed from source using FreeBSD’s ports system.
To begin, fetch a compressed snapshot of the ports tree:
- sudo portsnap fetch
It may take a few minutes for this command to complete. When it finishes, extract the snapshot:
- sudo portsnap extract
It may take a while for this command to finish, as well. Once it’s done, navigate to the
py-certbot directory within the ports tree:
- cd /usr/ports/security/py-certbot
Then use the
make command with
sudo privileges to download and compile the Certbot source code:
- sudo make install clean
Next, navigate to the
py-certbot-nginx directory within the ports tree:
- cd /usr/ports/security/py-certbot-nginx
make command again from this directory. This will install the
nginx plugin for Certbot which we’ll use to obtain the SSL certificates:
- sudo make install clean
During this plugin’s installation, you will see a couple of blue dialog windows pop up that look like this:
These give you the option to install documentation for the plugin and its dependencies. For the purposes of this tutorial, you can just press
ENTER to accept the default options in these windows which will install this documentation.
certbot Let's Encrypt client is now ready to use. Before obtaining your certificates, though, it’s important to set up a firewall and allow HTTPS traffic through it, if you haven’t already done so.
Step 2 — Setting Up a Firewall and Allowing HTTPS Access
If you’ve already set up a firewall on your server, you should ensure that it allows HTTPS access (via port
443). If you haven’t already set up a firewall, you can do so by following the directions outlined in this step.
Open up your
rc.conf file, which is located in the
/etc/ directory, with your preferred editor. Here we will use
- sudo ee /etc/rc.conf
This file is used to inform FreeBSD which services should be started whenever the machine boots up. Near the top of the file, add the following highlighted lines:
. . . nginx_enable="YES" firewall_enable="YES" firewall_type="workstation" firewall_myservices="22/tcp 80/tcp 443/tcp" firewall_allowservices="any"
Here’s what each of these directives and their settings do:
firewall_enable="YES"— This enables the firewall to start up whenever the server boots.
firewall_type="workstation"— FreeBSD provides several default types of firewalls, each of which have slightly different configurations. By declaring the
workstationtype, the firewall will only protect this server using stateful rules.
firewall_myservices="22/tcp 80/tcp 443/tcp"— The
firewall_myservicesdirective is where you can list the TCP ports you want to allow through the firewall. In this example, we’re specifying ports
443to allow SSH, HTTP, and HTTPS access to the server, respectively.
firewall_allowservices="any"— This allows a machine from any IP address to communicate over the ports specified in the
After adding these lines, save the file and close the editor by pressing
CTRL + C, typing
exit, and then pressing
Then, start the
ipfw firewall service. Because this is the first time you're starting the firewall on this server, there's a chance that doing so will cause your server to stall, making it inaccessible over SSH. The following
nohup command — which stands for "no hangups" — will start the firewall while preventing stalling and also redirect the standard output and error to a temporary log file:
- sudo nohup service ipfw start >/tmp/ipfw.log 2>&1
If you're using
tcsh, though, this redirect will cause
Ambiguous output redirect. to appear in your output. In this case, run the following instead to start
- sudo nohup service ipfw start >&/tmp/ipfw.log
In the future, you can manage the
ipfw firewall as you would any other service. For example, to stop, start, and then restart the service, you would run the following commands:
- sudo service ipfw stop
- sudo service ipfw start
- sudo service ipfw restart
With a firewall configured, you’re now ready to run Certbot and fetch your certificates.
Step 3 — Obtaining an SSL Certificate
Certbot provides a variety of ways to obtain SSL certificates through various plugins. The
nginx plugin will take care of reconfiguring Nginx and reloading the config file:
- sudo certbot --nginx -d example.com -d www.example.com
If this is your first time running
certbot on this server, the client will prompt you to enter an email address and agree to the Let’s Encrypt terms of service. After doing so,
certbot will communicate with the Let's Encrypt server, then run a challenge to verify that you control the domain you're requesting a certificate for.
If the challenge is successful, Certbot will ask how you'd like to configure your HTTPS settings:
Output. . . Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access. ------------------------------------------------------------------------------- 1: No redirect - Make no further changes to the webserver configuration. 2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for new sites, or if you're confident your site works on HTTPS. You can undo this change by editing your web server's configuration. ------------------------------------------------------------------------------- Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Select your choice then hit
ENTER. This will update the configuration and reload Nginx to pick up the new settings.
certbot will wrap up with a message telling you the process was successful and where your certificates are stored:
OutputIMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at: /usr/local/etc/letsencrypt/live/example.com/fullchain.pem Your key file has been saved at: /usr/local/etc/letsencrypt/live/example.com/privkey.pem Your cert will expire on 2018-09-24. To obtain a new or tweaked version of this certificate in the future, simply run certbot again. To non-interactively renew *all* of your certificates, run "certbot renew" - Your account credentials have been saved in your Certbot configuration directory at /usr/local/etc/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Certbot so making regular backups of this folder is ideal. - If you like Certbot, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le
Your certificates are now downloaded, installed, and configured. Try reloading your website using
https:// and notice your browser's security indicator. It should represent that the site is properly secured, usually with a green lock icon. If you test your server using the SSL Labs Server Test, it will get an A grade.
After confirming that you’re able to reach your site over HTTPS, you can move onto the final step of this tutorial in which you’ll confirm that you can renew your certificates and then configure a process to renew them automatically.
Step 4 — Verifying Certbot Auto-Renewal
Let's Encrypt's certificates are only valid for ninety days. This is to encourage users to automate their certificate renewal process. This step describes how to automate certificate renewal by setting up a
cron task. Before setting up this automatic renewal though, it’s important to test that you’re able to renew certificates correctly.
To test the renewal process, you can do a dry run with
- sudo certbot renew --dry-run
If you see no errors, you’re all set to create a new crontab:
- sudo crontab -e
This will open a new
crontab file. Add the following content to the new file, which will tell
cron to run the
certbot renew command twice every day at noon and midnight.
certbot renew checks whether any certificates on the system are close to expiring and will attempt to renew them when necessary:
0 0,12 * * * /usr/local/bin/certbot renew
Note that because you preceded the
crontab -e command with
sudo, this operation will be run as root, which is necessary because certbot requires superuser privileges to run.
If the automated renewal process ever fails, Let’s Encrypt will send a message to the email you specified, warning you when your certificate is about to expire.
In this tutorial we've installed the Let's Encrypt client
certbot, downloaded SSL certificates for our domain, configured Nginx to use these certificates, and set up automatic certificate renewal. If you have further questions about using Certbot, their documentation is a good place to start.