Here are my notes for getting SSL certificates installed on FreeBSD 11.2-RELEASE-p2 with Apache 2.4.
The following links were used to compile the information I used:
https://certbot.eff.org/lets-encrypt/freebsd-apache
https://danm.io/2016/07/08/how-to-configure-letsencrypt-on-freebsd-with-jails.html
https://www.tecmint.com/install-lets-encrypt-ssl-certificate-for-apache-on-freebsd/
Install certbot using the pkg system:
pkg install py27-certbot
Create the certs, substituting the proper web root paths and the domain names you want certs for:
certbot certonly --webroot --webroot-path /usr/local/www/apache24/data/ -d josh-weatherly.com
The certonly parameter tells certbot not to touch any Apache config files. --webroot-path is where the challenge files get temporarily written so that the Let's Encrypt servers can verify ownership of the domain over plain HTTP. These files only exist during the certificate creation process and are cleaned up afterwards.
Copy the certs out to the directory where Apache can use them:
cp -L -R /usr/local/etc/letsencrypt/live/ /usr/local/etc/apache24/certs/
Configure Apache to use the certs in the new directory
In httpd.conf I had to uncomment the following lines (each in slightly different parts of the file):
LoadModule socache_shmcb_module libexec/apache24/mod_socache_shmcb.so
LoadModule ssl_module libexec/apache24/mod_ssl.so
Include etc/apache24/extra/httpd-ssl.conf
Then in extra/httpd-ssl.conf I told Apache to listen on 443 and to only accept TLS 1.2, with the following:
Listen 443
SSLCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA
SSLProxyCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA
SSLHonorCipherOrder on
# TLS 1.2 only
SSLProtocol TLSv1.2
SSLProxyProtocol TLSv1.2
SSLPassPhraseDialog builtin
SSLSessionCache "shmcb:/var/run/ssl_scache(512000)"
SSLSessionCacheTimeout 300
Then added my VirtualHost settings pointing to the cert and key files generated by certbot:
<VirtualHost _default_:443>
    DocumentRoot "/usr/local/www/apache24/data"
    ServerName josh-weatherly.com:443
    ServerAlias www.josh-weatherly.com
    ServerAdmin you@example.com
    SSLEngine on
    SSLCertificateFile "/usr/local/etc/apache24/certs/josh-weatherly.com/fullchain.pem"
    SSLCertificateKeyFile "/usr/local/etc/apache24/certs/josh-weatherly.com/privkey.pem"
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory "/usr/local/www/apache24/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>
    BrowserMatch "MSIE [2-5]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    CustomLog "/var/log/www/josh-weatherly.com-ssl_request_log" \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
And then restart apache with:
service apache24 restart
After this we should be able to open the site in a browser and verify that the new certificate is being served.
Certbot has an option to automatically renew any certs. This is especially useful since they are only valid for 90 days, so the following script can be used to automate the entire process. It will check whether any certs are about to expire, renew them, then copy the certs to the folder Apache reads from and restart Apache. Create it in /usr/local/etc/periodic/weekly and make it executable (periodic only runs executable files):
#!/bin/sh
/usr/local/bin/certbot renew
if ! diff "/usr/local/etc/letsencrypt/live/josh-weatherly.com/fullchain.pem" \
        "/usr/local/etc/apache24/certs/josh-weatherly.com/fullchain.pem" >/dev/null 2>&1; then
    # copy new certs to apache's location
    cp -L -R /usr/local/etc/letsencrypt/live/ /usr/local/etc/apache24/certs/
    # Restart apache
    service apache24 restart
fi
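A stricter variant of the renewal step, added here as an example and not the post's own script: it copies only the renewed domain's files, keeps the copied private key readable by root alone (the cp -R above leaves it with the mode of the source), and runs Apache's configtest before reloading so an unattended renewal cannot take the site down because of an unrelated httpd.conf edit. It assumes certbot's --deploy-hook option (which exports RENEWED_LINEAGE) and the configtest/graceful commands of the apache24 rc script; the paths and commands are variables so the copy logic can be exercised without Apache installed.

```shell
#!/bin/sh
# Added example (not from the original post). Same paths as the post; the
# directories and the two Apache commands can be overridden for testing.
LIVE_DIR=${LIVE_DIR:-/usr/local/etc/letsencrypt/live}
CERT_DIR=${CERT_DIR:-/usr/local/etc/apache24/certs}
CHECK_CMD=${CHECK_CMD:-"service apache24 configtest"}
RELOAD_CMD=${RELOAD_CMD:-"service apache24 graceful"}

# cert_changed DOMAIN: 0 if the live fullchain differs from the copy Apache
# serves (or no copy exists yet), 1 if they are byte-for-byte identical.
cert_changed() {
    [ -f "$CERT_DIR/$1/fullchain.pem" ] || return 0
    ! cmp -s "$LIVE_DIR/$1/fullchain.pem" "$CERT_DIR/$1/fullchain.pem"
}

# install_cert DOMAIN: copy fullchain and privkey, dereferencing certbot's
# live/ symlinks. The key is written under umask 077 and swapped into place
# with mv, so it is never world-readable even if an older 0644 copy exists.
install_cert() {
    mkdir -p "$CERT_DIR/$1" || return 1
    cp "$LIVE_DIR/$1/fullchain.pem" "$CERT_DIR/$1/fullchain.pem" || return 1
    ( umask 077 && cp "$LIVE_DIR/$1/privkey.pem" "$CERT_DIR/$1/privkey.pem.new" ) || return 1
    chmod 0600 "$CERT_DIR/$1/privkey.pem.new" &&
        mv "$CERT_DIR/$1/privkey.pem.new" "$CERT_DIR/$1/privkey.pem"
}

# deploy DOMAIN: exit status 0 = new cert installed and Apache reloaded,
# 1 = nothing changed, 2 = copy failed, 3 = configtest failed (not reloaded).
deploy() {
    cert_changed "$1" || return 1
    install_cert "$1" || return 2
    if ! $CHECK_CMD >/dev/null 2>&1; then
        echo "deploy: '$CHECK_CMD' failed, Apache not reloaded" >&2
        return 3
    fi
    $RELOAD_CMD
}

# Under "certbot renew --deploy-hook /path/to/this.sh", certbot exports
# RENEWED_LINEAGE (the live/<domain> path); run by hand, pass the domain.
d=${1:-${RENEWED_LINEAGE:+$(basename "$RENEWED_LINEAGE")}}
if [ -n "$d" ]; then deploy "$d"; fi
```

Because certbot only runs the deploy hook for lineages it actually renewed, the script is skipped entirely on the weeks where nothing is due.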