Herr Bischoff

How to Set Up acme.sh With Nginx on FreeBSD

Install

pkg install acme.sh sudo
mkdir -p /usr/local/www/acme
chown acme:acme /usr/local/www/acme

Crontab and Permissions

# /etc/crontab

#
# Let's Encrypt
45      1       *       *       *       acme    /usr/local/sbin/acme.sh --cron --home /var/db/acme/.acme.sh --reloadcmd "/usr/local/bin/sudo /usr/sbin/service nginx forcereload" > /dev/null

Run visudo and add:

acme ALL=(root) NOPASSWD: /usr/sbin/service nginx forcereload

Create Certificate and Diffie-Hellmann Parameters

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /usr/local/etc/ssl/snakeoil.key -out /usr/local/etc/ssl/snakeoil.crt
openssl dhparam -out /usr/local/etc/ssl/example.com/dhparam.pem 4096

Nginx Setup

Create file:

# /usr/local/etc/nginx/letsencrypt.conf

location /.well-known {
    default_type "text/plain";
    alias /usr/local/www/acme/.well-known;
}

Add to file:

# /usr/local/etc/nginx/nginx.conf

server {
    listen 80;
    listen [::]:80;

    # Discourage deep links by using a permanent redirect to home page of HTTPS site
    return 301 https://$host;

    # Alternatively, redirect all HTTP links to the matching HTTPS page
    # return 301 https://$host$request_uri;

    include letsencrypt.conf;

    [...]
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    ssl_certificate /usr/local/etc/ssl/snakeoil.crt;
    ssl_certificate_key /usr/local/etc/ssl/snakeoil.key;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /usr/local/etc/ssl/example.com/dhparam.pem;
    ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
    ssl_ecdh_curve secp384r1;
    ssl_session_timeout 10m;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 1.1.1.1 8.8.8.8 valid=300s;
    resolver_timeout 5s;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";

    include letsencrypt.conf;

    [...]
}
service nginx restart

Issue and Install Real Certificate

sudo -u acme acme.sh --issue -d example.com -w /usr/local/www/acme
mkdir /usr/local/etc/ssl/example.com
chown acme:acme /usr/local/etc/ssl/example.com
sudo -u acme acme.sh --install-cert -d example.com --key-file /usr/local/etc/ssl/example.com/key.pem --fullchain-file /usr/local/etc/ssl/example.com/cert.pem --reloadcmd "sudo service nginx forcereload"

Change path:

server {
    [...]

    ssl_certificate /usr/local/etc/ssl/example.com/cert.pem;
    ssl_certificate_key /usr/local/etc/ssl/example.com/key.pem;

    [...]
}
service nginx forcereload