How to Set Up acme.sh With Nginx on FreeBSD
Install
# Install the ACME client and sudo; sudo is what later lets the unprivileged
# acme user reload nginx (see the visudo entry below) without a root shell.
pkg install acme.sh sudo
# Webroot that nginx serves for HTTP-01 challenges (used with `-w` in the
# issue step). Owned by the acme user so acme.sh can write challenge files.
# NOTE(review): assumes the package creates the `acme` user — confirm before chown.
mkdir -p /usr/local/www/acme
chown acme:acme /usr/local/www/acme
Crontab and Permissions
# /etc/crontab
#
# Let's Encrypt
# Nightly renewal check, run as the unprivileged acme user. --home is given
# explicitly so the run does not depend on the cron environment's HOME.
# The reload hook goes through sudo (restricted to this one command in
# sudoers) and uses full paths because cron's PATH is minimal.
# Only stdout is discarded; stderr still goes wherever cron delivers output.
# NOTE(review): --reloadcmd on the --cron line may be ignored in favour of the
# value stored by --install-cert — confirm against the acme.sh version in use.
45 1 * * * acme /usr/local/sbin/acme.sh --cron --home /var/db/acme/.acme.sh --reloadcmd "/usr/local/bin/sudo /usr/sbin/service nginx forcereload" > /dev/null
Run visudo
and add:
# Least-privilege rule for the renewal hook: the acme user may run exactly
# this one command as root, without a password (cron has no TTY).
# Keep the arguments verbatim; any other invocation stays denied.
acme ALL=(root) NOPASSWD: /usr/sbin/service nginx forcereload
Create Certificate and Diffie-Hellman Parameters
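# Temporary self-signed certificate so nginx can start with the TLS server
# block before a real certificate exists (replaced in "Issue and Install
# Real Certificate" below). -nodes leaves the key unencrypted, so keep it
# readable by root only.
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /usr/local/etc/ssl/snakeoil.key -out /usr/local/etc/ssl/snakeoil.crt
chmod 600 /usr/local/etc/ssl/snakeoil.key
# Per-site DH parameters for the EDH cipher suites in nginx.conf.
# The target directory is otherwise only created in the "Issue and Install"
# step, so openssl would fail here; create it first (the plain mkdir in that
# later step will then just report that it already exists, which is harmless).
mkdir -p /usr/local/etc/ssl/example.com
openssl dhparam -out /usr/local/etc/ssl/example.com/dhparam.pem 4096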
Nginx Setup
Create file:
# /usr/local/etc/nginx/letsencrypt.conf
# Serves the HTTP-01 challenge files that acme.sh writes under the webroot
# given with `-w /usr/local/www/acme` (see "Issue and Install" below).
# Included by both the port-80 and the port-443 server blocks.
location /.well-known {
# Return challenge files with a plain-text content type.
default_type "text/plain";
# Map the URI prefix onto the acme user's webroot.
alias /usr/local/www/acme/.well-known;
}
Add to file:
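# /usr/local/etc/nginx/nginx.conf
server {
listen 80;
listen [::]:80;
# The challenge location must be reachable before any redirect. A `return`
# placed directly in the server block is executed before location matching
# and would short-circuit the location from letsencrypt.conf, so the
# redirect lives in a catch-all location instead.
include letsencrypt.conf;
location / {
# Discourage deep links by using a permanent redirect to home page of HTTPS site
return 301 https://$host;
# Alternatively, redirect all HTTP links to the matching HTTPS page
# return 301 https://$host$request_uri;
}
[...]
}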
server {
# NOTE(review): on nginx 1.25.1+ the `http2` listen parameter is deprecated
# in favour of a separate `http2 on;` directive — check the installed version.
listen 443 ssl http2;
listen [::]:443 ssl http2;
# Placeholder self-signed pair created above; swapped for the real
# certificate in "Issue and Install Real Certificate".
ssl_certificate /usr/local/etc/ssl/snakeoil.crt;
ssl_certificate_key /usr/local/etc/ssl/snakeoil.key;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_dhparam /usr/local/etc/ssl/example.com/dhparam.pem;
# AEAD suites with forward secrecy only; the EDH suites use the dhparam above.
# This list applies to TLS 1.2; TLS 1.3 cipher suites are configured separately.
ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
# Pins a single curve, which excludes X25519 and P-256 — the curves most
# clients prefer. Widen the list (e.g. `X25519:secp384r1`) if compatibility
# or handshake cost matters.
ssl_ecdh_curve secp384r1;
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;
# Tickets off: a long-lived ticket key would weaken forward secrecy for
# resumed sessions.
ssl_session_tickets off;
# Stapling needs a CA-issued certificate with an OCSP responder; expect it to
# be inactive (and a startup warning) while the snakeoil certificate is in use.
ssl_stapling on;
ssl_stapling_verify on;
# Resolver used for OCSP responder lookups. These are public resolvers queried
# over plain DNS; a local resolver is an alternative.
resolver 1.1.1.1 8.8.8.8 valid=300s;
resolver_timeout 5s;
# Two-year HSTS with preload. Once submitted to the preload list this is very
# hard to undo for the domain and all subdomains, so keep `preload` only if
# every subdomain is meant to be HTTPS-only.
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
# Legacy header; current browsers ignore it, and some guidance prefers `0`.
add_header X-XSS-Protection "1; mode=block";
# NOTE: add_header is inherited by a location only if that location defines
# no add_header of its own; any location in [...] that adds headers must
# repeat these.
include letsencrypt.conf;
[...]
}
# Restart so the new configuration (including the TLS listener) is loaded;
# `nginx -t` beforehand catches syntax or missing-file errors cheaply.
service nginx restart
Issue and Install Real Certificate
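# Pass --home explicitly: the cron job runs with --home /var/db/acme/.acme.sh,
# so these interactive runs must keep their state in the same place or the
# renewal will not find this domain.
# Issue via HTTP-01 using the webroot served by letsencrypt.conf.
sudo -u acme acme.sh --home /var/db/acme/.acme.sh --issue -d example.com -w /usr/local/www/acme
# Per-site directory for the issued key and chain. -p because the dhparam
# step may already have created it. Owned by acme so acme.sh can rotate the
# files; nginx's master process (root) can still read them.
mkdir -p /usr/local/etc/ssl/example.com
chown acme:acme /usr/local/etc/ssl/example.com
# Copy key and full chain into place and register the reload hook. acme.sh
# stores the hook and re-runs it on renewal from cron, where PATH is minimal,
# so use the same full paths as the crontab entry.
# NOTE(review): check that key.pem is not group- or world-readable afterwards.
sudo -u acme acme.sh --home /var/db/acme/.acme.sh --install-cert -d example.com --key-file /usr/local/etc/ssl/example.com/key.pem --fullchain-file /usr/local/etc/ssl/example.com/cert.pem --reloadcmd "/usr/local/bin/sudo /usr/sbin/service nginx forcereload"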
Change the certificate paths:
# Replace the snakeoil placeholder paths in the 443 server block with the
# files written by --install-cert above.
server {
[...]
ssl_certificate /usr/local/etc/ssl/example.com/cert.pem;
ssl_certificate_key /usr/local/etc/ssl/example.com/key.pem;
[...]
}
# Reload (not restart) so open connections are kept; this is the same command
# the acme user runs via sudo after each renewal.
service nginx forcereload