pkg install

Configuration is in:


Certificates are stored in


As the certificates are only accessible by the user acme, we need an additional step to make the certificates available to dovecot/postfix/haproxy.

We do not modify any daemon; instead we let write into a common/shared directory that each website uses, so doing anything with does not have any impact on any service on your server.

Next we configure log rotation:

cp /usr/local/share/examples/ /usr/local/etc/newsyslog.conf.d/

Make sure you uncomment the line in /usr/local/share/examples/

/var/log/  acme:acme       640  90    *    @T00   BC

Next, configure cron to automatically renew your certificates. For this we edit /etc/crontab:

# Renew certificates created by
7       2       *       *       *       acme    /usr/local/sbin/ --cron --home /var/db/acme/ > /dev/null

We need to create the logfile:

touch /var/log/
chown acme /var/log/

Allow acme to write the challenge files:

mkdir -p 
chgrp acme /usr/local/www/letsencrypt/.well-known/
chmod g+w /usr/local/www/letsencrypt/.well-known/

Setup configuration of

echo ACCOUNT_EMAIL=\"name@yourdomain.tld\" >> account.conf

Hook in our own custom deploy scripts from: Make sure you create a config file, then symlink the hook:

cd /var/db/acme/
ln -s /usr/home/idefix/letsencrypt/

Now we can create our first test certificate (run this as root):

su -l acme -c "cd /var/db/acme && --issue --test -k ec-256 -w /usr/local/www/letsencrypt --ocsp -d -d --deploy-hook create-haproxy-ssl-restart-all_acme"
su -l acme -c "cd /var/db/acme && --issue --test -w /usr/local/www/letsencrypt --ocsp -d -d --deploy-hook create-haproxy-ssl-restart-all_acme"

Now you should find an RSA and an ECDSA certificate in:


As we will renew certificates for many domains, but tools like dovecot/postfix/haproxy need a directory or a single file, we need to prepare these files and copy them with the correct permissions to the destination folders.
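
The preparation step described above, shown for haproxy, which loads the certificate chain and the private key from one combined PEM file. This is an added example, not the deploy hook used on this page; the function name `build_haproxy_pem` and all paths are hypothetical.

```shell
#!/bin/sh
# Added example: build the single PEM file haproxy loads (certificate chain
# followed by the private key). Function name and paths are hypothetical.

# build_haproxy_pem FULLCHAIN KEY DEST
# Returns 0 on success; on any failure returns non-zero and leaves DEST untouched.
build_haproxy_pem() {
    fullchain=$1 key=$2 dest=$3

    # Refuse missing or empty inputs so a failed renewal never replaces
    # a working certificate with a broken one.
    [ -s "$fullchain" ] && [ -s "$key" ] || { echo "missing or empty input" >&2; return 1; }

    # Cheap sanity check that each file holds what we expect (catches swapped arguments).
    grep -q -- '-----BEGIN CERTIFICATE-----' "$fullchain" || { echo "no certificate in $fullchain" >&2; return 1; }
    grep -q -- 'PRIVATE KEY-----' "$key" || { echo "no private key in $key" >&2; return 1; }

    # Create the temp file inside the destination directory so the final mv is a
    # rename on the same filesystem (atomic for readers), and under umask 077 so
    # the key material is never readable by others, even briefly.
    tmp=$( umask 077 && mktemp "$(dirname "$dest")/.pem.XXXXXX" ) || return 1

    # 640: owner read/write, group read, nothing for others.
    if cat "$fullchain" "$key" > "$tmp" && chmod 640 "$tmp" && mv -f "$tmp" "$dest"; then
        return 0
    fi
    rm -f "$tmp"
    return 1
}
```

Call it once per domain from the deploy step, then `chgrp` the result to whichever group the consuming daemon reads it as.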

freebsd/ · Last modified: 2022/06/15 10:31 by