We would like to use letsencrypt to get signed certificates for all our domains.

Approach with websites offline

I did this all from a virtual machine, as I do not want to let the client running with root permissions on my real server.

Everything was executed from an ubuntu machine running in a virtual machine. Create two shell scripts to get the certificate request simply created for several ALT entries:
openssl req -new -sha256 -key domain.key -subj "/" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\,,,,,,,,,,,,,,,,,,,,,,,")) > domain.csr
openssl req -new -sha256 -key domain.key -subj "/" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\,,,,,,,,")) > domain.csr

To sign the certificates I did the following:

git clone
cd letsencrypt-nosudo/
openssl genrsa 4096 > user.key
openssl rsa -in user.key -pubout >
openssl genrsa 4096 > domain.key
python --public-key domain.csr > signed.crt

Execute on the second terminal the commands the client asks you in the same directory.

You have to start a small python based webserver on the domain for each domain to verify you are the owner. Do this as the script is requesting it.

Now we install the certificate and key on our server. Copy the file domain.key and signed.crt to you server and execute the following:

cd /etc/mail/certs
cat signed.crt lets-encrypt-x1-cross-signed.pem > chained.pem

Edit you apache config to have:

SSLCertificateChainFile /etc/mail/certs/chained.pem
SSLCertificateFile /etc/mail/certs/signed.crt
SSLCertificateKeyFile /etc/mail/certs/domain.key

Approach to authenticate domains while websites are online

We want to use the existing webserver to not make websites offline while authenticate the domains.

Alias /.well-known/acme-challenge /usr/local/www/letsencrypt/.well-known/acme-challenge
<Directory /usr/local/www/letsencrypt>
        Require all granted
ProxyPass /.well-known/acme-challenge !

Make sure you include this config file before you define other ProxyPass definitions.

Create the directory:

mkdir -p /usr/local/www/letsencrypt

Install the client:

pkg install security/py-letsencrypt

Create a script:
#OPTIONS="--webroot --webroot-path=/usr/local/www/letsencrypt/ --renew-by-default --agree-tos"
OPTIONS="--webroot --webroot-path=/usr/local/www/letsencrypt/ --renew-by-default --agree-tos --server"
sudo letsencrypt certonly ${OPTIONS} --email -d -d -d -d -d -d -d -d -d -d -d -d -d -d -d

Remove the –server directive from the OPTIONS after you have verified the run is successfull.

As letsencrypt has currently a heavy rate limit I recommend to request all sub domains with one certificate. This is not good for security but protects you from the problem that you cannot renew your certificate anymore and this is very bad if you use HSTS.

SSLEngine on
<IfModule http2_module>
    Protocols h2 http/1.1

SSLCertificateFile /usr/local/etc/letsencrypt/live/${SSLCertDomain}/fullchain.pem
SSLCertificateKeyFile /usr/local/etc/letsencrypt/live/${SSLCertDomain}/privkey.pem
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
<Directory "/usr/local/www/cgi-bin">
    SSLOptions +StdEnvVars

SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
Define SSLCertDomain
Include etc/apache24/ssl/letsencrypt.conf
Include etc/apache24/ssl/ssl-template.conf

Make sure you define the SSLCertDomain for the master domain you requested the certificate (it is normally the first domain you run the letsencrypt script).

freebsd/letsencrypt.txt · Zuletzt geändert: 2016/02/03 12:21 (Externe Bearbeitung)