Install Let's Encrypt SSL on FreeBSD

Let's Encrypt SSL/TLS

Install and configure the Let's Encrypt SSL/TLS certificate on the FreeBSD HAProxy load balancer. Learn how to issue, re-issue, renew, and install the Let's Encrypt SSL/TLS certificate for the HAProxy load balancer on FreeBSD.

Topics covered:
  • 2.1 Install Let's Encrypt
    • 2.1.1 Locate certbot
    • 2.1.2 Let's Encrypt HAProxy config
  • 2.2 Create Let's Encrypt SSL
    • 2.2.1 Issue SSL certificate
    • 2.2.2 Install SSL certificate
    • 2.2.3 Re-issue SSL certificate
    • 2.2.4 Renew SSL certificate
  • 2.3 Auto-renew SSL certificate
    • 2.3.1 Crontab certbot setup
    • 2.3.2 Post-renew install script

Buy this service

The service includes the installation and setup of a Let's Encrypt SSL/TLS certbot server on a single FreeBSD server and HAProxy configuration to incorporate the Let's Encrypt certbot server into HAProxy backend. The customer must provide remote SSH access to the FreeBSD VPS or cloud server.

Product name:
Install Let's Encrypt on FreeBSD
Product ID:
GWINC-SE-D2C6I5
Price*:
US $69.95

*GST extra, please add 18% GST to the above price. GST is not applicable for orders outside India. International payments are accepted only through PayPal.

Affiliate links

Setting up a custom load balancer and web server requires a VPS with root access. Use our affiliate links to purchase a VPS or cloud server from third-party vendors. The affiliate commissions we earn help keep website access free for everyone.

The affiliate links are listed in alphabetical order without any favor. Users are encouraged to refer to the Global Webdynamics LLP Terms of Service governing the Third-party vendors.

2.1 Install Let's Encrypt

Install certbot, the Let's Encrypt Certificate Authority (CA) SSL/TLS certificate management client, together with its Python dependencies using the FreeBSD package manager. The article covers the Let's Encrypt installation from the FreeBSD package manager only.

Terminal ~ 2.1-1
$ sudo pkg install py39-certbot py39-pyasn1 py39-ndg-httpsclient

2.1.1 Locate certbot

Find where certbot binaries, configurations, and documentation files are installed system-wide.

Terminal ~ 2.1-2
$ which certbot
/usr/local/bin/certbot

$ sudo find /usr/local -name "certbot*"
/usr/local/share/man/man1/certbot.1.gz
/usr/local/share/man/man1/certbot-3.9.1.gz
/usr/local/share/man/man7/certbot.7.gz
/usr/local/share/man/man7/certbot-3.9.7.gz
/usr/local/lib/python3.9/site-packages/certbot-2.4.0-py3.9.egg-info
/usr/local/lib/python3.9/site-packages/certbot
/usr/local/bin/certbot-3.9
/usr/local/bin/certbot

2.1.2 Let's Encrypt HAProxy config

In the HAProxy frontend, add an ACL that matches the path prefix /.well-known/acme-challenge/ of incoming Let's Encrypt HTTP-01 validation requests and route matching requests to the certbot backend with use_backend. Configure that backend to point at the standalone certbot listener on localhost ( 127.0.0.1 ) port 54321.

Terminal ~ 2.1-3
$ sudo nano -w -c /usr/local/etc/haproxy.conf
#### GLOBAL ####
...
#### FRONTEND ACL ####
frontend lb-http
    ...

frontend lb-https
    ...
    #### LETS ENCRYPT (SSL) ####
    acl lets-encrypt path_beg /.well-known/acme-challenge/
    use_backend lets-encrypt-certbot-server if lets-encrypt
    ...

#### BACKEND SERVER ####
#### LETS ENCRYPT (SSL) ####
backend lets-encrypt-certbot-server
    server letsencrypt 127.0.0.1:54321
...

#### END ####

2.2 Create Let's Encrypt SSL

Issue, re-issue, renew and install a Let's Encrypt SSL/TLS certificate on a FreeBSD HAProxy load balancer. Let's Encrypt certbot will be used to generate Domain Validation (DV) SSL certificates. The article doesn't cover issuing a wildcard SSL certificate.

2.2.1 Issue SSL certificate

To issue a new SSL certificate for the domain example.com, use certbot's certonly subcommand with the --standalone flag. The --http-01-port 54321 option makes certbot's standalone listener bind to port 54321, the port the HAProxy backend above forwards to. Use a working, monitored email address such as info@example.com for the --email option, as the Let's Encrypt systems send renewal reminders before the SSL certificates expire.

Terminal ~ 2.2-1
$ sudo certbot certonly --standalone --preferred-challenges http --http-01-port 54321 -d example.com,www.example.com --non-interactive --agree-tos --email info@example.com

The certbot command generates an SSL certificate for the domain example.com with the cert-name example.com and places it under the Let's Encrypt live/example.com directory.

Terminal ~ 2.2-2
$ sudo ls -l /usr/local/etc/letsencrypt/live/example.com
total 8
-rw-r--r--  1 root  wheel  692 Jun 12  2019 README
lrwxr-xr-x  1 root  wheel   34 Jun 15 15:17 cert.pem -> ../../archive/example.com/cert1.pem
lrwxr-xr-x  1 root  wheel   35 Jun 15 15:17 chain.pem -> ../../archive/example.com/chain1.pem
lrwxr-xr-x  1 root  wheel   39 Jun 15 15:17 fullchain.pem -> ../../archive/example.com/fullchain1.pem
lrwxr-xr-x  1 root  wheel   37 Jun 15 15:17 privkey.pem -> ../../archive/example.com/privkey1.pem

Append the example.com.pem SSL certificate file path /usr/local/etc/ssl/haproxy/example.com.pem (this file will be created in the next section) to the HAProxy SSL certificate list file crt-list.txt.

Terminal ~ 2.2-3
$ echo /usr/local/etc/ssl/haproxy/example.com.pem | sudo tee -a /usr/local/etc/ssl/haproxy/crt-list.txt
$ sudo chmod 400 /usr/local/etc/ssl/haproxy/crt-list.txt

2.2.2 Install SSL certificate

Create HAProxy SSL certificate directory /usr/local/etc/ssl/haproxy and set directory permissions.

Terminal ~ 2.2-4
$ sudo mkdir -p /usr/local/etc/ssl/haproxy
$ sudo chmod 775 /usr/local/etc/ssl/haproxy

To install the example.com domain validation SSL certificate on the HAProxy load balancer, copy the Let's Encrypt fullchain PEM certificate file fullchain.pem to the HAProxy SSL directory /usr/local/etc/ssl/haproxy.

Terminal ~ 2.2-5
$ sudo cp /usr/local/etc/letsencrypt/live/example.com/fullchain.pem /usr/local/etc/ssl/haproxy/example.com.pem
$ sudo chmod 660 /usr/local/etc/ssl/haproxy/example.com.pem

Append the example.com private key privkey.pem to the HAProxy PEM file example.com.pem, then set the ownership and permissions of all SSL certificates under the /usr/local/etc/ssl/haproxy directory. The append goes through sudo tee because a plain >> redirection runs as the unprivileged shell user, not as root.

Terminal ~ 2.2-6
$ sudo cat /usr/local/etc/letsencrypt/live/example.com/privkey.pem | sudo tee -a /usr/local/etc/ssl/haproxy/example.com.pem > /dev/null
$ sudo chown www:www /usr/local/etc/ssl/haproxy/*.pem
$ sudo chmod 400 /usr/local/etc/ssl/haproxy/*.pem
$ sudo chmod 755 /usr/local/etc/ssl/haproxy

Finally, reload HAProxy so it picks up the new certificate.

Terminal ~ 2.2-7
$ sudo service haproxy reload

2.2.3 Re-issue SSL certificate

If you forgot to add subdomains to the SSL certificate, or want to add more subdomains to an existing SSL certificate, certbot provides the --cert-name option flag to re-issue the SSL certificate.

Add the mail.example.com subdomain to the existing SSL certificate whose cert-name is example.com ( --cert-name example.com ). Let's Encrypt allows adding more subdomains, up to a limit, to the existing SSL certificate.

Terminal ~ 2.2-8
$ sudo certbot certonly --standalone --preferred-challenges http --http-01-port 54321 --cert-name example.com -d example.com,www.example.com,mail.example.com --non-interactive --agree-tos --email info@example.com

The --cert-name option flag can also be used to remove subdomains from an existing SSL certificate. To remove the mail.example.com subdomain, drop it from the domain list ( -d ) and run the same certbot certonly command with the remaining options.

Terminal ~ 2.2-9
$ sudo certbot certonly --standalone --preferred-challenges http --http-01-port 54321 --cert-name example.com -d example.com,www.example.com --non-interactive --agree-tos --email info@example.com

2.2.4 Renew SSL certificate

SSL certificates issued by Let's Encrypt have a validity period of three (3) months and must be renewed within that period to avert any disruption of the secure HTTPS service. Let's Encrypt advises renewing SSL certificates monthly to increase website security.

The certbot renew command will renew all the SSL certificates due for renewal. The renew command has a --dry-run option to check if any errors exist before the certificate renewal.

Terminal ~ 2.2-10
$ sudo certbot renew --dry-run
$ sudo certbot renew

Let's Encrypt certbot provides a --force-renewal option flag which, when used with the renew command, forcefully renews all the active SSL certificates irrespective of their current validity period.

Terminal ~ 2.2-11
$ sudo certbot renew --force-renewal

2.3 Auto-renew SSL certificate

At the start, it seems fine to log in to the load balancer or web server every three months to renew the SSL certificates. Eventually, though, it becomes a tedious chore in the overall scheme of running a production cloud application.

2.3.1 Crontab certbot setup

The certificate renewals can be automated by adding the certbot command to the crontab file. Add the certbot renew command with the --force-renewal option as a crontab entry. The schedule 0 0 1 * * at the start of the line runs the command at midnight on the first day of every month.

This step renews the SSL certificates but doesn't install them into the load balancer or web server SSL directory. The newly renewed certificates must still be copied manually to the server's SSL directory (refer to section 2.2.2 Install SSL certificate).

Terminal ~ 2.3-1
$ sudo crontab -e
0 0 1 * * /usr/local/bin/certbot renew --force-renewal

2.3.2 Post-renew install script

Renewing SSL certificates monthly is a good practice to mitigate web security risks. The certbot renew command has a --renew-hook option to run any script post-renewal. The certbot-install-cert.sh script will install the renewed SSL certificates from Let's Encrypt directory to the HAProxy SSL directory.

Terminal ~ 2.3-2
$ sudo crontab -e
0 0 1 * * /usr/local/bin/certbot renew --force-renewal --renew-hook "/usr/local/var/gwinc/release/util/server/lb/certbot-install-cert.sh"

Create the post-renewal script under any directory and name the file according to your convention. The certbot-install-cert.sh post-renewal script is shown below.

Terminal ~ 2.3-3
$ sudo nano -w -c certbot-install-cert.sh
#!/usr/local/bin/bash
# INSTALL SSL/TLS CERTIFICATE
# Abort on the first failed command so that a half-copied certificate is
# never chowned into place and HAProxy is never reloaded with it.
set -eu

#### WEB DOMAIN ####
declare -a domainList=("example.com" "example.net")

#### SSL DIRECTORY ####
SSL_HAPROXY_DIR="/usr/local/etc/ssl/haproxy"
SSL_LETS_ENCRYPT_DIR="/usr/local/etc/letsencrypt/live"

#### INSTALL SSL ####
echo -e ""
echo -e "#### INSTALL SSL/TLS CERTIFICATE ####"
echo -e ""

mkdir -p "${SSL_HAPROXY_DIR}"
chmod 775 "${SSL_HAPROXY_DIR}"

# Build the HAProxy PEM for one domain: full chain first, private key appended.
install_ssl()
{
    echo -e "-: WEB DOMAIN: $1"
    echo -e ""
    cp "${SSL_LETS_ENCRYPT_DIR}/$1/fullchain.pem" "${SSL_HAPROXY_DIR}/$1.pem"
    chmod 660 "${SSL_HAPROXY_DIR}/$1.pem"
    cat "${SSL_LETS_ENCRYPT_DIR}/$1/privkey.pem" >> "${SSL_HAPROXY_DIR}/$1.pem"
}

for domain in "${domainList[@]}"
do
    install_ssl "${domain}"
done

#### SET PERMISSIONS ####
chown www:www "${SSL_HAPROXY_DIR}"/*.pem
chmod 400 "${SSL_HAPROXY_DIR}"/*.pem

#### RESTART HAPROXY ####
chmod 755 "${SSL_HAPROXY_DIR}"
echo -e "#### RELOADING LB SERVER... ####"
service haproxy reload
echo -e ""
echo -e "\n#### DONE ####\n"

#### END ####
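As an added check that is not part of the original article or its certbot-install-cert.sh script, and that applies equally to the manual install in section 2.2.2 and to the post-renew hook above: validate the combined HAProxy PEM before HAProxy is reloaded, so a missing private key, a key that does not belong to the certificate, or a certificate close to expiry is caught before it can take the load balancer down. The script assumes the openssl command-line tool is installed; the certificate it generates for its demo run is a constructed throwaway self-signed one, not a Let's Encrypt certificate.

```shell
#!/bin/sh
# check-haproxy-pem.sh: validate a combined HAProxy PEM (fullchain + private
# key) before it is installed and HAProxy is reloaded. Added example, not part
# of the original article. Assumes the openssl command-line tool is installed.
command -v openssl >/dev/null || { echo "openssl not found" >&2; exit 1; }

# 0 if FILE contains at least one certificate and exactly one private key.
pem_has_cert_and_key() {
    certs=$(grep -c '^-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true)
    keys=$(grep -c '^-----BEGIN .*PRIVATE KEY-----' "$1" 2>/dev/null || true)
    [ "${certs:-0}" -ge 1 ] && [ "${keys:-0}" -eq 1 ]
}

# 0 if the private key in FILE belongs to the first (leaf) certificate in FILE.
# Compares the public keys derived from each, so it works for RSA and EC keys.
pem_key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 0 if the leaf certificate in FILE stays valid for at least DAYS more days.
pem_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Run all checks on FILE (arg 1) requiring DAYS (arg 2) of validity left;
# report every failure and return 1 if any check failed.
check_pem() {
    rc=0
    pem_has_cert_and_key "$1" || { echo "$1: missing certificate or private key"; rc=1; }
    pem_key_matches_cert "$1" || { echo "$1: private key does not match certificate"; rc=1; }
    pem_valid_for_days "$1" "$2" || { echo "$1: certificate expires within $2 days"; rc=1; }
    return $rc
}

# With arguments, check that file (e.g. /usr/local/etc/ssl/haproxy/example.com.pem 7).
# Without arguments, run a demo on a constructed throwaway self-signed certificate.
if [ "$#" -gt 0 ]; then
    check_pem "$1" "${2:-7}"
else
    tmp=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj '/CN=example.com' \
        -keyout "$tmp/privkey.pem" -out "$tmp/fullchain.pem" 2>/dev/null
    cat "$tmp/fullchain.pem" "$tmp/privkey.pem" > "$tmp/example.com.pem"
    check_pem "$tmp/example.com.pem" 7 && echo "$tmp/example.com.pem: OK"
    rm -rf "$tmp"
fi
```

In the post-renew hook, calling check_pem on each freshly built PEM and skipping the chown and service haproxy reload steps when it returns non-zero keeps a bad renewal from reaching the running load balancer.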
