How To Secure Nginx with Let's Encrypt on FreeBSD
How To Secure Nginx with Let's Encrypt on FreeBSD
We hope you find this tutorial helpful. In addition to guides like this one, we provide simple cloud infrastructure for developers. Learn more →

How To Secure Nginx with Let's Encrypt on FreeBSD

PostedJuly 2, 2018 8.6k views Let's Encrypt Firewall Security Nginx FreeBSD

Introduction

Let's Encrypt is a Certificate Authority (CA) that provides an easy way to obtain and install free TLS/SSL certificates, thereby enabling encrypted HTTPS on web servers. It simplifies the process by providing a software client, Certbot, that automates most of the steps.

In this tutorial, we will show you how to use Certbot to obtain a free SSL certificate and use it on a FreeBSD server running Nginx. We will also show you how to automatically renew your SSL certificate.

We will use the default Nginx configuration file in this tutorial instead of a separate server block file. We generally recommend creating new Nginx server block files for each domain because it helps to avoid some common mistakes and maintains the default files as a fallback configuration as intended.

Prerequisites

In order to complete this tutorial, you’ll need:

  • A FreeBSD server. If you’re new to working with FreeBSD, you can follow this guide to help you get started.
  • Nginx installed and configured on your server. For directions on how to set this up, see our guide on How To Install an Nginx, MySQL, and PHP (FEMP) Stack on FreeBSD 10.1. Note that you do not need to install or configure PHP or MySQL to obtain a Let’s Encrypt certificate. At a minimum, though, you will need to install, enable, and configure Nginx as shown in the linked tutorial.
  • A registered domain name that you own and control. If you do not already have a registered domain name, you may register one with one of the many domain name registrars out there (e.g. Namecheap, GoDaddy, etc.).
  • A DNS A Record that points your domain to the public IP address of your server. You can follow this hostname tutorial for details on how to add them. This is required because of how Let's Encrypt validates that you own the domain it’s issuing a certificate for. For example, if you want to obtain a certificate for example.com, that domain must resolve to your server for the validation process to work. Our setup will use example.com and www.example.com as the domain names, so both DNS records are required.

Once you’ve completed these prerequisites, let's move on to installing Certbot, the Let's Encrypt client software.

Step 1 — Installing Certbot

The first step to using Let's Encrypt to obtain an SSL certificate is to install the certbot client software on your server. The latest version of Certbot can be installed from source using FreeBSD’s ports system.

To begin, fetch a compressed snapshot of the ports tree:

  • sudo portsnap fetch

It may take a few minutes for this command to complete. When it finishes, extract the snapshot:

  • sudo portsnap extract

It may take a while for this command to finish, as well. Once it’s done, navigate to the py-certbot directory within the ports tree:

  • cd /usr/ports/security/py-certbot

Then use the make command with sudo privileges to download and compile the Certbot source code:

  • sudo make install clean

Next, navigate to the py-certbot-nginx directory within the ports tree:

  • cd /usr/ports/security/py-certbot-nginx

Run the make command again from this directory. This will install the nginx plugin for Certbot which we’ll use to obtain the SSL certificates:

  • sudo make install clean

During this plugin’s installation, you will see a couple of blue dialog windows pop up that look like this:

py-certbot-nginx dialog window example

These give you the option to install documentation for the plugin and its dependencies. For the purposes of this tutorial, you can just press ENTER to accept the default options in these windows which will install this documentation.

The certbot Let's Encrypt client is now ready to use. Before obtaining your certificates, though, it’s important to set up a firewall and allow HTTPS traffic through it, if you haven’t already done so.

Step 2 — Setting Up a Firewall and Allowing HTTPS Access

If you’ve already set up a firewall on your server, you should ensure that it allows HTTPS access (via port 443). If you haven’t already set up a firewall, you can do so by following the directions outlined in this step.

Open up your rc.conf file, which is located in the /etc/ directory, with your preferred editor. Here we will use ee:

  • sudo ee /etc/rc.conf

This file is used to inform FreeBSD which services should be started whenever the machine boots up. Near the top of the file, add the following highlighted lines:

/etc/rc.conf
. . .
nginx_enable="YES"
firewall_enable="YES"
firewall_type="workstation"
firewall_myservices="22 80 443"
firewall_allowservices="any"

Here’s what each of these directives and their settings do:

  • firewall_enable="YES" — This enables the firewal to start up whenever the server boots.
  • firewall_type="workstation" — FreeBSD provides several default types of firewalls, each of which have slightly different configurations. By declaring the workstation type, the firewall will only protect this server using stateful rules.
  • firewall_myservices="22 80 443" — The firewall_myservices directive is where you can list the TCP ports you want to allow through the firewall. In this example, we’re specifying ports 22, 80, and 443 to allow SSH, HTTP, and HTTPS access to the server, respectively.
  • firewall_allowservices="any" — This allows a machine from any IP address to communicate over the ports specified in the firewall_myservices directive.

After adding these lines, save the file and close the editor by pressing CTRL + C, typing exit, and then pressing ENTER.

Then, start the ipfw firewall service with the following command:

  • sudo service ipfw start

With a firewall configured, you’re now ready to run Certbot and fetch your certificates.

Step 3 — Obtaining an SSL Certificate

Certbot provides a variety of ways to obtain SSL certificates through various plugins. The nginx plugin will take care of reconfiguring Nginx and reloading the config file:

  • sudo certbot --nginx -d example.com -d www.example.com

If this is your first time running certbot on this server, the client will prompt you to enter an email address and agree to the Let’s Encrypt terms of service. After doing so, certbot will communicate with the Let's Encrypt server, then run a challenge to verify that you control the domain you're requesting a certificate for.

If the challenge is successful, Certbot will ask how you'd like to configure your HTTPS settings:

Output
. . . Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access. ------------------------------------------------------------------------------- 1: No redirect - Make no further changes to the webserver configuration. 2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for new sites, or if you're confident your site works on HTTPS. You can undo this change by editing your web server's configuration. ------------------------------------------------------------------------------- Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2

Select your choice then hit ENTER. This will update the configuration and reload Nginx to pick up the new settings. certbot will wrap up with a message telling you the process was successful and where your certificates are stored:

Output
IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at: /usr/local/etc/letsencrypt/live/example.com/fullchain.pem Your key file has been saved at: /usr/local/etc/letsencrypt/live/example.com/privkey.pem Your cert will expire on 2018-09-24. To obtain a new or tweaked version of this certificate in the future, simply run certbot again. To non-interactively renew *all* of your certificates, run "certbot renew" - Your account credentials have been saved in your Certbot configuration directory at /usr/local/etc/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Certbot so making regular backups of this folder is ideal. - If you like Certbot, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le

Your certificates are now downloaded, installed, and configured. Try reloading your website using https:// and notice your browser's security indicator. It should represent that the site is properly secured, usually with a green lock icon. If you test your server using the SSL Labs Server Test, it will get an A grade.

After confirming that you’re able to reach your site over HTTPS, you can move onto the final step of this tutorial in which you’ll confirm that you can renew your certificates and then configure a process to renew them automatically.

Step 4 — Verifying Certbot Auto-Renewal

Let's Encrypt's certificates are only valid for ninety days. This is to encourage users to automate their certificate renewal process. This step describes how to automate certificate renewal by setting up a cron task. Before setting up this automatic renewal though, it’s important to test that you’re able to renew certificates correctly.

To test the renewal process, you can do a dry run with certbot:

  • sudo certbot renew --dry-run

If you see no errors, you’re all set to create a new crontab:

  • sudo crontab -e

This will open a new crontab file. Add the following content to the new file, which will tell cron to run the certbot renew command twice every day at noon and midnight. certbot renew checks whether any certificates on the system are close to expiring and will attempt to renew them when necessary:

0 0,12 * * * /usr/local/bin/certbot renew

Note that because you preceded the crontab -e command with sudo, this operation will be run as root, which is necessary because certbot requires superuser privileges to run.

If the automated renewal process ever fails, Let’s Encrypt will send a message to the email you specified, warning you when your certificate is about to expire.

Conclusion

In this tutorial we've installed the Let's Encrypt client certbot, downloaded SSL certificates for our domain, configured Nginx to use these certificates, and set up automatic certificate renewal. If you have further questions about using Certbot, their documentation is a good place to start.

Creative Commons License