I thought I’d published this blog, but I’d only saved as a draft, so in terms of a timeline, I actually wrote this before I moved my blog from web to WordPress.  It’s only relevant regarding the FreeBSD 9 EOL, as the problems described below had been learned before creating my WordPress jail, hence the reason it wasn’t mentioned!

Well, as my SSL certificate from an earlier blog was coming up for expiry later this month I thought I better have a go at setting up certbot on my Nginx-proxy server, so I don’t have to mess around creating a cert manually and copying it across to the server. 

My first issue was installing certbot, which should have been as simple as ‘make clean install’ in the appropriate ports directory.  I was quite surprised to find that didn’t work, as FreeBSD 9.3 has now reached End Of Life (EOL) and the ports are no longer supported 😮

This could be a major issue for me moving forward, and I might need to take the plunge and upgrade my FreeNAS server to 9.10, but as a workaround, it’s possible to override the warning message with the command

make ALLOW_UNSUPPORTED_SYSTEM=yes clean install

I didn’t remember installing certbot into the Nginx-proxy jail, but I must have at some point as it didn’t like a clean install but was happy after a little further investigation and a ‘make reinstall’ command.

Creating the new certificate with certbot is very simple 

certbot certonly

You get a basic menu to enter some details (such as the domain) and it creates all the relevant files in the /usr/local/etc/letsencrypt folder.

It was then just a case of editing my nginx.conf file, pointing the certificate and key locations to the new files, and finally restarting the Nginx service.

I also created a cronjob to run the certbot renewal a couple of times a day (as recommended) which will fail for the first few months but should auto-renew the certificate 30 days before expiry.   I’ll know for sure at the end of March if this worked!

If it does, I’ll probably create Letsencrypt certificates for all the other domains that route through the Nginx-proxy server, and hopefully, it’s something I can just forget about then.

I’ll let you know in a couple of months…

UPDATE

I also added a cert for my new WordPress domain, and while I was at it, one for my ownCloud domain too.  Fingers will be crossed at the beginning of April that they all auto-renew and I can forget about them for a while.

FURTHER UPDATE

Ok, so they didn’t automatically update, and I think I need to tinker with my nginx.conf file so that they will work with that instead of the standalone web server.  When I stopped the nginx service and ran ‘certbot renew’ they were all updated and worked as expected.  So it’s only a 5 minute job to renew them all, but it is something I need to remember to do, so I will spend a little time understanding what I need to change in Nginx so hopefully the cron job runs them automatically next time, or I might be able to get the cron job to stop and then restart nginx.
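
The "stop and then restart nginx" option from the further update, sketched as a cron wrapper. This is an added example, not part of the original post: the script name, crontab path and WARN_DAYS value are assumptions, and the certificate directory is certbot's live/ folder under the /usr/local/etc/letsencrypt path mentioned earlier. It also reports any certificate that is close to expiry, so a renewal that quietly fails gets noticed.

```shell
#!/bin/sh
# Added example (not from the original post): cron wrapper for `certbot renew`
# when certificates were issued with the standalone web server behind nginx.
# Assumed: script name, crontab path, WARN_DAYS; LIVE_DIR is certbot's live/
# directory under the /usr/local/etc/letsencrypt folder named in the post.
LIVE_DIR="${LIVE_DIR:-/usr/local/etc/letsencrypt/live}"
WARN_DAYS="${WARN_DAYS:-20}"   # renewal is due at 30 days, so under 20 means it is failing

# Renew due certificates. certbot runs the hooks only when a renewal is
# actually attempted, so nginx is not bounced on every cron run.
renew_certs() {
    certbot renew --quiet \
        --pre-hook "service nginx stop" \
        --post-hook "service nginx start"
}

# Start nginx again if a failed run left it stopped.
ensure_nginx() {
    service nginx status >/dev/null 2>&1 || service nginx start
}

# Print one line per certificate that expires within WARN_DAYS days.
# Returns 1 if any was found (cron mails the output to the job's owner).
check_expiry() {
    stale=0
    for cert in "$LIVE_DIR"/*/cert.pem; do
        [ -f "$cert" ] || continue
        if ! openssl x509 -in "$cert" -noout \
                -checkend $((WARN_DAYS * 86400)) >/dev/null 2>&1; then
            echo "WARNING: ${cert%/cert.pem} expires within $WARN_DAYS days"
            stale=1
        fi
    done
    return "$stale"
}

main() {
    rc=0
    renew_certs  || { echo "certbot renew failed"; rc=1; }
    ensure_nginx || { echo "nginx is not running"; rc=1; }
    check_expiry || rc=1
    return "$rc"
}

# Crontab entry (assumed path): 17 3,15 * * * /usr/local/sbin/certbot-renew.sh run
if [ "${1:-}" = "run" ]; then main; exit $?; fi
```

The functions are only defined unless the script is called with the argument run, so it can be sourced and each check tried by hand first.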