Setup nginx with Let's Encrypt SSL
This is a small tutorial to setup nginx with Let's Encrypt on a FreeBSD server to host a static site.
Install required software
First you have to install all the packages we need in order to get this server going:
Next is nginx. To make life easier, you should configure nginx to read all configuration files from another directory. This allows you to store all your sites in separate configurations in a separate directory. Such a setup is a regular site on nginx installations on GNU+Linux distributions, but not default on FreeBSD.
/usr/local/etc/nginx/nginx.conf and make the contents of the
block look a as follows:
This sets default ssl settings for all server blocks that enable ssl. Note that these are settings I use, and are in no way guaranteed to be perfect. I did some minor research on these settings to get an acceptable rating on SSL Labs. However, security is not standing still, and there is a decent chance that my settings will become outdated. If you have better settings that result in a safer setup, please contact me.
Due to the way
certbot works, you need a functioning web server. Since there
is no usable cert yet, this means hosting a HTTP version first. The tutorial
assumes a static HTML website to be hosted, so the configuration is pretty
Put the following in
If your site's sources do not reside in
/srv/www/domain/_site, change the
path accordingly. This guide will continue using this path for all examples, so
be sure to modify this where needed. In the same vein, the domain
will be used. Modify this to your own domain.
Nginx is now configured to host a single site over HTTP. Now is the time to enable the nginx service. Execute the following:
This will enable nginx as a system service. On reboots, it will be started automatically. You can also start it up without rebooting by running the following:
Configure Let's Encrypt
Nginx is now running as your web server on port 80. Now you can request Let's
Encrypt certificates using
certbot. You can do so as follows:
In case you want to add any sub domains, simply add more
arguments at the end. If the DNS entries for the domains resolve properly, and
no unexpected errors occur on the Let's Encrypt side, you should see a message
congratulating you with your new certs.
If your domains do not resolve correctly,
certbot will complain about this.
You will have to resolve your DNS issues before attempting again.
certbot complains about an unexpected error on their side, wait a couple
minutes and retry the command. It should work, eventually.
certbot has ran without errors, the required files should be available
Configure nginx with SSL
The certificate has been issued and base nginx is running. Now is the time to
re-configure your site on nginx to host the HTTPS version of your site instead.
/usr/local/etc/nginx/sites/domain.conf again, and make the contents
look like the following:
Do not forget to update all the paths to match your setup!
As a final step, you should generate the dhparam file. This is to avoid the issues as described on Weak DH.
Be aware that this step can take a very long time. On the test machine I used to test this tutorial, with 1 core and 1 GB ram, it took nearly 1 hour to generate this file.
The final step is to reload the nginx configuration so it hosts the SSL version of your site, and redirects the HTTP version to the HTTPS version. To do this, simply run
That should be all to get your site working with HTTP redirecting to HTTPS, and HTTPS running using a gratis Let's Encrypt certificate.