How to set up certificate renewal using FreeBSD, crontab, uacme and mini_httpd with Let’s Encrypt CA

If you are hosting your own services (like smtpd, httpd or any other) – there is a high chance you’ll need a TLS certificate 🙂

In this post we’ll set up a very simple flow to acquire and renew a certificate for your server – using FreeBSD.

  1. I assume you have basic knowledge about FreeBSD and your domain already has an IN A record set up 🙂
  2. These commands need to be run as the root user 🙂
  3. Update packages – pkg update
  4. Install needed software – pkg install uacme mini_httpd
  5. Setup mini_httpd
    1. mkdir -p /usr/local/www/.well-known/acme-challenge – creates our www root together with the challenge directory inside it
    2. chown -R www:www /usr/local/www/ – make it owned by the www user/group only
    3. sysrc mini_httpd_enable="YES" – enable mini_httpd on system boot
    4. sysrc mini_httpd_flags="-d /usr/local/www -u www -r" – serve files from our www root, chroot into it and run as the www user
    5. service mini_httpd start – after this you should be able to reach your machine over plain (non-secure) http://
  6. Now uacme:
    1. mkdir /usr/local/etc/uacme – here we will store our secrets
    2. uacme -v -c /usr/local/etc/uacme new – setup new account
    3. cp /usr/local/share/examples/uacme/ /usr/local/etc/uacme/ – copy the web challenge hook script that we will use
    4. edit this file and change one of the first lines to read CHALLENGE_PATH="/usr/local/www/.well-known/acme-challenge" – this needs to match the path that mini_httpd is serving content from
    5. crontab -e – let’s add an entry to crontab that will issue/renew our certificate to keep it valid; change the hour/minute to something else so as not to stress the CA servers 🙂
    6. 42 3 * * * /usr/local/bin/uacme -c /usr/local/etc/uacme -h /usr/local/etc/uacme/ issue your.domain – runs every day at 03:42 (the first field is the minute, the second the hour, and cron only accepts hours 0-23)
    7. save it and either wait one day or run the command directly (you can add -v to get more verbose output)
    8. your PEM file should be at /usr/local/etc/uacme/your.domain/cert.pem
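A small cron wrapper around the issue command from the steps above, added here as an example that is not part of the original post or of uacme itself. It assumes (check uacme(1) on your system) that `uacme issue` exits 0 when a certificate was issued or renewed, 2 when the existing one is still valid and nothing was done, and 1 on error; the hook script path (`HOOK`) and the service reload command (`RELOAD_CMD`) are placeholders you fill in.

```shell
#!/bin/sh
# renew.sh: cron wrapper for "uacme issue" (added example, not from the post or uacme).
# Assumption, verify against uacme(1): issue exits 0 = issued/renewed, 2 = still
# valid (nothing done), 1 = error. Only status 0 should reload services; status 2
# must stay quiet so cron does not mail you every night.

UACME="${UACME:-/usr/local/bin/uacme}"          # uacme binary
CONFDIR="${CONFDIR:-/usr/local/etc/uacme}"      # account and certs, as in the post
HOOK="${HOOK:-$CONFDIR/HOOK_SCRIPT_NAME}"       # placeholder: path of the copied hook script
RELOAD_CMD="${RELOAD_CMD:-:}"                   # e.g. "service smtpd reload"; ':' = no-op
LAST_ACTION=""                                  # what renew_cert decided, for logging

# cron_time_ok MINUTE HOUR: 0 if the numeric pair is a valid crontab time.
# ("3 42 * * *" is rejected by crontab because 42 is not a valid hour.)
cron_time_ok() {
    case "$1:$2" in *[!0-9:]*|:*|*:) return 1 ;; esac
    [ "$1" -le 59 ] && [ "$2" -le 23 ]
}

# renew_cert DOMAIN: run uacme and reload services only after a real renewal.
renew_cert() {
    domain="$1"
    if "$UACME" -c "$CONFDIR" -h "$HOOK" issue "$domain"; then
        status=0
    else
        status=$?
    fi
    case "$status" in
        0) LAST_ACTION="renewed"
           $RELOAD_CMD || { printf 'reload failed for %s\n' "$domain" >&2; return 1; } ;;
        2) LAST_ACTION="still-valid" ;;
        *) LAST_ACTION="error"
           printf 'uacme issue %s failed (exit %s)\n' "$domain" "$status" >&2
           return 1 ;;
    esac
    return 0
}

# cert_ok CERT DAYS: 0 if CERT stays valid for at least DAYS more days (needs openssl);
# a quick sanity check to run after renew_cert.
cert_ok() {
    openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1"
}

# Cron usage, e.g.:  42 3 * * * /usr/local/etc/uacme/renew.sh your.domain
if [ -n "${1:-}" ]; then
    renew_cert "$1"
fi
```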

More to read:

That’s it, now you can set up secure httpd/smtpd/other services that require a valid TLS certificate.