If you are hosting your own services (like smtpd, httpd or any other) – there is a high chance you'll need a TLS certificate 🙂
In this post, we'll set up a very simple flow to acquire and renew a certificate for your server – using FreeBSD.
- I assume you have basic knowledge of FreeBSD and your domain already has an IN A record set up 🙂
- These commands need to be run as the root user 🙂
- Update packages – pkg update
- Install needed software – pkg install uacme mini_httpd
- Setup mini_httpd
- mkdir -p /usr/local/www/.well-known/acme-challenge – directory for our www root
- chown -R www:www /usr/local/www/ – make it owned by www user/group only
- sysrc mini_httpd_enable="YES" – enable mini_httpd on system boot
- sysrc mini_httpd_flags="-d /usr/local/www -u www -r" – serve files from our www root, chroot into it and run as the www user
- service mini_httpd start – after this you should be able to access your machine using plain (non-secure) http://
- Now uacme:
- mkdir /usr/local/etc/uacme – here we will store our secrets
- uacme -v -c /usr/local/etc/uacme new – setup new account
- cp /usr/local/share/examples/uacme/uacme.sh /usr/local/etc/uacme/ – copy web challenge hook script that we will use
- edit this file and change one of the first lines to be CHALLENGE_PATH="/usr/local/www/.well-known/acme-challenge" – this needs to match the path from which mini_httpd is serving content, otherwise the CA will not find the challenge file
- crontab -e – let's add an entry to crontab that will issue/renew our certificate to keep it valid; change the minute/hour (cron fields are minute first, then hour) to something else so as not to stress the CA servers 🙂
- 42 3 * * * /usr/local/bin/uacme -c /usr/local/etc/uacme -h /usr/local/etc/uacme/uacme.sh issue your.domain
- save it and either wait one day or run the command directly (you can add -v to get more verbose output); running it daily is fine, as uacme only contacts the CA when the certificate is close to expiry
- your PEM file should be at /usr/local/etc/uacme/your.domain/cert.pem
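The most common way for this flow to fail silently is a hook CHALLENGE_PATH that does not sit under the document root mini_httpd serves. The following POSIX sh script is an added example (not part of the original post or of uacme/mini_httpd) that reads both values and compares them; it assumes the file paths from the steps above and that `sysrc -n` is available to print the flags value.

```sh
#!/bin/sh
# Added example: check that the uacme hook writes HTTP-01 challenge files into the
# directory mini_httpd actually serves. Run as: sh check_acme_paths.sh check

# Print the CHALLENGE_PATH assigned in a hook script (first assignment, quotes stripped).
challenge_path_from_hook() {
    sed -n 's/^CHALLENGE_PATH=["'\'']\{0,1\}\([^"'\'']*\).*/\1/p' "$1" | head -n 1
}

# Print the document root given by -d in a mini_httpd flags string
# such as "-d /usr/local/www -u www -r"; fail if there is no -d.
www_root_from_flags() {
    set -- $1
    while [ $# -gt 0 ]; do
        if [ "$1" = "-d" ]; then printf '%s\n' "$2"; return 0; fi
        shift
    done
    return 1
}

# Succeed only when the hook path equals <document root>/.well-known/acme-challenge,
# i.e. the exact URL path the CA requests during an HTTP-01 validation.
paths_match() {
    hook_path=$(challenge_path_from_hook "$1")
    root=$(www_root_from_flags "$2") || return 1
    [ -n "$hook_path" ] && [ "$hook_path" = "${root%/}/.well-known/acme-challenge" ]
}

# Live check against the FreeBSD paths used in this post (hypothetical layout).
main() {
    hook=/usr/local/etc/uacme/uacme.sh
    flags=$(sysrc -n mini_httpd_flags 2>/dev/null) || { echo "mini_httpd_flags not set" >&2; return 2; }
    if paths_match "$hook" "$flags"; then
        echo "OK: CHALLENGE_PATH matches mini_httpd document root"
    else
        echo "MISMATCH: hook uses '$(challenge_path_from_hook "$hook")', mini_httpd serves '$(www_root_from_flags "$flags")'" >&2
        return 1
    fi
}

if [ "${1:-}" = "check" ]; then main; fi
```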
More to read:
- ndilieto/uacme: ACMEv2 client written in plain C with minimal dependencies (github.com)
- mini_httpd (acme.com)
That's it, now you can set up secure httpd/smtpd/other services that require a valid TLS certificate.