How To Install Lets Encrypt On FreeBSD

For your everyday “free” SSL usage you can use Let's Encrypt, a free service that will issue you a certificate, valid for 90 days, at no cost. The idea is to retrieve the certificate automatically from Let's Encrypt using Certbot. Here is how to do this.

First we need to install Certbot.

cd /usr/ports/security/py-certbot && make install clean BATCH=yes

Creating a certificate

There are some switches for this as well, and two of them are quite important and may need some explaining.

  1. --webroot
  2. --standalone

The first option works much like Google Webmaster Tools site verification. Certbot creates a file in your web root, which proves that you are actually installing the SSL certificate on the server that can be reached from the domain we are creating the certificate for. The “check” file must be accessible from the internet.

The second option spins up its own web server listening on port 80. The issue here may or may not be obvious to you: if we already have a web server bound to port 80, this will fail. “There can be only one.”

Next, create a certificate. We will use method 1 (--webroot) for this. Be sure to replace the example domain(s) with your real domain(s).

To clarify: a “check” file will be created for each domain, and it needs to be reachable from the internet in that domain's web root folder.

So here is an example using multiple domains; modify it to your needs. Important: replace [email protected] with a real e-mail address. If you want to see what is going on, remove “-m [email protected] --agree-tos --no-eff-email” from the command line.

certbot certonly --webroot -m [email protected] --agree-tos --no-eff-email -w /usr/local/www/example -d example.com -d sub1.example.com -w /usr/local/www/thing -d thing.com -d sub1.thing.com

You will be asked a few questions. Here is a sample output. What's really important from that output is this line:

Your account credentials have been saved in your Certbot configuration directory at /usr/local/etc/letsencrypt.

You will get a certificate, which will be stored here:

/usr/local/etc/letsencrypt/live/domain.com/fullchain.pem

Be sure to back up that folder, as it contains your Certbot settings as well as the certificate and account information you entered above.

Renewing Certificates

This is quite easy: all you need to do is run the following from cron. The crontab entry below (in /etc/crontab format, with the user field) runs once a day at 01:15.

15        1       *       *       *       root    /usr/local/bin/certbot renew --quiet --post-hook "apachectl graceful" >/dev/null 2>&1

Remember to restart cron.

/etc/rc.d/cron restart

Note: in rare cases the certificate does not get renewed (tracked down to how and when Certbot decides a certificate is not yet due for renewal). You can work around this with the --force-renew flag and then run the renewal like this. This should only be used if the method above fails.

certbot certonly --force-renew --quiet -d example.com -d sub1.example.com -d thing.com -d sub1.thing.com -d something.yourdomain.xxx

This will try to renew all the certificates you have obtained and will update those that expire in less than 30 days. So the best solution for renewing your certificates would probably be to run the renewal process from cron, once a week or even once a day. The easiest way to do this is probably to create a small script that runs all of the above commands for us.

15        1       *       *       *       root    /usr/local/bin/certbot certonly --force-renew -d yourdomain.xxx -d www.yourdomain.xxx >/dev/null 2>&1
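The cron lines above send everything to /dev/null, so a renewal that keeps failing (the “SSL does not get renewed” case from the note) is never noticed until the certificate expires. Here is an added example of such a small script, not from the original page: it wraps certbot renew, reloads Apache only when a certificate was actually replaced, and exits non-zero (so cron mails root) when certbot fails or any certificate under live/ is still close to expiry. The CERTBOT, LIVE_DIR, STAMP, RELOAD_CMD and WARN_DAYS defaults are assumptions; override them in the environment.

```shell
#!/bin/sh
# Added example, not from the original page: a cron wrapper around
# "certbot renew" that is quiet on success but exits non-zero (so cron
# mails root) when renewal fails or a live/ certificate is still close
# to expiry afterwards; the page's cron line discards all output instead.
# CERTBOT, LIVE_DIR, STAMP, RELOAD_CMD and WARN_DAYS are assumed defaults.
CERTBOT="${CERTBOT:-/usr/local/bin/certbot}"
LIVE_DIR="${LIVE_DIR:-/usr/local/etc/letsencrypt/live}"
STAMP="${STAMP:-/var/db/certbot-renew.stamp}"
RELOAD_CMD="${RELOAD_CMD:-apachectl graceful}"
WARN_DAYS="${WARN_DAYS:-20}"

# Print every fullchain.pem under $2 modified after stamp file $1
# (all of them if no stamp exists yet). -L follows certbot's live/ ->
# archive/ symlinks so the real file's mtime is what gets compared.
renewed_certs() {
    if [ -f "$1" ]; then
        find -L "$2" -name fullchain.pem -newer "$1"
    else
        find -L "$2" -name fullchain.pem
    fi
}

# Succeed only if certificate $1 remains valid for at least $2 more days.
cert_ok_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# One renewal pass. Returns non-zero if certbot failed or if any
# certificate is within WARN_DAYS of expiry after the run.
renew_all() {
    "$CERTBOT" renew --quiet || return $?
    renewed=$(renewed_certs "$STAMP" "$LIVE_DIR")
    if [ -n "$renewed" ]; then
        echo "renewed:" $renewed
        $RELOAD_CMD            # unquoted on purpose: command plus args
    fi
    touch "$STAMP"
    status=0
    for f in $(find -L "$LIVE_DIR" -name fullchain.pem); do
        cert_ok_for_days "$f" "$WARN_DAYS" || {
            echo "WARNING: $f expires within $WARN_DAYS days" >&2
            status=1
        }
    done
    return $status
}

if [ "${1:-}" = "run" ]; then renew_all; fi
```

Install it as, for example, /usr/local/sbin/renew-certs.sh and call it from cron with the argument run, without the trailing >/dev/null 2>&1, so that cron's mail carries the warning.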

Instructions on how to set this up with Apache are shown here: FreeBSD Enable SSL On Apache 2.4

archive/freebsd_install_lets_encrypt.txt · Last modified: 24/11/2023 12:31 by Allan