Back to Let's Encrypt


For about the past two years I had been issuing server certificates through SSL Box, but the requirement that the approval e-mail address be on my own domain (using the address registered in WHOIS has been prohibited since July 15, 2025) became a sticking point, so I decided to go back to issuing server certificates with Let's Encrypt.

Somewhere along the way the certbot command had stopped working, so that was the first thing to sort out.
The reference I followed was 『FreeBSD 14.1 に certbot をインストールして Let’s Encrypt の証明書を取得して自動更新まで設定する方法 | 僕とガジェット』 ("How to install certbot on FreeBSD 14.1, obtain a Let's Encrypt certificate and set up automatic renewal", on the Boku to Gadget blog).

root@www:~ # pkg install -y py311-certbot
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 22 package(s) will be affected (of 0 checked):
 
New packages to be INSTALLED:
        py311-acme: 4.2.0,1
        py311-certbot: 4.2.0,1
        py311-certifi: 2025.8.3
        py311-cffi: 1.17.1
        py311-charset-normalizer: 3.4.3
        py311-configargparse: 1.7.1
        py311-configobj: 5.0.9
        py311-cryptography: 44.0.3_3,1
        py311-distro: 1.9.0
        py311-idna: 3.10
        py311-josepy: 2.1.0
        py311-openssl: 25.0.0_1,1
        py311-parsedatetime: 2.6_1
        py311-pycparser: 2.22
        py311-pyrfc3339: 1.1_1
        py311-pysocks: 1.7.1_1
        py311-pytz: 2025.2_1,1
        py311-requests: 2.32.5
        py311-setuptools: 63.1.0_3
        py311-six: 1.17.0
        py311-typing-extensions: 4.15.0
        py311-urllib3: 1.26.20,1
 
Number of packages to be installed: 22
 
The process will require 35 MiB more space.
6 MiB to be downloaded.
[1/22] Fetching py311-cryptography-44.0.3_3,1.pkg: 100%    1 MiB   1.3MB/s    00:01
[2/22] Fetching py311-pycparser-2.22.pkg: 100%  230 KiB 235.4kB/s    00:01
[3/22] Fetching py311-six-1.17.0.pkg: 100%   27 KiB  27.5kB/s    00:01
[4/22] Fetching py311-acme-4.2.0,1.pkg: 100%  198 KiB 202.3kB/s    00:01
[5/22] Fetching py311-charset-normalizer-3.4.3.pkg: 100%   95 KiB  97.6kB/s    00:01
[6/22] Fetching py311-certbot-4.2.0,1.pkg: 100%  886 KiB 907.7kB/s    00:01
[7/22] Fetching py311-parsedatetime-2.6_1.pkg: 100%   76 KiB  77.7kB/s    00:01 
[8/22] Fetching py311-josepy-2.1.0.pkg: 100%   63 KiB  64.8kB/s    00:01
[9/22] Fetching py311-setuptools-63.1.0_3.pkg: 100%    1 MiB   1.5MB/s    00:01 
[10/22] Fetching py311-idna-3.10.pkg: 100%  104 KiB 106.6kB/s    00:01
[11/22] Fetching py311-cffi-1.17.1.pkg: 100%  282 KiB 288.6kB/s    00:01
[12/22] Fetching py311-distro-1.9.0.pkg: 100%   32 KiB  32.7kB/s    00:01
[13/22] Fetching py311-pytz-2025.2_1,1.pkg: 100%  173 KiB 177.4kB/s    00:01
[14/22] Fetching py311-pysocks-1.7.1_1.pkg: 100%   32 KiB  32.7kB/s    00:01
[15/22] Fetching py311-requests-2.32.5.pkg: 100%  119 KiB 121.8kB/s    00:01
[16/22] Fetching py311-certifi-2025.8.3.pkg: 100%  156 KiB 159.6kB/s    00:01   
[17/22] Fetching py311-configobj-5.0.9.pkg: 100%   69 KiB  70.6kB/s    00:01
[18/22] Fetching py311-urllib3-1.26.20,1.pkg: 100%  241 KiB 247.0kB/s    00:01  
[19/22] Fetching py311-configargparse-1.7.1.pkg: 100%   45 KiB  46.5kB/s    00:01
[20/22] Fetching py311-pyrfc3339-1.1_1.pkg: 100%   10 KiB  10.0kB/s    00:01
[21/22] Fetching py311-typing-extensions-4.15.0.pkg: 100%   92 KiB  94.4kB/s    00:01
[22/22] Fetching py311-openssl-25.0.0_1,1.pkg: 100%  103 KiB 105.6kB/s    00:01 
Checking integrity... done (0 conflicting)
[1/22] Installing py311-certifi-2025.8.3...
[1/22] Extracting py311-certifi-2025.8.3: 100%
[2/22] Installing py311-charset-normalizer-3.4.3...
[2/22] Extracting py311-charset-normalizer-3.4.3: 100%
[3/22] Installing py311-configargparse-1.7.1...
[3/22] Extracting py311-configargparse-1.7.1: 100%
[4/22] Installing py311-distro-1.9.0...
[4/22] Extracting py311-distro-1.9.0: 100%
[5/22] Installing py311-idna-3.10...
[5/22] Extracting py311-idna-3.10: 100%
[6/22] Installing py311-parsedatetime-2.6_1...
[6/22] Extracting py311-parsedatetime-2.6_1: 100%
[7/22] Installing py311-pycparser-2.22...
[7/22] Extracting py311-pycparser-2.22: 100%
[8/22] Installing py311-cffi-1.17.1...
[8/22] Extracting py311-cffi-1.17.1: 100%
[9/22] Installing py311-cryptography-44.0.3_3,1...
[9/22] Extracting py311-cryptography-44.0.3_3,1: 100%
[10/22] Installing py311-josepy-2.1.0...
[10/22] Extracting py311-josepy-2.1.0: 100%
[11/22] Installing py311-pysocks-1.7.1_1...
[11/22] Extracting py311-pysocks-1.7.1_1: 100%
[12/22] Installing py311-pytz-2025.2_1,1...
[12/22] Extracting py311-pytz-2025.2_1,1: 100%
[13/22] Installing py311-pyrfc3339-1.1_1...
[13/22] Extracting py311-pyrfc3339-1.1_1: 100%
[14/22] Installing py311-setuptools-63.1.0_3...
[14/22] Extracting py311-setuptools-63.1.0_3: 100%
[15/22] Installing py311-six-1.17.0...
[15/22] Extracting py311-six-1.17.0: 100%
[16/22] Installing py311-configobj-5.0.9...
[16/22] Extracting py311-configobj-5.0.9: 100%
[17/22] Installing py311-typing-extensions-4.15.0...
[17/22] Extracting py311-typing-extensions-4.15.0: 100%
[18/22] Installing py311-openssl-25.0.0_1,1...
[18/22] Extracting py311-openssl-25.0.0_1,1: 100%
[19/22] Installing py311-urllib3-1.26.20,1...
[19/22] Extracting py311-urllib3-1.26.20,1: 100%
[20/22] Installing py311-requests-2.32.5...
[20/22] Extracting py311-requests-2.32.5: 100%
[21/22] Installing py311-acme-4.2.0,1...
[21/22] Extracting py311-acme-4.2.0,1: 100%
[22/22] Installing py311-certbot-4.2.0,1...
[22/22] Extracting py311-certbot-4.2.0,1: 100%
=====
Message from py311-urllib3-1.26.20,1:
 
--
Since version 1.25 HTTPS connections are now verified by default which is done
via "cert_reqs = 'CERT_REQUIRED'".  While certificate verification can be
disabled via "cert_reqs = 'CERT_NONE'", it's highly recommended to leave it on.
 
Various consumers of net/py-urllib3 already have implemented routines that
either explicitly enable or disable HTTPS certificate verification (e.g. via
configuration settings, CLI arguments, etc.).
 
Yet it may happen that there are still some consumers which don't explicitly
enable/disable certificate verification for HTTPS connections which could then
lead to errors (as is often the case with self-signed certificates).
 
In case of an error one should try first to temporarily disable certificate
verification of the problematic urllib3 consumer to see if that approach will
remedy the issue.
=====
Message from py311-certbot-4.2.0,1:
 
--
This port installs the "standalone" client only, which does not use and
is not the certbot-auto bootstrap/wrapper script.
 
The simplest form of usage to obtain certificates is:
 
 # sudo certbot certonly --standalone -d <domain1, [domain2, ... domainN]>
 
NOTE:
 
The client requires the ability to bind on TCP port 80 or 443 (depending
on the --preferred-challenges option used). If a server is running on that
port, it will need to be temporarily stopped so that the standalone server
can listen on that port to complete the challenge authentication process.
 
For more information on the 'standalone' mode, see:
 
  https://certbot.eff.org/docs/using.html#standalone
 
The certbot plugins to support apache and nginx certificate installation
will be made available in the following ports:
 
 * Apache plugin: security/py-certbot-apache
 * Nginx plugin: security/py-certbot-nginx
 
In order to automatically renew the certificates, add this line to
/etc/periodic.conf:
 
    weekly_certbot_enable="YES"
 
More config details in the certbot periodic script:
 
    /usr/local/etc/periodic/weekly/500.certbot-3.11
root@www:~ # certbot --version
certbot 4.2.0

It installed without trouble, so let's create a server certificate.
Starting with www.still-laughin.com.

root@www:~ #  /usr/local/etc/rc.d/apache24 stop
/etc/rc.conf: apache24_http_accept_enable: not found
Stopping apache24.
Waiting for PIDS: 2446.
root@www:~ # certbot certonly --standalone -d www.still-laughin.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
 
Enter email address or hit Enter to skip.
 (Enter 'c' to cancel):
 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at:
https://letsencrypt.org/documents/LE-SA-v1.5-February-24-2025.pdf
You must agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
Account registered.
Requesting a certificate for www.still-laughin.com
 
Successfully received certificate.
Certificate is saved at: /usr/local/etc/letsencrypt/live/www.still-laughin.com/fullchain.pem
Key is saved at:         /usr/local/etc/letsencrypt/live/www.still-laughin.com/privkey.pem
This certificate expires on 2026-01-31.
These files will be updated when the certificate renews.
 
NEXT STEPS:
- The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions.
 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
root@www:~ # certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: www.still-laughin.com
    Serial Number: 6a0abe72efde47b23f26bf2a81dcef0b721
    Key Type: ECDSA
    Domains: www.still-laughin.com
    Expiry Date: 2026-01-31 06:33:50+00:00 (VALID: 89 days)
    Certificate Path: /usr/local/etc/letsencrypt/live/www.still-laughin.com/fullchain.pem
    Private Key Path: /usr/local/etc/letsencrypt/live/www.still-laughin.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
root@www:~ # ls -l /usr/local/etc/letsencrypt/live/www.still-laughin.com/
total 7
-rw-r--r--  1 root wheel 692 Nov  2 16:32 README
lrwxr-xr-x  1 root wheel  45 Nov  2 16:32 cert.pem -> ../../archive/www.still-laughin.com/cert1.pem
lrwxr-xr-x  1 root wheel  46 Nov  2 16:32 chain.pem -> ../../archive/www.still-laughin.com/chain1.pem
lrwxr-xr-x  1 root wheel  50 Nov  2 16:32 fullchain.pem -> ../../archive/www.still-laughin.com/fullchain1.pem
lrwxr-xr-x  1 root wheel  48 Nov  2 16:32 privkey.pem -> ../../archive/www.still-laughin.com/privkey1.pem
root@www:~ # 

Next I created the server certificate for blog.still-laughin.com the same way.
Then I opened /usr/local/etc/apache24/extra/httpd-ssl.conf in vi and restored the settings from the Let's Encrypt days.

SSLCertificateFile "/usr/local/etc/letsencrypt/live/www.still-laughin.com/cert.pem"
SSLCertificateKeyFile "/usr/local/etc/letsencrypt/live/www.still-laughin.com/privkey.pem"
SSLCertificateChainFile "/usr/local/etc/letsencrypt/live/www.still-laughin.com/chain.pem"

The virtual host (blog) is set up the same way.

Next, set up automatic renewal.
Create a script named 999.certbot-renew in periodic/daily.

root@www:/usr/local/etc/apache24/extra # cd /usr/local/etc/periodic/daily
root@www:/usr/local/etc/periodic/daily # ls -l
total 9
-rwxr-xr-x  1 root wheel 2468 Oct 26 10:05 411.pkg-backup
-rwxr-xr-x  1 root wheel 1954 Oct 26 10:05 490.status-pkg-changes
root@www:/usr/local/etc/periodic/daily # vi 999.certbot-renew

Its contents:

#!/bin/sh
#
# $FreeBSD$
#
 
# If there is a global system configuration file, suck it in.
#
if [ -r /etc/defaults/periodic.conf ]; then
    . /etc/defaults/periodic.conf
    source_periodic_confs
fi
 
case "$daily_certbot_enable" in
    [Yy][Ee][Ss])
        echo
        echo "Renewing Let's Encrypt certificates:"
        /usr/local/bin/certbot renew -q
        exit $?
        ;;
    *)
        exit 0
        ;;
esac

After writing it, change the permissions to 755.

root@www:/usr/local/etc/periodic/daily # chmod 755 999.certbot-renew
root@www:/usr/local/etc/periodic/daily # ls -l
total 14
-rwxr-xr-x  1 root wheel 2468 Oct 26 10:05 411.pkg-backup
-rwxr-xr-x  1 root wheel 1954 Oct 26 10:05 490.status-pkg-changes
-rwxr-xr-x  1 root wheel  419 Nov  2 18:33 999.certbot-renew

Next, create the /etc/periodic.conf file.

root@www:/usr/local/etc/periodic/daily # vi /etc/periodic.conf

Its only content is this one line (plain ASCII double quotes; typographic quotes are stored literally by sh and would never match the [Yy][Ee][Ss] pattern in the script above):

daily_certbot_enable="YES"

root@www:/usr/local/etc/periodic/daily # ls -l /etc/periodic.conf
-rw-r--r--  1 root wheel 31 Nov  2 18:42 /etc/periodic.conf

That looks right.
Finally, open the configuration files in /usr/local/etc/letsencrypt/renewal/.

root@www:/usr/local/etc/periodic/daily # cd /usr/local/etc/letsencrypt/renewal/
root@www:/usr/local/etc/letsencrypt/renewal # ls -l
total 9
-rw-r--r--  1 root wheel 588 Nov  2 18:01 blog.still-laughin.com.conf
-rw-r--r--  1 root wheel 635 Nov  2 16:32 www.still-laughin.com.conf
root@www:/usr/local/etc/letsencrypt/renewal # vi www.still-laughin.com.conf

Insert "# renew_before_expiry = 30 days" as the first line.

# renew_before_expiry = 30 days
version = 4.2.0

Same for blog.
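As an added example (not part of the original post), the following sh script verifies the renewal setup from the steps above: it evaluates daily_certbot_enable exactly as the 999.certbot-renew hook does, confirms the hook is an executable file, and reports any certificate under /usr/local/etc/letsencrypt/live/ that is already inside certbot's 30-day renewal window. The PERIODIC_CONF, HOOK and LIVE variables and the check_renewal_setup function are my own names; openssl(1) is assumed to be present.

```shell
#!/bin/sh
# Added example (not from the original post): checks that the daily periodic
# renewal hook set up above can actually fire. The value check sources the
# file the way periodic(8) does and applies the same case pattern as
# 999.certbot-renew, so a value that looks right in an editor but never
# matches (e.g. typographic quotes pasted from a web page) is caught early.

PERIODIC_CONF=${PERIODIC_CONF:-/etc/periodic.conf}
HOOK=${HOOK:-/usr/local/etc/periodic/daily/999.certbot-renew}
LIVE=${LIVE:-/usr/local/etc/letsencrypt/live}

# Print daily_certbot_enable exactly as sh sees it after sourcing the file.
periodic_value() {  # $1 = path to a periodic.conf
    ( . "$1" 2>/dev/null; printf '%s' "$daily_certbot_enable" )
}

# Same test as the hook script: returns 0 only if renewal would really run.
renew_enabled() {  # $1 = path to a periodic.conf
    case "$(periodic_value "$1")" in
        [Yy][Ee][Ss]) return 0 ;;
        *)            return 1 ;;
    esac
}

# periodic(8) silently skips a hook that is not an executable file.
hook_runnable() {  # $1 = path to the hook script
    [ -f "$1" ] && [ -x "$1" ]
}

# Returns 0 if the certificate stays valid for more than $2 more days
# (openssl(1) is assumed available, as it is in FreeBSD base).
valid_for_days() {  # $1 = path to cert.pem, $2 = days
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

check_renewal_setup() {
    renew_enabled "$PERIODIC_CONF" && echo "ok: renewal enabled in $PERIODIC_CONF" ||
        echo "FAIL: daily_certbot_enable='$(periodic_value "$PERIODIC_CONF")' never matches [Yy][Ee][Ss]"
    hook_runnable "$HOOK" && echo "ok: $HOOK is executable" ||
        echo "FAIL: $HOOK is missing or not mode 755"
    for d in "$LIVE"/*/; do   # certbot renews at 30 days left: less than that means a missed run
        valid_for_days "${d}cert.pem" 30 && echo "ok: $(basename "$d") has >30 days left" ||
            echo "WARN: $(basename "$d") is within 30 days of expiry or unreadable; try 'certbot renew --dry-run'"
    done
}

if [ "${1:-}" = "--check" ]; then check_renewal_setup; fi
```

Save it anywhere and run `sh check-renewal.sh --check` after the setup; a FAIL on the first line means the daily hook would exit 0 without ever calling certbot.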