To renew Let’s Encrypt certificates on FreeBSD, use certbot renew or certbot certonly --force-renew -d yourdomain.com after installing Certbot with pkg install py39-certbot. You can also test the renewal process with certbot renew --dry-run.
Here’s a more detailed breakdown:
1. Install Certbot:
Use the package manager:
pkg install py39-certbot
2. Renew Certificates:
- Automatic Renewal: Certbot should automatically renew certificates, but you can manually trigger it.
- Manual Renewal:
  - To initiate a renewal, run:
    certbot renew
  - To force a renewal for a specific domain, use:
    certbot certonly --force-renew -d yourdomain.com
- Dry Run: Test the renewal process without actually renewing the certificate:
  certbot renew --dry-run
3. Check Certificate Location:
- Certificates are typically located in /usr/local/etc/letsencrypt/live/yourdomain.com/.
Installing the necessary Programs.
$ sudo pkg search certbot
$ sudo pkg install py311-certbot-nginx
$ sudo certbot --nginx -v -d kj5bpp.com -d www.kj5bpp.com
Output from installing py311-certbot-nginx
This port installs the “standalone” client only, which does not use and
is not the certbot-auto bootstrap/wrapper script.
The simplest form of usage to obtain certificates is:
# sudo certbot certonly --standalone -d <domain>, [domain2, … domainN]>
NOTE:
The client requires the ability to bind on TCP port 80 or 443 (depending
on the --preferred-challenges option used). If a server is running on that
port, it will need to be temporarily stopped so that the standalone server
can listen on that port to complete the challenge authentication process.
For more information on the ‘standalone’ mode, see:
https://certbot.eff.org/docs/using.html#standalone
The certbot plugins to support apache and nginx certificate installation
will be made available in the following ports:
* Apache plugin: security/py-certbot-apache
* Nginx plugin: security/py-certbot-nginx
In order to automatically renew the certificates, add this line to
/etc/periodic.conf:
weekly_certbot_enable="YES"
More config details in the certbot periodic script:
/usr/local/etc/periodic/weekly/500.certbot-3.11
References:
https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-letsencrypt-freebsd
Do not forget to back up your certs from /usr/local/etc/letsencrypt/live.
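The files under live/ are symbolic links into the sibling archive/ directory, so a copy of live/ alone holds no keys or certificates. The script below is an added example, not part of the original page: it archives the whole Certbot directory with owner-only permissions and checks that every live/ link target is in the tarball. The function name and the backup path in the usage comment are assumptions.

```sh
#!/bin/sh
# Added example (not from the original page): back up the whole Certbot tree.
# live/<domain>/*.pem are symlinks into ../../archive/<domain>/, so an archive
# of live/ alone contains links but no key or certificate files.

# backup_letsencrypt SRC_DIR DEST_TARBALL   (hypothetical helper name)
backup_letsencrypt() {
    src="$1"; dest="$2"
    if [ ! -d "$src/live" ] || [ -z "$dest" ]; then
        echo "usage: backup_letsencrypt SRC_DIR DEST_TARBALL" >&2
        return 2
    fi
    src_real=$(cd "$src" && pwd -P) || return 1

    # The tarball holds private keys: make it readable by the owner only.
    ( umask 077 && tar -czf "$dest" -C "$src_real" . ) && chmod 600 "$dest" || return 1

    # Verify that every symlink under live/ points at a file in the tarball.
    listing=$(tar -tzf "$dest") || return 1
    for link in "$src_real"/live/*/*.pem; do
        [ -L "$link" ] || continue
        target=$(readlink "$link")   # e.g. ../../archive/example.test/privkey1.pem
        target_dir=$(cd "$(dirname "$link")" && cd "$(dirname "$target")" 2>/dev/null && pwd -P) || {
            echo "dangling link: $link -> $target" >&2
            return 1
        }
        # Path of the link target relative to SRC_DIR, as tar lists it.
        rel="${target_dir#"$src_real"/}/$(basename "$target")"
        if ! printf '%s\n' "$listing" | grep -qxF -- "./$rel"; then
            echo "not in backup: $link -> $target" >&2
            return 1
        fi
    done
    echo "backup ok: $dest"
}

# Usage on the FreeBSD layout from this page (run as root; destination is an
# assumed path):
#   backup_letsencrypt /usr/local/etc/letsencrypt /root/letsencrypt-backup.tar.gz
```

Store the resulting tarball off the server and treat it like the private keys it contains.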