Well, here's a start, but it's going to be rough. I'm somewhat familiar with using letsencrypt.sh, but only on Linux systems, and things are a little different on FreeBSD. These steps will pretty much replace step 3 in
@cyberjock's instructions. Assumptions:
- You have a hostname accessible from the Internet
- Port 80 is forwarded to your Owncloud jail. IOW, http://yourhostname.tld will bring up the web server in your owncloud jail.
- You've already installed Owncloud as described, and it's running.
- Nano is installed as an editor. If you prefer a different editor, substitute it for nano in the instructions below
Edit:
Caveat: The instructions below should be basically correct, but I can't directly test them, because I run my own server that listens on port 80. I therefore can't forward port 80 to a jail on my FreeNAS box, which would be necessary in order to properly test.
Letsencrypt.sh is a bash script to handle generating and renewing certificates from letsencrypt.org. Conveniently, it's available as a FreeBSD package. These steps should get you started, from inside your owncloud jail:
- pkg install letsencrypt.sh
- mkdir -p /usr/local/www/.well-known/acme-challenge
- cd /usr/local/etc/letsencrypt.sh
- nano domains.txt
- Enter your hostname. That's it. Ctrl-X to exit, Y to save
- cp config.sh.example config.sh
- nano config.sh
- Most of the contents here can be left at their defaults. Uncomment the line setting WELLKNOWN, and set it to "/usr/local/www/.well-known/acme-challenge". You'll also want to uncomment the CONTACT_EMAIL line and set it to an email address to receive notifications from the LE system. Ctrl-X to exit, Y to save.
- nano /usr/local/www/.well-known/acme-challenge/test.txt
- Enter whatever you want in test.txt. chmod 666 /usr/local/www/.well-known/acme-challenge/test.txt
- Browse to http://$YOURHOSTNAME/.well-known/acme-challenge/test.txt, and make sure you see the contents of that file. Ideally, you should do this test from outside your network (using the Tor browser, for example, or by turning off the WiFi on your smartphone/tablet). If you don't, then stop--something's wrong (or at least not as I expect it to be) with your nginx configuration. $YOURHOSTNAME should be exactly the same as you entered in domains.txt.
- If the test above succeeded, run 'letsencrypt.sh -c'. It should run and create your certificate.
- If the above succeeded, your certificate is in /usr/local/etc/letsencrypt.sh/certs/$YOURHOSTNAME/fullchain.pem, and the server private key is in /usr/local/etc/letsencrypt.sh/certs/$YOURHOSTNAME/privkey.pem. Use these pathnames for the remainder of @cyberjock's walkthrough
Let's Encrypt will give you a trusted TLS certificate for your server. It's only good for 90 days, however. letsencrypt.sh is designed to be run automatically, from a cron job, to renew your cert whenever it has less than 30 days remaining. To enable this, edit /etc/periodic.conf and add the following lines:
- weekly_letsencrypt_enable="YES"
- weekly_letsencrypt_deployscript="/usr/local/etc/rc.d/nginx reload"
Yes, this is more involved than the steps
@cyberjock gave. However, it will give you a trusted certificate (green padlock in your browser), and it will automatically renew indefinitely.
