At the time of writing, letsencrypt had been out of beta for some months and I decided to give it a go. I’ve had good experience with StartSSL and their free certificate for one hostname, but I’ve been following the letsencrypt developments and I really stand behind what they are doing.
I have to say I was somewhat surprised by the results. It was really easy to set up and the certificate was trusted, no problem. Even SSL Labs didn’t complain :).
Here’s how I did it.
On your FreeNAS host, find out which jail is running owncloud and enter it:
jls
jexec 3 tcsh
Install the needed packages within this jail:
pkg install py27-letsencrypt
Stop apache and start the setup wizard:
/usr/pbi/owncloud-amd64/etc/rc.d/apache24 stop
letsencrypt certonly
Softlink the new certs from the apache directory (replace your.domain.org with the domain name from step 3):
/usr/pbi/owncloud-amd64/etc/rc.d/apache24 start
cd /usr/pbi/owncloud-amd64/etc/apache24/
ln -s /usr/local/etc/letsencrypt/live/your.domain.org/cert.pem letsencrypt.crt
ln -s /usr/local/etc/letsencrypt/live/your.domain.org/privkey.pem letsencrypt.key
ln -s /usr/local/etc/letsencrypt/live/your.domain.org/chain.pem letsencrypt_chain.crt
Edit extra/httpd-ssl.conf and change it so that it reads:
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
SSLCertificateFile "/usr/pbi/owncloud-amd64/etc/apache24/letsencrypt.crt"
SSLCertificateKeyFile "/usr/pbi/owncloud-amd64/etc/apache24/letsencrypt.key"
SSLCACertificateFile "/usr/pbi/owncloud-amd64/etc/apache24/letsencrypt_chain.crt"
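The SSLProtocol and SSLCipherSuite values above can be audited before Apache is restarted. The script below is an added example, not part of the original post: it flags protocols that `all -SSLv2 -SSLv3` leaves enabled (TLS 1.0 and 1.1, deprecated by RFC 8996) and cipher tokens such as RC4 (prohibited for TLS by RFC 7465). The function name `audit_ssl_conf` and the list of weak tokens are assumptions made for this example.

```shell
#!/bin/sh
# audit_ssl_conf FILE: flag legacy protocols and explicitly named weak ciphers
# in an Apache mod_ssl config. Prints one finding per line, returns 1 if any.
audit_ssl_conf() {
    conf=$1; found=0
    # Last uncommented occurrence of each directive ("#SSL..." never matches $1).
    proto=$(awk '$1 == "SSLProtocol" { $1 = ""; v = $0 } END { print v }' "$conf" | tr 'A-Z' 'a-z')
    suite=$(awk '$1 == "SSLCipherSuite" { $1 = ""; v = $0 } END { print v }' "$conf" | tr -d '"' | tr ':,' '  ')
    # Replay the protocol list in order: "all" or +P enables, -P disables,
    # a bare protocol name replaces the whole list.
    for p in sslv3 tlsv1 tlsv1.1; do
        on=0
        for tok in $proto; do
            case $tok in
                all|"+$p"|"$p") on=1 ;;
                "-$p") on=0 ;;
                [+-]*) ;;
                *) on=0 ;;
            esac
        done
        if [ "$on" -eq 1 ]; then echo "SSLProtocol: $p is enabled"; found=1; fi
    done
    # Token check only: !X and -X remove ciphers and +X just reorders, so skip them.
    for tok in $suite; do
        case $tok in
            '!'*|-*|+*) continue ;;
        esac
        case $tok in
            *RC4*|*3DES*|*MD5*|*EXP*|*NULL*|*LOW*)
                echo "SSLCipherSuite: weak token $tok"; found=1 ;;
        esac
    done
    return "$found"
}

# Constructed sample: the two directives as this page sets them.
sample=$(mktemp)
cat > "$sample" <<'EOF'
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
EOF
audit_ssl_conf "$sample" || echo "findings above: review before restarting Apache"
rm -f "$sample"
```

The check looks only at the tokens written in the directive; `openssl ciphers -v '<cipher string>'` lists the exact suites a string expands to on the host's OpenSSL build.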
Restart Apache HTTPD:
Check the logs for errors: