1. Web server (Apache) SSL conversion
Renewal can additionally be handled through FreeBSD's periodic job settings.
Install Certbot via pkg, and include the plugin for Apache to update in webroot mode.
1.1 Installing the Certbot tool for Let's Encrypt
Search for Certbot versions that can be installed
# pkg search certbot
py311-certbot-4.2.0,1 Let's Encrypt client
py311-certbot-apache-4.2.0 Apache plugin for Certbot
py311-certbot-dns-cloudflare-4.2.0 Cloudflare DNS plugin for Certbot
py311-certbot-dns-cpanel-0.4.0_1 CPanel DNS Authenticator plugin for Certbot
py311-certbot-dns-digitalocean-4.2.0 DigitalOcean DNS Authenticator plugin for Certbot
py311-certbot-dns-dnsimple-4.2.0 DNSimple DNS Authenticator plugin for Certbot
py311-certbot-dns-dnsmadeeasy-4.2.0 DNS Made Easy DNS Authenticator plugin for Certbot
py311-certbot-dns-gandi-1.5.0_1 Gandi LiveDNS plugin for Certbot
You can install only py311-certbot.
Run the following command to install the Certbot package and the Apache HTTP plug-in:
# pkg install py311-certbot py311-certbot-apache
1.2 Apache Configuration File Editing
① Enable the mod_ssl module and add the HTTPS port
# vi /usr/local/etc/apache24/httpd.conf
Around line 53 : Add
Listen 443
Around line 92 : Uncomment
LoadModule socache_shmcb_module libexec/apache24/mod_socache_shmcb.so
Around line 148 : Uncomment
LoadModule ssl_module libexec/apache24/mod_ssl.so
1.3 Enable Rewrite module
Needed to rewrite the URL when redirecting from HTTP to HTTPS.
# vi /usr/local/etc/apache24/httpd.conf
Around line 181 : Uncomment
LoadModule rewrite_module libexec/apache24/mod_rewrite.so
Restart apache24
# service apache24 restart
1.4 Obtaining a Let's Encrypt Certificate
To obtain a certificate covering only a single domain [FQDN], run the following certbot command.
This time we use the --standalone option, so stop Apache first.
# service apache24 stop
# certbot certonly --standalone -d [FQDN]
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address or hit Enter to skip.
(Enter 'c' to cancel): [E-mail address]
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at:
https://letsencrypt.org/documents/LE-SA-v1.7-June-04-2026.pdf
You must agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
Account registered.
Requesting a certificate for [FQDN]
Successfully received certificate.
Certificate is saved at: /usr/local/etc/letsencrypt/live/[FQDN]/fullchain.pem
Key is saved at: /usr/local/etc/letsencrypt/live/[FQDN]/privkey.pem
This certificate expires on 2026-09-15.
These files will be updated when the certificate renews.
NEXT STEPS:
- The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Start apache24
# service apache24 start
1.5 Editing the Apache Configuration File
① Editing /usr/local/etc/apache24/extra/httpd-ssl.conf
Copy httpd-ssl.conf to create bsd-httpd-ssl.conf (the name bsd-httpd-ssl is arbitrary).
# cp /usr/local/etc/apache24/extra/httpd-ssl.conf /usr/local/etc/apache24/extra/bsd-httpd-ssl.conf
# vi /usr/local/etc/apache24/extra/bsd-httpd-ssl.conf
Line 36 : Comment-out
#Listen 443
Line 124-128 : Change as follows
DocumentRoot "/usr/local/www/apache24/data/[FQDN]"
ServerName [FQDN]:443
ServerAdmin [mail address]
ErrorLog "/var/log/[FQDN].httpd-error.log"
TransferLog "/var/log/[FQDN].httpd-access.log"
Line 129 : Add
CustomLog "/var/log/httpd/[FQDN].httpd-ssl-access.log" combined
Line 144 : Comment-out
#SSLCertificateFile "/usr/local/etc/apache24/server.crt"
Line 147 : Add
SSLCertificateFile "/usr/local/etc/letsencrypt/live/[FQDN]/cert.pem"
Line 154 : Comment-out
#SSLCertificateKeyFile "/usr/local/etc/apache24/server.key"
Line 157 : Add
SSLCertificateKeyFile "/usr/local/etc/letsencrypt/live/[FQDN]/privkey.pem"
Line 166 : Add
SSLCertificateChainFile "/usr/local/etc/letsencrypt/live/[FQDN]/chain.pem"
Line 287,288 : Comment-out
#CustomLog "/var/log/httpd-ssl_request.log" \
# "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
② Create a symbolic link so that Apache reads bsd-httpd-ssl.conf
Apache includes the *.conf files found in the Includes directory.
# ln -s /usr/local/etc/apache24/extra/bsd-httpd-ssl.conf /usr/local/etc/apache24/Includes/bsd-httpd-ssl.conf
1.6 Redirect HTTP communications to HTTPS
Add the following to the virtual host configuration file
RewriteEngine on
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
# cd /usr/local/etc/apache24/extra
# vi bsd-vhost.conf
<VirtualHost *:80>
RewriteEngine on
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
ServerAdmin [E-mail address]
DocumentRoot "/usr/local/www/apache24/data/[FQDN]"
ServerName [FQDN]
ErrorLog "/var/log/httpd/[FQDN].error_log"
CustomLog "/var/log/httpd/[FQDN].access_log" common
</VirtualHost>
<Directory /usr/local/www/apache24/data/[FQDN]>
AddHandler cgi-script .cgi
Options FollowSymlinks Includes
AllowOverride All
Require all granted
</Directory>
2. Webmin
Webmin is a web browser-based tool for configuring Unix-like operating systems (OS) such as Linux. It allows users to make numerous changes to internal OS settings such as user and disk usage limits, services, configuration files, etc., and to modify and control many open source applications such as Apache, PHP, MySQL, and others.
Webmin is built primarily in Perl and runs as its own process and web server. By default, it communicates on TCP port 10000.
2.1 Install
# pkg install webmin
2.2 Setup
Perform the initial setup as follows.
Login user: admin
Password: any (hyu6kon)
For all other prompts, press Enter to accept the default.
# /usr/local/lib/webmin/setup.sh
Welcome to the Webmin setup script, version 2.610
Webmin is a web-based interface that allows Unix-like operating
systems and common Unix services to be easily administered.
Installing Webmin in /usr/local/lib/webmin
Webmin uses separate directories for configuration files and log files.
Unless you want to run multiple versions of Webmin at the same time
you can just accept the defaults.
Config file directory [/usr/local/etc/webmin]: /usr/local/etc/webmin
Log file directory [/var/db/webmin]: /var/db/webmin
Webmin is written entirely in Perl. Please enter the full path to the
Perl 5 interpreter on your system.
Full path to perl (default /usr/local/bin/perl): /usr/local/bin/perl
Testing Perl ..
.. done
Operating system name: FreeBSD
Operating system version: 15.1
Webmin uses its own password protected web server to provide access
to the administration programs. The setup script needs to know :
- What port to run the web server on. There must not be another
web server already using this port.
- The login name required to access the web server.
- The password required to access the web server.
- If the web server should use SSL (if your system supports it).
- Whether to start webmin at boot time.
Web server port (default 10000):
Login name (default admin): [enter]
Login password: [password]
Password again: [password]
Use SSL (y/n): y
**********************************************************
Creating web server config files ..
.. done
Creating access control file ..
.. done
Creating start and stop scripts ..
.. done
Copying config files ..
.. done
Changing ownership and permissions ..
.. done
Running postinstall scripts ..
.. done
Enabling background status collection ..
.. done
2.3 Edit /etc/rc.conf
# sysrc webmin_enable=YES
webmin_enable: -> YES
2.4 Start
The startup script is /usr/local/etc/rc.d/webmin
# service webmin start
Starting webmin.
Starting Webmin server in /usr/local/lib/webmin
2.5 Webmin SSL Configuration
Combine the Let's Encrypt certificate and private key obtained during web server SSL configuration into a single .pem file. (In this case, we'll name it webmin.pem)
# cat /usr/local/etc/letsencrypt/live/[FQDN]/fullchain.pem /usr/local/etc/letsencrypt/live/[FQDN]/privkey.pem > webmin.pem
Move the webmin.pem certificate file to the Webmin configuration directory.
# mv webmin.pem /usr/local/etc/webmin/
Edit the main Webmin configuration file
Modify the keyfile entry as follows:
# vi /usr/local/etc/webmin/miniserv.conf
Line 30 : Change
keyfile=/usr/local/etc/webmin/webmin.pem
Restart Webmin
# service webmin restart
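The combined webmin.pem contains the private key, inherits whatever mode the shell's umask gives it (world-readable under the default 022), and goes stale when certbot renews the certificate. As an added example that is not part of the original page, the sh function below rebuilds the file with owner-only permissions and an atomic rename, and can run as a certbot deploy hook; the function name `build_webmin_pem` and the hook wiring are assumptions.

```sh
#!/bin/sh
# Added example, not from the original page. build_webmin_pem and the hook
# wiring at the bottom are assumed names; the paths follow the page.

# build_webmin_pem LIVE_DIR DEST
# Concatenate fullchain.pem and privkey.pem from a certbot live directory
# into DEST, readable by its owner only, replacing DEST atomically.
build_webmin_pem() {
    live_dir=$1
    dest=$2

    # Refuse to build from missing or empty inputs.
    for f in fullchain.pem privkey.pem; do
        if [ ! -s "$live_dir/$f" ]; then
            echo "missing or empty: $live_dir/$f" >&2
            return 1
        fi
    done
    # Cheap sanity check that each file is the PEM type we expect.
    grep -q -e '-----BEGIN CERTIFICATE-----' "$live_dir/fullchain.pem" || return 1
    grep -q -e 'PRIVATE KEY-----' "$live_dir/privkey.pem" || return 1

    # mktemp creates the file with mode 0600, so the key is never
    # world-readable, unlike a plain "cat ... > webmin.pem" under umask 022.
    # The temp file lives next to DEST so that mv is an atomic rename.
    tmp=$(mktemp "$dest.XXXXXX") || return 1
    if cat "$live_dir/fullchain.pem" "$live_dir/privkey.pem" > "$tmp" &&
       chmod 600 "$tmp" &&
       mv -f "$tmp" "$dest"; then
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# certbot exports RENEWED_LINEAGE (the live directory of the renewed
# certificate) to deploy hooks; do nothing when run outside a hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    build_webmin_pem "$RENEWED_LINEAGE" /usr/local/etc/webmin/webmin.pem &&
        service webmin restart
fi
```

Saved as an executable script, it can be passed to `certbot renew --deploy-hook <script>` so that Webmin picks up each renewed certificate.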
2.6 Login
Open port 10000 on the firewall in advance (add it to ipfw.rules).
The router settings also need to be changed if connecting from outside.
In a browser, access https://<server domain or IP address>:10000/ to display the login screen.
Log in with the user and password you have set.

Webmin main screen

Click [Webmin] - [Change Language and Theme] in the left menu, and change to Japanese from [Personal choice] in the right pane.

The menu has been changed to Japanese.

