Using Let's Encrypt

[Date]: 2022/08/03

First, install the Certbot port, which is also the tool Let's Encrypt recommends:
# cd /usr/ports/security/py-certbot/
# make install clean

certbot certonly  -d XXXX.com.tw

Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):1

Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel):master@XXX.com.tw

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o:Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o:Y

Account registered.
Requesting a certificate for XXXX.com.tw

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Could not bind TCP port 80 because it is already in use by another process on
this system (such as a web server). Please stop the program in question and then
try again.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(R)etry/(C)ancel:

If the message above appears, stop Apache first:

/usr/local/etc/rc.d/apache24 stop

Then request the certificate again.

On success you will see:

Successfully received certificate.
Certificate is saved at: /usr/local/etc/letsencrypt/live/XXXX.com.tw/fullchain.pem
Key is saved at: /usr/local/etc/letsencrypt/live/XXXX.com.tw/privkey.pem
This certificate expires on 2022-11-03.
These files will be updated when the certificate renews.

NEXT STEPS:
- The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Edit httpd.conf:

ee /usr/local/etc/apache24/httpd.conf


#LoadModule ssl_module libexec/apache24/mod_ssl.so

Remove the leading # from the line above to enable mod_ssl.

At the end of the file, add:


Listen 443

Include /usr/local/etc/apache24/extra/httpd-vhosts-le-ssl.conf

Create the file /usr/local/etc/apache24/extra/httpd-vhosts-le-ssl.conf

with the following content:



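# The enclosing <VirtualHost> tags are missing from the page's listing;
# *:443 is assumed from the Listen 443 directive above.
<VirtualHost *:443>
ServerAdmin master@XXXX.tw
DocumentRoot "/usr/local/www/apache24/data"
ServerName XXXX.com.tw
ServerAlias www.XXXX.com.tw
ErrorLog "/var/log/XXXX-error_log"
CustomLog "/var/log/XXXX-access_log" combined

# Certificate chain and private key issued by Certbot
SSLCertificateFile /usr/local/etc/letsencrypt/live/XXXX.com.tw/fullchain.pem
SSLCertificateKeyFile /usr/local/etc/letsencrypt/live/XXXX.com.tw/privkey.pem
# Apache will not start if this Include target does not exist; confirm the file is present
Include /usr/local/etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>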

To renew the certificate:

# /usr/local/etc/rc.d/apache24 stop     // stop the Apache server

# /usr/local/bin/certbot renew     // renew the certificate

# /usr/local/etc/rc.d/apache24 start     // start the Apache server
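
The following pre-flight check is an added example, not part of the original page: before starting Apache, it confirms that every file named by SSLCertificateFile, SSLCertificateKeyFile and Include in the vhost file exists, and that the private key is not readable by group or others. The function names `directive_paths` and `check_ssl_vhost` are hypothetical, and the script assumes absolute paths with no spaces or wildcards, as in the configuration above.

```shell
#!/bin/sh
# Added example (not from the original page): pre-flight check of the SSL vhost
# file before starting Apache. Assumes absolute paths without spaces or wildcards.

# Print the first argument of every uncommented occurrence of a directive.
directive_paths() {   # $1 = directive name, $2 = config file
    awk -v d="$1" 'tolower($1) == tolower(d) { gsub(/"/, "", $2); print $2 }' "$2"
}

# Return 0 only if every referenced file exists and the key is owner-only.
check_ssl_vhost() {   # $1 = vhost config file
    conf=$1
    if [ ! -r "$conf" ]; then
        echo "FAIL: cannot read $conf"
        return 1
    fi
    report=$(
        for d in SSLCertificateFile SSLCertificateKeyFile Include; do
            directive_paths "$d" "$conf" | while IFS= read -r p; do
                if [ ! -r "$p" ]; then
                    # Apache will not start if any of these targets is missing.
                    echo "FAIL: $d $p is missing or unreadable"
                elif [ "$d" = SSLCertificateKeyFile ] &&
                     [ -n "$(find -L "$p" \( -perm -040 -o -perm -004 \))" ]; then
                    echo "FAIL: $d $p is readable by group or others"
                else
                    echo "ok:   $d $p"
                fi
            done
        done
    )
    printf '%s\n' "$report"
    case $report in
        *FAIL:*) return 1 ;;
    esac
    return 0
}

# Run the check when a config path is given on the command line.
if [ "$#" -gt 0 ]; then
    check_ssl_vhost "$1"
fi
```

Run it as root with the vhost file as its argument, between `certbot renew` and the Apache start; a non-zero exit status means at least one FAIL line was printed.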