HTTPS and SSL: Let's Encrypt Certificates

Introduction

Modern browsers mark plain HTTP sites as "Not Secure," and HTTPS is required for secure logins, e-commerce, and a number of browser features. Let's Encrypt provides free, automatically-renewing TLS certificates, and this page shows the tool GSP recommends on each system — acme.sh on FreeBSD 15 and Certbot on Rocky Linux 10 — for obtaining and renewing them. It builds on Apache and Virtual Hosting.

 

FreeBSD: acme.sh

Install acme.sh, then issue a certificate with the "webroot" method, which proves you control the domain by placing a temporary file in your site's document root:

# pkg install acme.sh
# acme.sh --set-default-ca --server letsencrypt        # one time, before your first issue
# acme.sh --issue -d example.com -d www.example.com \
    -w /home/youruser/public_html

Then install (copy) the certificate to a stable location Apache reads from, with an automatic reload on renewal:

# acme.sh --install-cert -d example.com \
    --cert-file      /usr/local/etc/apache24/certs/example.com/cert.pem \
    --key-file       /usr/local/etc/apache24/certs/example.com/key.pem \
    --fullchain-file /usr/local/etc/apache24/certs/example.com/fullchain.pem \
    --reloadcmd "service apache24 reload"

acme.sh installs its own cron entry to renew certificates automatically (Let's Encrypt certificates are valid for 90 days and renew well before expiry).

 

Rocky Linux: Certbot

Install Apache's TLS module and Certbot (from EPEL — see Installing Software), then let Certbot's Apache plugin read your virtual hosts, prove control of each domain, install the certificate, and add the HTTPS configuration for you:

# dnf install mod_ssl certbot python3-certbot-apache
# certbot --apache -d example.com -d www.example.com

Certbot stores the certificate under /etc/letsencrypt/live/example.com/ and installs a systemd timer that renews automatically. Confirm it with systemctl list-timers certbot-renew.timer, and test renewal safely with certbot renew --dry-run.

 

The HTTPS Virtual Host

If you manage the HTTPS virtual host yourself, add a *:443 block alongside your *:80 one, referencing the certificate files:

<VirtualHost *:443>
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /home/youruser/public_html

    SSLEngine on
    SSLCertificateFile      /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile   /etc/letsencrypt/live/example.com/privkey.pem
</VirtualHost>

(On FreeBSD, point these at the cert.pem / key.pem / fullchain.pem files acme.sh installed.) Thanks to SNI, one IP address can serve a separate certificate for every site you host.

 

Hardening

Once the certificate works, finish the job: redirect plain HTTP to HTTPS, and (once you are confident everything loads over HTTPS) enable HSTS so browsers refuse to fall back. A minimal redirect in the *:80 virtual host:

    Redirect permanent / https://example.com/

Apache's documentation covers cipher and protocol tuning if you need to meet a specific compliance standard.
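
The redirect and HSTS steps described above, written out as an added example (not GSP's own configuration). It reuses this page's example.com placeholders and the Rocky Linux certificate paths, assumes mod_headers is loaded, and the max-age values are illustrative choices:

```apache
# Added example. Requires mod_headers for the Header directive
# (a "LoadModule headers_module ..." line must be active).

<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com

    # Plain HTTP serves no content; every request is sent to HTTPS.
    # Let's Encrypt's HTTP validation follows this redirect, so webroot
    # renewals still work as long as the *:443 host serves the same
    # DocumentRoot.
    Redirect permanent / https://example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /home/youruser/public_html

    SSLEngine on
    SSLCertificateFile      /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile   /etc/letsencrypt/live/example.com/privkey.pem

    # Rollout value: browsers remember the policy for 5 minutes only,
    # so a mistake (mixed content, a forgotten HTTP-only page) ages out fast.
    # "always" also attaches the header to error responses.
    Header always set Strict-Transport-Security "max-age=300"

    # Once everything is confirmed to load over HTTPS, replace the line
    # above with a long-lived policy (one year here):
    # Header always set Strict-Transport-Security "max-age=31536000"
    #
    # Append "; includeSubDomains" only if every subdomain of example.com
    # already serves HTTPS; browsers will refuse plain HTTP to all of them.
</VirtualHost>
```

Browsers honour the Strict-Transport-Security header only when it arrives over HTTPS, which is why it belongs in the *:443 block and not the *:80 one. Check the result with apachectl configtest before reloading.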

 

Documentation


Toll Free 1-866-GSP-4400 • 1-301-464-9363 • service@gsp.com
Copyright © 1994-2026 GSP Services, Inc.