Using with h2o

Disclaimer: this post was created on 03-27-2016 for FreeBSD, it might not work on other platforms or versions.

This will be a really short guide about how to set up the H2O webserver with letsencrypt, and how to automate it. I’ve read a nice tutorial about letsencrypt and nginx on Peter Wemm’s site. This guide is similar, but for an h2o webserver. I intend to write another guide about www/h2o later, once v2.0 is released; this is just a short tutorial about letsencrypt.


You only need the www/h2o webserver (obviously) and the security/


First, install security/ from ports (with portmaster):

portmaster security/

Or from packages:

pkg install security/

Then configure h2o to redirect the domain validation request to the right folder.

        file.dir: "/usr/local/etc/"

The above needs to be in the part where h2o is configured to listen on port 80. The other important thing is to place this before the redirection to https (if any). Then restart h2o.

service h2o restart

Generate the certificates

Create a file containing the contact email address, and a domains.txt file with the domain (both with and without “www.”) and request a certificate. Replace with the actual domain. The options that can be configured are explained in the /usr/local/etc/ file.

# cd /usr/local/etc/
# echo 'CONTACT_EMAIL=your@email.address' >
# echo '' > domains.txt

Once you are done, the result should be the following:

 # INFO: Using main config file /usr/local/etc/
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting challenge for
 + Responding to challenge for
 + Challenge is valid!
 + Requesting certificate...
 + Checking certificate...
 + Done!
 + Creating fullchain.pem...
 + Done!

If everything went right, the certificate can be found in the /usr/local/etc/ folder.

Configure h2o to use the newly created certificates

H2O needs to be told where these certificates actually are, so the following lines need to be placed in the part where h2o is configured to listen on port 443.

certificate-file: /usr/local/etc/
key-file: /usr/local/etc/

Naturally you need to replace the folder names with the actual path. Then restart h2o.

service h2o restart

Automating letsencrypt

The certificates from letsencrypt are only valid for 90 days and therefore it is advisable to automate the process. It is possible to run with cron, but I like the “periodic” solution more. In order to make it work, place the following line in /etc/periodic.conf:


This way the server will check for certificate renewals every week and will renew the certificate when necessary (that is, when the remaining validity time is shorter than 30 days). Have fun!
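A weekly renewal job only helps if it keeps succeeding, so it is worth checking the served certificate against the 30-day renewal window described above. The script below is an added example, not part of the original guide or of the client it uses; the function names, the return-code convention and the throwaway test-certificate helper are assumptions, and it relies only on the standard `openssl x509 -checkend` option.

```shell
#!/bin/sh
# Added example (not from the original guide): check whether a certificate
# has entered the 30-day renewal window described in the text.

RENEW_DAYS=30   # renewal threshold taken from the text

# cert_needs_renewal FILE [DAYS]
#   0 = expires within DAYS (renewal due)
#   1 = valid for longer than DAYS
#   2 = file missing or not a parseable certificate
cert_needs_renewal() {
    cert=$1
    days=${2:-$RENEW_DAYS}
    [ -r "$cert" ] || return 2
    openssl x509 -noout -in "$cert" >/dev/null 2>&1 || return 2
    # -checkend exits 0 when the certificate is still valid after N seconds
    if openssl x509 -noout -checkend "$((days * 86400))" -in "$cert" >/dev/null 2>&1
    then
        return 1
    fi
    return 0
}

# report FILE [DAYS]: one status line for the periodic/cron mail, same return code
report() {
    rc=0
    cert_needs_renewal "$1" "${2:-$RENEW_DAYS}" || rc=$?
    case $rc in
        0) echo "RENEW: $1 expires within ${2:-$RENEW_DAYS} days" ;;
        1) echo "OK: $1 is valid for more than ${2:-$RENEW_DAYS} days" ;;
        *) echo "ERROR: cannot read or parse $1" ;;
    esac
    return "$rc"
}

# make_constructed_cert FILE DAYS: throwaway self-signed certificate used only
# as constructed sample input (hypothetical helper, the CN is a placeholder)
make_constructed_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=example.test" \
        -days "$2" -keyout "$1.key" -out "$1" >/dev/null 2>&1
}
```

Call `report` with the path of the fullchain.pem that h2o serves; a `RENEW` line that persists across two weekly runs means the renewal job itself is failing.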