 The client requires the ability to bind on TCP port 80 or 443 (depending
 on the --preferred-challenges option used). If a server is running on that
 port, it will need to be temporarily stopped so that the standalone server
 can listen on that port to complete the challenge authentication process.
 For more information on the 'standalone' mode, see:
 The certbot plugins to support apache and nginx certificate installation
 will be made available in the following ports:
  * Apache plugin: security/py-certbot-apache
  * Nginx plugin: security/py-certbot-nginx
 In order to automatically renew the certificates, add this line to
     weekly_certbot_enable="YES"      ← registered automatically
 More config details in the certbot periodic script:
     /usr/local/etc/periodic/weekly/500.certbot-3.6    ← registered automatically

 # https://freebsd.sing.ne.jp/daily/04/03/05.html
 certbot \
 	renew \
 	--standalone \
 	--force-renewal \
 	--expand \
 	--pre-hook "/usr/local/etc/rc.d/apache24 stop" \
 	--post-hook "/usr/local/etc/rc.d/apache24 start"

/etc/crontab: renew once every two months
 5	0	1	*/2	*	root	/root/bin/Certbot_Renew.sh


 certbot renew

 certbot renew --webroot -w /usr/local/www/apache24/data/ --renew-by-default


 --renew-by-default --dry-run
   987  8:32    locate certbot
 Installing py27-certbot-0.18.1,1...
 This port installs the "standalone" Python client only, which does not use and
 is not the certbot-auto bootstrap/wrapper script.
 To obtain certificates, use the 'certonly' command as follows:
  # sudo certbot certonly --standalone -d [server FQDN]
 Note: The client currently requires the ability to bind on TCP port 80. If
 you have a server running on this port, it will need to be temporarily stopped
 so that the standalone server can listen on that port to complete
 The certbot plugins to support apache and nginx certificate installation
 will be made available soon in the following ports:
  * Apache plugin: security/py-certbot-apache
  * Nginx plugin: security/py-certbot-nginx

 Saving debug log to /var/log/letsencrypt/letsencrypt.log
 Plugins selected: Authenticator standalone, Installer None
 Enter email address (used for urgent renewal and security notices) (Enter 'c' to
 cancel): webmaster@smb.net
 Please read the Terms of Service at
 https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf. You must agree
 in order to register with the ACME server at
 (A)gree/(C)ancel: A
 Would you be willing to share your email address with the Electronic Frontier
 Foundation, a founding partner of the Let's Encrypt project and the non-profit
 organization that develops Certbot? We'd like to send you email about EFF and
 our work to encrypt the web, protect its users and defend digital rights.
 (Y)es/(N)o: Y
 Obtaining a new certificate
 Performing the following challenges:
 tls-sni-01 challenge for sun1.smb.net
 Cleaning up challenges
 Problem binding to port 443: Could not bind to IPv4 or IPv6.
  - Your account credentials have been saved in your Certbot
    configuration directory at /usr/local/etc/letsencrypt. You should
    make a secure backup of this folder now. This configuration
    directory will also contain certificates and private keys obtained
    by Certbot so making regular backups of this folder is ideal.

 Stopping apache24.
 Waiting for PIDS: 878.
 Saving debug log to /var/log/letsencrypt/letsencrypt.log
 Plugins selected: Authenticator standalone, Installer None
 Obtaining a new certificate
 Performing the following challenges:
 tls-sni-01 challenge for sun1.smb.net
 Waiting for verification...
 Cleaning up challenges
  - Congratulations! Your certificate and chain have been saved at:
    Your key file has been saved at:
    Your cert will expire on 2017-12-25. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot
    again. To non-interactively renew *all* of your certificates, run
    "certbot renew"
  - If you like Certbot, please consider supporting our work by: 
    Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
    Donating to EFF:                    https://eff.org/donate-le
 root@sun1:~:17_09_26:10:54 #

 root@sun1:/usr/local/etc/letsencrypt:17_09_26:10:57 # ll
 total 24
 drwx------  3 root  wheel  512 Sep 26 10:42 accounts/
 drwx------  3 root  wheel  512 Sep 26 10:54 archive/
 drwxr-xr-x  2 root  wheel  512 Sep 26 10:54 csr/
 drwx------  2 root  wheel  512 Sep 26 10:54 keys/
 drwx------  3 root  wheel  512 Sep 26 10:54 live/
 drwxr-xr-x  2 root  wheel  512 Sep 26 10:54 renewal/
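
 Added example (not part of the original notes or of Certbot): a POSIX sh check that the key-bearing subdirectories in the listing above (accounts, archive, keys, live) and any private key files under them carry no group or other permission bits. The function names and the privkey*.pem and keys/*.pem file patterns are assumptions made for this example.

```sh
#!/bin/sh
# Added example: audit permissions of a Certbot configuration directory.
# Assumption: the layout matches the listing above (accounts/ archive/ keys/ live/).
# Usage: audit_letsencrypt_dir /usr/local/etc/letsencrypt

# Print the group and other permission bits of a path, e.g. "------" or "r-xr-x".
# Columns 5-10 of the "ls -l" mode string are the group and other triplets.
group_other_bits() {
    ls -ld "$1" | cut -c5-10
}

# audit_letsencrypt_dir DIR
# Prints one line per finding.
# Returns 0 if nothing is exposed, 1 if something is, 2 if DIR is not a directory.
audit_letsencrypt_dir() {
    base=$1
    findings=0
    if [ ! -d "$base" ]; then
        echo "not a directory: $base" >&2
        return 2
    fi
    # Directories that hold account keys or certificate private keys.
    for sub in accounts archive keys live; do
        dir="$base/$sub"
        [ -d "$dir" ] || continue
        if [ "$(group_other_bits "$dir")" != "------" ]; then
            echo "EXPOSED DIR  $dir"
            findings=$((findings + 1))
        fi
    done
    # Private key files themselves (file name patterns are an assumption).
    for key in "$base"/archive/*/privkey*.pem "$base"/keys/*.pem; do
        [ -f "$key" ] || continue
        if [ "$(group_other_bits "$key")" != "------" ]; then
            echo "EXPOSED KEY  $key"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}
```

 A key file reported here while its parent directory is still mode 700 is not reachable by other users, but it becomes readable as soon as the directory mode is loosened or the tree is copied without preserving modes, for example into a backup.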

 Listen 443
 SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES:!IDEA
 SSLHonorCipherOrder on 
 SSLProtocol all -SSLv3 -SSLv2
 SSLProxyProtocol all -SSLv3 -SSLv2
 SSLPassPhraseDialog  builtin
 SSLSessionCache        "shmcb:/var/run/ssl_scache(512000)"
 SSLSessionCacheTimeout  300
 SSLUseStapling On
 SSLStaplingCache "shmcb:/var/run/ssl_stapling(32768)"
 SSLStaplingStandardCacheTimeout 3600
 SSLStaplingErrorCacheTimeout 600
 <VirtualHost _default_:443>
 # To enable HTTP/2, carry out the steps described later: https://piano2nd.smb.net/~kuji/pukiwiki-1.4.7/index.php?SSL#k1b68f44
 Protocols h2 http/1.1
 DocumentRoot "/usr/local/www/apache24/data"
 ServerName sun1.smb.net:443
 ServerAdmin webmaster@smb.net
 ErrorLog "/var/log/httpd-error.log"
 TransferLog "/var/log/httpd-access.log"
 SSLEngine on
 SSLCertificateFile "/usr/local/etc/letsencrypt/live/sun1.smb.net/fullchain.pem"
 SSLCertificateKeyFile "/usr/local/etc/letsencrypt/live/sun1.smb.net/privkey.pem"
 <FilesMatch "\.(cgi|shtml|phtml|php)$">
     SSLOptions +StdEnvVars
 </FilesMatch>
 <Directory "/usr/local/www/apache24/cgi-bin">
     SSLOptions +StdEnvVars
 </Directory>
 BrowserMatch "MSIE [2-5]" \
          nokeepalive ssl-unclean-shutdown \
          downgrade-1.0 force-response-1.0
 CustomLog "/var/log/httpd-ssl_request.log" \
           "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
 </VirtualHost>
 # Add the following line at the end of the file.
 Header set Strict-Transport-Security " max-age=315360000;"

 LoadModule log_config_module libexec/apache24/mod_log_config.so
 LoadModule setenvif_module libexec/apache24/mod_setenvif.so
 LoadModule ssl_module libexec/apache24/mod_ssl.so
 LoadModule socache_shmcb_module libexec/apache24/mod_socache_shmcb.so

 Include etc/apache24/extra/httpd-ssl.conf

 Saving debug log to /var/log/letsencrypt/letsencrypt.log
 Processing /usr/local/etc/letsencrypt/renewal/sun1.smb.net.conf
 Plugins selected: Authenticator webroot, Installer None
 Renewing an existing certificate
 Performing the following challenges:
 http-01 challenge for sun1.smb.net
 Using the webroot path /usr/local/www/apache24/data for all unmatched domains.
 Waiting for verification...
 Cleaning up challenges
 new certificate deployed without reload, fullchain is
 ** DRY RUN: simulating 'certbot renew' close to cert expiry
 **          (The test certificates below have not been saved.)
 Congratulations, all renewals succeeded. The following certs have been renewed:
   /usr/local/etc/letsencrypt/live/sun1.smb.net/fullchain.pem (success)
 ** DRY RUN: simulating 'certbot renew' close to cert expiry
 **          (The test certificates above have not been saved.)
  - Your account credentials have been saved in your Certbot
    configuration directory at /usr/local/etc/letsencrypt. You should
    make a secure backup of this folder now. This configuration
    directory will also contain certificates and private keys obtained
    by Certbot so making regular backups of this folder is ideal.

 0 2,5 * * * /usr/local/bin/certbot renew --agree-tos --webroot -w /usr/local/www/apache24/data/ --renew-by-default && /usr/local/etc/rc.d/apache24 reload

 Installing mod_http2-devel-1.10.11...
 If you want to have the h2 module enabled in your apache installation,
 you need to add
    LoadModule http2_module modules/mod_h2.so
 somewhere in your config files and add a line like
    H2Engine on
 whereever you want the module to be active (general server of specific
 virtual hosts).
 NB: The shared libraries were renamed from mod_http2 to mod_h2 to
     avoid conflicts with the (now bundled) mod_http2 in www/apache24

 LoadModule http2_module libexec/apache24/mod_h2.so

 Add the following directive below <VirtualHost _default_:443>.
 Protocols h2 http/1.1

