Letsencrypt install

crontab

#sudo crontab -e

10 8 * * * cd /home/ubuntu/ && ./certbot-auto renew  > /home/ubuntu/certbot.log 2>&1 && service nginx reload

Install cerbot.sh

#!/bin/bash

wget https://dl.eff.org/certbot-auto
chmod a+x ./certbot-auto
./certbot-auto --help
sudo mkdir /var/www/letsencrypt
sudo chown www-data:www-data /var/www/letsencrypt

letsencrypt_create.sh

#!/bin/bash

# Usage: ./letsencrypt_renew.sh mydomain.com

# Path to the letsencrypt-auto tool
LE_TOOL=/home/ubuntu/certbot-auto

# Directory where the acme client puts the generated certs
LE_OUTPUT=/etc/letsencrypt/live

# Directory used as a web
LE_WEBROOT=/var/www/letsencrypt/

# Concat the requested domains
DOMAINS=""
for DOM in "$@"
do
    DOMAINS+=" -d $DOM"
done

# Create or renew certificate for the domain(s) supplied for this tool
$LE_TOOL --agree-tos --renew-by-default --webroot -w $LE_WEBROOT certonly $DOMAINS

service nginx reload

# Cat the certificate chain and the private key together for haproxy
# cat $LE_OUTPUT/$1/{fullchain.pem,privkey.pem} > /etc/ssl/private/${1}.pem
# Reload the haproxy daemon to activate the cert
# systemctl reload haproxy

nginx.conf

user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
        worker_connections 768;
        # multi_accept on;
}

http {

        ##
        # Basic Settings
        ##

        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 65;
        types_hash_max_size 2048;
        # server_tokens off;

        # server_names_hash_bucket_size 64;
        # server_name_in_redirect off;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        ##
        # SSL Settings
        ##

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
        ssl_prefer_server_ciphers on;

        ##
        # Logging Settings
        ##

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

        ##
        # Gzip Settings
        ##
        gzip on;
        gzip_disable "msie6";

        ##
        # Virtual Host Configs
        ##

        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;
}

nginx_default.conf

#sudo vim /etc/nginx/conf.d/default.conf

server {
    listen 80 default_server;

    location /.well-known/acme-challenge {
        root /var/www/letsencrypt;
    }
}

nginx_domain_example.conf

# sudo sed -i -e 's/mydomain.com/myotherdomain.com/g' /etc/nginx/conf.d/myotherdomain_prod.conf

server {
    listen 80;
    server_name mydomain.com www.mydomain.com;
    
    location /.well-known/acme-challenge {
        root /var/www/letsencrypt;
    }
    
    location / {
        return 302 https://mydomain.com$request_uri;
    }
}

server {
        listen  443 ssl http2;
        server_name www.mydomain.com;
        ssl_certificate /etc/letsencrypt/live/www.mydomain.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/www.mydomain.com/privkey.pem;
        return 302 https://mydomain.com$request_uri;
}

server {
    listen 443 ssl http2;
    server_name   mydomain.com;
    root         /home/data/www/mydomain;
    access_log   /var/log/nginx.mydomain.access_log;

    ssl_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem;

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://127.0.0.1:8010;
    }

    location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
        expires 120d;
        log_not_found off;
        access_log off;
    }

    location ~ /\. {
     deny all;
    }
}