# Generate a new 2048-bit RSA private key and a CSR for it in one step.
# -nodes writes pvdemo.key unencrypted, so keep that file readable only by
# the owning account (e.g. chmod 600). Only pvdemo.csr is sent to the CA.
openssl req -new \
  -newkey rsa:2048 -nodes \
  -keyout pvdemo.key \
  -out pvdemo.csr
crt + bundle (pem not required)
# Older Ubuntu releases: install certbot and its nginx plugin from the PPA.
# NOTE(review): ppa:certbot/certbot is reported as deprecated upstream. Confirm
# it still serves your release before adding a third-party repository as root.
sudo apt-get install -y \
  software-properties-common \
  python-software-properties
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install certbot
sudo apt-get install -y python-certbot-nginx
# For Ubuntu 20.04: certbot and the nginx plugin come from the distro archive.
sudo apt install \
  certbot \
  python3-certbot-nginx
# Obtain a certificate for example.com and let the plugin edit the matching
# nginx server block. Review the TLS directives it writes afterwards.
sudo certbot --nginx -d example.com
Add cron:
# Runs `certbot renew` every day at 03:15. Nothing here reloads the web server
# after a renewal.
# NOTE(review): sudo inside cron has no terminal to prompt on. Presumably this
# belongs in root's crontab without sudo, or needs a NOPASSWD sudoers rule; confirm.
15 3 * * * sudo /usr/bin/certbot renew
# Build the chain file served to clients: the site certificate first, then each
# intermediate in issuing order, the root last. A wrong order breaks chain
# validation in clients. No private key belongs in this file.
cat \
  www_example_com.crt \
  COMODORSADomainValidationSecureServerCA.crt \
  COMODORSAAddTrustCA.crt \
  AddTrustExternalCARoot.crt \
  > ssl-bundle.crt
# Store the certificate and private key as a TLS Secret named cert-tls in the
# current namespace. Secret data is only base64-encoded in the API, so limit
# who can read Secrets with RBAC and enable encryption at rest where available.
kubectl create secret tls cert-tls \
  --cert=cert.pem \
  --key=key.pem
# Webroot (HTTP-01) issuance: certbot writes the challenge file under
# /var/www/letsencrypt/.well-known/acme-challenge/, so the web server must
# serve that path for your_domain on port 80.
sudo certbot certonly \
  --webroot \
  --webroot-path=/var/www/letsencrypt \
  -d your_domain
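# Manual issuance for both names. The original command pinned the ACME v1
# endpoint (acme-v01), which Let's Encrypt has retired, and used the
# letsencrypt-auto wrapper, which is no longer maintained. certbot's default
# server is the current production endpoint, so no --server flag is needed.
# Certificates obtained with --manual are not renewed by `certbot renew`
# unless an authentication hook is configured.
sudo certbot certonly --manual \
  -d example.xyz \
  -d www.example.xyz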
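# Daily renewal attempt at 03:15. There is no sudo here, so this entry is meant
# for root's crontab. --deploy-hook replaces the deprecated --renew-hook
# spelling; the hook runs only after a certificate was actually renewed, so
# nginx is reloaded exactly when there is a new certificate to pick up.
15 3 * * * /usr/bin/certbot renew --quiet --deploy-hook "/etc/init.d/nginx reload"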
Add to the nginx virtual host (server block) configuration:
# Serve ACME HTTP-01 challenge files from the certbot webroot. The ^~ modifier
# stops nginx from evaluating regex locations for this prefix.
location ^~ /.well-known {
    root /var/www/letsencrypt;
}
# Plain-HTTP listener: permanently redirect every request to HTTPS.
# The target uses $server_name (the configured name), not the client-supplied
# Host header, so the redirect cannot be steered by the request.
server {
    listen      80;
    server_name example.com;

    return 301 https://$server_name$request_uri;
}
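# HTTPS listener for example.com serving a static single-page build.
server {
    # "ssl" on the listen line enables TLS. The separate "ssl on;" directive
    # has been deprecated since nginx 1.15.0 and is dropped here.
    listen 443 ssl;
    root /var/www/html/build;
    index index.html;
    # Was "server_name default_server;". default_server is a parameter of
    # "listen", not a hostname, so the block never matched example.com by name.
    server_name example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # OCSP stapling. ssl_stapling_verify additionally needs the issuer chain
    # configured with ssl_trusted_certificate and a "resolver" for the
    # responder's hostname. Without them nginx logs a warning and does not staple.
    ssl_stapling on;
    ssl_stapling_verify on;

    # TLS 1.0 and 1.1 are deprecated and removed from the list. TLSv1.3 needs
    # nginx 1.13.0+ built against OpenSSL 1.1.1+; drop it on older builds.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    # DH+3DES removed: 64-bit block ciphers are no longer considered safe for TLS.
    ssl_ciphers 'ECDH+AESGCM:ECDH+AES256:ECDH+AES128:!ADH:!AECDH:!MD5';
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 180m;
    ssl_buffer_size 4k;

    # "always" sends HSTS on error responses too. add_header is NOT inherited by
    # a location that declares its own add_header, so the header is repeated in
    # each such location below.
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains" always;

    keepalive_timeout 40;
    # NOTE(review): only affects responses proxied via fastcgi_pass, and none is
    # configured in this block. Confirm whether it is still needed.
    fastcgi_hide_header Set-Cookie;

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    # SPA fallback: unknown paths are answered with index.html.
    location / {
        try_files $uri $uri/ /index.html?$args;
    }

    # Media and other static assets: cache for one month, no access logging.
    location ~* \.(?:jpg|jpeg|gif|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc)$ {
        expires 1M;
        access_log off;
        add_header Cache-Control "public";
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains" always;
    }

    # Stylesheets and scripts: cache for one year, no access logging.
    location ~* \.(?:css|js)$ {
        expires 1y;
        access_log off;
        add_header Cache-Control "public";
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains" always;
    }

    location = /favicon.ico { access_log off; log_not_found off; }

    # Fonts may be fetched cross-origin. The dot is escaped so that only real
    # file extensions match (the original "." matched any character). Regex
    # locations are tried in order, so css/js requests are already handled by
    # the location above and do not receive this header.
    location ~ \.(ttf|ttc|otf|eot|woff|woff2|css|js)$ {
        add_header Access-Control-Allow-Origin "*";
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains" always;
    }
}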
# Apache variant: install the certbot Apache plugin and request a certificate.
# NOTE(review): ppa:certbot/certbot is reported as deprecated upstream. Confirm
# it still serves your release before adding a third-party repository as root.
sudo add-apt-repository ppa:certbot/certbot
sudo apt install \
  python-certbot-apache
# The plugin obtains the certificate and writes the TLS virtual host itself.
sudo certbot --apache -d your_domain
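Choose the "Redirect" option when the command above prompts for it. Certbot then generates a separate Apache config file with SSL enabled. Check the /etc/apache/sites-enabled/ folder (on Debian/Ubuntu the directory is normally /etc/apache2/sites-enabled/).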
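# Port-80 virtual host: send every request to the HTTPS site.
<VirtualHost *:80>
    ServerName example.com
    # The target must end in "/". Redirect appends whatever follows the matched
    # "/" to the target, so without it /page becomes https://example.compage
    # and the redirect can point at a different host than intended.
    Redirect permanent / https://example.com/
</VirtualHost>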
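# Port-80 virtual host: send every request to the HTTPS site.
<VirtualHost *:80>
    ServerName example.com
    # The target must end in "/". Redirect appends whatever follows the matched
    # "/" to the target, so without it /page becomes https://example.compage
    # and the redirect can point at a different host than intended.
    Redirect permanent / https://example.com/
</VirtualHost>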
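# HTTPS virtual host for example.com using the Let's Encrypt certificate.
<VirtualHost *:443>
    ServerName example.com
    DocumentRoot /var/www/FrontEnd/public

    # Logs live beside, not inside, the DocumentRoot, so they are not served.
    ErrorLog /var/www/FrontEnd/logs/error.log
    CustomLog /var/www/FrontEnd/logs/access.log combined

    SSLEngine on
    # Refuse SSLv3 and the deprecated TLS 1.0/1.1 protocol versions.
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem

    # Path corrected to match DocumentRoot. The original pointed at
    # /var/www/example.com/FrontEnd/public, so none of these settings applied
    # to the directory actually being served.
    <Directory /var/www/FrontEnd/public>
        # Follow a symlink only when link and target have the same owner.
        Options +SymLinksIfOwnerMatch
        # "All" lets any .htaccess file under this tree override server
        # settings; narrow it if the application does not need that.
        AllowOverride All
        # Apache 2.4 access control. Replaces the 2.2-era "Order deny,allow",
        # which only works with mod_access_compat loaded.
        Require all granted
        DirectoryIndex index.html index.php
    </Directory>
</VirtualHost>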