@ezirmusitua
Last active January 9, 2019 06:34
[Use Let's Encrypt cert with certbot] Obtain and renew a Let's Encrypt cert with certbot through an nginx webroot. #nginx #https #certbot #bash #deploy
# 1. preparation
## 1.1 create cert-webroot
sudo mkdir -p /opt/sites/cert-webroot
cd /opt/sites/cert-webroot
## 1.2 create demo page
# `sudo echo ... > file` does not work: the redirect runs as the unprivileged shell, and the inner double quotes end the string. Write the file through `sudo tee` instead.
printf '<!DOCTYPE html>\n<html lang="en">\n<head>\n<meta charset="UTF-8">\n<title>Demo Site</title>\n</head>\n<body>\n<h1>This is a demo site</h1>\n</body>\n</html>\n' | sudo tee index.html > /dev/null
## 1.3 update nginx default config
cd /etc/nginx/sites-enabled
vim default
### edit config
    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        root /var/www/html;
        # Add index.php to the list if you are using PHP
        index index.html index.htm index.nginx-debian.html;
        server_name _;

        # ACME HTTP-01 challenge files are served from the cert-webroot,
        # so certbot never needs write access to the real site roots.
        location ^~ /.well-known/acme-challenge/ {
            default_type "text/plain";
            root /opt/sites/cert-webroot/;
        }
        # Never list the challenge directory itself.
        location = /.well-known/acme-challenge/ {
            return 404;
        }
        location / {
            # First attempt to serve request as file, then
            # as directory, then fall back to displaying a 404.
            try_files $uri $uri/ =404;
        }
    }
### save and quit (:wq), then reload nginx so the default server picks up the challenge location
# 2. apply new cert
## 2.1 obtain the cert (certonly only requests it; it does not add any nginx config)
sudo certbot certonly -n \
-m <your_email> \
-d api.ezirmusitua.site \
--authenticator webroot \
--webroot-path /opt/sites/cert-webroot \
--agree-tos
## 2.2 add the site's nginx config and reload nginx
    server {
        listen 80;
        listen [::]:80;
        # expires $expires;
        server_name <site_name>;
        # Everything on port 80 is redirected to HTTPS, including
        # /.well-known/acme-challenge/, which is why step 3 parks this file.
        return 301 https://$server_name$request_uri;
    }

    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name <site_name>;
        root /opt/sites/blog;
        index index.html index.htm index.nginx-debian.html;

        ssl_certificate /etc/letsencrypt/live/<site_name>/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/<site_name>/privkey.pem;

        keepalive_timeout 120;
        server_tokens off;
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";

        location / {
            try_files $uri $uri/ =404;
        }
        error_page 404 /404.html;
    }
# 3. renew site cert
## 3.1 move the site config out of sites-enabled (so the default server answers the HTTP challenge again)
sudo mv /etc/nginx/sites-enabled/<site_name> /etc/nginx/sites-available/
## 3.2 renew with certbot
sudo certbot renew
## 3.3 move config back
sudo mv /etc/nginx/sites-available/<site_name> /etc/nginx/sites-enabled/
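The three renewal steps above, plus the challenge check from section 1.3, as one script. This is an added example, not part of the gist: it assumes the gist's paths, a Debian-style nginx layout reloaded with `systemctl reload nginx`, `curl` on the host, and a `SITE_NAME` placeholder you set yourself. It addresses two things the bare commands skip: nginx only notices the moved file after a reload, and a plain `mv` of a symlinked site file would overwrite the real file in sites-available, so links are removed and re-created instead. The self-check fetches a throwaway token through the webroot before certbot runs, so a config that still redirects the challenge path fails locally rather than at Let's Encrypt.

```shell
#!/bin/sh
# Added example (not from the gist): section-3 renewal as one script.
# Park the site's HTTPS-redirect config, reload nginx, prove the webroot serves
# a challenge file over plain HTTP, run certbot, and restore the config on
# every exit path. SITE_NAME is a placeholder; the paths are the gist's own.
set -eu

SITE_NAME="${SITE_NAME:-<site_name>}"
ENABLED_DIR="${ENABLED_DIR:-/etc/nginx/sites-enabled}"
AVAILABLE_DIR="${AVAILABLE_DIR:-/etc/nginx/sites-available}"
WEBROOT="${WEBROOT:-/opt/sites/cert-webroot}"
SUDO="${SUDO:-sudo}"          # set SUDO="" when already running as root
DISABLED_AS=""                # "file" or "link" while the site is parked
LINK_TARGET=""

# True when the config answers port-80 requests with a redirect to https://,
# which would also redirect /.well-known/acme-challenge/ and fail the challenge.
redirects_to_https() {
  grep -Eq '^[[:space:]]*return[[:space:]]+30[1278][[:space:]]+https://' "$1"
}

reload_nginx() {
  $SUDO nginx -t && $SUDO systemctl reload nginx
}

# Take the site out of sites-enabled. A plain `mv` of a Debian-style symlink
# would clobber the real file in sites-available, so links are removed and
# re-created rather than moved.
disable_site() {
  site="$ENABLED_DIR/$SITE_NAME"
  if [ -L "$site" ]; then
    LINK_TARGET="$(readlink "$site")"
    $SUDO rm "$site"
    DISABLED_AS="link"
  elif [ -f "$site" ]; then
    $SUDO mv "$site" "$AVAILABLE_DIR/"
    DISABLED_AS="file"
  else
    echo "no site config at $site" >&2
    return 1
  fi
}

# Put the site back exactly as it was; registered with trap so it also runs
# when the self-check or certbot fails.
restore_site() {
  case "$DISABLED_AS" in
    link) $SUDO ln -s "$LINK_TARGET" "$ENABLED_DIR/$SITE_NAME" ;;
    file) $SUDO mv "$AVAILABLE_DIR/$SITE_NAME" "$ENABLED_DIR/" ;;
    *)    return 0 ;;
  esac
  DISABLED_AS=""
  reload_nginx
}

# Drop a throwaway token into the webroot and fetch it over plain HTTP without
# following redirects, which is how the ACME server will fetch the real one.
webroot_serves_challenge() {
  token="selfcheck-$(date +%s)-$$"
  dir="$WEBROOT/.well-known/acme-challenge"
  $SUDO mkdir -p "$dir"
  printf '%s' "$token" | $SUDO tee "$dir/$token" > /dev/null
  body="$(curl -fsS "http://$SITE_NAME/.well-known/acme-challenge/$token" || true)"
  $SUDO rm -f "$dir/$token"
  [ "$body" = "$token" ]
}

renew_site() {
  trap restore_site EXIT
  disable_site
  reload_nginx   # the move is invisible to nginx until it re-reads its config
  webroot_serves_challenge || { echo "challenge self-check failed; not renewing" >&2; return 1; }
  $SUDO certbot renew   # uses the webroot settings stored by the certonly run
}

# usage: SITE_NAME=blog.example.org ./renew-site.sh run
case "${1:-}" in
  run) renew_site ;;
esac
```

Run it in place of steps 3.1 to 3.3; because `certbot renew` reads the authenticator and webroot path saved by the original `certonly` run, no extra flags are needed. The `trap` means a failed self-check or a certbot error still ends with the site config back in sites-enabled and nginx reloaded, instead of a site left serving plain HTTP.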