Skip to content

Instantly share code, notes, and snippets.

@mgax

mgax/Readme.md

Last active November 10, 2016 12:12
Show Gist options
  • Save mgax/98976562befa64b33355549e9852814b to your computer and use it in GitHub Desktop.
Save mgax/98976562befa64b33355549e9852814b to your computer and use it in GitHub Desktop.
Download ZIP
DIY letsencrypt
Raw
Readme.md

setup

sudo mkdir /opt/https
sudo chown `whoami`: /opt/https
cd /opt/https

mkdir bin libexec acme-challenge nginx
chmod 700 nginx

openssl dhparam -out nginx/dhparams.pem 2048

curl -L https://rawgit.com/lukas2511/dehydrated/992beecbdbf89ec071624af6d46814239d808bcc/letsencrypt.sh -o libexec/letsencrypt.sh
chmod +x libexec/letsencrypt.sh

cat > letsencrypt.conf <<LETSENCRYPT_CONF
WELLKNOWN=/opt/https/acme-challenge
LETSENCRYPT_CONF

cat > bin/acme <<BIN_ACME
WELLKNOWN=/opt/https/acme-challenge
#!/bin/bash
set -e

# usage: ./bin/acme foo.example.com

cd /opt/https
set -x
exec libexec/letsencrypt.sh -f letsencrypt.conf -c -d "\$@"
BIN_ACME
chmod +x bin/acme

cat > nginx/https.conf <<NGINX_HTTPS_CONF
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security max-age=15768000;
ssl_dhparam /opt/https/nginx/dhparams.pem;
NGINX_HTTPS_CONF

get certificates for a domain

/opt/https/bin/acme foo.example.com

nginx config

server {
  server_name foo.example.com;

  location / {
    return 301 https://$host$request_uri;
  }

  location /.well-known/acme-challenge {
    alias /opt/https/acme-challenge;
  }
}

server {
  listen 443 ssl;
  server_name foo.example.com;

  ssl_certificate /opt/https/certs/foo.example.com/fullchain.pem;
  ssl_certificate_key /opt/https/certs/foo.example.com/privkey.pem;
  include /opt/https/nginx/https.conf;
}

apache config

<VirtualHost *:80>
  Redirect "/" "http://foo.example.com/"
</VirtualHost>

<VirtualHost *:80>
  ServerName foo.example.com
  Redirect "/" "https://foo.example.com/"
</VirtualHost>

<VirtualHost _default_:443>
  ServerAdmin [email protected]
  ErrorLog ${APACHE_LOG_DIR}/error.log
  CustomLog ${APACHE_LOG_DIR}/access.log combined

  SSLEngine on
  SSLCertificateFile /opt/https/certs/foo.example.com/fullchain.pem
  SSLCertificateKeyFile /opt/https/certs/foo.example.com/privkey.pem

  Alias /.well-known/acme-challenge /opt/https/acme-challenge
  <Directory "/opt/https/www">
    Require all granted
  </Directory>
</VirtualHost>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment