@mshafiee
Last active October 26, 2016 11:11
Let's Encrypt:
sudo apt install git bc nginx
sudo git clone https://github.com/certbot/certbot.git /opt/letsencrypt
Automatic renewal:
sudo crontab -e
# weekly: renew any certificate that is close to expiry, then reload nginx five minutes later so it picks up the new files
30 2 * * 1 /opt/letsencrypt/letsencrypt-auto renew >> /var/log/le-renew.log
35 2 * * 1 /etc/init.d/nginx reload
To sign certificates, the Let's Encrypt API needs to verify that you own the domain for the certificate.
The easiest strategy for doing this is called webroot:
sudo mkdir /var/www/letsencrypt-webroot
sudo vim /etc/nginx/sites-enabled/default
Inside of the server block, paste the following settings:
# certbot's webroot plugin writes each challenge to <webroot-path>/.well-known/acme-challenge/<token>,
# so serve that prefix from the webroot directory with root (alias inside a regex location without
# captures does not append the request URI the way the original alias line assumed)
location ^~ /.well-known/acme-challenge/ {
    allow all;
    root /var/www/letsencrypt-webroot;
    try_files $uri $uri/ =404;
}
sudo nginx -s reload
Nginx SSL configuration:
By default, nginx has a very weak SSL configuration. Let's fix that.
First of all, we need to generate a strong set of Diffie-Hellman parameters.
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096
sudo vim /etc/nginx/nginx.conf
Inside of the http block, paste the following settings:
# 2016-era cipher list; it still accepts 3DES (DES-CBC3-SHA) for old clients, so drop those entries if you do not need them
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
# TLSv1 and TLSv1.1 are deprecated (RFC 8996); current deployments use TLSv1.2 TLSv1.3
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ecdh_curve secp384r1;
# nginx does not rotate its session ticket key, so leaving tickets on weakens forward secrecy
ssl_session_tickets off;
ssl_stapling on;
# verifying stapled OCSP responses needs the issuer chain: set ssl_trusted_certificate next to the certificate in the server block
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
# "always" is an add_header flag, not part of the header value; keep it outside the quotes so the header is also sent on error responses
add_header Strict-Transport-Security "max-age=63072000" always;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
sudo nginx -s reload
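As a check on the settings above, here is an added Python lint (not part of this gist) that parses an nginx TLS fragment and flags the points discussed: deprecated protocol versions, the "always" flag quoted into the HSTS value, and ssl_stapling_verify without a trusted issuer chain. The sample config and the hardened variant are constructed inline; the hypothetical chain.pem path follows certbot's live directory layout.

```python
import re
# Constructed sample: the guide's http-block settings as published above
# (the "always" flag sits inside the quoted HSTS value).
SAMPLE_CONF = """
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security "max-age=63072000; always";
add_header X-Frame-Options DENY;
"""
# Constructed hardened variant of the same settings.
HARDENED_CONF = """
ssl_protocols TLSv1.2 TLSv1.3;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
add_header Strict-Transport-Security "max-age=63072000" always;
"""
DIRECTIVE = re.compile(r'^\s*([a-z_]+)\s+(.*?)\s*;\s*$')
DEPRECATED = ('SSLv2', 'SSLv3', 'TLSv1', 'TLSv1.1')

def parse_directives(conf):
    """Return (name, args) pairs; args keeps its quoting so it can be inspected."""
    pairs = []
    for line in conf.splitlines():
        m = DIRECTIVE.match(line.split('#', 1)[0])
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs

def lint_tls(conf):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    pairs = parse_directives(conf)
    names = {name for name, _ in pairs}
    for name, args in pairs:
        if name == 'ssl_protocols':
            old = [p for p in args.split() if p in DEPRECATED]
            if old:
                findings.append('ssl_protocols enables deprecated ' + ', '.join(old))
        elif name == 'add_header' and args.startswith('Strict-Transport-Security'):
            # "always" is an add_header flag; inside the quotes it becomes header text
            if re.search(r'"[^"]*\balways\b[^"]*"', args):
                findings.append('HSTS: "always" is inside the quoted value; move it after the quotes')
    if 'ssl_stapling_verify' in names and 'ssl_trusted_certificate' not in names:
        findings.append('ssl_stapling_verify without ssl_trusted_certificate: OCSP responses cannot be verified')
    return findings
```

Running lint_tls over SAMPLE_CONF reports three findings; the hardened variant reports none.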
Certificate creation:
export LC_ALL="en_US.UTF-8"
export LC_CTYPE="en_US.UTF-8"
# --webroot-path is the directory nginx serves /.well-known/acme-challenge/ from; certbot appends .well-known/acme-challenge/ itself
sudo /opt/letsencrypt/letsencrypt-auto -a webroot --rsa-key-size 4096 --webroot-path /var/www/letsencrypt-webroot -d example.com certonly
sudo vim /etc/nginx/sites-available/example.com
server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    # issuer chain used to verify stapled OCSP responses (ssl_stapling_verify on)
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
    # a prefix location with root maps /foo to /var/www/html/foo; a regex location with alias is not needed here
    location / {
        allow all;
        root /var/www/html;
        try_files $uri $uri/ =404;
    }
}
cd /etc/nginx/sites-enabled
sudo ln -s ../sites-available/example.com