romantomjak · March 26, 2016 14:11
diff --git a/letsencrypt-ssl b/letsencrypt-ssl
 location ~ /.well-known {
    allow all;
    root /var/www/letsencrypt;
 }

 ssl on;

 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 ssl_prefer_server_ciphers on;
 ssl_dhparam /etc/ssl/certs/dhparam.pem;
 ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
 ssl_session_timeout 1d;
 ssl_session_cache shared:SSL:10m;
 ssl_stapling on;
 ssl_stapling_verify on;
 add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload";
 add_header X-Frame-Options SAMEORIGIN;
 add_header X-Content-Type-Options nosniff;
 ssl_session_tickets off;
 resolver 8.8.4.4 8.8.8.8 valid=300s;
 resolver_timeout 5s;
diff --git a/renew-certificates b/renew-certificates
 #!/bin/bash
 #
 # I was running this on a 512 DigitalOcean VM and run into problem:
 # "x86_64-linux-gnu-gcc: internal compiler error: Killed (program cc1)"
 #
 # To solve it I enabled swap file, as suggested here:
 # http://stackoverflow.com/a/26762938

 WS='nginx'
 CONFIG="/etc/letsencrypt/renew-certificates.ini"

 LETSENCRYPT='/opt/letsencrypt'
 DAYS_BEFORE_RENEW=30;

 if [ ! -f $CONFIG ]; then
        echo "[ERROR] config file does not exist: $CONFIG"
        exit 1;
 fi

 DOMAIN=`grep "^\s*domains" $CONFIG | sed "s/^\s*domains\s*=\s*//" | sed 's/(\s*)\|,.*$//'`
 CERT_FILE="/etc/letsencrypt/live/$DOMAIN/fullchain.pem"

 if [ ! -f $CERT_FILE ]; then
        echo "[ERROR] certificate file not found for domain $DOMAIN."
 fi

 EXPIRES_ON=$(date -d "`openssl x509 -in $CERT_FILE -text -noout|grep "Not After"|cut -c 25-`" +%s)
 DATE_NOW=$(date -d "now" +%s)
 DAYS_LEFT=$(echo \( $EXPIRES_ON - $DATE_NOW \) / 86400 |bc)

 echo "Checking expiration date for $DOMAIN..."

 if [ "$DAYS_LEFT" -gt "$DAYS_BEFORE_RENEW" ] ; then
        echo "The certificate is up to date, no need for renewal ($DAYS_LEFT days left)."
        exit 0;
 else
        echo "The certificate for $DOMAIN is about to expire soon. Starting webroot renewal script..."
        $LETSENCRYPT/letsencrypt-auto certonly -a webroot --agree-tos --renew-by-default --config $CONFIG
        echo "Reloading $WS"
        /usr/sbin/service $WS reload
        echo "Renewal process finished for domain $DOMAIN"
        exit 0;
 fi
diff --git a/renew-certificates.ini b/renew-certificates.ini
 # This is an example of the kind of things you can do in a configuration file.
 # All flags used by the client can be configured here. Run Let's Encrypt with
 # "--help" to learn more about the available options.

 # Use a 4096 bit RSA key instead of 2048
 rsa-key-size = 4096

 # Always use the staging/testing server
 # server = https://acme-staging.api.letsencrypt.org/directory

 # Uncomment and update to register with the specified e-mail address
 email = [email protected]

 # Uncomment and update to generate certificates for the specified
 # domains.
 domains = example.com, www.example.com

 # Uncomment to use a text interface instead of ncurses
 # text = True

 # Uncomment to use the standalone authenticator on port 443
 # authenticator = standalone
 # standalone-supported-challenges = tls-sni-01

 # Uncomment to use the webroot authenticator. Replace webroot-path with the
 # path to the public_html / webroot folder being served by your web server.
 # authenticator = webroot
 webroot-path = /var/www/letsencrypt
	location ~ /.well-known {
	allow all;
	root /var/www/letsencrypt;
	}

	ssl on;

	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_prefer_server_ciphers on;
	ssl_dhparam /etc/ssl/certs/dhparam.pem;
	ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
	ssl_session_timeout 1d;
	ssl_session_cache shared:SSL:10m;
	ssl_stapling on;
	ssl_stapling_verify on;
	add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload";
	add_header X-Frame-Options SAMEORIGIN;
	add_header X-Content-Type-Options nosniff;
	ssl_session_tickets off;
	resolver 8.8.4.4 8.8.8.8 valid=300s;
	resolver_timeout 5s;
	#!/bin/bash
	#
	# I was running this on a 512 DigitalOcean VM and run into problem:
	# "x86_64-linux-gnu-gcc: internal compiler error: Killed (program cc1)"
	#
	# To solve it I enabled swap file, as suggested here:
	# http://stackoverflow.com/a/26762938

	WS='nginx'
	CONFIG="/etc/letsencrypt/renew-certificates.ini"

	LETSENCRYPT='/opt/letsencrypt'
	DAYS_BEFORE_RENEW=30;

	if [ ! -f $CONFIG ]; then
	echo "[ERROR] config file does not exist: $CONFIG"
	exit 1;
	fi

	DOMAIN=`grep "^\sdomains" $CONFIG \| sed "s/^\sdomains\s=\s//" \| sed 's/(\s)\\|,.$//'`
	CERT_FILE="/etc/letsencrypt/live/$DOMAIN/fullchain.pem"

	if [ ! -f $CERT_FILE ]; then
	echo "[ERROR] certificate file not found for domain $DOMAIN."
	fi

	EXPIRES_ON=$(date -d "`openssl x509 -in $CERT_FILE -text -noout\|grep "Not After"\|cut -c 25-`" +%s)
	DATE_NOW=$(date -d "now" +%s)
	DAYS_LEFT=$(echo \( $EXPIRES_ON - $DATE_NOW \) / 86400 \|bc)

	echo "Checking expiration date for $DOMAIN..."

	if [ "$DAYS_LEFT" -gt "$DAYS_BEFORE_RENEW" ] ; then
	echo "The certificate is up to date, no need for renewal ($DAYS_LEFT days left)."
	exit 0;
	else
	echo "The certificate for $DOMAIN is about to expire soon. Starting webroot renewal script..."
	$LETSENCRYPT/letsencrypt-auto certonly -a webroot --agree-tos --renew-by-default --config $CONFIG
	echo "Reloading $WS"
	/usr/sbin/service $WS reload
	echo "Renewal process finished for domain $DOMAIN"
	exit 0;
	fi
	# This is an example of the kind of things you can do in a configuration file.
	# All flags used by the client can be configured here. Run Let's Encrypt with
	# "--help" to learn more about the available options.

	# Use a 4096 bit RSA key instead of 2048
	rsa-key-size = 4096

	# Always use the staging/testing server
	# server = https://acme-staging.api.letsencrypt.org/directory

	# Uncomment and update to register with the specified e-mail address
	email = [email protected]

	# Uncomment and update to generate certificates for the specified
	# domains.
	domains = example.com, www.example.com

	# Uncomment to use a text interface instead of ncurses
	# text = True

	# Uncomment to use the standalone authenticator on port 443
	# authenticator = standalone
	# standalone-supported-challenges = tls-sni-01

	# Uncomment to use the webroot authenticator. Replace webroot-path with the
	# path to the public_html / webroot folder being served by your web server.
	# authenticator = webroot
	webroot-path = /var/www/letsencrypt