Letsencrypt CertBot on Ubuntu 14.04 with NginX.sh
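#!/usr/bin/env bash
# Runbook: Let's Encrypt via certbot-auto (webroot authenticator) on
# Ubuntu 14.04 with nginx. Run as a user with sudo rights. Steps:
#   1. prepare the ACME webroot
#   2. install the ACME location snippet into the port-80 server block
#   3. create the DH parameters file
#   4. fetch + verify certbot-auto and issue the certificate
#   5. schedule automatic renewal (root crontab)
#   6. install the TLS snippet for the port-443 server block
# The order matters: nginx must serve /.well-known/acme-challenge/ before the
# certificate can be issued, and ssl_certificate / ssl_dhparam can only be
# loaded once those files exist, otherwise `nginx -t` fails.
#
# References:
# https://certbot.eff.org/#ubuntutrusty-nginx
# http://www.jeffmould.com/2016/05/14/install-lets-encrypt-ssl-certificate-laravel/
# https://loune.net/2016/01/https-with-lets-encrypt-ssl-and-nginx/
# https://community.letsencrypt.org/t/how-to-nginx-configuration-to-enable-acme-challenge-support-on-all-http-virtual-hosts/5622
set -euo pipefail

# Adjust before running. DOMAIN is the only value that normally changes; the
# file names under /etc/letsencrypt/live/<domain>/ are fixed by certbot.
readonly DOMAIN="${DOMAIN:-example.com}"
readonly WEBROOT=/usr/share/nginx/letsencrypt     # must match -w below
readonly WEBROOT_OWNER="${WEBROOT_OWNER:-user}"   # account allowed to write challenge files
readonly CERTBOT_DIR=/opt/certbot-auto
readonly CRON_LOG="${CERTBOT_DIR}/certbot-cron.log"
readonly DHPARAM=/etc/ssl/certs/dhparam.pem
readonly SITE_CONF="/etc/nginx/sites-available/${DOMAIN}"
# Constructed paths: the directives are written to snippet files and pulled
# into the server blocks with `include`, so the site file is never overwritten.
readonly ACME_SNIPPET="/etc/nginx/snippets/letsencrypt-acme-${DOMAIN}.conf"
readonly TLS_SNIPPET="/etc/nginx/snippets/letsencrypt-tls-${DOMAIN}.conf"

#######################################
# Syntax-check nginx and reload it. `nginx -t` failing aborts the script
# (set -e) so a broken config is never reloaded into a running server.
# Note: the service name comes first (`service nginx reload`), not `nginx service`.
#######################################
reload_nginx() {
  sudo nginx -t
  sudo service nginx reload
}

#######################################
# Abort with instructions when $2 does not yet include snippet $1.
# Arguments: $1 - snippet path, $2 - server block description
#######################################
require_include() {
  local snippet=$1 where=$2
  if ! sudo grep -q -F -- "include ${snippet};" "${SITE_CONF}"; then
    printf 'Add this line inside the %s server {} block of %s, then re-run this script:\n  include %s;\n' \
      "${where}" "${SITE_CONF}" "${snippet}" >&2
    exit 1
  fi
}

## 1. ACME webroot
# -p: plain `mkdir` fails when /usr/share/nginx/letsencrypt does not exist yet.
# `sudo cd` is a no-op (cd is a shell builtin; sudo cannot change the caller's
# cwd), so chown is given the absolute path rather than a relative one.
sudo mkdir -p "${WEBROOT}/.well-known"
sudo chown -R "${WEBROOT_OWNER}:www-data" "${WEBROOT}"

## 2. ACME challenge location (port-80 server block)
sudo mkdir -p "$(dirname -- "${ACME_SNIPPET}")"
sudo tee "${ACME_SNIPPET}" >/dev/null <<EOF
# SSL Cert - Letsencrypt
location ^~ /.well-known/acme-challenge/ {
    # Set correct content type. According to this:
    # https://community.letsencrypt.org/t/using-the-webroot-domain-verification-method/1445/29
    # Current specification requires "text/plain" or no content header at all.
    # It seems that "text/plain" is a safe option.
    default_type "text/plain";
    # This directory must be the same as the webroot given to certbot
    # (-w on the command line, or "webroot-path" in /etc/letsencrypt/cli.ini
    # together with "authenticator = webroot").
    # Do NOT use alias, use root! Target directory is:
    # ${WEBROOT}/.well-known/acme-challenge/
    root ${WEBROOT};
}
EOF
require_include "${ACME_SNIPPET}" "port-80"
reload_nginx

## 3. DH parameters for DHE ciphers — generated before nginx is told to load
## them. Guarded so a re-run does not spend minutes regenerating the file.
if [[ ! -f "${DHPARAM}" ]]; then
  sudo openssl dhparam -out "${DHPARAM}" 2048
fi

## 4. certbot-auto: download, verify, issue
sudo mkdir -p "${CERTBOT_DIR}"
cd "${CERTBOT_DIR}"
sudo wget -N https://dl.eff.org/certbot-auto
sudo wget -N https://dl.eff.org/certbot-auto.asc
# The downloaded script runs as root, so check EFF's detached signature before
# executing it. Import the certbot signing key first; take its fingerprint from
# certbot.eff.org (<EFF-CERTBOT-SIGNING-KEY-FINGERPRINT>). A failed or missing
# signature aborts here (set -e).
gpg --verify certbot-auto.asc certbot-auto
sudo chmod a+x certbot-auto
# Guarded so re-runs do not re-issue the certificate on every invocation
# (--renew-by-default forces issuance, and Let's Encrypt rate-limits that).
# The first certbot-auto run also bootstraps its OS package dependencies.
if ! sudo test -f "/etc/letsencrypt/live/${DOMAIN}/fullchain.pem"; then
  sudo ./certbot-auto certonly --agree-tos --renew-by-default --verbose \
    --webroot -w "${WEBROOT}" -d "${DOMAIN}"
fi

## 5. Auto renewal (root crontab)
sudo touch "${CRON_LOG}"
sudo chmod 660 "${CRON_LOG}"
# Runs as root already, so no `sudo` inside the cron line. 2>&1 keeps failures
# in the log too. --post-hook reloads nginx only when a certificate was
# actually renewed, instead of on every daily run.
cron_line="0 6 * * * ${CERTBOT_DIR}/certbot-auto renew --text --post-hook \"service nginx reload\" >> ${CRON_LOG} 2>&1"
if ! sudo crontab -l 2>/dev/null | grep -q -F -- "${CERTBOT_DIR}/certbot-auto renew"; then
  { sudo crontab -l 2>/dev/null || true; printf '%s\n' "${cron_line}"; } | sudo crontab -
fi

## 6. TLS directives (port-443 server block)
sudo tee "${TLS_SNIPPET}" >/dev/null <<EOF
# these are the paths to our certificate files. You should really only have to
# change the names of the domain directory, as the file names are consistent with
# Let's Encrypt.
ssl_certificate /etc/letsencrypt/live/${DOMAIN}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${DOMAIN}/privkey.pem;
# this is the path to the dhparam.pem file created in step 3
ssl_dhparam ${DHPARAM};
# based on https://mozilla.github.io/server-side-tls/ssl-config-generator/
# TLS 1.0/1.1 are deprecated and omitted; this drops only very old clients.
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
# 3DES (DES-CBC3-SHA) suites removed from the list and excluded explicitly
# (!DES does not cover 3DES, and HIGH would otherwise re-admit it).
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4";
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 1d;
ssl_session_tickets off;
# NOTE(review): OCSP stapling needs nginx to resolve the OCSP responder; add a
# `resolver` directive if `nginx -t` / the error log complains — confirm.
ssl_stapling on;
ssl_stapling_verify on;
EOF
require_include "${TLS_SNIPPET}" "port-443"
reload_nginx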