Benoss/Install cerbot.sh

## crontab
#sudo crontab -e

10 8 * * * cd /home/ubuntu/ && ./certbot-auto renew  > /home/ubuntu/certbot.log 2>&1 && service nginx reload

## Install cerbot.sh
#!/bin/bash

wget https://dl.eff.org/certbot-auto
chmod a+x ./certbot-auto
./certbot-auto --help
sudo mkdir /var/www/letsencrypt
sudo chown www-data:www-data /var/www/letsencrypt

## letsencrypt_create.sh
#!/bin/bash

# Usage: ./letsencrypt_renew.sh mydomain.com

# Path to the letsencrypt-auto tool
LE_TOOL=/home/ubuntu/certbot-auto

# Directory where the acme client puts the generated certs
LE_OUTPUT=/etc/letsencrypt/live

# Directory used as a web
LE_WEBROOT=/var/www/letsencrypt/

# Concat the requested domains
DOMAINS=""
for DOM in "$@"
do
    DOMAINS+=" -d $DOM"
done

# Create or renew certificate for the domain(s) supplied for this tool
$LE_TOOL --agree-tos --renew-by-default --webroot -w $LE_WEBROOT certonly $DOMAINS

service nginx reload

# Cat the certificate chain and the private key together for haproxy
# cat $LE_OUTPUT/$1/{fullchain.pem,privkey.pem} > /etc/ssl/private/${1}.pem
# Reload the haproxy daemon to activate the cert
# systemctl reload haproxy

## nginx.conf
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
        worker_connections 768;
        # multi_accept on;
}

http {

        ##
        # Basic Settings
        ##

        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 65;
        types_hash_max_size 2048;
        # server_tokens off;

        # server_names_hash_bucket_size 64;
        # server_name_in_redirect off;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        ##
        # SSL Settings
        ##

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
        ssl_prefer_server_ciphers on;

        ##
        # Logging Settings
        ##

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

        ##
        # Gzip Settings
        ##
        gzip on;
        gzip_disable "msie6";

        ##
        # Virtual Host Configs
        ##

        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;
}


## nginx_default.conf
#sudo vim /etc/nginx/conf.d/default.conf

server {
    listen 80 default_server;

    location /.well-known/acme-challenge {
        root /var/www/letsencrypt;
    }
}

## nginx_domain_example.conf

# sudo sed -i -e 's/mydomain.com/myotherdomain.com/g' /etc/nginx/conf.d/myotherdomain_prod.conf

server {
    listen 80;
    server_name mydomain.com www.mydomain.com;

    location /.well-known/acme-challenge {
        root /var/www/letsencrypt;
    }

    location / {
        return 302 https://mydomain.com$request_uri;
    }
}

server {
        listen  443 ssl http2;
        server_name www.mydomain.com;
        ssl_certificate /etc/letsencrypt/live/www.mydomain.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/www.mydomain.com/privkey.pem;
        return 302 https://mydomain.com$request_uri;
}

server {
    listen 443 ssl http2;
    server_name   mydomain.com;
    root         /home/data/www/mydomain;
    access_log   /var/log/nginx.mydomain.access_log;

    ssl_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem;

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://127.0.0.1:8010;
    }

    location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
        expires 120d;
        log_not_found off;
        access_log off;
    }

    location ~ /\. {
     deny all;
    }
}
	#sudo crontab -e

	10 8 * * * cd /home/ubuntu/ && ./certbot-auto renew > /home/ubuntu/certbot.log 2>&1 && service nginx reload
	#!/bin/bash

	wget https://dl.eff.org/certbot-auto
	chmod a+x ./certbot-auto
	./certbot-auto --help
	sudo mkdir /var/www/letsencrypt
	sudo chown www-data:www-data /var/www/letsencrypt
	#!/bin/bash

	# Usage: ./letsencrypt_renew.sh mydomain.com

	# Path to the letsencrypt-auto tool
	LE_TOOL=/home/ubuntu/certbot-auto

	# Directory where the acme client puts the generated certs
	LE_OUTPUT=/etc/letsencrypt/live

	# Directory used as a web
	LE_WEBROOT=/var/www/letsencrypt/

	# Concat the requested domains
	DOMAINS=""
	for DOM in "$@"
	do
	DOMAINS+=" -d $DOM"
	done

	# Create or renew certificate for the domain(s) supplied for this tool
	$LE_TOOL --agree-tos --renew-by-default --webroot -w $LE_WEBROOT certonly $DOMAINS

	service nginx reload

	# Cat the certificate chain and the private key together for haproxy
	# cat $LE_OUTPUT/$1/{fullchain.pem,privkey.pem} > /etc/ssl/private/${1}.pem
	# Reload the haproxy daemon to activate the cert
	# systemctl reload haproxy
	user www-data;
	worker_processes auto;
	pid /run/nginx.pid;
	include /etc/nginx/modules-enabled/*.conf;

	events {
	worker_connections 768;
	# multi_accept on;
	}

	http {

	##
	# Basic Settings
	##

	sendfile on;
	tcp_nopush on;
	tcp_nodelay on;
	keepalive_timeout 65;
	types_hash_max_size 2048;
	# server_tokens off;

	# server_names_hash_bucket_size 64;
	# server_name_in_redirect off;

	include /etc/nginx/mime.types;
	default_type application/octet-stream;

	##
	# SSL Settings
	##

	ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
	ssl_prefer_server_ciphers on;

	##
	# Logging Settings
	##

	access_log /var/log/nginx/access.log;
	error_log /var/log/nginx/error.log;

	##
	# Gzip Settings
	##
	gzip on;
	gzip_disable "msie6";

	##
	# Virtual Host Configs
	##

	include /etc/nginx/conf.d/*.conf;
	include /etc/nginx/sites-enabled/*;
	}
	#sudo vim /etc/nginx/conf.d/default.conf

	server {
	listen 80 default_server;

	location /.well-known/acme-challenge {
	root /var/www/letsencrypt;
	}
	}

	# sudo sed -i -e 's/mydomain.com/myotherdomain.com/g' /etc/nginx/conf.d/myotherdomain_prod.conf

	server {
	listen 80;
	server_name mydomain.com www.mydomain.com;

	location /.well-known/acme-challenge {
	root /var/www/letsencrypt;
	}

	location / {
	return 302 https://mydomain.com$request_uri;
	}
	}

	server {
	listen 443 ssl http2;
	server_name www.mydomain.com;
	ssl_certificate /etc/letsencrypt/live/www.mydomain.com/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/www.mydomain.com/privkey.pem;
	return 302 https://mydomain.com$request_uri;
	}

	server {
	listen 443 ssl http2;
	server_name mydomain.com;
	root /home/data/www/mydomain;
	access_log /var/log/nginx.mydomain.access_log;

	ssl_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem;

	location / {
	proxy_set_header Host $host;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header X-Forwarded-Proto $scheme;
	proxy_pass http://127.0.0.1:8010;
	}

	location ~* \.(ogg\|ogv\|svg\|svgz\|eot\|otf\|woff\|mp4\|ttf\|css\|rss\|atom\|js\|jpg\|jpeg\|gif\|png\|ico\|zip\|tgz\|gz\|rar\|bz2\|doc\|xls\|exe\|ppt\|tar\|mid\|midi\|wav\|bmp\|rtf)$ {
	expires 120d;
	log_not_found off;
	access_log off;
	}

	location ~ /\. {
	deny all;
	}
	}