Using the acme.sh script to handle Let's Encrypt certificates is a life saver. It automates certificate issuance, domain validation through the DigitalOcean DNS API, and renewal from a cron job.
cd /tmp/
git clone https://github.com/Neilpang/acme.sh.git
cd acme.sh
./acme.sh --install --log \
--accountemail <admin mail> \
--home /opt/acme \
--config-home /opt/acme/data \
--cert-home /opt/acme/certs
You need an API token with read and write access from your DigitalOcean account. See: https://www.digitalocean.com/help/api/ acme.sh saves the token in its account config (under /opt/acme/data here) so that renewals can update DNS later, so keep that directory readable by root only.
export DO_API_KEY="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
acme.sh --issue --dns dns_dgon -d <domain_to_generate_cert_to>
# optionally add a wildcard name to the same certificate (quote it so the shell does not expand the *):
acme.sh --issue --dns dns_dgon -d <domain_to_generate_cert_to> -d '*.<domain_to_generate_cert_to>'
Warning: do not point Nginx at the .cer file (or anything else under /opt/acme/certs) directly; those are acme.sh's internal working copies and their layout may change. Use --install-cert to copy the files into place instead:
mkdir -p /etc/nginx/acme.sh/<domain_to_generate_cert_to>
acme.sh --install-cert -d <domain_to_generate_cert_to> \
--cert-file /etc/nginx/acme.sh/<domain_to_generate_cert_to>/cert.pem \
--key-file /etc/nginx/acme.sh/<domain_to_generate_cert_to>/key.pem \
--fullchain-file /etc/nginx/acme.sh/<domain_to_generate_cert_to>/fullchain.pem \
--reloadcmd "systemctl reload nginx.service"
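After --install-cert has run, it is worth confirming that what landed in the Nginx directory is consistent before the reload command is trusted in cron. The script below is an added example, not code from the original post or from the acme.sh project; it assumes openssl is on PATH and the cert.pem/key.pem/fullchain.pem layout used above, and takes the directory as its argument. The fixture it builds for itself is a constructed self-signed certificate, not a Let's Encrypt one.

```shell
#!/bin/sh
# Added example, not code from the original post or from the acme.sh project:
# sanity-check the files that --install-cert copied into place before (or after)
# Nginx is reloaded. Assumes openssl on PATH and the cert.pem/key.pem/fullchain.pem
# layout used above; the directory is passed in as an argument.

# Return 0 when the public key inside CERT ($1) matches the private key in KEY ($2).
cert_key_match() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
    key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Return 0 when the first certificate in FULLCHAIN ($2) is the leaf from CERT ($1)
# (openssl x509 reads only the first PEM block of a file).
fullchain_starts_with_cert() {
    leaf=$(openssl x509 -noout -fingerprint -sha256 -in "$1" 2>/dev/null) || return 1
    first=$(openssl x509 -noout -fingerprint -sha256 -in "$2" 2>/dev/null) || return 1
    [ "$leaf" = "$first" ]
}

# Return 0 when CERT ($1) is still valid DAYS ($2, default 30) days from now.
cert_valid_for_days() {
    openssl x509 -noout -checkend "$(( ${2:-30} * 86400 ))" -in "$1" >/dev/null 2>&1
}

# Return 0 when KEY ($1) is not readable by "other" (column 8 of ls -l is the o+r bit).
key_not_world_readable() {
    [ "$(ls -l "$1" | cut -c8)" = "-" ]
}

# Run every check against DIR; print one FAIL line per problem, return 0 only if all pass.
check_install_dir() {
    dir="$1"; rc=0
    if ! cert_key_match "$dir/cert.pem" "$dir/key.pem"; then
        echo "FAIL: $dir/cert.pem does not match $dir/key.pem"; rc=1
    fi
    if ! fullchain_starts_with_cert "$dir/cert.pem" "$dir/fullchain.pem"; then
        echo "FAIL: $dir/fullchain.pem does not start with the leaf in cert.pem"; rc=1
    fi
    if ! cert_valid_for_days "$dir/cert.pem" 30; then
        echo "FAIL: $dir/cert.pem expires within 30 days; renewal is overdue"; rc=1
    fi
    if ! key_not_world_readable "$dir/key.pem"; then
        echo "FAIL: $dir/key.pem is world-readable"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $dir"
    return $rc
}

# Constructed test fixture (not a real Let's Encrypt cert): a self-signed 90-day
# certificate laid out the way --install-cert would write it.
make_sample_install_dir() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 -subj "/CN=example.test" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
    chmod 600 "$dir/key.pem"
    cp "$dir/cert.pem" "$dir/fullchain.pem"
}

# Usage: sh check_install.sh /etc/nginx/acme.sh/<domain_to_generate_cert_to>
if [ $# -gt 0 ]; then check_install_dir "$1"; fi
```

The key/cert match is done by comparing the SubjectPublicKeyInfo PEM that openssl prints for each side, which works for RSA and ECDSA keys alike; the 30-day expiry threshold is chosen because acme.sh renews 90-day Let's Encrypt certificates well before that, so a freshly installed cert failing this check means the cron job is not doing its work.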
Edit /etc/nginx/conf.d/site_name.conf and, inside the server block for the SSL site, add:
# SSL
# 'ssl on;' still works on older Nginx but is deprecated since 1.15.0; newer
# configs put ssl on the listen directive instead (listen 443 ssl;).
ssl on;
ssl_certificate /etc/nginx/acme.sh/<domain_to_generate_cert_to>/fullchain.pem;
ssl_certificate_key /etc/nginx/acme.sh/<domain_to_generate_cert_to>/key.pem;
# Only consulted to verify OCSP staples (ssl_stapling) or client certificates,
# and then it must hold the issuer chain, not the leaf certificate alone
# (acme.sh can also write just the intermediates with --ca-file).
ssl_trusted_certificate /etc/nginx/acme.sh/<domain_to_generate_cert_to>/fullchain.pem;
# Enables TLS 1.0 through 1.2 and keeps SSLv2/SSLv3 off. TLS 1.0 and 1.1 have
# since been deprecated too (RFC 8996); use "TLSv1.2 TLSv1.3" where your
# Nginx/OpenSSL build and clients allow it.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# Drops the cipher classes listed after the '!' markers. Note that the 3DES
# suites (the DES-CBC3-SHA entries) are still permitted by this list.
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
ssl_prefer_server_ciphers on;
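Because the snippet above mixes settings that were fine when it was written with ones that have since been deprecated, a quick audit of the ssl_* lines catches the common slips (missing semicolons, the old ssl on directive, TLS 1.0/1.1, 3DES suites) before nginx -t does. The script below is an added example, not code from the original post or from the Nginx or acme.sh projects; it assumes POSIX sh, grep, sed and mktemp, and the two config samples it writes are constructed: one mirrors the weak points of the snippet above, the other is a corrected variant, both using the placeholder domain example.test.

```shell
#!/bin/sh
# Added example, not code from the original post or from the Nginx or acme.sh
# projects: audit the ssl_* directives of a server block and compare the weak
# snippet above with a constructed hardened variant. Assumes POSIX sh, grep,
# sed and mktemp; example.test is a placeholder domain.

# Print one finding per line for the given config file; print nothing when clean.
audit_ssl_conf() {
    conf="$1"
    # TLS 1.0 and 1.1 were deprecated by RFC 8996; offer only TLSv1.2 and TLSv1.3.
    if grep -Eq '^[[:space:]]*ssl_protocols[^;]*TLSv1(\.1)?([[:space:]]|;)' "$conf"; then
        echo "$conf: ssl_protocols still offers TLSv1 and/or TLSv1.1"
    fi
    # 'ssl on;' is deprecated since Nginx 1.15.0 in favour of 'listen 443 ssl;'.
    if grep -Eq '^[[:space:]]*ssl[[:space:]]+on[[:space:]]*;' "$conf"; then
        echo "$conf: deprecated 'ssl on;', use 'listen 443 ssl;' instead"
    fi
    # 3DES (DES-CBC3) suites are weak; a list meant to drop weak ciphers must not keep them.
    if grep -Eq '^[[:space:]]*ssl_ciphers[^;]*(DES-CBC3|3DES)' "$conf"; then
        echo "$conf: ssl_ciphers still includes 3DES suites"
    fi
    # Every ssl_* directive must end in ';' or Nginx refuses to load the file.
    missing=$(grep -E '^[[:space:]]*ssl_[a-z_]+[[:space:]]' "$conf" |
              grep -Ev ';[[:space:]]*(#.*)?$' || true)
    if [ -n "$missing" ]; then
        printf '%s\n' "$missing" | sed "s|^|$conf: missing ';' on line: |"
    fi
    return 0
}

# Constructed samples written into DIR: weak.conf reproduces the weak points of
# the snippet above (including the missing semicolons); hardened.conf is the
# corrected form. Both use the placeholder domain example.test.
write_sample_configs() {
    dir="$1"
    cat > "$dir/weak.conf" <<'EOF'
ssl on;
ssl_certificate /etc/nginx/acme.sh/example.test/fullchain.pem
ssl_certificate_key /etc/nginx/acme.sh/example.test/key.pem
ssl_trusted_certificate /etc/nginx/acme.sh/example.test/cert.pem
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!MD5:!RC4";
ssl_prefer_server_ciphers on;
EOF
    cat > "$dir/hardened.conf" <<'EOF'
listen 443 ssl;
ssl_certificate /etc/nginx/acme.sh/example.test/fullchain.pem;
ssl_certificate_key /etc/nginx/acme.sh/example.test/key.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305";
ssl_prefer_server_ciphers on;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
EOF
}

# Usage: sh audit_ssl.sh /etc/nginx/conf.d/site_name.conf
if [ $# -gt 0 ]; then audit_ssl_conf "$1"; fi
```

Run against weak.conf the audit reports six lines (the protocol list, the ssl on directive, the 3DES suites, and the three certificate directives that lack a semicolon); against hardened.conf it reports nothing. The hardened sample drops ssl_trusted_certificate entirely because it does nothing unless OCSP stapling or client-certificate verification is configured.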
Edit /opt/acme/certs/<domain>/<domain>.conf and update the Le_RenewHook field.
For example, if you want to reload Nginx when the cert is renewed:
vim /opt/acme/certs/<domain>/<domain>.conf
...
Le_RenewHook='systemctl reload nginx.service'
...
When the cron renewal job executes, it should output something like the following:
...
[Thu May 10 11:41:38 UTC 2018] Run renew hook:'systemctl reload nginx.service'
[Thu May 10 11:41:38 UTC 2018] ===End cron===
...