@camilonova
Last active May 25, 2017 20:26
Setup Let's Encrypt

Get a Let's Encrypt certificate

Install:

$ sudo apt-get update
$ sudo apt-get install -y git
$ sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
$ cd /opt/letsencrypt
$ sudo ./letsencrypt-auto

Create folder:

$ cd /var/www
$ sudo mkdir letsencrypt
$ sudo chgrp www-data letsencrypt
$ sudo mkdir /etc/letsencrypt/configs

Create the file /etc/letsencrypt/configs/my-domain.com.conf with the following (the acme-v01 directory named here was current in 2017; the ACME v1 endpoint has since been retired and current clients use the ACME v2 directory):

domains = my-domain.com, www.my-domain.com
rsa-key-size = 4096
server = https://acme-v01.api.letsencrypt.org/directory
email = soporte@axiacore.com
text = True
authenticator = webroot
webroot-path = /var/www/letsencrypt/
renew-by-default = True
agree-tos = True

Add this site to nginx:

server {
    listen 80 default_server;
    # Match the names listed under "domains" in the config above.
    server_name my-domain.com www.my-domain.com;

    # The webroot authenticator writes the challenge token below
    # /var/www/letsencrypt/.well-known/acme-challenge/, so serve that path here.
    location /.well-known/acme-challenge {
        root /var/www/letsencrypt;
    }
    ...
}

Test the configuration and reload nginx:

$ sudo nginx -t && sudo nginx -s reload

Request the certificate:

$ cd /opt/letsencrypt
$ sudo ./letsencrypt-auto --config /etc/letsencrypt/configs/my-domain.com.conf certonly

Create the dhparams file (the client names the lineage directory under /etc/letsencrypt/live after the first domain in the config):

$ sudo openssl dhparam -out /etc/letsencrypt/live/my-domain.com/dhparams.pem 2048

Add to your nginx file (the ssl_protocols and ssl_ciphers lines below are the gist's 2017 settings and still allow TLSv1, TLSv1.1 and 3DES; on a current deployment limit ssl_protocols to TLSv1.2 and TLSv1.3 and drop the CBC and 3DES suites):

server {
    listen                      80;
    listen                      [::]:80;
    server_name                 my-domain.com www.my-domain.com;

    return                      301 https://$host$request_uri;
}

server {
    listen                      443 ssl http2;
    listen                      [::]:443 ssl http2;
    server_name                 my-domain.com www.my-domain.com;

    ssl_session_cache           shared:SSL:50m;
    ssl_session_timeout         10m;
    ssl_protocols               TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers   on;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

    ssl_certificate             /etc/letsencrypt/live/my-domain.com/fullchain.pem;
    ssl_certificate_key         /etc/letsencrypt/live/my-domain.com/privkey.pem;
    ssl_dhparam                 /etc/letsencrypt/live/my-domain.com/dhparams.pem;

    location /.well-known/acme-challenge {
        root /var/www/letsencrypt;
    }

    ...
}

Reload nginx:

$ sudo nginx -t && sudo nginx -s reload

Renewal

Put this script in /etc/cron.monthly/letsencrypt:

#!/bin/sh
# Renew every certificate described by a config under /etc/letsencrypt/configs.
# letsencrypt-auto must be run from its checkout.
cd /opt/letsencrypt || exit 1

# Iterate over the glob directly instead of parsing `ls` output.
for conf in /etc/letsencrypt/configs/*.conf; do
  ./letsencrypt-auto --config "$conf" certonly
done

# Load the renewed certificate files.
service nginx restart

Make it executable:

$ sudo chmod +x /etc/cron.monthly/letsencrypt
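The cron script above forces a new certificate every month (renew-by-default = True), which counts against Let's Encrypt's duplicate-certificate rate limit. The variant below is an added example, not part of the gist: it reads the expiry from each lineage's fullchain.pem and only calls letsencrypt-auto when fewer than THRESHOLD_DAYS (default 30) remain. It assumes the gist's paths, that it is installed as /etc/cron.monthly/letsencrypt, and GNU date with -d (Debian/Ubuntu).

```shell
#!/bin/sh
# Added example, not from the gist: renew only lineages within THRESHOLD_DAYS
# of expiry. Assumes the gist's paths and GNU date (-d) as on Debian/Ubuntu.
set -eu
CONFIG_DIR=${CONFIG_DIR:-/etc/letsencrypt/configs}
LIVE_DIR=${LIVE_DIR:-/etc/letsencrypt/live}
THRESHOLD_DAYS=${THRESHOLD_DAYS:-30}

# first_domain CONF: first entry of "domains = a, b"; the client names the
# lineage directory under /etc/letsencrypt/live after it.
first_domain() {
  sed -n 's/^domains[[:space:]]*=[[:space:]]*//p' "$1" | cut -d, -f1 | tr -d '[:space:]'
}

# cert_days_left CERT: whole days until notAfter, negative once expired.
cert_days_left() {
  end=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
  echo $(( ($(date -u -d "$end" +%s) - $(date -u +%s)) / 86400 ))
}

# needs_renewal DAYS_LEFT THRESHOLD: true when at or below the threshold.
needs_renewal() {
  [ "$1" -le "$2" ]
}

main() {
  cd /opt/letsencrypt
  renewed=0
  for conf in "$CONFIG_DIR"/*.conf; do
    [ -e "$conf" ] || continue     # no configs: the glob stays literal
    domain=$(first_domain "$conf")
    cert="$LIVE_DIR/$domain/fullchain.pem"
    left=-1                        # no certificate yet: always request one
    [ -f "$cert" ] && left=$(cert_days_left "$cert")
    if needs_renewal "$left" "$THRESHOLD_DAYS"; then
      echo "$domain: $left days left, renewing"
      ./letsencrypt-auto --config "$conf" certonly
      renewed=$((renewed + 1))
    else
      echo "$domain: $left days left, skipping"
    fi
  done
  # Reload keeps open connections; only needed when something was renewed.
  if [ "$renewed" -gt 0 ]; then service nginx reload; fi
}

# Run main only as the cron script (/etc/cron.monthly/letsencrypt), so the
# functions above can also be sourced and tested on their own.
case "${0##*/}" in letsencrypt) main ;; esac
```

Because the check is per config file, a lineage whose certificate is missing (no fullchain.pem yet) is requested on the next run without any manual step.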

You are welcome!
