ckxng/crontab

## crontab
#min  hr  dom  mo  dow  cmd
56    8   4    *   *    /root/renew-ssl.sh

## http-default-vhost.conf
server {
  listen              80;
  server_name         servername.serverdomain.com;

  location '/.well-known/acme-challenge' {
    default_type "text/plain";
    root        /tmp/letsencrypt-auto;
  }

  location / {
    rewrite ^ https://$host$request_uri? permanent;
  }
}

## https-default-vhost.conf
server {
    listen 443 ssl;
    server_name servername.serverdomain.com;
    ssl_certificate /etc/letsencrypt/live/servername.serverdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/servername.serverdomain.com/privkey.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

    # openssl dhparam -out dhparam.pem 2048
    ssl_dhparam /usr/local/etc/nginx/dhparam.pem;

    ssl_protocols TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
    ssl_prefer_server_ciphers on;

    add_header Strict-Transport-Security max-age=15768000;

    #ssl_stapling on;
    #ssl_stapling_verify on;
    #ssl_trusted_certificate /etc/letsencrypt/live/servername.serverdomain.com/chain.pem;

    resolver 8.8.8.8 8.8.4.4 valid=86400;
    resolver_timeout 10;

    location / {
        root   /usr/local/www/nginx;
        index  index.html index.htm;
    }

   # redirect server error pages to the static page /50x.html

    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/local/www/nginx-dist;
    }

}

## renew-ssl.sh
#!/bin/sh
cd /root/letsencrypt
export DOMAINS="-d servername.serverdomain.com -d www.domain1.com -d subdomain.domain1.com"
export DIR=/tmp/letsencrypt-auto
mkdir -p $DIR && /root/letsencrypt/letsencrypt-auto certonly --server https://acme-v01.api.letsencrypt.org/directory -a webroot --webroot-path=$DIR --debug --agree-dev-preview $DOMAINS
	server {
	listen 80;
	server_name servername.serverdomain.com;

	location '/.well-known/acme-challenge' {
	default_type "text/plain";
	root /tmp/letsencrypt-auto;
	}

	location / {
	rewrite ^ https://$host$request_uri? permanent;
	}
	}
	server {
	listen 443 ssl;
	server_name servername.serverdomain.com;
	ssl_certificate /etc/letsencrypt/live/servername.serverdomain.com/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/servername.serverdomain.com/privkey.pem;
	ssl_session_timeout 1d;
	ssl_session_cache shared:SSL:10m;
	ssl_session_tickets off;

	# openssl dhparam -out dhparam.pem 2048
	ssl_dhparam /usr/local/etc/nginx/dhparam.pem;

	ssl_protocols TLSv1.1 TLSv1.2;
	ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
	ssl_prefer_server_ciphers on;

	add_header Strict-Transport-Security max-age=15768000;

	#ssl_stapling on;
	#ssl_stapling_verify on;
	#ssl_trusted_certificate /etc/letsencrypt/live/servername.serverdomain.com/chain.pem;

	resolver 8.8.8.8 8.8.4.4 valid=86400;
	resolver_timeout 10;

	location / {
	root /usr/local/www/nginx;
	index index.html index.htm;
	}

	# redirect server error pages to the static page /50x.html

	error_page 500 502 503 504 /50x.html;
	location = /50x.html {
	root /usr/local/www/nginx-dist;
	}

	}
	#!/bin/sh
	cd /root/letsencrypt
	export DOMAINS="-d servername.serverdomain.com -d www.domain1.com -d subdomain.domain1.com"
	export DIR=/tmp/letsencrypt-auto
	mkdir -p $DIR && /root/letsencrypt/letsencrypt-auto certonly --server https://acme-v01.api.letsencrypt.org/directory -a webroot --webroot-path=$DIR --debug --agree-dev-preview $DOMAINS