dpwiz/hostname.conf

## hostname.conf
server {
    listen       80;
    server_name  hostname.tld *.hostname.tld;

    location / {
        return 301 https://$host$request_uri;
    }

    location /.well-known/acme-challenge {
        root /ext/www/public_html/le-challenge;
    }
}

server {
    listen      443 ssl http2;
    server_name hostname.tld *.hostname.tld;

    ssl_certificate           /etc/letsencrypt/live/hostname.tld/fullchain.pem;
    ssl_certificate_key       /etc/letsencrypt/live/hostname.tld/privkey.pem;
    ssl_ciphers               "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA";
    ssl_dhparam               /etc/nginx/ssl/dhparam.pem;
    ssl_prefer_server_ciphers on;
    ssl_protocols             TLSv1 TLSv1.1 TLSv1.2;
    ssl_session_cache         shared:SSL:30m;
    ssl_session_timeout       5m;

    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ssl.google-analytics.com https://assets.zendesk.com https://connect.facebook.net; img-src 'self' https://ssl.google-analytics.com https://s-static.ak.facebook.com https://assets.zendesk.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://assets.zendesk.com; font-src 'self' https://themes.googleusercontent.com; frame-src https://assets.zendesk.com https://www.facebook.com https://s-static.ak.facebook.com https://tautt.zendesk.com; object-src 'none'";
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options SAMEORIGIN;

    charset utf-8;
    gzip    on;

    location / {
        root   /ext/www/public_html/$host;
        index  index.html index.htm;
    }

    location /favicon.ico {
        empty_gif;
    }

    location /.well-known/acme-challenge {
        root /ext/www/public_html/le-challenge;
    }

    #error_page  404              /404.html;
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }

#    access_log  /var/log/nginx/log/aenor.access.log  main;
}

## le-update.sh
HOSTS=$(echo *hostname.tld | sed -e 's/ /,/g')
WEBROOT=/opt/www/public_html/le-challenge
LETSENCRYPT=~/.local/share/letsencrypt/bin/letsencrypt

$LETSENCRYPT certonly --renew-by-default -a webroot --webroot-path $WEBROOT -tv -d $HOSTS
	server {
	listen 80;
	server_name hostname.tld *.hostname.tld;

	location / {
	return 301 https://$host$request_uri;
	}

	location /.well-known/acme-challenge {
	root /ext/www/public_html/le-challenge;
	}
	}

	server {
	listen 443 ssl http2;
	server_name hostname.tld *.hostname.tld;

	ssl_certificate /etc/letsencrypt/live/hostname.tld/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/hostname.tld/privkey.pem;
	ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA";
	ssl_dhparam /etc/nginx/ssl/dhparam.pem;
	ssl_prefer_server_ciphers on;
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_session_cache shared:SSL:30m;
	ssl_session_timeout 5m;

	add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ssl.google-analytics.com https://assets.zendesk.com https://connect.facebook.net; img-src 'self' https://ssl.google-analytics.com https://s-static.ak.facebook.com https://assets.zendesk.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://assets.zendesk.com; font-src 'self' https://themes.googleusercontent.com; frame-src https://assets.zendesk.com https://www.facebook.com https://s-static.ak.facebook.com https://tautt.zendesk.com; object-src 'none'";
	add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
	add_header X-Frame-Options SAMEORIGIN;

	charset utf-8;
	gzip on;

	location / {
	root /ext/www/public_html/$host;
	index index.html index.htm;
	}

	location /favicon.ico {
	empty_gif;
	}

	location /.well-known/acme-challenge {
	root /ext/www/public_html/le-challenge;
	}

	#error_page 404 /404.html;
	error_page 500 502 503 504 /50x.html;
	location = /50x.html {
	root /usr/share/nginx/html;
	}

	# access_log /var/log/nginx/log/aenor.access.log main;
	}
	HOSTS=$(echo *hostname.tld \| sed -e 's/ /,/g')
	WEBROOT=/opt/www/public_html/le-challenge
	LETSENCRYPT=~/.local/share/letsencrypt/bin/letsencrypt

	$LETSENCRYPT certonly --renew-by-default -a webroot --webroot-path $WEBROOT -tv -d $HOSTS