@fadlisaad
Last active August 10, 2017 04:35
Letsencrypt manual renewal for nginx

First, run this command in a console:

certbot certonly --webroot -w /path/to/webroot/ -d domain.name

Then, create /etc/nginx/snippets/ssl-domain.name.conf:

# "ssl on;" is redundant when the server block uses "listen 443 ssl" (and was deprecated in nginx 1.15.0); kept here as in the original
ssl on;
# fullchain.pem contains the leaf certificate plus the Let's Encrypt intermediate, which clients need to build the chain
ssl_certificate /etc/letsencrypt/live/domain.name/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/domain.name/privkey.pem;

Next, update domain.name.conf in /etc/nginx/sites-available/

server {
    listen 443 ssl http2;
    server_name domain.name;

    include snippets/ssl-domain.name.conf;   # must match the snippet file created above
    include snippets/ssl-params.conf;
    
    ...
}

To create ssl-params.conf, please refer to this guide. An example is shown below:

# Protocols as in the original; note that TLSv1 and TLSv1.1 were later deprecated by RFC 8996,
# so TLSv1.2 (plus TLSv1.3 where supported) is the usual choice today
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

# Server picks the cipher; the list allows only ECDHE/DHE AES-GCM and AES-256 suites
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";

ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
# Tickets are disabled so resumed sessions are not protected by a single long-lived ticket key
ssl_session_tickets off;

# OCSP stapling: nginx fetches the OCSP response itself, so it needs a resolver (below)
ssl_stapling on;
ssl_stapling_verify on;

resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;

# HSTS for one year; "preload" submits the domain to browser preload lists and is hard to undo
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

# Required for the DHE (EDH) suites above; the file must be generated first, e.g. with openssl dhparam
ssl_dhparam /etc/ssl/certs/dhparam.pem;
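As an added check that is not part of the gist: a small Python linter that parses an nginx TLS snippet like ssl-params.conf and flags the settings a reviewer would question (deprecated protocols, stapling without a resolver, DHE suites without ssl_dhparam, session tickets left on, HSTS header problems). The embedded sample is the snippet above, constructed inline so the script runs offline.

```python
import re
# Constructed sample: the ssl-params.conf from the gist above, embedded so this runs offline.
GIST_CONF = """
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
ssl_dhparam /etc/ssl/certs/dhparam.pem;
"""

# Deprecated by RFC 7568 (SSLv3) and RFC 8996 (TLS 1.0 and 1.1).
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def parse_directives(text):
    """Yield (name, args) for each simple directive; comments and block braces are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.endswith(";"):
            name, _, args = line[:-1].partition(" ")
            yield name, args.strip()

def audit(text):
    """Return a list of findings for a TLS snippet; an empty list means nothing was flagged."""
    seen, headers = {}, []
    for name, args in parse_directives(text):
        if name == "add_header":
            headers.append(args)      # add_header repeats, so keep every value
        else:
            seen[name] = args         # nginx rejects duplicate directives in one context
    findings = []
    weak = WEAK_PROTOCOLS & set(seen.get("ssl_protocols", "").split())
    if weak:
        findings.append("ssl_protocols enables deprecated " + ", ".join(sorted(weak)))
    if seen.get("ssl_stapling") == "on" and "resolver" not in seen:
        findings.append("ssl_stapling on without a resolver; OCSP responder cannot be resolved")
    if "ssl_dhparam" not in seen and re.search(r"EDH|DHE", seen.get("ssl_ciphers", "")):
        findings.append("DHE ciphers offered but ssl_dhparam is not set")
    if seen.get("ssl_session_tickets", "on") == "on":      # nginx default is on
        findings.append("ssl_session_tickets on: ticket keys must be rotated to keep forward secrecy")
    hsts = [h for h in headers if h.startswith("Strict-Transport-Security")]
    if not hsts:
        findings.append("no Strict-Transport-Security header")
    elif "preload" in hsts[0] and "includeSubDomains" not in hsts[0]:
        findings.append("HSTS preload requires includeSubDomains")
    return findings
```

Running audit() on the gist's snippet flags only the TLSv1/TLSv1.1 entry; swapping the protocol line for TLSv1.2/TLSv1.3 clears it.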

TLSv1.3 is upcoming and still in beta; I'm unsure whether it is already supported in nginx. If you're interested, you can try to follow this excellent guide from Mattias Geniar.

@fadlisaad
Author

Thank you @mattiasgeniar for the TLS 1.3 guide
