Skip to content

Instantly share code, notes, and snippets.

@kmassada

kmassada/README.md

Created June 25, 2018 17:32
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save kmassada/ac1f3be46db91cc999a343c8c50b8291 to your computer and use it in GitHub Desktop.
Save kmassada/ac1f3be46db91cc999a343c8c50b8291 to your computer and use it in GitHub Desktop.
Download ZIP
Trying let'sencrypt with nginx
Raw
README.md

Letsencrypt + nginx

sudo apt-get install -y software-properties-common
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install python-certbot-nginx
sudo apt-get install nginx

sudo cp /etc/nginx/sites-available/default  /etc/nginx/conf.d/test.example.com.conf
sudo nginx -t
sudo systemctl reload nginx

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

# self-signed.conf
ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;

# ssl-params.conf from https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.10.3&openssl=1.0.1e&hsts=yes&profile=intermediate
...
ssl_dhparam /etc/ssl/certs/dhparam.pem;

include snippets/self-signed.conf;
include snippets/ssl-params.conf;

# why authenticator standalone, https://github.com/certbot/certbot/issues/5405#issuecomment-356498627
sudo certbot --authenticator standalone --installer nginx --pre-hook "service nginx stop" --post-hook "service nginx start" -d test.example.com -d www.test.example.com

Debug

more /var/log/letsencrypt/letsencrypt.log
Raw
config-dump.conf
# Default server configuration
#
server {
listen 80;
listen [::]:80;
server_name test.example.com www.test.example.com;
# return 301 https://$server_name$request_uri;
# Redirect non-https traffic to https
if ($scheme != "https") {
return 301 https://$host$request_uri;
} # managed by Certbot
}
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name test.example.com www.test.example.com;
ssl_certificate /etc/letsencrypt/live/test.example.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/test.example.com/privkey.pem; # managed by Certbot
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security max-age=15768000;
ssl_stapling on;
ssl_stapling_verify on;
# ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
root /var/www/html;
index index.html index.htm index.nginx-debian.html;
location / {
try_files $uri $uri/ =404;
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment