@mrabbani
Last active November 4, 2020 16:34
Open Ssl Configuration

Index

Create new certificate

mkdir -p /var/www/{domain}/.well-known
chown -R www-data:www-data /var/www/{domain}/.well-known

Update the nginx config file as follows:

location ~ /.well-known {
    allow all;
    root /var/www/{project-root-path};
}

Reload nginx

service nginx reload

openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
apt-get update

git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt

cd /opt/letsencrypt

./letsencrypt-auto certonly -a webroot --agree-tos --renew-by-default --email {email_address} --webroot-path=/var/www/{project-root-path} -d {domain}

If letsencrypt-auto fails with a python pip error such as OSError: Command /home/administrator/...ncrypt/bin/python2.7 - setuptools pkg_resources pip wheel failed with error code 1, install pip and setuptools:

apt-get install python-pip
pip install setuptools

If you get the error locale.Error: unsupported locale setting, set the locale and upgrade setuptools:

export LC_ALL="en_US.UTF-8"
export LC_CTYPE="en_US.UTF-8"

pip install --upgrade setuptools

Then run the command again:

/opt/letsencrypt/letsencrypt-auto certonly -a webroot --agree-tos --renew-by-default --email {email_address} --webroot-path=/var/www/{project-root-path} -d {domain}

After successful certificate generation, the message will be:

  IMPORTANT NOTES:
  - Congratulations! Your certificate and chain have been saved at:
  /etc/letsencrypt/live/{domain}/fullchain.pem
  Your key file has been saved at:
  /etc/letsencrypt/live/{domain}/privkey.pem
  Your cert will expire on 2018-08-21. To obtain a new or tweaked
  version of this certificate in the future, simply run
  letsencrypt-auto again. To non-interactively renew all of your
  certificates, run "letsencrypt-auto renew"
  - If you like Certbot, please consider supporting our work by:

  Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
  Donating to EFF: https://eff.org/donate-le

Update the nginx config for SSL as follows (configs are in /etc/nginx/sites-available/{domain}):

server {
  listen 80;
  listen [::]:80;

  server_name {domain} www.{domain};

  # send all plain-HTTP traffic to HTTPS
  return 301 https://{domain}$request_uri;
}

server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
  ssl_certificate     /etc/letsencrypt/live/{domain}/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/{domain}/privkey.pem;
  # DH parameters generated with "openssl dhparam" above
  ssl_dhparam         /etc/ssl/certs/dhparam.pem;

  server_name {domain} www.{domain};

  root /var/www/{project-public-path};
  index index.html index.php;

  location / {
    try_files $uri $uri/ /index.php?$query_string;
    #try_files $uri $uri/ =404;
  }

  location ~ \.php$ {
    include snippets/fastcgi-php.conf;
    fastcgi_pass unix:/run/php/php7.2-fpm.sock;
  }

  # keep the ACME webroot reachable so renewals keep working
  location ~ /.well-known {
    allow all;
    root /var/www/{project-root-path};
  }
}

Reload nginx

service nginx reload

Renew Certificate

cd /opt/letsencrypt
./letsencrypt-auto renew
service nginx reload
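
As an added example (not part of the original gist), a small shell helper for a cron or monitoring job that checks how many days a certificate has left, so an expiry is caught even if the renew step above silently fails. It assumes openssl is installed and takes the path to fullchain.pem from the letsencrypt live directory; the {domain} placeholder in the comment is the same one used throughout this gist.

```shell
#!/bin/sh
# Added example: decide whether a Let's Encrypt certificate needs renewal.
# Usage: cert_needs_renewal /etc/letsencrypt/live/{domain}/fullchain.pem 30
# Exit status: 0 = expires within THRESHOLD_DAYS (renew now),
#              1 = still valid beyond the threshold,
#              2 = file missing or not a parseable certificate.
cert_needs_renewal() {
    cert="$1"
    threshold_days="${2:-30}"
    [ -r "$cert" ] || return 2
    # make sure it is a real certificate before trusting -checkend's exit code
    openssl x509 -in "$cert" -noout >/dev/null 2>&1 || return 2
    seconds=$((threshold_days * 86400))
    # -checkend N exits 0 when the cert is still valid N seconds from now
    if openssl x509 -in "$cert" -noout -checkend "$seconds" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Print the notAfter date, the same value certbot reports as "Your cert will expire on".
cert_expiry_date() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Renew and reload only when the threshold is reached (certbot itself also
# applies a 30-day rule; this wrapper just makes the check explicit and loggable).
renew_if_needed() {
    if cert_needs_renewal "$1" "${2:-30}"; then
        echo "certificate $1 expires $(cert_expiry_date "$1"); renewing"
        /opt/letsencrypt/letsencrypt-auto renew && service nginx reload
    fi
}
```

Run it as renew_if_needed /etc/letsencrypt/live/{domain}/fullchain.pem from cron; the wrapper is a no-op while more than 30 days remain.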

Renew wildcard SSL

cd /opt/letsencrypt
certbot certonly --manual -d '*.enzaime.com'
service nginx reload

This will prompt you to set the given value as a TXT record on _acme-challenge.enzaime.com. You need to set the value shown in the terminal before continuing.

Redirect WWW to non-WWW wildcard domain

if ($host ~* ^www\.(.*)) {
    set $host_without_www $1;
    # redirect to the HTTPS non-www host, keeping the original URI and query string
    return 301 https://$host_without_www$request_uri;
}

Delete Certificate

sudo certbot delete --cert-name yourdomain.com