mshafiee/Let's Encrypt Ubuntu

## Let's Encrypt Ubuntu
Let's Encrypt:
sudo apt install git bc nginx
sudo git clone https://github.com/certbot/certbot.git /opt/letsencrypt
Automatic renewal:
sudo crontab -e

30 2 * * 1 /opt/letsencrypt/letsencrypt-auto renew >> /var/log/le-renew.log
35 2 * * 1 /etc/init.d/nginx reload

To sign certificates, the Let's Encrypt API needs to verify that you own the domain for the certificate.
The easiest strategy for doing this is called webroot:

sudo mkdir /var/www/letsencrypt-webroot
sudo vim /etc/nginx/sites-enabled/default

Inside of the server block, paste the following settings:
location ~ /.well-known {
  allow all;
  alias /var/www/letsencrypt-webroot/.well-known;
  try_files $uri $uri/ =404;
}


sudo nginx -s reload

Nginx SSL configuration:
By default, nginx has a very weak SSL configuration. Let's fix that.
First of all, we need to generate a strong set of Diffie-Hellman parameters.

sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096
sudo vim /etc/nginx/nginx.conf

 Inside of the http block, paste the following settings:
 ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ecdh_curve secp384r1;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
add_header Strict-Transport-Security "max-age=63072000; always";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;


sudo nginx -s reload


Certificate creation:

export LC_ALL="en_US.UTF-8"
export LC_CTYPE="en_US.UTF-8"

sudo /opt/letsencrypt/letsencrypt-auto -a webroot --rsa-key-size 4096 --webroot-path /var/www/letsencrypt-webroot/.well-known/ certonly

sudo vim /etc/nginx/sites-available/example.com
server {
  listen 443 ssl;
  ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
  server_name example.com;

  location ~ / {
  allow all;
  alias /var/www/html/;
  try_files $uri $uri/ =404;
  }
}


cd /etc/nginx/sites-enabled
sudo ln -s ../sites-available/example.com
	Let's Encrypt:
	sudo apt install git bc nginx
	sudo git clone https://github.com/certbot/certbot.git /opt/letsencrypt
	Automatic renewal:
	sudo crontab -e

	30 2 * * 1 /opt/letsencrypt/letsencrypt-auto renew >> /var/log/le-renew.log
	35 2 * * 1 /etc/init.d/nginx reload

	To sign certificates, the Let's Encrypt API needs to verify that you own the domain for the certificate.
	The easiest strategy for doing this is called webroot:

	sudo mkdir /var/www/letsencrypt-webroot
	sudo vim /etc/nginx/sites-enabled/default

	Inside of the server block, paste the following settings:
	location ~ /.well-known {
	allow all;
	alias /var/www/letsencrypt-webroot/.well-known;
	try_files $uri $uri/ =404;
	}


	sudo nginx -s reload

	Nginx SSL configuration:
	By default, nginx has a very weak SSL configuration. Let's fix that.
	First of all, we need to generate a strong set of Diffie-Hellman parameters.

	sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096
	sudo vim /etc/nginx/nginx.conf

	Inside of the http block, paste the following settings:
	ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_ecdh_curve secp384r1;
	ssl_session_tickets off;
	ssl_stapling on;
	ssl_stapling_verify on;
	resolver 8.8.8.8 8.8.4.4 valid=300s;
	resolver_timeout 5s;
	ssl_session_cache shared:SSL:10m;
	ssl_session_timeout 10m;
	ssl_prefer_server_ciphers on;
	ssl_dhparam /etc/ssl/certs/dhparam.pem;
	add_header Strict-Transport-Security "max-age=63072000; always";
	add_header X-Frame-Options DENY;
	add_header X-Content-Type-Options nosniff;


	sudo nginx -s reload


	Certificate creation:

	export LC_ALL="en_US.UTF-8"
	export LC_CTYPE="en_US.UTF-8"

	sudo /opt/letsencrypt/letsencrypt-auto -a webroot --rsa-key-size 4096 --webroot-path /var/www/letsencrypt-webroot/.well-known/ certonly

	sudo vim /etc/nginx/sites-available/example.com
	server {
	listen 443 ssl;
	ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
	server_name example.com;

	location ~ / {
	allow all;
	alias /var/www/html/;
	try_files $uri $uri/ =404;
	}
	}


	cd /etc/nginx/sites-enabled
	sudo ln -s ../sites-available/example.com