@nunomorgadinho
Last active July 19, 2022 09:55
Install PHP56-FPM, Nginx, MySQL on EC2 with Amazon Linux AMI and SSL with letsencrypt
# adduser nginx
adduser nginx
# Install linux update, followed by GCC and Make
sudo yum -y update
sudo yum install -y gcc make
# Install Nginx and PHP-FPM
sudo yum install -y nginx php56-fpm
# Install PHP extensions
sudo yum install -y php56-devel php56-pdo \
php56-pear php56-mbstring php56-cli php56-odbc \
php56-imap php56-gd php56-xml php56-soap
# Install PHP-APC
sudo yum install -y php56-pecl-apc
# Install MySQL
sudo yum -y install php56-mysqlnd
sudo yum -y install mysql-server mysql
# Configure NGINX
cd /etc
mv nginx nginx.orig
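# Get our boilerplate NGINX configuration
# (fetched over plain HTTP with no checksum: review the archive contents before extracting into /etc)
wget http://widgilabs.com/static/nginx.tar.gz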
tar -zxvpf nginx.tar.gz
# Edit your domain nginx config (see also nginx-your-domain-config below)
nano /etc/nginx/sites-available/<your_website_domain>
cd ../sites-enabled
ln -s ../sites-available/<your_website_domain> .
# Configure php-fpm (see www.conf below)
vim /etc/php-fpm-5.6.d/www.conf
# Create paths
mkdir -p /srv/www
mkdir -p /usr/share/nginx/logs/
# Start nginx and php-fpm
/etc/init.d/nginx start
/etc/init.d/php-fpm-5.6 start
# Start mysqld
/etc/init.d/mysqld start
/usr/libexec/mysql55/mysql_secure_installation
# Create MySQL user
mysql -u root -p
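# In the MySQL console:
CREATE USER 'finley'@'localhost' IDENTIFIED BY 'some_pass';
# ALL PRIVILEGES ON *.* WITH GRANT OPTION makes this a full administrative account;
# an application user only needs privileges on its own database
GRANT ALL PRIVILEGES ON *.* TO 'finley'@'localhost' WITH GRANT OPTION;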
FLUSH PRIVILEGES;
##### Add SSL with letsencrypt
yum -y install git bc
git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
cd /opt/letsencrypt/
## Using letsencrypt and Obtaining a Certificate
## based on: https://www.mitchcanter.com/lets-encrypt-ssl-amazon-aws/
/etc/init.d/nginx stop
./letsencrypt-auto certonly --standalone --debug
## Setting up Nginx with SSL (see below nginx-your-domain-config-with-ssl)
nano /etc/nginx/sites-available/<your_domain>
## Post-Setup for WordPress
# Edit your wp-config.php file and add these variables:
define('WP_HOME','https://yourdomain.com');
define('WP_SITEURL','https://yourdomain.com');
## Auto-Renewals of SSL Certificates
sudo nano /etc/nginx/sites-enabled/yourdomain.com
# In the “server” block, add the following:
location ~ /.well-known {
allow all;
}
cd /opt/letsencrypt
export LC_ALL="en_US.UTF-8"
export LC_CTYPE="en_US.UTF-8"
./letsencrypt-auto certonly -a webroot --agree-tos --renew-by-default --webroot-path=/srv/www -d <your_domain>
sudo service nginx reload
# Now let's create a cron job to automate this process.
sudo cp /opt/letsencrypt/examples/cli.ini /usr/local/etc/le-renew-webroot.ini
sudo nano /usr/local/etc/le-renew-webroot.ini
# Test the config
cd /opt/letsencrypt
./letsencrypt-auto certonly -a webroot --renew-by-default --config /usr/local/etc/le-renew-webroot.ini
# Set up cron job
sudo curl -L -o /usr/local/sbin/le-renew-webroot https://gist.githubusercontent.com/thisismitch/e1b603165523df66d5cc/raw/fbffbf358e96110d5566f13677d9bd5f4f65794c/le-renew-webroot
sudo chmod +x /usr/local/sbin/le-renew-webroot
# Test this script before we set up the cron
/usr/local/sbin/le-renew-webroot
# Edit crontab
crontab -e
30 2 * * 1 /usr/local/sbin/le-renew-webroot >> /var/log/le-renewal.log
# Contents of /usr/local/etc/le-renew-webroot.ini
# Use a 4096 bit RSA key instead of 2048
rsa-key-size = 4096
# Registered Email
email = you@yourdomain.com
# Domain(s) to Secure
domains = yourdomain.com, www.yourdomain.com
# Webroot Authentication and Path
authenticator = webroot
webroot-path = /sites/yourdomain.com/htdocs
# nginx-your-domain-config-with-ssl
# Configure client_max_body_size and fastcgi_max_temp_file_size according to your needs
client_max_body_size 20M;
fastcgi_max_temp_file_size 10M;
server {
    listen [::]:80;
    listen 80;
    listen 443 ssl; #### this is new
    ##### this is new - change yourdomain.com to <your_domain>
    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); keep them only if legacy clients require them
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
}
# Lives in /etc/php-fpm-5.6.d/www.conf
[...]
user = nginx
group = nginx
[...]
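
The `ssl_protocols` line in the SSL server block above still enables TLSv1 and TLSv1.1. As an added example (not part of the original gist), this script scans nginx config files for deprecated protocol versions; the function name `audit_ssl_protocols` and the sample config are constructed for illustration, and it assumes each `ssl_protocols` directive fits on one line.

```bash
#!/usr/bin/env bash
# Added example (not from the gist): report deprecated SSL/TLS versions
# enabled by ssl_protocols in one or more nginx config files.
# Assumption: each ssl_protocols directive fits on a single line.

audit_ssl_protocols() {
    # Prints "file:line: deprecated protocol X" per finding; returns 1 if any.
    awk '
        {
            line = $0
            sub("#.*", "", line)              # ignore comments
        }
        line ~ /^[ \t]*ssl_protocols[ \t]/ {
            gsub(/;/, " ", line)
            n = split(line, tok, /[ \t]+/)
            for (i = 1; i <= n; i++)
                if (tok[i] ~ /^(SSLv2|SSLv3|TLSv1|TLSv1\.1)$/) {
                    printf "%s:%d: deprecated protocol %s\n", FILENAME, FNR, tok[i]
                    bad = 1
                }
        }
        END { exit (bad ? 1 : 0) }
    ' "$@"
}

# Constructed sample mirroring the TLS lines of the server block above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
server {
    listen 443 ssl;
    # ssl_protocols SSLv3;   (commented out, must not be reported)
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
}
EOF

if audit_ssl_protocols "$sample"; then
    echo "no deprecated protocols enabled"
else
    echo "restrict ssl_protocols to TLSv1.2 (and TLSv1.3 where supported)"
fi
rm -f "$sample"
```

To check the real files from this setup, call `audit_ssl_protocols /etc/nginx/sites-enabled/*`.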
@nunomorgadinho
Author

sudo root
/usr/local/sbin/le-renew-webroot
/etc/init.d/nginx restart

or

export PATH=$PATH:/opt/letsencrypt/venv27/bin
./letsencrypt-auto certonly -a webroot --agree-tos --renew-by-default --webroot-path=/srv/www --debug -d eco.pt -d www.eco.pt
openssl x509 -noout -dates -in /etc/letsencrypt/live/eco.pt-0001/cert.pem

@hengbenkeji

What happened in line 27 and 27, which are not consistent?
