silpol/Install Lets Encrypt.md

## domain.com.conf
# the domain we want to get the cert for;
# technically it's possible to have multiple of this lines, but it only worked
# with one domain for me, another one only got one cert, so I would recommend
# separate config files per domain.
domains = domain.com

# increase key size
rsa-key-size = 2048 # Or 4096

# the current closed beta (as of 2015-Nov-07) is using this server
server = https://acme-v01.api.letsencrypt.org/directory

# this address will receive renewal reminders
email = webmaster@domain.com

# turn off the ncurses UI, we want this to be run as a cronjob
text = True

# authenticate by placing a file in the webroot (under .well-known/acme-challenge/)
# and then letting LE fetch it
authenticator = webroot
webroot-path = /var/www/letsencrypt/

## Install Lets Encrypt.md

      
    Raw
  

              Install Lets Encrypt.md
            
          
    Install certbot

https://certbot.eff.org/#ubuntutrusty-other
Config certbot


mkdir -p /etc/letsencrypt/configs
Create the file: /etc/letsencrypt/configs/domain.com.conf
mkdir -p /var/www/letsencrypt/

Configure nginx


Generate dhparam:

mkdir -p /etc/nginx/ssl/
openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048


Configure vhost to support letsencrypt validator:


    location /.well-known {
        root /var/www/letsencrypt;
    }


Reload nginx:
nginx -s reload

Get the first certificate

./certbot-auto --renew-by-default --config /etc/letsencrypt/configs/domain.com.conf certonly
Configure NGINX to use the new certificate


Add the following lines to server section:

ssl                 on;
ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
ssl_certificate     /etc/letsencrypt/live/domain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;
ssl_ciphers         'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
ssl_prefer_server_ciphers on;
ssl_dhparam         /etc/nginx/ssl/dhparams.pem;
ssl_session_timeout 1d;
ssl_session_cache   shared:SSL:50m;
ssl_stapling        on;
ssl_stapling_verify on;
add_header Strict-Transport-Security max-age=15768000;

Add auto-renew to crontab


Create the file letsencrypt-autoupdate.sh
Give execution permission: chmod +x letsencrypt-autoupdate.sh
Add to crontab: crontab -e

0 0 1 * * /root/letsencrypt-autoupdate.sh


## letsencrypt-autoupdate.sh
#!/bin/sh

# update certs
cd /root/

for conf in $(ls /etc/letsencrypt/configs/*.conf); do
  ./certbot-auto --renew-by-default --config "$conf" certonly
done

# make sure nginx picks them up
/usr/sbin/nginx -s reload
	# the domain we want to get the cert for;
	# technically it's possible to have multiple of this lines, but it only worked
	# with one domain for me, another one only got one cert, so I would recommend
	# separate config files per domain.
	domains = domain.com

	# increase key size
	rsa-key-size = 2048 # Or 4096

	# the current closed beta (as of 2015-Nov-07) is using this server
	server = https://acme-v01.api.letsencrypt.org/directory

	# this address will receive renewal reminders
	email = webmaster@domain.com

	# turn off the ncurses UI, we want this to be run as a cronjob
	text = True

	# authenticate by placing a file in the webroot (under .well-known/acme-challenge/)
	# and then letting LE fetch it
	authenticator = webroot
	webroot-path = /var/www/letsencrypt/
	#!/bin/sh

	# update certs
	cd /root/

	for conf in $(ls /etc/letsencrypt/configs/*.conf); do
	./certbot-auto --renew-by-default --config "$conf" certonly
	done

	# make sure nginx picks them up
	/usr/sbin/nginx -s reload