sinabio/force-http.tpl

## readme.md

      
    Raw
  

              readme.md
            
          
install letsencrypt: https://github.com/letsencrypt/letsencrypt#installation
(optionally) make symlink: ln -s /etc/letsencrypt/letsencrypt-auto /usr/local/bin/letsencrypt

Certs will be generated/renewed to /etc/letsencrypt/live/<domain>/, so configure your webserver to take them from here OR symlink them to any domain directory (like I do)
My init/renew command uses webroot authenticator, so you need to specify webroot path.
In that directory letsencrypt will put .something/something/xxx and remote server will try to access that file to verify you have full access to that domain.
If authentication fails, it probably is not accessible from outside. Usually it is caused by rule disallowing hidden files/directories to be show - you will need to modify it to allow that generated directory+file.
Vesta tweaks

put force-https files to /usr/local/vesta/data/templates/web/nginx/php5-fpm (vesta 0.9.8) or to parent directory (older versions? try yourself), and then in Vesta change nginx template to force-https

  
## force-http.tpl
server {
    listen      %ip%:%web_port%;
    server_name %domain_idn% %alias_idn%;
    location / {
        rewrite ^(.*) https://%domain_idn%$1 permanent;
    }
}

## force-https.stpl
server {
    listen      %ip%:%web_ssl_port%;
    server_name %domain_idn% %alias_idn%;
    root        %sdocroot%;
    index       index.php index.html index.htm;
    access_log  /var/log/nginx/domains/%domain%.log combined;
    access_log  /var/log/nginx/domains/%domain%.bytes bytes;
    error_log   /var/log/nginx/domains/%domain%.error.log error;

    ssl         on;
    ssl_certificate      %ssl_pem%;
    ssl_certificate_key  %ssl_key%;

    location / {

        location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
            expires     max;
        }

        location ~ [^/]\.php(/|$) {
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            if (!-f $document_root$fastcgi_script_name) {
                return  404;
            }

            fastcgi_pass    %backend_lsnr%;
            fastcgi_index   index.php;
            include         /etc/nginx/fastcgi_params;
        }
    }

    error_page  403 /error/404.html;
    error_page  404 /error/404.html;
    error_page  500 502 503 504 /error/50x.html;

    location /error/ {
        alias   %home%/%user%/web/%domain%/document_errors/;
    }

    location ~* "/\.(htaccess|htpasswd)$" {
        deny    all;
        return  404;
    }

    include     /etc/nginx/conf.d/phpmyadmin.inc*;
    include     /etc/nginx/conf.d/phppgadmin.inc*;
    include     /etc/nginx/conf.d/webmail.inc*;

    include     %home%/%user%/conf/web/snginx.%domain%.conf*;
}

## main.md

      
    Raw
  

              main.md
            
          
    init & renew

replace ikw.cz with domain AND admin with vesta user

letsencrypt certonly \
 --authenticator webroot \
 --renew-by-default \
 --agree-tos \
 --webroot-path /home/admin/web/ikw.cz/public_html \
 --domains ikw.cz,www.ikw.cz


# only init
rm -rf /tmp/ssl.ikw.cz
mkdir /tmp/ssl.ikw.cz
cp /etc/letsencrypt/live/ikw.cz/fullchain.pem /tmp/ssl.ikw.cz/ikw.cz.pem
cp /etc/letsencrypt/live/ikw.cz/privkey.pem /tmp/ssl.ikw.cz/ikw.cz.key
cp /etc/letsencrypt/live/ikw.cz/cert.pem /tmp/ssl.ikw.cz/ikw.cz.crt
cp /etc/letsencrypt/live/ikw.cz/chain.pem /tmp/ssl.ikw.cz/ikw.cz.ca
v-add-web-domain-ssl admin ikw.cz /tmp/ssl.ikw.cz same yes
rm -rf /tmp/ssl.ikw.cz


rm /home/admin/conf/web/ssl.ikw.cz.*
ln -s /etc/letsencrypt/live/ikw.cz/fullchain.pem /home/admin/conf/web/ssl.ikw.cz.pem
ln -s /etc/letsencrypt/live/ikw.cz/privkey.pem /home/admin/conf/web/ssl.ikw.cz.key
ln -s /etc/letsencrypt/live/ikw.cz/cert.pem /home/admin/conf/web/ssl.ikw.cz.crt
ln -s /etc/letsencrypt/live/ikw.cz/chain.pem /home/admin/conf/web/ssl.ikw.cz.ca


## renewcerts.sh
#!/usr/bin/env bash
# Renew Let's Encrypt SSL certs
# Replace next line with first command from `gistfile1.txt` and email on line 11 with yours
# Then add this script to your cron to run every two months or so (certs are issued for 3 months)

letsencrypt certonly --authenticator webroot --renew-by-default --agree-tos --webroot-path /home/admin/web/ikw.cz/public_html --domains ikw.cz,www.ikw.cz

if [ $? -ne 0 ]
 then
        ERRORLOG=`tail /var/log/letsencrypt/letsencrypt.log`
        echo -e "The Lets Encrypt Cert has not been renewed! \n \n" $ERRORLOG | mail -s "Lets Encrypt Cert Alert" admin@ikw.cz
 else
        service apache2 reload
	service nginx reload
fi
	server {
	listen %ip%:%web_port%;
	server_name %domain_idn% %alias_idn%;
	location / {
	rewrite ^(.*) https://%domain_idn%$1 permanent;
	}
	}
	server {
	listen %ip%:%web_ssl_port%;
	server_name %domain_idn% %alias_idn%;
	root %sdocroot%;
	index index.php index.html index.htm;
	access_log /var/log/nginx/domains/%domain%.log combined;
	access_log /var/log/nginx/domains/%domain%.bytes bytes;
	error_log /var/log/nginx/domains/%domain%.error.log error;

	ssl on;
	ssl_certificate %ssl_pem%;
	ssl_certificate_key %ssl_key%;

	location / {

	location ~* ^.+\.(jpeg\|jpg\|png\|gif\|bmp\|ico\|svg\|css\|js)$ {
	expires max;
	}

	location ~ [^/]\.php(/\|$) {
	fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
	if (!-f $document_root$fastcgi_script_name) {
	return 404;
	}

	fastcgi_pass %backend_lsnr%;
	fastcgi_index index.php;
	include /etc/nginx/fastcgi_params;
	}
	}

	error_page 403 /error/404.html;
	error_page 404 /error/404.html;
	error_page 500 502 503 504 /error/50x.html;

	location /error/ {
	alias %home%/%user%/web/%domain%/document_errors/;
	}

	location ~* "/\.(htaccess\|htpasswd)$" {
	deny all;
	return 404;
	}

	include /etc/nginx/conf.d/phpmyadmin.inc*;
	include /etc/nginx/conf.d/phppgadmin.inc*;
	include /etc/nginx/conf.d/webmail.inc*;

	include %home%/%user%/conf/web/snginx.%domain%.conf*;
	}
	#!/usr/bin/env bash
	# Renew Let's Encrypt SSL certs
	# Replace next line with first command from `gistfile1.txt` and email on line 11 with yours
	# Then add this script to your cron to run every two months or so (certs are issued for 3 months)

	letsencrypt certonly --authenticator webroot --renew-by-default --agree-tos --webroot-path /home/admin/web/ikw.cz/public_html --domains ikw.cz,www.ikw.cz

	if [ $? -ne 0 ]
	then
	ERRORLOG=`tail /var/log/letsencrypt/letsencrypt.log`
	echo -e "The Lets Encrypt Cert has not been renewed! \n \n" $ERRORLOG \| mail -s "Lets Encrypt Cert Alert" admin@ikw.cz
	else
	service apache2 reload
	service nginx reload
	fi