waltspence/lets-encrypt.sh

## lets-encrypt.sh
# Let's Encrypt SSL Setup
# Following the awesome tutorial from digitalocean's community:
# https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-14-04
#####
sudo apt-get -y install git bc
sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
sudo apt-get install nginx
sudo nano /etc/nginx/sites-available/default
# Add to server block:
# location ~ /.well-known {
#                 allow all;
#         }

sudo service nginx reload
cd /opt/letsencrypt
# Run the following by replacing yourdomain
# ./letsencrypt-auto certonly -a webroot --webroot-path=/usr/share/nginx/html -d YOURDOMAIN.com -d www.YOURDOMAIN.com

# Check that files are there by running the following, replacing your_domain_name:
sudo ls -l /etc/letsencrypt/live/your_domain_name

sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

# Configure SSL
sudo nano /etc/nginx/sites-available/default

# Delete right after the server block:
# listen 80 default_server;
# listen [::]:80 default_server ipv6only=on;

# Add, replacing yourdomain:
# listen 443 ssl;
# server_name YOURDOMAIN.com www.YOURDOMAIN.com;
# ssl_certificate /etc/letsencrypt/live/YOURDOMAIN.com/fullchain.pem;
# ssl_certificate_key /etc/letsencrypt/live/YOURDOMAIN.com/privkey.pem;
# ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# ssl_prefer_server_ciphers on;
# ssl_dhparam /etc/ssl/certs/dhparam.pem;
# ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
# ssl_session_timeout 1d;
# ssl_session_cache shared:SSL:50m;
# ssl_stapling on;
# ssl_stapling_verify on;
# add_header Strict-Transport-Security max-age=15768000;

# Then Add outside of the first server block:
# server {
#     listen 80;
#     server_name YOURDOMAIN.com www.YOURDOMAIN.com;
#     return 301 https://$host$request_uri;
# }

# Restart nginx
sudo service nginx reload

# Go to https://www.ssllabs.com/ssltest/analyze.html?d=YOURDOMAIN.com
	# Let's Encrypt SSL Setup
	# Following the awesome tutorial from digitalocean's community:
	# https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-14-04
	#####
	sudo apt-get -y install git bc
	sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
	sudo apt-get install nginx
	sudo nano /etc/nginx/sites-available/default
	# Add to server block:
	# location ~ /.well-known {
	# allow all;
	# }

	sudo service nginx reload
	cd /opt/letsencrypt
	# Run the following by replacing yourdomain
	# ./letsencrypt-auto certonly -a webroot --webroot-path=/usr/share/nginx/html -d YOURDOMAIN.com -d www.YOURDOMAIN.com

	# Check that files are there by running the following, replacing your_domain_name:
	sudo ls -l /etc/letsencrypt/live/your_domain_name

	sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

	# Configure SSL
	sudo nano /etc/nginx/sites-available/default

	# Delete right after the server block:
	# listen 80 default_server;
	# listen [::]:80 default_server ipv6only=on;

	# Add, replacing yourdomain:
	# listen 443 ssl;
	# server_name YOURDOMAIN.com www.YOURDOMAIN.com;
	# ssl_certificate /etc/letsencrypt/live/YOURDOMAIN.com/fullchain.pem;
	# ssl_certificate_key /etc/letsencrypt/live/YOURDOMAIN.com/privkey.pem;
	# ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	# ssl_prefer_server_ciphers on;
	# ssl_dhparam /etc/ssl/certs/dhparam.pem;
	# ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
	# ssl_session_timeout 1d;
	# ssl_session_cache shared:SSL:50m;
	# ssl_stapling on;
	# ssl_stapling_verify on;
	# add_header Strict-Transport-Security max-age=15768000;

	# Then Add outside of the first server block:
	# server {
	# listen 80;
	# server_name YOURDOMAIN.com www.YOURDOMAIN.com;
	# return 301 https://$host$request_uri;
	# }

	# Restart nginx
	sudo service nginx reload

	# Go to https://www.ssllabs.com/ssltest/analyze.html?d=YOURDOMAIN.com