Letsencrypt
ĮSPĖJIMAS
Debian Jessie (8.x)[keisti]
# Enable the jessie-backports repository so that certbot is installable on Debian 8.
echo 'deb http://ftp.debian.org/debian jessie-backports main' | sudo tee /etc/apt/sources.list.d/backports.list
sudo apt-get update
sudo apt-get install -t jessie-backports certbot
# Obtain the certificate only (certonly: no automatic web-server configuration)
# with the webroot authenticator. The ACME challenge files are written below
# --webroot-path, so the nginx location that serves /.well-known must use that
# same directory as its root.
sudo certbot certonly --authenticator webroot --webroot-path /var/www/html --domain example.com --domain www.example.com
nginx.conf[keisti]
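# Serves the ACME http-01 challenge files that certbot writes during issuance/renewal.
# NOTE: root must be the directory given to certbot as --webroot-path (the page's
# certbot command uses /var/www/html, while this block uses /home/useris/public);
# if the two differ the challenge file is never found and validation fails.
# The prefix match (^~) replaces the original unanchored regex "~ /.well-known", whose
# unescaped "." matched any URI merely containing that substring; it also limits the
# publicly served subtree to the challenge directory instead of all of /.well-known.
location ^~ /.well-known/acme-challenge/ {
    root /home/useris/public;
    allow all;
}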
/etc/nginx/snippets/ssl-params.conf[keisti]
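# from https://cipherli.st/
# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html

# TLS 1.0 and 1.1 are deprecated (RFC 8996) and were removed from this list
# (the original enabled TLSv1 TLSv1.1 TLSv1.2). Add TLSv1.3 only if the installed
# nginx/OpenSSL support it.
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
# A single named curve; widen the list if client compatibility turns out to be a problem.
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
# Tickets are commonly disabled because nginx does not rotate the ticket key by default.
ssl_session_tickets off;
# OCSP stapling: nginx fetches the OCSP response itself and needs a resolver for that.
# 8.8.8.8/8.8.4.4 are queried over plain DNS; a local or otherwise trusted resolver
# can be substituted here.
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Disable preloading HSTS for now. You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
# Caveat: nginx does not inherit add_header from an outer block into a block that sets
# its own add_header, so a server/location that adds a header of its own must repeat these.
# The dhparam file is not created by certbot; generate it before starting nginx
# (e.g. openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048), otherwise the
# configuration fails to load.
ssl_dhparam /etc/ssl/certs/dhparam.pem;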
Redirectas į SSL[keisti]
# Plain-HTTP listener whose only job is to redirect to HTTPS.
# $server_name expands to the first name of the server_name directive (example.com),
# so a request for www.example.com is redirected to https://example.com/... as well;
# use $host instead if the requested hostname should be preserved.
# Note: the redirect is unconditional, so ACME http-01 requests under /.well-known
# are redirected too. Let's Encrypt's validator is expected to follow the redirect,
# which means the HTTPS server block must also serve the challenge directory
# (or this block needs a /.well-known exception) — confirm on the host.
server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$server_name$request_uri;
}
SSL hostas[keisti]
# HTTPS virtual host. The two ssl_* paths below are the page author's placeholders;
# certbot stores the certificate chain and key as fullchain.pem and privkey.pem under
# /etc/letsencrypt/live/<domain>/ — confirm the actual directory on the host.
# Note: this block does not include the /.well-known location from nginx.conf, so
# challenge requests that were redirected to HTTPS are not served here unless it is added.
# Adding an add_header directive in this block would drop the headers set in the
# included snippet (nginx add_header is not inherited once a block defines its own).
server {
    listen 443 ssl;
    server_name example.com www.example.com;
    include snippets/ssl-params.conf;
    ssl_certificate ...path to fullchain.pem;
    ssl_certificate_key ..path to privkey.pem;
}
Cron renew[keisti]
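# System crontab format (it carries a user field): install this in /etc/cron.d/ or
# /etc/crontab, not through `crontab -e`, where the "root" field would be read as the command.
# Runs daily at 02:30 as root; by default `certbot renew` only replaces certificates
# that are close to expiry, and the hook reloads nginx after a successful renewal.
# stderr is now redirected too (2>&1) so renewal failures end up in the log file
# instead of being lost or mailed by cron.
30 2 * * * root /usr/bin/certbot renew --noninteractive --renew-hook "/bin/systemctl reload nginx" >> /var/log/le-renew.log 2>&1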