Install:
$ sudo apt-get update
$ sudo apt-get install -y git
$ sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
$ cd /opt/letsencrypt
$ sudo ./letsencrypt-auto
Create folder:
$ cd /var/www
$ sudo mkdir letsencrypt
$ sudo chgrp www-data letsencrypt
$ sudo mkdir /etc/letsencrypt/configs
Create the file /etc/letsencrypt/configs/my-domain.conf (the same path is passed to --config when requesting the certificate)
with:
# Names to put in the certificate, comma-separated. The client normally names
# the directory under /etc/letsencrypt/live/ after the first entry -- verify
# that the paths used in the web server config match.
domains = my-domain.com, www.my-domain.com
# Size in bits of the RSA key generated for the certificate.
rsa-key-size = 4096
# ACME directory the client talks to.
# NOTE(review): acme-v01 is the ACME v1 API, which Let's Encrypt has since
# retired; current clients use ACME v2 -- confirm before reusing this line.
server = https://acme-v01.api.letsencrypt.org/directory
# Contact address registered with the CA account; replace it with an address
# you control.
email = soporte@axiacore.com
# Plain-text interface instead of the dialog UI.
text = True
# Prove control of the domain by writing challenge files below webroot-path;
# the web server must serve that directory at /.well-known/acme-challenge.
authenticator = webroot
webroot-path = /var/www/letsencrypt/
# Renew without prompting when a certificate for these names already exists,
# and accept the subscriber agreement without prompting, so the request can
# run unattended.
renew-by-default = True
agree-tos = True
Add this site to nginx:
# Plain-HTTP server used while the first certificate is being requested.
server {
listen 80 default_server;
server_name my-domain;
# With this root, challenge requests are read from
# /var/www/letsencrypt/.well-known/acme-challenge/, i.e. below the
# webroot-path given in the client configuration.
location /.well-known/acme-challenge {
root /var/www/letsencrypt;
}
...
}
Run:
$ sudo nginx -t && sudo nginx -s reload
Request the certificate:
$ cd /opt/letsencrypt
$ ./letsencrypt-auto --config /etc/letsencrypt/configs/my-domain.conf certonly
Create dhparams file:
$ sudo openssl dhparam -out /etc/letsencrypt/live/my-domain/dhparams.pem 2048
Add to your nginx file:
# Port 80 only redirects: every plain-HTTP request for my-domain is sent to
# the same host and URI over https with a permanent (301) redirect.
server {
listen 80;
listen [::]:80;
server_name my-domain;
# Challenge requests are redirected too, so the HTTPS server must also serve
# /.well-known/acme-challenge.
return 301 https://$host$request_uri;
}
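# HTTPS server for my-domain, using the Let's Encrypt files under
# /etc/letsencrypt/live/my-domain/.
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name my-domain;
# Session cache shared between worker processes; sessions expire after 10 minutes.
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 10m;
# TLS 1.0 and 1.1 are deprecated (RFC 8996) and are no longer offered.
# Add TLSv1.3 here when the installed nginx/OpenSSL build supports it.
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
# Same preference order as before, without the 3DES suite (64-bit block
# cipher); !3DES also stops a broader alias from bringing it back.
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
# fullchain.pem is the certificate plus intermediates; privkey.pem is its
# private key and should stay readable by root only.
ssl_certificate /etc/letsencrypt/live/my-domain/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/my-domain/privkey.pem;
# Parameters for the DHE suites, generated separately with openssl dhparam.
ssl_dhparam /etc/letsencrypt/live/my-domain/dhparams.pem;
# Renewal challenges arrive here after the port-80 redirect, so the webroot
# has to be served over HTTPS as well.
location /.well-known/acme-challenge {
root /var/www/letsencrypt;
}
...
}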
Restart nginx:
$ sudo nginx -t && sudo nginx -s reload
Put this script in /etc/cron.monthly/letsencrypt
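#!/bin/sh
# Monthly renewal job: request a certificate for every domain config in
# /etc/letsencrypt/configs, then restart nginx so it serves the new files.
# Exits non-zero if any step failed, so cron can report it.

# Stop if the client checkout is missing; otherwise ./letsencrypt-auto would
# be resolved against whatever directory the job was started in.
cd /opt/letsencrypt || exit 1

status=0
# Let the shell expand the glob instead of parsing ls output, so a path
# containing whitespace is passed through intact.
for conf in /etc/letsencrypt/configs/*.conf; do
  # With no matching file the pattern stays literal; skip it.
  [ -e "$conf" ] || continue
  if ! ./letsencrypt-auto --config "$conf" certonly; then
    echo "letsencrypt: renewal failed for $conf" >&2
    status=1
  fi
done

service nginx restart || status=1
exit "$status"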
Make it executable:
$ sudo chmod +x /etc/cron.monthly/letsencrypt
You are welcome!