Nginx SSL via Let's Encrypt! - jonatello/lab-musing GitHub Wiki

Resources:

https://www.tecmint.com/install-lets-encrypt-ssl-for-nginx-on-freebsd/

Configuration:

Update the jail

pkg update -f

pkg upgrade

Install the Nginx package

pkg install nginx

Enable Nginx via rc.conf

sysrc nginx_enable=yes

Make subdirectories for sites-available and sites-enabled for easy management

mkdir /usr/local/etc/nginx/sites-enabled

mkdir /usr/local/etc/nginx/sites-available

Generate a strong Diffie-Hellman parameter file (4096-bit generation takes several minutes; it is only used for DHE suites, ECDHE suites do not need it)

openssl dhparam -out /usr/local/etc/nginx/dhparam.pem 4096

Create the site configuration file and fill it in. The "famp.nginx.conf" file is a good starting point. Replace example.com as appropriate. "example" within the config refers to an upstream server already defined in the main nginx.conf file. The cipher list and hardening settings follow the suggestions from https://cipherli.st/

touch /usr/local/etc/nginx/sites-available/example.com

Create a symlink from sites-available to sites-enabled. This makes it simple to manage many sites and enable or disable them on the fly (nginx.conf must include /usr/local/etc/nginx/sites-enabled/* inside its http block for the symlinks to be picked up)

ln -s /usr/local/etc/nginx/sites-available/example.com /usr/local/etc/nginx/sites-enabled/example.com
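The site configuration file itself is not shown on this page. The following is an added example of what /usr/local/etc/nginx/sites-available/example.com can look like for this setup; it is not the "famp.nginx.conf" file or anything else from the jonatello/lab-musing repository. It assumes an upstream named "example" in nginx.conf, the ACME webroot /usr/local/www/nginx used by the certbot step further down, the dhparam.pem generated above, and the default FreeBSD certbot directory /usr/local/etc/letsencrypt. The port 80 block must be live before the first certbot run so the HTTP-01 challenge can be answered; the port 443 block references certificate files that only exist after that run, so add it (or keep it commented out) until then, otherwise nginx refuses to start.

```nginx
# Added example: /usr/local/etc/nginx/sites-available/example.com
# Assumptions (not from the original page): upstream "example" in nginx.conf,
# ACME webroot /usr/local/www/nginx, certbot paths under /usr/local/etc/letsencrypt.

# Port 80: answer ACME HTTP-01 challenges, redirect everything else to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;

    # Let's Encrypt fetches http://example.com/.well-known/acme-challenge/<token>
    # from here; "^~" stops the redirect below from catching it.
    location ^~ /.well-known/acme-challenge/ {
        root /usr/local/www/nginx;
        default_type text/plain;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# Port 443: TLS termination in front of the "example" upstream.
# Enable this block only after the first certificate has been issued.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.com www.example.com;

    ssl_certificate         /usr/local/etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key     /usr/local/etc/letsencrypt/live/example.com/privkey.pem;
    ssl_trusted_certificate /usr/local/etc/letsencrypt/live/example.com/chain.pem;
    ssl_dhparam             /usr/local/etc/nginx/dhparam.pem;

    # Protocol and cipher hardening in the spirit of cipherli.st: no SSLv3,
    # TLS 1.0 or 1.1; forward-secret AEAD suites only; server order preferred.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_ecdh_curve secp384r1;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_session_tickets off;

    # OCSP stapling needs a resolver to look up the responder; assumption: a
    # resolver is reachable at 127.0.0.1 inside the jail, adjust as needed.
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 127.0.0.1 valid=300s;
    resolver_timeout 5s;

    # HSTS: start with a short max-age and raise it once every host under the
    # domain is confirmed to serve HTTPS; "always" also covers error responses.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
    add_header X-Frame-Options DENY always;
    add_header X-Content-Type-Options nosniff always;

    # Serve challenges over HTTPS as well, so renewals keep working if a
    # challenge request is ever redirected here.
    location ^~ /.well-known/acme-challenge/ {
        root /usr/local/www/nginx;
    }

    location / {
        proxy_pass http://example;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

Check the result with `nginx -t` before reloading; TLSv1.3 in ssl_protocols requires the FreeBSD nginx package to be built against OpenSSL 1.1.1 or later, which current releases are. After the site is up, a test against https://www.ssllabs.com/ssltest/ confirms the cipher and protocol settings took effect.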

Install certbot for Let's Encrypt autorenewal (the py27- prefix tracks the Python version the port is built for; on current FreeBSD releases the package is the corresponding py3x-certbot)

pkg install py27-certbot

Request a new certificate via the webroot method (fill in the appropriate information when prompted). Nginx must already be running and serving /usr/local/www/nginx on port 80 for example.com and www.example.com, because Let's Encrypt validates the HTTP-01 challenge by fetching a token from /.well-known/acme-challenge/ on each name

certbot certonly --webroot -w /usr/local/www/nginx -d example.com -d www.example.com

Test renewal

certbot renew --dry-run

Set up a cronjob for automatic renewal (as root, since the hook needs to control nginx). --post-hook runs only when certbot actually attempted a renewal; "service nginx reload" is enough to pick up the new certificate without dropping connections, the restart below is what the original recipe used

crontab -e

0 6 * * * certbot renew --quiet --post-hook "service nginx restart"
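A post-hook that restarts nginx unconditionally will take the site down if a bad config edit has crept in since the last reload. The following is an added example (not from the original page) of a certbot deploy hook that gates the reload on `nginx -t`. Certbot runs scripts placed in the renewal-hooks/deploy directory only for lineages that were actually renewed and exports RENEWED_LINEAGE and RENEWED_DOMAINS for them; the install path /usr/local/etc/letsencrypt/renewal-hooks/deploy/nginx-reload.sh, the nginx binary path and the use of logger are assumptions.

```shell
#!/bin/sh
# Added example certbot deploy hook (not part of the original page).
# Install as /usr/local/etc/letsencrypt/renewal-hooks/deploy/nginx-reload.sh, chmod 755.
# With this in place the cron line needs no --post-hook at all:
#   0 6 * * * certbot renew --quiet
set -eu

# Run the config test; reload only if it passes. The commands are passed in as
# strings (word-split on purpose) so the function can be exercised without nginx.
# Returns 0 on reload, 1 when the config test fails and nothing was reloaded.
reload_nginx() {
    test_cmd="$1"
    reload_cmd="$2"
    if $test_cmd >/dev/null 2>&1; then
        $reload_cmd
        return 0
    fi
    logger -t certbot-deploy "nginx config test failed; certificate renewed but NOT reloaded" 2>/dev/null || true
    return 1
}

main() {
    logger -t certbot-deploy "renewed ${RENEWED_DOMAINS:-unknown} (${RENEWED_LINEAGE:-?})" 2>/dev/null || true
    # Assumed paths for the FreeBSD nginx package.
    reload_nginx "/usr/local/sbin/nginx -t" "service nginx reload"
}

# Only act when executed under the installed name (certbot invokes it by path);
# sourcing the file elsewhere just defines the functions.
case "${0##*/}" in
    nginx-reload.sh) main ;;
esac
```

Because a deploy hook fires per renewed lineage and a post-hook fires once per `certbot renew` attempt, the deploy-hook form also stops nginx from being reloaded on the days when nothing was renewed.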

For added security, add a CAA record (RFC 6844, now superseded by RFC 8659) to the appropriate DNS zone file. CAs are required to check it before issuance, so it limits which CAs may issue for the domain; it does not affect already-issued certificates. The flag value 128 marks the record critical: a CA that does not understand the tag must refuse to issue. For "example.com" the zone file entry looks like this

example.com. IN CAA 128 issue "letsencrypt.org"

If no wildcard certificates are expected, an additional record with the issuewild tag and an empty issuer (issuewild ";") forbids them from every CA. Confirm the record is published with: drill example.com CAA