letsencrypt nginx certbot - yar145/mytestrepo1 GitHub Wiki

certbot instructions

Certbot: User Guide

How To Secure Nginx with Let's Encrypt on Ubuntu 20.04

CREATING A LET'S ENCRYPT CERTIFICATE FOR NGINX ON DEBIAN 9

Renewing Let’s Encrypt certificates using a systemd timer

vi /etc/systemd/system/certbot-renewal.service

```ini
[Unit]
Description=Certbot Renewal

[Service]
ExecStart=/usr/bin/certbot renew --post-hook "systemctl restart httpd"
```

Note that this post-hook restarts Apache (httpd); on an nginx host use `systemctl reload nginx`, as the deploy-hook in the nginx recipe below does.

vi /etc/systemd/system/certbot-renewal.timer

```ini
[Unit]
Description=Timer for Certbot Renewal

[Timer]
OnBootSec=300
OnUnitActiveSec=1w

[Install]
WantedBy=multi-user.target
```

```sh
sudo systemctl start certbot-renewal.timer
sudo systemctl enable certbot-renewal.timer
```

No-Magic LetsEncrypt/Certbot and nginx Configuration Recipe

```nginx
upstream certbot {
    server 127.0.0.1:8000;
}

server {
    listen [::]:80;
    listen 80;
    server_name _;

    location /.well-known/acme-challenge {
        proxy_pass http://certbot;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}
```

```sh
sudo certbot certonly \
    --standalone \
    --http-01-port 8000 \
    --deploy-hook 'systemctl reload nginx' \
    --cert-name MYDOMAIN.TLD \
    -d MYDOMAIN.TLD,www.MYDOMAIN.TLD,...
```

```sh
sudo openssl dhparam -out /etc/nginx/ssl/dhparam.pem 4096
```

/etc/nginx/conf.d/ssl.conf

```nginx
ssl_certificate /etc/letsencrypt/live/MYDOMAIN.TLD/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/MYDOMAIN.TLD/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
ssl_session_cache shared:SSL:10m;
ssl_prefer_server_ciphers off;
```
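Added example (not part of this wiki or of certbot/nginx): a small Python checker that parses an nginx `ssl_*` snippet and flags deviations from the policy the ssl.conf above encodes (TLS 1.2/1.3 only, forward-secret AEAD suites, fullchain.pem, dhparam present when DHE suites are offered). The weak variant it rejects is a constructed sample.

```python
"""Lint an nginx TLS snippet against the policy used in this wiki's ssl.conf."""
import re

# The ssl.conf from this page, embedded as sample input (constructed copy).
GOOD_CONF = """
ssl_certificate /etc/letsencrypt/live/MYDOMAIN.TLD/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/MYDOMAIN.TLD/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
ssl_session_cache shared:SSL:10m;
ssl_prefer_server_ciphers off;
"""

# A weakened variant (constructed) that the checker should reject.
WEAK_CONF = """
ssl_certificate /etc/letsencrypt/live/MYDOMAIN.TLD/cert.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
"""

# One ssl_* directive per line, terminated by a semicolon.
DIRECTIVE = re.compile(r"^\s*(ssl_\w+)\s+(.+?)\s*;\s*$", re.M)


def parse_directives(text):
    """Return {directive: value} for the ssl_* directives in an nginx snippet."""
    return {name: value for name, value in DIRECTIVE.findall(text)}


def check_tls_policy(text):
    """Return a list of findings; an empty list means the snippet passes."""
    d = parse_directives(text)
    findings = []
    # Only TLS 1.2 and 1.3 may be offered; SSLv3, TLS 1.0 and 1.1 are deprecated.
    protos = set(d.get("ssl_protocols", "").split())
    if not protos or protos - {"TLSv1.2", "TLSv1.3"}:
        findings.append("ssl_protocols must list only TLSv1.2 and/or TLSv1.3")
    # Every entry must be an explicit forward-secret (ECDHE/DHE) AEAD suite;
    # OpenSSL keywords such as HIGH or !MD5 are not accepted by this policy.
    suites = [s for s in d.get("ssl_ciphers", "").split(":") if s]
    if not suites:
        findings.append("ssl_ciphers missing")
    for s in suites:
        if not s.startswith(("ECDHE-", "DHE-")) or not ("GCM" in s or "CHACHA20" in s):
            findings.append(f"cipher entry is not an explicit ECDHE/DHE AEAD suite: {s}")
    # Serve fullchain.pem so clients also receive the intermediate certificate.
    if not d.get("ssl_certificate", "").endswith("fullchain.pem"):
        findings.append("ssl_certificate should point at fullchain.pem")
    # DHE suites need the custom dhparam file generated with openssl dhparam.
    if any(s.startswith("DHE-") for s in suites) and "ssl_dhparam" not in d:
        findings.append("DHE suites listed but ssl_dhparam not set")
    return findings
```

Run `check_tls_policy` over the rendered config (e.g. the output of `nginx -T`) after each change or renewal hook to catch a regressed cipher or protocol list.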
