{"id":365,"date":"2019-05-15T14:06:29","date_gmt":"2019-05-15T14:06:29","guid":{"rendered":"https:\/\/blog.iabsolute.com\/?p=365"},"modified":"2019-05-15T14:06:29","modified_gmt":"2019-05-15T21:06:29","slug":"free-https-encryption-for-your-site-using-lets-encrypt-and-nginx","status":"publish","type":"post","link":"https:\/\/blog.iabsolute.com\/?p=365","title":{"rendered":"free HTTPS encryption for your site using Let&#8217;s Encrypt and nginx"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Step 1, get the certbot-auto certificates manager:<\/h2>\n\n\n\n<p>\nOpen your server console and download the certificate manager app from&nbsp;<a href=\"https:\/\/certbot.eff.org\/\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/certbot.eff.org\/<\/a>.<br><\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">cd \/usr\/local\/bin\/ &amp;&amp; sudo wget https:\/\/dl.eff.org\/certbot-auto &amp;&amp; sudo chmod a+x certbot-auto\n<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">\nStep 2, run certbot-auto certificates manager:<\/h2>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo certbot-auto certonly -a webroot --webroot-path=\/var\/www\/example.com\/public_html -d example.com -d www.example.com\n<\/pre>\n\n\n\n<p>\nIf this is your first attempt to get free Let&#8217;s Encrypt certificates, the procedure above may ask you some questions: an email address used for communications, whether you agree to your IP being logged for this request (you must agree), the terms and conditions (you also must agree) and even a newsletter (your choice).<br>\nNext, certbot-auto will install\/update some dependencies and then create a temporary .well-known\/acme-challenge file (used for domain validation) at the root of the declared example.com<sup>*)<\/sup> host.<br><sup>*)<\/sup><em>example.com must already have a DNS entry pointing to your server IP<\/em><br><br>\nIf all goes well, you should see a congratulations message and other important information.<br><\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">Congratulations! Your certificate and chain have been saved at\n   \/etc\/letsencrypt\/live\/example.com\/fullchain.pem. Your cert will\n   expire on 2017-06-16. To obtain a new or tweaked version of this\n   certificate in the future, simply run certbot-auto again.\n<\/pre>\n\n\n\n<p>\nCheck that all the certificates are in place:<br><\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo ls \/etc\/letsencrypt\/live\/example.com\ncert.pem  chain.pem  fullchain.pem  privkey.pem  README\n<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">\nStep 3, Diffie-Hellman Group:<\/h2>\n\n\n\n<p>\n\nGenerate a <a href=\"http:\/\/www.watchguard.com\/help\/docs\/wsm\/xtm_11\/en-us\/content\/en-us\/bovpn\/manual\/diffie_hellman_c.html\" target=\"_blank\" rel=\"noreferrer noopener\">medium-strength<\/a> <a href=\"https:\/\/en.wikipedia.org\/wiki\/Diffie%E2%80%93Hellman_key_exchange\" target=\"_blank\" rel=\"noreferrer noopener\">Diffie-Hellman<\/a> parameter set (the DH group used for the key exchange). This will take some time, depending on your server's processing power, so issue the command below, then go and grab a coffee. If you run this on an under-powered VPS (1 vCPU), I recommend running the command on another machine with more horsepower and then copying the resulting file to your server.\n<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo openssl dhparam -out \/etc\/letsencrypt\/dhparam.pem 2048\n<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">\nStep 4, NGINX server block:<\/h2>\n\n\n\n<p>\n\nNow that we have all the files in place, just add these lines to the NGINX example.com server block, save the file and reload\/restart NGINX.\n<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">server {\n  listen 80;\n  listen 443 ssl http2;\n  server_name example.com www.example.com;\n  if ($host = \"example.com\") {\n       return 301 https:\/\/www.example.com$request_uri;\n      }\n  if ($scheme = http) {\n   return 301 https:\/\/www.example.com$request_uri;\n  }\n  \n  \n  ssl_certificate \/etc\/letsencrypt\/live\/example.com\/fullchain.pem;\n  ssl_certificate_key \/etc\/letsencrypt\/live\/example.com\/privkey.pem;\n  \n  ssl_session_cache shared:SSL:20m;\n  ssl_session_timeout 180m;\n  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n  ssl_prefer_server_ciphers on;\n  ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;\n  \n  ssl_dhparam \/etc\/letsencrypt\/dhparam.pem;\n  \n  ssl_stapling on;\n  ssl_stapling_verify on;\n  \n  ssl_trusted_certificate \/etc\/letsencrypt\/live\/example.com\/chain.pem;\n  \n  ....\n}\n<\/pre>\n\n\n\n<p><em>a comprehensive NGINX server block example:<br>https:\/\/github.com\/b247\/WebH-NL\/blob\/master\/files\/vhosts\/fqdn-nginx-ssl.conf<\/em><br>\nCheck that your site works as expected and then run an SSL test here:&nbsp;<a href=\"https:\/\/www.ssllabs.com\/ssltest\/\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/www.ssllabs.com\/ssltest\/<\/a><br><br>\nAssuming you&#8217;ve also earned a nice A+ badge for your free SSL-protected site, we&#8217;re almost done; one last step to take:<br><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">\nStep 5, automatic certificate renewal:<\/h2>\n\n\n\n<p>\n\nAs Let&#8217;s Encrypt certificates have a short lifetime (3 months), it&#8217;s hard to monitor and renew them manually. This is where the renew switch of certbot-auto and the crontab come in handy.\n\nLaunch the crontab editor (sudo crontab -e), add the following lines, save it and you are done. (Afraid of crontab rules? Just visit <a href=\"https:\/\/crontab.guru\/\" target=\"_blank\" rel=\"noreferrer noopener\">crontab.guru<\/a> and you will be enlightened.)\n\n<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"># Let's Encrypt automatic certificates renewal\n59 23 * * 0          \/usr\/local\/bin\/certbot-auto renew --renew-hook \"systemctl reload nginx\"\n<\/pre>\n\n\n\n<p>\n\nThat&#8217;s all folks!\n<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Step 1, get the certbot-auto certificates manager: Open your server console and download the certificate manager app from&nbsp;https:\/\/certbot.eff.org\/. cd \/usr\/local\/bin\/ &amp;&amp; sudo wget https:\/\/dl.eff.org\/certbot-auto &amp;&amp; sudo chmod a+x certbot-auto Step 2, run certbot-auto certificates manager: sudo certbot-auto certonly -a webroot &hellip; <a href=\"https:\/\/blog.iabsolute.com\/?p=365\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21],"tags":[],"class_list":["post-365","post","type-post","status-publish","format-standard","hentry","category-ssl"],"_links":{"self":[{"href":"https:\/\/blog.iabsolute.com\/index.php?rest_route=\/wp\/v2\/posts\/365","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.iabsolute.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.iabsolute.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.iabsolute.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.iabsolute.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=365"}],"version-history":[{"count":1,"href":"https:\/\/blog.iabsolute.com\/index.php?rest_route=\/wp\/v2\/posts\/365\/revisions"}],"predecessor-version":[{"id":366,"href":"https:\/\/blog.iabsolute.com\/index.php?rest_route=\/wp\/v2\/posts\/365\/revisions\/366"}],"wp:attachment":[{"href":"https:\/\/blog.iabsolute.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=365"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.iabsolute.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=365"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.iabsolute.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=365"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}