by lik » Thu Jun 16, 2016 2:41 pm

Letsencrypt (link) provides free SSL certificates for websites. The process of issuing a certificate (and renewing it) is greatly simplified by the certbot scripts (formerly letsencrypt-auto) written in Python. Here we will install certbot on CentOS 7 and issue an SSL certificate for example.com/www.example.com running on Nginx.

Certbot installation instructions can be found at certbot.eff.org or at the GitHub repo. Certbot is packaged in the EPEL repository. Enable EPEL on your system and install Certbot:

    yum install epel-release
    yum install certbot

I prefer not to create a .well-known directory in the webroot of sites to pass the http-01 challenge, therefore we will use one common directory for all sites:

    server {
        listen 80;
        listen [::]:80;
        server_name .example.com;

        # serve ACME http-01 challenges from the shared directory
        location /.well-known/acme-challenge {
            root /etc/letsencrypt/well-known-auto;
        }

        # everything else goes to HTTPS
        location / {
            return 301 https://example.com$request_uri;
        }
    }

And create that dir:

    mkdir /etc/letsencrypt/well-known-auto

Reload Nginx to apply the configuration changes and request an SSL certificate for the example.com domain:

    certbot certonly --webroot -w /etc/letsencrypt/well-known-auto -d example.com -d www.example.com --email ssl@example.com --agree-tos

Now configure Nginx to use this new SSL certificate. A good example of an SSL virtualhost config (not only for Nginx) can be found on the Mozilla ssl-config-generator page.

    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name example.com;
        root /home/sites/example.com;

        ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

        # openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
        ssl_dhparam /etc/nginx/ssl/dhparam.pem;
        ssl_session_timeout 1d;
        ssl_session_cache shared:SSL:50m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
        ssl_prefer_server_ciphers on;
        ssl_session_tickets off;

        # OCSP stapling
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate /etc/letsencrypt/live/example.com/fullchain.pem;

        add_header X-Frame-Options SAMEORIGIN;
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        add_header Strict-Transport-Security max-age=15768000;

        location / {
            try_files $uri $uri/ /index.php?$args;
        }

        location ~ \.php$ {
            try_files $uri =404;
            fastcgi_pass php-fpm;
            include fastcgi_params;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        }
    }

Test the renewal command:

    certbot renew --dry-run

And finally add it to cron to automate the process:

    5 5 * * * certbot renew --post-hook "systemctl restart nginx" --quiet

Notes:
- There is a bug in versions <0.8.1 of certbot which will trigger the post-hook action regardless of status.
- The workaround, until the [certbot|letsencrypt{,-auto}] mess in the scripts is resolved, is to set the environment variable CERTBOT_AUTO to avoid the warning:

    WARNING:certbot.cli:You are running with an old copy of certbot that does not receive updates, and is less reliable than more recent versions. We recommend upgrading to the latest certbot-auto script, or using native OS packages.

e.g.

    5 5 * * * CERTBOT_AUTO= certbot renew --post-hook "systemctl restart nginx" --quiet
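Added example (not from the post above): a cron wrapper that sidesteps the post-hook-fires-on-every-run problem by fingerprinting the live certificate before and after `certbot renew` and reloading Nginx only when the file actually changed, after `nginx -t` has validated the config. The path in LIVE_CERT, the script name and the `run` argument are assumptions.

```shell
#!/bin/sh
# Renewal wrapper for cron: reload nginx only when the live certificate
# changed, instead of restarting it unconditionally from --post-hook.
# Assumed path (placeholder, adjust for your site):
LIVE_CERT="${LIVE_CERT:-/etc/letsencrypt/live/example.com/fullchain.pem}"

# fingerprint FILE -> SHA-256 hex digest of FILE, empty string if missing
fingerprint() {
    [ -f "$1" ] || { echo ""; return 0; }
    sha256sum "$1" | cut -d' ' -f1
}

# needs_reload BEFORE AFTER -> 0 (true) when the digest changed and the
# certificate file exists afterwards; 1 otherwise.
needs_reload() {
    [ -n "$2" ] && [ "$1" != "$2" ]
}

main() {
    before=$(fingerprint "$LIVE_CERT")
    # No --post-hook here: this script decides whether a reload is needed.
    certbot renew --quiet
    after=$(fingerprint "$LIVE_CERT")
    if needs_reload "$before" "$after"; then
        # Validate the config first; a plain restart with a broken config
        # would leave the site down until someone notices.
        nginx -t && systemctl reload nginx
        logger -t renew-wrapper "certificate changed, nginx reloaded"
    fi
}

# Only run the renewal flow when invoked explicitly, e.g. from cron:
#   5 5 * * * /usr/local/sbin/renew-wrapper.sh run
case "${1:-}" in
    run) main ;;
esac
```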