├── .gitmodules ├── README.md ├── nginx-config ├── letsencrypt_challenge ├── sample_config └── www_to_none_www └── ssl ├── apply_all_certs.sh ├── config └── renew_all_certs.sh /.gitmodules: -------------------------------------------------------------------------------- 1 | [submodule "letsencrypt"] 2 | path = letsencrypt 3 | url = https://github.com/letsencrypt/letsencrypt 4 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Half Automatic nginx SSL Configuration with [Let's Encrypt] 2 | 3 | With [Let's Encrypt] we can easily manage our certificates and build https sites. 4 | 5 | This tool I offer will make integrating [Let's Encrypt] with [nginx] easier. 6 | 7 | ## What this tool can do 8 | 9 | 1. Apply certificates for all the domains pointing to the nginx on this server within one command. 10 | 2. Crontab task to auto renew the certificates. 11 | 3. Simple nginx config files that can redirect all your www domain to none www domain and get you an A+ score at [SSL Labs](https://www.ssllabs.com/) 12 | 13 | ## Install 14 | 15 | [Let's Encrypt] is included in this tool as a submodule. You can just git clone this project and init submodules. 16 | 17 | ~~~ 18 | git clone https://github.com/songchenwen/nginx-ssl-config-with-letsencrypt.git 19 | cd nginx-ssl-config-with-letsencrypt 20 | git submodule init 21 | git submodule update --remote 22 | ~~~ 23 | 24 | ## Usage 25 | 26 | ### Apply Certificates 27 | 28 | #### Edit `ssl/config` 29 | 30 | Fill in your domains, the first domain will be used as the common name, and your certificate will be stored in `/etc/letsencrypt/live/{your first domain in config file}/` 31 | 32 | Choose a server. The `acme-v01` server is the product server, it has a strict rate limit. The `acme-staging` is a testing server, you'd better use this server first to test your configurations. 33 | 34 | #### Configure nginx 35 | 36 | [Let's Encrypt] use a little http server to verify your ownership to the domain. We need to configure nginx to serve that file for us. 37 | 38 | Copy my configuration file `letsencrypt_challenge` to nginx config folder. This configuration file will redirect all http traffic to https exluding the url that [Let's Encrypt] needs to verify. 39 | 40 | ~~~ 41 | sudo cp nginx-config/letsencrypt_challenge /etc/nginx/sites-available/letsencrypt_challenge 42 | sudo ln -s /etc/nginx/sites-available/letsencrypt_challenge /etc/nginx/sites-enabled/letsencrypt_challenge 43 | sudo nginx -s reload 44 | ~~~ 45 | 46 | #### Run the script 47 | 48 | Execute `ssl/apply_all_certs.sh`, fill in your email and get your certificates. 49 | 50 | ~~~ 51 | bash ssl/apply_all_certs.sh 52 | sudo nginx -s reload 53 | ~~~ 54 | 55 | ### Sample nginx Config File 56 | 57 | There's 3 usefull nginx config files under `nginx-config`. Remember to use them after you modify them, at least replace my domain with yours. 58 | 59 | - `letsencrypt_challenge` redirects all your http traffic to https, but leaves the url that [Let's Encrypt] needs to apply or renew certificates as http. 60 | - `www_to_none_www` redirects all your https traffic to www prefixed domain to its none www counterpart. 61 | - `sample_config` is a simple server config that can get an A score at [SSL Labs](https://www.ssllabs.com/). Uncomment the last line before `}` will enable HSTS, which will give you a A+ score. 62 | 63 | ### Auto Renew Crontab Task 64 | 65 | [Let's Encrypt] certificates only live for 90 days. We definitely need a way to auto renew our certificates. A crontab task which renews the certificates every month will be enough. This crontab should be run as root, since we'll need to reload our nginx's configuration after auto renewal. 66 | 67 | ~~~ 68 | sudo crontab -e 69 | ~~~ 70 | 71 | Crontab task goes below 72 | 73 | ~~~ 74 | 0 2 1 1-12 * /path/to/ssl/renew_all_certs.sh 75 | ~~~ 76 | 77 | [Let's Encrypt]:https://letsencrypt.org/ 78 | [nginx]:https://www.nginx.com 79 | -------------------------------------------------------------------------------- /nginx-config/letsencrypt_challenge: -------------------------------------------------------------------------------- 1 | server { 2 | listen 80; 3 | listen [::]:80; 4 | location '/.well-known/acme-challenge' { 5 | default_type "text/plain"; 6 | root /tmp/letsencrypt-auto; 7 | } 8 | 9 | location / { 10 | return 301 https://$host$request_uri; 11 | } 12 | } -------------------------------------------------------------------------------- /nginx-config/sample_config: -------------------------------------------------------------------------------- 1 | server { 2 | listen 443 ssl spdy; 3 | 4 | server_name songchenwen.com; 5 | root /home/scw/www/public/; 6 | 7 | ssl on; 8 | 9 | ssl_certificate /etc/letsencrypt/live/songchenwen.com/cert.pem; 10 | ssl_certificate_key /etc/letsencrypt/live/songchenwen.com/privkey.pem; 11 | 12 | ssl_trusted_certificate /etc/letsencrypt/live/songchenwen.com/fullchain.pem; 13 | ssl_stapling on; 14 | ssl_stapling_verify on; 15 | 16 | # openssl dhparam -outform pem -out dhparam2048.pem 2048 17 | ssl_dhparam /path/to/dhparam2048.pem; 18 | 19 | ssl_session_timeout 1d; 20 | ssl_session_cache shared:SSL:50m; 21 | 22 | # intermediate configuration. tweak to your needs. 23 | ssl_protocols TLSv1.2 TLSv1.1 TLSv1; 24 | ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 DES-CBC3-SHA +SHA !aNULL !eNULL !LOW !MD5 !EXP !DSS !PSK !SRP !kECDH !CAMELLIA !RC4 !SEED'; 25 | ssl_prefer_server_ciphers on; 26 | 27 | # enable HSTS 28 | # add_header Strict-Transport-Security 'max-age=31536000'; 29 | } 30 | -------------------------------------------------------------------------------- /nginx-config/www_to_none_www: -------------------------------------------------------------------------------- 1 | server { 2 | listen 443 ssl spdy; 3 | 4 | server_name "~^www\.(.*)$" ; 5 | return 301 $scheme://$1$request_uri ; 6 | 7 | ssl on; 8 | 9 | ssl_certificate /etc/letsencrypt/live/songchenwen.com/cert.pem; 10 | ssl_certificate_key /etc/letsencrypt/live/songchenwen.com/privkey.pem; 11 | 12 | ssl_trusted_certificate /etc/letsencrypt/live/songchenwen.com/fullchain.pem; 13 | ssl_stapling on; 14 | ssl_stapling_verify on; 15 | 16 | # openssl dhparam -outform pem -out dhparam2048.pem 2048 17 | ssl_dhparam /path/to/dhparam2048.pem; 18 | 19 | ssl_session_timeout 1d; 20 | ssl_session_cache shared:SSL:50m; 21 | 22 | # intermediate configuration. tweak to your needs. 23 | ssl_protocols TLSv1.2 TLSv1.1 TLSv1; 24 | ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 DES-CBC3-SHA +SHA !aNULL !eNULL !LOW !MD5 !EXP !DSS !PSK !SRP !kECDH !CAMELLIA !RC4 !SEED'; 25 | ssl_prefer_server_ciphers on; 26 | 27 | # enable HSTS 28 | # add_header Strict-Transport-Security 'max-age=31536000'; 29 | } 30 | -------------------------------------------------------------------------------- /ssl/apply_all_certs.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | DIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd ) 4 | 5 | . $DIR/config 6 | 7 | echo "apply for domains $DOMAINS" 8 | echo "store challege in $SERVE_DIR" 9 | 10 | mkdir -p $SERVE_DIR && $DIR/../letsencrypt/letsencrypt-auto certonly --server $SERVER -a webroot --webroot-path=$SERVE_DIR --agree-tos $DOMAINS 11 | -------------------------------------------------------------------------------- /ssl/config: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | DOMAINS="-d songchenwen.com -d www.songchenwen.com" 4 | SERVE_DIR=/tmp/letsencrypt-auto 5 | #SERVER=https://acme-staging.api.letsencrypt.org/directory 6 | SERVER=https://acme-v01.api.letsencrypt.org/directory 7 | -------------------------------------------------------------------------------- /ssl/renew_all_certs.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | DIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd ) 4 | 5 | . $DIR/config 6 | 7 | echo "renew for domains $DOMAINS" 8 | echo "store challege in $SERVE_DIR" 9 | 10 | mkdir -p $SERVE_DIR && $DIR/../letsencrypt/letsencrypt-auto --renew-by-default certonly --server $SERVER -a webroot --webroot-path=$SERVE_DIR --agree-tos $DOMAINS 11 | 12 | /usr/sbin/nginx -s reload 13 | --------------------------------------------------------------------------------