Arch Linux

    # pacman -S certbot-nginx

Ubuntu

    # apt install certbot

RedHat 7.3

    $ wget https://dl.eff.org/certbot-auto
    $ chmod +x certbot-auto
    $ ./certbot-auto

CentOS 6.10

    $ sudo yum install epel-release
    $ wget https://dl.eff.org/certbot-auto
    $ chmod +x certbot-auto
    $ ./certbot-auto

CentOS 7.8

    $ sudo yum install certbot

Ubuntu 14.04

    # apt install letsencrypt

Ubuntu 17.10

    $ letsencrypt certonly --webroot -w /var/www -d aaa.ekzemplaro.org

    # add-apt-repository ppa:certbot/certbot
    # apt update
    # apt install certbot

Generate the certificate automatically

    sudo certbot certonly --webroot -w /var/www -d ekzemplaro.org --email aaa@ekzemplaro.org

Result

    IMPORTANT NOTES:
     - Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/ekzemplaro.org/fullchain.pem. Your cert will expire on 2017-06-15. To obtain a new or tweaked version of this certificate in the future, simply run certbot again. To non-interactively renew *all* of your certificates, run "certbot renew"
     - Your account credentials have been saved in your Certbot configuration directory at /etc/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Certbot so making regular backups of this folder is ideal.
     - If you like Certbot, please consider supporting our work by:
       Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
       Donating to EFF: https://eff.org/donate-le

/etc/nginx/nginx.conf

    server {
        listen 443 ssl;
        server_name ekzemplaro.org;
        ssl_certificate /etc/letsencrypt/live/ekzemplaro.org/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/ekzemplaro.org/privkey.pem;
    }

Check nginx.conf

    # nginx -t
    nginx: the configuration file /etc/nginx/nginx.conf syntax is ok

Restart

    # systemctl restart nginx

Access

    https://ekzemplaro.org

Test

    SSL Server Test

Diffie-Hellman

Create dhparams.pem

    openssl dhparam -out dhparams.pem 2048

Update

/etc/nginx/nginx.conf

    server {
        listen 443 ssl;
        server_name ekzemplaro.org;
        ssl_certificate /etc/letsencrypt/live/ekzemplaro.org/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/ekzemplaro.org/privkey.pem;
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
        ssl_prefer_server_ciphers on;
        ssl_dhparam /etc/nginx/dhparams/dhparams.pem;
    }
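
The ssl_ciphers list above mixes ephemeral (EC)DHE suites with static RSA suites, broad aliases and 3DES. The script below is an added example, not part of the original page, that labels each entry so the ones without forward secrecy stand out before the SSL Server Test. The function names are hypothetical and SAMPLE_CONF is a constructed, shortened copy of the list.

```sh
#!/bin/sh
# Added example: classify each entry of an nginx ssl_ciphers string.
# Labels: fs      = ephemeral (EC)DHE key exchange, gives forward secrecy
#         3des    = 3DES suite (64-bit block cipher)
#         no-fs   = static RSA suite or broad alias such as AES / CAMELLIA
#         exclude = "!" entry that removes suites from the list

# Constructed sample: a shortened version of the list shown on this page.
SAMPLE_CONF="server {
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:kEDH+AESGCM:AES128-GCM-SHA256:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!RC4:!EDH-RSA-DES-CBC3-SHA';
}"

# Pull the quoted ssl_ciphers value out of nginx configuration text on stdin.
extract_ciphers() {
    sed -n "s/.*ssl_ciphers[[:space:]]*'\([^']*\)'.*/\1/p"
}

# Print "<label> <entry>" for every colon-separated entry of $1.
# Order matters: exclusions first, then 3DES, then ephemeral key exchange.
classify_ciphers() {
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r entry; do
        case "$entry" in
            '')                          continue ;;
            '!'*)                        label=exclude ;;
            *DES-CBC3*)                  label=3des ;;
            ECDHE-*|DHE-*|kEDH*|kEECDH*) label=fs ;;
            *)                           label=no-fs ;;
        esac
        printf '%s %s\n' "$label" "$entry"
    done
}

# Count the entries of cipher string $2 that carry label $1.
count_label() {
    classify_ciphers "$2" | grep -c "^$1 " || true
}

# Stand-alone run: show the classification of the sample configuration.
ciphers=$(printf '%s\n' "$SAMPLE_CONF" | extract_ciphers)
classify_ciphers "$ciphers"
```

To audit a live server, pipe the real file in place of the sample: `extract_ciphers < /etc/nginx/nginx.conf`.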