TL;DR
curl --silent https://raw.githubusercontent.com/srvrco/getssl/master/getssl > ~/getssl ; chmod 700 ~/getssl
~/getssl -c site.com
openssl genrsa 4096 > ~/.getssl/account.key
openssl dhparam -out ~/.getssl/dhparam.pem 4096
echo "CA=\"https://acme-v02.api.letsencrypt.org/directory\"
ACCOUNT_EMAIL=\"your@email.com\"
ACCOUNT_KEY_LENGTH=4096
ACCOUNT_KEY=\"/root/.getssl/account.key\"
PRIVATE_KEY_ALG="rsa"
ACL=('/var/www/site.com/.well-known/acme-challenge')
RELOAD_CMD=\"service apache2 restart\"
" > ~/.getssl/site.com/getssl.cfg- Apache configuration:
SSLEngine on
SSLCertificateFile /root/.getssl/site.com/site.com.crt
SSLCertificateKeyFile /root/.getssl/site.com/site.com.key
SSLCertificateChainFile /root/.getssl/site.com/chain.crtSSLOpenSSLConfCmd DHParameters “/root/.getssl/dhparam.pem”
header set Strict-Transport-Security “max-age=31536000;”
header set Content-Security-Policy-Report-Only “default-src https:; script-src https: ‘unsafe-eval’ ‘unsafe-inline’; style-src https: ‘unsafe-inline’; img-src https: data:; font-src https: data:; report-uri /csp-report” - -OR- NGINX configuration:
ssl on;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA;
ssl_session_cache shared:SSL:50m;
ssl_prefer_server_ciphers on;ssl_dhparam /root/.getssl/dhparam.pem;
ssl_certificate /root/.getssl/site.com/chain.crt;
ssl_certificate_key /root/.getssl/site.com/site.com.key;add_header Strict-Transport-Security “max-age=31536000;”;
add_header Content-Security-Policy-Report-Only “default-src https:; script-src https: ‘unsafe-eval’ ‘unsafe-inline’; style-src https: ‘unsafe-inline’; img-src https: data:; font-src https: data:; report-uri /csp-report”; ~/getssl site.com
In cron (crontab -e
) (Why?):
23 5 * * * /root/getssl -u -a -q
Continue reading