authorJakob Odersky <jakob@odersky.com>2017-12-26 12:53:02 +0100
committerJakob Odersky <jakob@odersky.com>2017-12-26 12:53:02 +0100
commit86ce9c1e65b47452f821375cfe4f1a4c8df83ddf (patch)
tree165b128ffa7e1614f29c0944f79514ca7ea0c0d1
Initial commit
-rwxr-xr-xissue-certs-nginx30
-rw-r--r--letsencrypt31
-rw-r--r--letsencryptdomains8
3 files changed, 69 insertions, 0 deletions
diff --git a/issue-certs-nginx b/issue-certs-nginx
new file mode 100755
index 0000000..5db460a
--- /dev/null
+++ b/issue-certs-nginx
@@ -0,0 +1,30 @@
+#!/bin/sh
+# Obtain or renew certificates from letsencrypt, to be used with nginx
+# webroot verification.
+#
+# Domains to be certified are defined in /etc/nginx/domains.
+#
+# The pre-hook is used to remove snakeoil certificates that are
+# required to bootstrap nginx configurations (nginx fails to start
+# without ssl certificates). The hook is required because certbot does
+# not overwrite foreign certificates, as described in this issue
+# https://github.com/certbot/certbot/issues/3396
+set -o exiterr
+set -o unset
+
+email="jakob@odersky.com"
+
+extra_flags=""
+if [ "$1" = --test ]; then
+ extra_flags="--test-cert"
+fi
+
+certbot certonly $extra_flags \
+ --noninteractive \
+ --agree-tos \
+ --email "$email" \
+ --cert-name nginx \
+ --webroot --webroot-path /var/www/letsencrypt \
+ --pre-hook "sh -c '(openssl x509 -in /etc/letsencrypt/live/nginx/fullchain.pem -noout -text) | grep --quiet letsencrypt || rm -r /etc/letsencrypt/live/nginx'" \
+ --post-hook "systemctl reload nginx" \
+ -d "$(grep "^[^#;]" /etc/nginx/letsencryptdomains | paste --delimiter=, --serial)"
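Review bot: `set -o exiterr` and `set -o unset` are not valid option names — the POSIX spellings are `errexit` and `nounset` — so depending on which /bin/sh runs the script it either aborts at the first `set -o` with an illegal-option error or carries on without the strict mode the author intended; change them to `set -o errexit` and `set -o nounset`. Once nounset actually takes effect, `[ "$1" = --test ]` aborts when the script is invoked with no argument, so write it as `if [ "${1:-}" = --test ]; then`. The header comment says domains are defined in /etc/nginx/domains, while the `-d` argument reads /etc/nginx/letsencryptdomains; the comment should name the file that is actually read. Separately, the pre-hook's `rm -r` of the live directory runs whenever grep finds no match, including when the certificate file is missing or unreadable, so guarding it with an existence test on fullchain.pem first would make the removal less trigger-happy.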
diff --git a/letsencrypt b/letsencrypt
new file mode 100644
index 0000000..9e2c06b
--- /dev/null
+++ b/letsencrypt
@@ -0,0 +1,31 @@
+# Include this file in an nginx server block to enable ssl
+
+# Location for automatic renewal
+location ^~ /.well-known/acme-challenge/ {
+ default_type "text/plain";
+ root /var/www/letsencrypt;
+}
+
+# Hide /acme-challenge subdirectory and return 404 on all requests.
+# It is somewhat more secure than letting Nginx return 403.
+# Ending slash is important!
+location = /.well-known/acme-challenge/ {
+ return 404;
+}
+
+listen 443 ssl;
+listen [::]:443 ssl;
+
+ssl_certificate /etc/letsencrypt/live/nginx/fullchain.pem;
+ssl_certificate_key /etc/letsencrypt/live/nginx/privkey.pem;
+ssl_session_timeout 1d;
+ssl_session_cache shared:SSL:50m;
+ssl_session_tickets off;
+
+ssl_protocols TLSv1.1 TLSv1.2;
+ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+ssl_prefer_server_ciphers on;
+
+ssl_stapling on;
+ssl_stapling_verify on;
+ssl_trusted_certificate /etc/letsencrypt/live/nginx/fullchain.pem;
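Review bot: `ssl_protocols TLSv1.1 TLSv1.2;` keeps TLS 1.1 enabled, which is deprecated and gains nothing here since every suite in `ssl_ciphers` is usable under TLS 1.2; `ssl_protocols TLSv1.2;` is the tighter setting unless legacy clients are known to require 1.1. The `ssl_trusted_certificate` used for stapling verification points at fullchain.pem; certbot also writes chain.pem, which holds only the issuing chain and is the usual input for `ssl_stapling_verify`, though fullchain.pem does contain the intermediate and presumably works — worth confirming in nginx's error log once stapling is live. A one-line comment above the `ssl_protocols`/`ssl_ciphers` pair recording which client-compatibility profile the list was taken from would make future tightening easier to justify.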
diff --git a/letsencryptdomains b/letsencryptdomains
new file mode 100644
index 0000000..71a63ba
--- /dev/null
+++ b/letsencryptdomains
@@ -0,0 +1,8 @@
+# Virtual hosts for which SSL certificates will be issued. One fully
+# qualified host name per line. Lines starting with # are ignored.
+#
+# Be sure to 'include letsencrypt' in any server blocks that enable
+# https.
+#
+# Example line:
+#www.example.org