Let's Encrypt nginx SSL certificate renewal via cron
Save the script below (for example under /usr/local/sbin) and call it from a cron entry. Note that --renew-by-default forces a fresh certificate on every run, so schedule it no more often than weekly; Let's Encrypt rate-limits duplicate certificates for the same set of names. The nginx reload is chained with && so a failed issuance never reloads nginx with a half-written certificate.
#!/bin/bash
# Force-renew via the webroot challenge; reload nginx only if issuance succeeded.
/path/letsencrypt/letsencrypt-auto --server https://acme-v01.api.letsencrypt.org/directory --renew-by-default -a webroot --webroot-path /webroot/ --email youremail --text --agree-tos --agree-dev-preview -d 7979.us -d www.7979.us auth \
  && /etc/init.d/nginx reload
The command above uses the original 2015 client (auth subcommand, --agree-dev-preview, ACME v1 directory). The acme-v01 endpoint has since been retired; with the current client, certbot, the equivalent is certbot certonly --webroot -w /webroot -d 7979.us -d www.7979.us, which talks to the ACME v2 directory by default, and certbot renew only renews certificates that are close to expiry.
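Added example (not the page's script and not certbot's own code): a cron wrapper in shell that renews only when fewer than 30 days remain, verifies that the issued chain matches the private key before touching nginx, and syntax-checks the nginx config before reloading. It assumes certbot is installed and uses its certonly/webroot mode; the domains, webroot and the youremail placeholder come from the page, while the live directory path, the 30-day threshold and all function names are assumptions of this example.

```shell
#!/bin/bash
# renew-le.sh: hypothetical cron wrapper (added example, not the page's script).
# Renews only when the live certificate is close to expiry, and reloads nginx
# only after the new cert/key pair has been checked. Cron entry (assumed):
#   17 3 * * * /usr/local/sbin/renew-le.sh run
set -eu

DOMAINS="7979.us www.7979.us"             # names from the page
WEBROOT=/webroot                          # webroot from the page
LIVE_DIR=/etc/letsencrypt/live/7979.us    # certbot's live dir (assumed)
RENEW_BEFORE_DAYS=30                      # renewal threshold (assumed)

# days_between NOW_EPOCH 'notAfter=<date>': whole days from NOW_EPOCH to the
# notAfter line exactly as printed by `openssl x509 -noout -enddate` (GNU date).
days_between() {
  end_epoch=$(date -u -d "${2#notAfter=}" +%s)
  echo $(( (end_epoch - $1) / 86400 ))
}

# days_left CERT: days until CERT expires, measured from now.
days_left() {
  days_between "$(date +%s)" "$(openssl x509 -in "$1" -noout -enddate)"
}

# should_renew DAYS THRESHOLD: true when fewer than THRESHOLD days remain.
should_renew() { [ "$1" -lt "$2" ]; }

# cert_matches_key CERT KEY: true when the public key in CERT equals KEY's.
cert_matches_key() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# domain_args "a b": produce "-d a -d b" for certbot (word-split on purpose).
domain_args() {
  out=""
  for d in $1; do out="$out -d $d"; done
  echo "$out"
}

main() {
  if [ -f "$LIVE_DIR/fullchain.pem" ]; then
    left=$(days_left "$LIVE_DIR/fullchain.pem")
    if ! should_renew "$left" "$RENEW_BEFORE_DAYS"; then
      echo "certificate valid for $left more days, nothing to do"
      return 0
    fi
  fi
  # Issue (or renew) with the webroot challenge; certbot exits non-zero on failure,
  # which aborts the script under set -e before nginx is touched.
  certbot certonly --non-interactive --agree-tos --email youremail \
    --webroot -w "$WEBROOT" $(domain_args "$DOMAINS")
  cert_matches_key "$LIVE_DIR/fullchain.pem" "$LIVE_DIR/privkey.pem" \
    || { echo "cert/key mismatch, not reloading nginx" >&2; return 1; }
  # Validate the config first so a bad reload cannot take the site down.
  nginx -t && /etc/init.d/nginx reload
}

if [ "${1:-}" = run ]; then main; fi
```

The expiry check is what keeps the script rate-limit safe when run daily; the key-match check catches the case where a client writes a new chain but the key file was not updated (or vice versa). Current certbot offers the same behaviour built in via certbot renew --deploy-hook '/etc/init.d/nginx reload'; the script makes the individual checks explicit.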
Then point the port-443 server block in nginx at the issued chain and key like below (fullchain.pem includes the intermediate, which clients need to build the path to the root):
listen 443 ssl;
ssl_certificate /etc/letsencrypt/live/7979.us/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/7979.us/privkey.pem;
# TLS 1.0 and 1.1 are deprecated (RFC 8996); offer only 1.2 and 1.3.
# TLSv1.3 needs nginx 1.13+ built against OpenSSL 1.1.1+; drop it on older builds.
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers HIGH:!aNULL:!MD5:!3DES;
You may also want to replace the built-in Diffie-Hellman group that nginx uses for DHE cipher suites (older nginx releases shipped a 1024-bit default). The parameters are public, so the only thing that matters is the group size; 2048 bits is adequate and generates in seconds, while 4096 can take many minutes on a small VM. Note that ssl_dhparam only affects DHE suites: if your cipher list ends up negotiating ECDHE only, the file is never used.
/usr/bin/openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096
Then add below into the nginx SSL config:
ssl_dhparam /etc/ssl/certs/dhparam.pem;
Q: What if I want one certificate covering all the domains (what clients select via SNI), including the ones served through the reverse proxy?
A: List every hostname with its own -d switch so they all end up on the certificate as Subject Alternative Names, and in every port-80 server block, the reverse-proxy ones included, serve the ACME challenge path from the same webroot while redirecting everything else to HTTPS. The validator fetches http://<name>/.well-known/acme-challenge/<token> for each -d name, so every name must resolve to this server and reach this location over plain HTTP:
location /.well-known/acme-challenge { alias /webroot/.well-known/acme-challenge; }
location / { return 301 https://$server_name$request_uri; }
$server_name expands to the first name in the server_name directive, so a request for www.7979.us is redirected to https://7979.us/...; that is deliberate (it avoids reflecting the client-supplied Host header into the redirect), but use $host instead if you need to keep the requested name.