Install and configure Let's Encrypt SSL on Ubuntu / DEBIAN and Nginx

This procedure applies to Ubuntu and Debian; it was tested successfully on Ubuntu 14.04.
The examples use the domain name zhujiwiki.com and the IP address 111.111.111.111.

Log in over SSH and run the following:
1. Install git and bc
sudo apt-get install git bc

2. Clone the source code
cd /tmp/
git clone https://github.com/Neilpang/le.git

3. Install le.sh
cd le
sudo ./le.sh install

Then reload the shell configuration:
source ~/.bashrc

4. Test whether the installation is successful
sudo -s
le

le must be run as root, so always start a root shell with sudo -s before using it.

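5. Create the /.well-known/acme-challenge/ directory
mkdir -p /var/www/html/.well-known/acme-challenge/
chown -R www-data:www-data /var/www/html/.well-known/acme-challenge/
chmod -R 0555 /var/www/html/.well-known/acme-challenge/

The mode is 0555 rather than 0444 because a directory needs the execute (search) bit before Nginx, running as www-data, can read the challenge files inside it.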

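6. Create a directory to store SSL certificates
mkdir -p /etc/nginx/ssl/zhujiwiki.com/

Then generate the Diffie-Hellman parameters in that directory, which is where the Nginx configuration in step 8 expects them:
openssl dhparam -out /etc/nginx/ssl/zhujiwiki.com/dhparams.pem 4096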

7. Issue SSL certificates for zhujiwiki.com and www.zhujiwiki.com
le issue /var/www/html zhujiwiki.com www.zhujiwiki.com

The default key length is 2048 bits. A 4096-bit key can be issued by appending the length to the command:
le issue /var/www/html zhujiwiki.com www.zhujiwiki.com 4096

The syntax of the issue command is as follows:
le issue /DocumentRootPath/ example.com
le issue /DocumentRootPath/ example.com www.foo.com,bar.com
le issue /DocumentRootPath/ example.com 2048

8. Configure TLS/SSL on Nginx
vi /etc/nginx/sites-available/default
Press i to enter edit mode and paste the following content:

## START: SSL/HTTPS zhujiwiki.com ###
server {
    #------- Start SSL config ----##
    listen 111.111.111.111:443;
    server_name zhujiwiki.com;
    ssl on;
    ssl_certificate /etc/nginx/ssl/zhujiwiki.com/zhujiwiki.com.cer;
    ssl_certificate_key /etc/nginx/ssl/zhujiwiki.com/zhujiwiki.com.key;
    ssl_session_timeout 30m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
    ssl_session_cache shared:SSL:10m;
    ssl_dhparam /etc/nginx/ssl/zhujiwiki.com/dhparams.pem;
    ssl_prefer_server_ciphers on;

    ## Improves TTFB by using a smaller SSL buffer than the nginx default
    ssl_buffer_size 8k;

    ## Enables OCSP stapling
    ssl_stapling on;
    resolver 8.8.8.8;
    ssl_stapling_verify on;

    ## Send header to tell the browser to prefer https to http traffic
    add_header Strict-Transport-Security max-age=31536000;

    ## SSL logs ##
    access_log /var/log/nginx/zhujiwiki.com/ssl_access.log;
    error_log /var/log/nginx/zhujiwiki.com/ssl_error.log;
    #-------- END SSL config -------##

    # Add rest of your config below like document path and more ##
}
## END SSL zhujiwiki.com ######

Press the Esc key to exit edit mode, then hold down the Shift key and press z twice to save the file and return to the shell.
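
The configuration in step 8 was written for Ubuntu 14.04, so its TLS directives are worth checking before Nginx is reloaded. The script below is an added example, not part of the original article or of le.sh; the function names directive_value, audit_tls_conf and page_conf are hypothetical, and the sample configuration is constructed from the directives in step 8.

```sh
#!/bin/sh
# Added example, not from the original page: flag weak TLS settings in an
# nginx server block. All function names here are hypothetical.

# Print the value of nginx directive $1 in file $2 (comments stripped).
directive_value() {
    sed -e 's/#.*//' "$2" |
        sed -n "s/^[[:space:]]*$1[[:space:]][[:space:]]*\(.*\);[[:space:]]*\$/\1/p"
}

# audit_tls_conf FILE: one finding per line, exit status 1 if any was found.
audit_tls_conf() (
    set -f                          # values are word-split, never globbed
    conf=$1 status=0
    flag() { echo "$1"; status=1; }

    for proto in $(directive_value ssl_protocols "$conf"); do
        case $proto in              # TLS 1.0 and 1.1: deprecated by RFC 8996
            SSLv2|SSLv3|TLSv1|TLSv1.1) flag "ssl_protocols: $proto is deprecated" ;;
        esac
    done
    for suite in $(directive_value ssl_ciphers "$conf" | tr ':' ' '); do
        case $suite in
            '!'*) ;;                # "!X" removes suites from the list
            *3DES*|*RC4*) flag "ssl_ciphers: $suite enables a legacy cipher" ;;
        esac
    done
    # "ssl on;" is obsolete since nginx 1.15.0; "listen ... ssl;" replaces it.
    [ "$(directive_value ssl "$conf")" = on ] &&
        flag "ssl on: obsolete, use 'listen ... ssl' instead"
    directive_value add_header "$conf" | grep -q '^Strict-Transport-Security' ||
        flag "add_header: Strict-Transport-Security is missing"
    exit "$status"
)

# Constructed sample: the TLS-relevant directives from step 8.
page_conf() {
    cat <<'EOF'
server {
    listen 111.111.111.111:443;
    ssl on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
    add_header Strict-Transport-Security max-age=31536000;   ## HSTS
}
EOF
}

tmp=$(mktemp) && page_conf > "$tmp" && { audit_tls_conf "$tmp" || true; }
rm -f "$tmp"
```

On the step 8 directives it reports six findings: TLSv1, TLSv1.1, the three 3DES cipher entries, and the obsolete ssl on; directive. Run audit_tls_conf /etc/nginx/sites-available/default to check the live file.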

9. Install the issued certificate on Nginx
le installcert zhujiwiki.com /etc/nginx/ssl/zhujiwiki.com/zhujiwiki.com.cer /etc/nginx/ssl/zhujiwiki.com/zhujiwiki.com.key /etc/nginx/ssl/zhujiwiki.com/ca.cer 'service nginx reload'

To avoid certificate chain problems, append the CA certificate to the server certificate:
cd /etc/nginx/ssl/zhujiwiki.com/
cat zhujiwiki.com.cer ca.cer > foo
mv foo zhujiwiki.com.cer
service nginx reload

10. Open port 443 in the firewall
ufw allow proto tcp from any to 111.111.111.111 port 443

Test in a browser at https://zhujiwiki.com/, or use SSL Labs to test.

11. The validity period of the free certificate is 90 days. If you need to renew the certificate, the command is as follows:
le renew zhujiwiki.com

Add automatic renewal so you don't have to worry about certificate expiration.
crontab -e

Press i to enter edit mode and add the following line:
0 0 * * * LE_WORKING_DIR="/root/.le" "/root/.le"/le.sh cron > /dev/null
Press the Esc key to exit edit mode, then hold down the Shift key and press z twice to save the file and return to the shell.

via: cyberciti.biz
