Hey,
In this post I will explain how to set up SSL certificates for domains.
For this we need a domain and Certbot. We show here how to do this best with Cloudflare.
The commands are for Ubuntu, but should also work on other operating systems.

## Install snap store for Certbot
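apt install snapd && snap install snap-store

# Install Certbot
# (--classic is a long option and takes two dashes; the Certbot snap is
# published with classic confinement, so the install fails without it)
snap install --classic certbot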

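# Allow the Certbot snap to load plugin snaps
# The snap-packaged Certbot runs in its own environment and does not load
# plugins that pip3 installs into the system Python. A pip install would also
# pull in a second, separate certbot, so the snap's automatic renewal would run
# without the Cloudflare plugin. Installing the plugin as a snap keeps issuance
# and renewal on the same Certbot.
snap set certbot trust-plugin-with-root=ok

# Install Cloudflare DNS
snap install certbot-dns-cloudflare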

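# create .secrets folder
# -m 0700 makes the directory private to root from the moment it is created,
# i.e. before the API token file is written into it; -p keeps the command
# from failing when the directory already exists.
mkdir -p -m 0700 /root/.secrets/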

# Insert API token from Cloudflare.
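For this we create a cloudflare.ini file in /root/.secrets/ (the path passed to Certbot below) and insert our data as follows. Use an API token restricted to the Zone → DNS → Edit permission for this zone, not the global API key: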

dns_cloudflare_api_token = "derApiTokenhier"

# set permissions for .secrets folder
# Directory tree: access for the owner (root) only.
chmod -R 0700 /root/.secrets/
# Everything inside it, including cloudflare.ini: read-only for the owner.
# Certbot warns when the credentials file is readable by other users.
chmod -R 0400 /root/.secrets/*

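# create certificate
# Long options take two dashes. The wildcard name is quoted so the shell
# passes it to Certbot literally instead of trying to expand it as a glob.
# Wildcard certificates can only be validated with the dns-01 challenge,
# which is what the Cloudflare plugin performs using the token file.
certbot certonly --dns-cloudflare --dns-cloudflare-credentials /root/.secrets/cloudflare.ini -d yourmcshop.com,'*.yourmcshop.com' --preferred-challenges dns-01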

# Now the NGINX configuration can be adjusted (e.g. http://www.yourmcshop.com)

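# HTTPS virtual host for yourmcshop.com / www.yourmcshop.com, serving PHP through PHP-FPM.
# This block listens on 443 only; plain-HTTP (port 80) handling is not defined here.
server {
    listen         443 ssl http2;
    listen         [::]:443 ssl http2;
    server_name    yourmcshop.com www.yourmcshop.com;
    root           /var/www/www.yourmcshop.com;
    index          index.php;

    # Logs (access and errors)
    # The log directory must exist before nginx is (re)started; nginx does not create it.
    error_log  /var/log/nginx/www.yourmcshop.com/error.log  info;
    access_log  /var/log/nginx/www.yourmcshop.com/access.log;

    # Certificate and key issued by Certbot. The live/ paths are symlinks that
    # Certbot repoints on renewal; nginx must be reloaded to serve a renewed certificate.
    ssl_certificate /etc/letsencrypt/live/yourmcshop.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourmcshop.com/privkey.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    # See https://ssl-config.mozilla.org/#server=nginx for the latest ssl settings recommendations
    # An example config is given below
    # TLS 1.3 is enabled alongside TLS 1.2 so that modern clients negotiate the newer protocol.
    ssl_protocols TLSv1.2 TLSv1.3;
    # ssl_ciphers applies to TLS 1.2 and below; anonymous, MD5, SHA-1 and static-RSA suites are excluded.
    ssl_ciphers HIGH:!aNULL:!MD5:!SHA1:!kRSA;
    ssl_prefer_server_ciphers off;

    # NOTE(review): the in-memory body buffer (100M) is larger than the largest
    # accepted request body (30M); a smaller buffer is probably intended.
    client_body_buffer_size 100M;
    client_max_body_size 30M;

    # Serve the file or directory if it exists, otherwise route the request to index.php.
    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~* \.php$ {
        # Only forward requests for scripts that exist under the document root.
        # Without this check any URI ending in .php reaches PHP-FPM, and with
        # cgi.fix_pathinfo enabled PHP may then execute a different, non-PHP file.
        try_files $uri =404;

        fastcgi_pass unix:/run/php/php7.4-fpm.sock;
        include         fastcgi_params;
        fastcgi_intercept_errors on;
        fastcgi_param   SCRIPT_FILENAME    $document_root$fastcgi_script_name;
        fastcgi_param   SCRIPT_NAME        $fastcgi_script_name;
        fastcgi_index index.php;
    }

    #Hide the nginx version.
    server_tokens off;

    #Hide the PHP version.
    fastcgi_hide_header X-Powered-By;
    # proxy_hide_header only affects proxied (proxy_pass) responses; none are configured in this block.
    proxy_hide_header X-Powered-By;

    # Never generate directory listings.
    autoindex off;
}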