[let's encrypt] apply cert

sudo apt-get install nginx

sudo add-apt-repository ppa:certbot/certbot

sudo apt-get update

sudo apt-get install python-certbot-nginx

sudo mkdir /var/www/www.test.com

設定 domain 底下的 .well-known 目錄以讓 certbot 可以順利申請憑證

sudo vi /etc/nginx/sites-available/www.test.com

server {     listen 80;     listen [::]:80;     server_name www.test.com;     location /.well-known {         alias /var/www/www.test.com/.well-known;     } }

sudo ln -s /etc/nginx/sites-available/www.test.com /etc/nginx/sites-enabled/www.test.com

sudo service nginx restart

須確保 80 443 port 有開，確認防火牆容許這些 port 開放 

sudo certbot --nginx -d www.test.com

依據不同的選項就會自動更改 nginx 設定

憑證鍊會產生在以下位置

/etc/letsencrypt/live/www.test.com/fullchain.pem

額外設定，可以讓 SSL 安全性通過評價網站變成 A 級安全網站

Updating Diffie-Hellman Parameters

sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

sudo vi /etc/nginx/sites-available/www.test.com

ssl_dhparam /etc/ssl/certs/dhparam.pem;

sudo nginx -t

sudo service nginx reload

設定憑證自動更新

sudo crontab -e

15 3 * * * /usr/bin/certbot renew --quiet --renew-hook "service nginx reload"

參考：

https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-16-04

安全性檢查：

https://www.ssllabs.com/ssltest/