----------------------------------------
acme.sh shenanigans
March 29th, 2018
----------------------------------------

These are notes to myself on how I finally got acme.sh and nginx
to play nice.


Step 1: Generate a cert

I'm using the namesilo api method here, so this part is simple.

acme.sh --issue --dns dns_namesilo --dnssleep 900 \
    -d tomasino.org -d www.tomasino.org -w /var/www

One thing worth knowing: acme.sh matches validation methods to
domains by position, so as written tomasino.org is validated through
the namesilo API and www.tomasino.org through the webroot at
/var/www. --dnssleep 900 makes it wait 15 minutes for the TXT record
to propagate before asking the CA to verify.

Step 2: Create a place to put those certs

This part was a struggle. acme.sh doesn't need root to run, so I
wasn't sure where to go. Eventually I settled on creating a directory
at /etc/nginx/acme.sh/domain/ and changing its ownership to
www-data:www-data. I'm a member of that group and nginx works with
that too, so it should be good.

Step 3: Install the certs

This is poorly documented pretty much everywhere. --install-cert
copies the files from the .acme.sh directory in your home folder to
wherever you define here, and records those paths and the reload
command in the domain's config so every renewal repeats the copy and
the reload. The reload command runs as whichever user acme.sh (and
its cron job) runs as: it only runs as root if you installed acme.sh
as root. Otherwise "service nginx force-reload" needs sudo, plus a
sudoers entry that lets that user run it without a password. Check
the mode of the installed key file afterwards too; nginx's master
process runs as root and is the only thing that needs to read it, so
it should not be readable by group or other.

acme.sh --install-cert -d tomasino.org \
    --key-file       /etc/nginx/acme.sh/tomasino.org/key.pem \
    --cert-file      /etc/nginx/acme.sh/tomasino.org/cert.pem \
    --fullchain-file /etc/nginx/acme.sh/tomasino.org/fullchain.pem \
    --reloadcmd      "service nginx force-reload"

Step 4: Set up the nginx configuration

First, a server directive on port 80 that just redirects to the
ssl version.

Second, listen on 443, add a bunch of headers (HSTS at least), set up
ssl protocols and ciphers, and point ssl_certificate at fullchain.pem
(not cert.pem alone, or clients that don't already have the
intermediate can't build the chain), ssl_certificate_key at key.pem,
and ssl_trusted_certificate at fullchain.pem as well if you turn on
OCSP stapling. Etc, etc...

Step 5: Restart/Start nginx

Hopefully it doesn't crap out on you like it did for me 5,000
times.
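The five steps as one script, written for this page as an added example; it is not the post's own code and not part of acme.sh. It assumes things the post does not say: acme.sh runs as an unprivileged user with a sudoers rule for exactly "nginx -t" and "nginx -s reload" (if acme.sh runs as root the sudo calls just pass through), nginx's master process runs as root and is the only process that opens the private key, and vhost files live under /etc/nginx/sites-available. The file name deploy.sh, the function names, the header set, the cipher list and the /var/www root are mine. It departs from the post in one place on purpose: the directory belongs to the acme.sh user rather than www-data, and the key is kept 0600, since www-data never needs to read it.

```shell
#!/bin/sh
# Added example (not the post's code): steps 1-5 of the post as one script.
# Assumptions not in the post: acme.sh runs as an unprivileged user with a
# sudoers rule for exactly "nginx -t" and "nginx -s reload" (as root the sudo
# calls just pass through); nginx's master process runs as root and is the only
# process that opens the key, so www-data never reads it; vhost files live in
# /etc/nginx/sites-available.
set -e

DOMAIN="${DOMAIN:-tomasino.org}"
CERT_DIR="${CERT_DIR:-/etc/nginx/acme.sh/$DOMAIN}"
RELOAD_CMD="sudo nginx -t && sudo nginx -s reload"   # never reload a broken config
# Step 1: the post's command. acme.sh pairs validation methods with domains in
# order: apex via the namesilo API, www via the webroot at /var/www.
issue_cert() {
    acme.sh --issue --dns dns_namesilo --dnssleep 900 -d "$DOMAIN" \
        -d "www.$DOMAIN" -w /var/www
}

# Step 2: directory owned by the acme.sh user, listable by its group, nothing
# for "other". chown needs root, so it is skipped when not root.
make_cert_dir() {
    mkdir -p "$1"
    chmod 0750 "$1"
    if [ -n "${2:-}" ] && [ "$(id -u)" -eq 0 ]; then
        chown "$2" "$1"
    fi
}

# Octal mode of a path (GNU stat, BSD fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# A private key must not be group-writable or readable by "other".
key_mode_ok() {
    case "$(file_mode "$1")" in
        600|400|640|440) return 0 ;;
        *) return 1 ;;
    esac
}

# Set the key mode explicitly; renewals overwrite in place and keep it.
harden_key() {
    chmod 0600 "$1"
}

# Step 3: copy out of ~/.acme.sh and record the reload command for renewals.
install_cert() {
    acme.sh --install-cert -d "$DOMAIN" \
        --key-file       "$CERT_DIR/key.pem" \
        --cert-file      "$CERT_DIR/cert.pem" \
        --fullchain-file "$CERT_DIR/fullchain.pem" \
        --reloadcmd      "$RELOAD_CMD"
    harden_key "$CERT_DIR/key.pem"
}

# Step 4: the vhost. ssl_certificate must serve fullchain.pem (cert.pem alone
# leaves clients without the intermediate) and ssl_trusted_certificate needs
# the same chain to verify stapled OCSP responses.
write_nginx_conf() {
    domain="$1" dir="$2"
    cat <<EOF
server {
    listen 80;
    listen [::]:80;
    server_name $domain www.$domain;
    return 301 https://\$host\$request_uri;
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name $domain www.$domain;
    ssl_certificate $dir/fullchain.pem;
    ssl_certificate_key $dir/key.pem;
    ssl_trusted_certificate $dir/fullchain.pem;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_session_tickets off;
    add_header Strict-Transport-Security "max-age=63072000" always;
    add_header X-Content-Type-Options nosniff always;
    root /var/www;
}
EOF
}
# Step 5 and the system-touching parts of 1-4 run only when asked:
#   sudo sh deploy.sh prepare   # once, as root
#   sh deploy.sh deploy         # as the acme.sh user
case "${1:-}" in
    prepare)
        make_cert_dir "$CERT_DIR" "${SUDO_USER:-root}:www-data"
        write_nginx_conf "$DOMAIN" "$CERT_DIR" > "/etc/nginx/sites-available/$DOMAIN" ;;
    deploy)
        issue_cert
        install_cert ;;   # the reloadcmd runs nginx -t, then the reload
esac
```

Run "prepare" first via sudo from the account that will run acme.sh (so SUDO_USER ends up owning the directory), then "deploy" as that account; symlink the generated vhost into sites-enabled only after deploy has succeeded, otherwise nginx -t fails on the missing key. Drop TLSv1.3 from ssl_protocols on nginx older than 1.13, which rejects the token. The functions without side effects (make_cert_dir, key_mode_ok, harden_key, write_nginx_conf) can be exercised on any machine; only prepare and deploy touch the real system.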