cat makeitsimple.be.crt GandiStandardSSLCA2.pem > makeitsimple.be.chain.crt
cd /etc/ssl openssl dhparam -out dh.pem 4096
nano /etc/nginx/wildcard_example_com.ssl.conf
Et voici un exemple de contenu:
ssl_certificate /etc/ssl/certs/makeitsimple.be.chain.crt; ssl_certificate_key /etc/ssl/private/makeitsimple.be.key; ssl_session_timeout 24h; ssl_session_cache shared:SSL:10m; ssl_dhparam /etc/ssl/dh.pem; ssl_protocols TLSv1.3 TLSv1.2; ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; ssl_prefer_server_ciphers on; ssl_stapling on; ssl_stapling_verify on; ssl_trusted_certificate /etc/ssl/certs/gandi-standardssl-2.chain.pem; resolver 127.0.0.1;
cd /etc/ssl/certs/ \ && echo -n '' > gandi-standardssl-2.chain.pem \ && wget -q -O - https://www.gandi.net/static/CAs/GandiStandardSSLCA2.pem | tee -a gandi-standardssl-2.chain.pem> /dev/null \ && cat USERTrust_RSA_Certification_Authority.pem | tee -a gandi-standardssl-2.chain.pem
include /etc/nginx/wildcard_example_com.ssl.conf; add_header Strict-Transport-Security max-age=31536000;
service nginx restart