Finally got letsencrypt done
Finally got letsencrypt done.
I don't quite understand why the official scripts were so complicated,
but finally I got it done with letsencrypt.sh (Thanks Ash for
recommending it) along with some scripts from letsencrypt-nosudo.
This is a note for what I've done in case I need to do this again.
First, clone it:
git clone git@github.com:lukas2511/letsencrypt.sh.git
cd letsencrypt.sh
Then let's generate a private key and a signing request:
(This was from letsencrypt-nosudo)
openssl genrsa 4096 > domain.key
openssl req -new -sha256 -key domain.key -subj "/" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:example.com,DNS:www.example.com")) > domain.csr
Note that the second command cannot run under Fish, and I would like to know if there's any way to create a wildcard certificate.
I tried to use *.godfat.org however it seems letsencrypt doesn't allow it.
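The same key-plus-CSR step, as an added example that is not from the post or from letsencrypt-nosudo: the `[SAN]` config is written to a temp file instead of being fed through Bash process substitution, so it runs from fish or plain sh, and it does not depend on /etc/ssl/openssl.cnf. The function names and the example.com domains are this example's own placeholders; the last function checks that the CSR actually carries every name before it is handed to letsencrypt.sh.

```shell
#!/bin/sh
# Added example, not from the post or from letsencrypt-nosudo: build the
# multi-domain CSR without Bash process substitution, so it also works from
# fish or plain sh. The config is written to a temp file and does not depend
# on /etc/ssl/openssl.cnf. Function names and the example.com domains are
# this example's own placeholders.

# Print a minimal OpenSSL request config whose [SAN] section lists every
# domain given as an argument: build_san_config DOMAIN...
build_san_config() {
    sans=""
    for d in "$@"; do
        sans="${sans}${sans:+,}DNS:${d}"
    done
    printf '[req]\ndistinguished_name = dn\nreq_extensions = SAN\n[dn]\n[SAN]\nsubjectAltName = %s\n' "$sans"
}

# Generate a 4096-bit RSA key and a CSR carrying the SANs:
#   make_key_and_csr KEYFILE CSRFILE DOMAIN...
# Runs in a subshell so the restrictive umask does not leak into the caller;
# the key file is therefore created mode 0600 from the first byte.
make_key_and_csr() (
    key="$1"; csr="$2"; shift 2
    cfg=$(mktemp) || exit 1
    build_san_config "$@" > "$cfg"
    umask 077
    openssl genrsa -out "$key" 4096 2>/dev/null || { rm -f "$cfg"; exit 1; }
    # CN is set to the first domain; Let's Encrypt takes the names from the SAN list.
    openssl req -new -sha256 -key "$key" -subj "/CN=$1" -reqexts SAN -config "$cfg" -out "$csr"
    rc=$?
    rm -f "$cfg"
    exit $rc
)

# Succeed iff the CSR lists DOMAIN as a DNS SAN: csr_has_san CSRFILE DOMAIN
# (the SAN line is split on ", " so a name can only match whole).
csr_has_san() {
    openssl req -noout -text -in "$1" | tr ', ' '\n\n' | grep -qFx "DNS:$2"
}

# Usage, as in the post (writes domain.key and domain.csr in the current directory):
# make_key_and_csr domain.key domain.csr example.com www.example.com && csr_has_san domain.csr www.example.com
```

Running `csr_has_san domain.csr www.example.com` before `./letsencrypt.sh --signcsr` catches a CSR that silently lost its SAN section (for instance because the `-reqexts` flag was dropped), which otherwise only shows up as a rejected or single-name certificate.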
Let's set up the other configs:
echo example.com www.example.com > domains.txt
mkdir .acme-challenges
Finally, set up Nginx for the acme-challenge:
(Note that letsencrypt.sh writes the challenge files into this directory and clears them when it is done)
# /etc/nginx/nginx.conf
location /.well-known/acme-challenge {
alias /home/example/letsencrypt.sh/.acme-challenges;
}
Begin hitting letsencrypt:
./letsencrypt.sh --signcsr domain.csr
You'll get the certificate printed on stdout. Not sure if there's a way to
output it to a file, but anyway you could just copy it and put it in a file.
I'll assume you put it in
domain.crt
and we could continue setting up Nginx:
mkdir dist
# Download the intermediate certificate from letsencrypt (source)
wget https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem
# Bundle it for the final certificate:
cat domain.crt lets-encrypt-x1-cross-signed.pem > dist/ssl.crt
# Setting up the final files
cp domain.key dist/ssl.key
chmod 600 dist/ssl.key
chmod 644 dist/ssl.crt
sudo chown root:root dist/ssl.*
sudo cp dist/ssl.* /etc/nginx/
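Before the `sudo cp` into /etc/nginx, it is worth checking the bundle, because the three usual mistakes at this step (a key that does not belong to the certificate, leaf and intermediate concatenated in the wrong order, or a leaf that is already close to its 90-day expiry) either stop Nginx from starting or make browsers reject the chain. The following is an added example, not code from the post or from letsencrypt.sh; the function names are this example's own, and it assumes the dist/ssl.crt and dist/ssl.key layout from the post.

```shell
#!/bin/sh
# Added example (not from the post or letsencrypt.sh): sanity-check dist/ssl.crt
# and dist/ssl.key before copying them into /etc/nginx. Function names are
# this example's own.

# Print the N-th PEM certificate of a bundle (1-based): nth_cert BUNDLE N
nth_cert() {
    awk -v n="$2" '/-----BEGIN CERTIFICATE-----/ { i++ } i == n { print }' "$1"
}

# Succeed iff the public key inside CERT is the one derived from KEY:
# cert_key_match CERT KEY  (compares the two SPKI PEM blocks byte for byte)
cert_key_match() {
    c=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
    k=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
    [ "$c" = "$k" ]
}

# Succeed iff the first cert in BUNDLE was issued by the second one, i.e. the
# leaf comes first and is followed by its intermediate, the order nginx expects.
bundle_order_ok() {
    issuer=$(nth_cert "$1" 1 | openssl x509 -noout -issuer 2>/dev/null | sed 's/^issuer=//')
    subject=$(nth_cert "$1" 2 | openssl x509 -noout -subject 2>/dev/null | sed 's/^subject=//')
    [ -n "$subject" ] && [ "$issuer" = "$subject" ]
}

# Succeed iff CERT is still valid DAYS days from now: cert_valid_for_days CERT DAYS
cert_valid_for_days() {
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null
}

# Run every check on a bundle/key pair; prints each failure and returns
# non-zero if any check failed: check_bundle BUNDLE KEY
check_bundle() {
    bundle="$1"; key="$2"; leaf=$(mktemp); ok=0
    nth_cert "$bundle" 1 > "$leaf"
    cert_key_match "$leaf" "$key" || { echo "FAIL: $key does not match the leaf in $bundle"; ok=1; }
    bundle_order_ok "$bundle"     || { echo "FAIL: second cert in $bundle is not the leaf's issuer"; ok=1; }
    cert_valid_for_days "$leaf" 7 || { echo "FAIL: leaf in $bundle expires within 7 days"; ok=1; }
    rm -f "$leaf"
    return $ok
}

# Usage, matching the post's layout: only install the files if every check passes.
# check_bundle dist/ssl.crt dist/ssl.key && sudo cp dist/ssl.* /etc/nginx/
```

The expiry check is the one to keep around after the first setup: Let's Encrypt certificates are short-lived, and running `check_bundle` from cron against the files in /etc/nginx gives an early warning well before the browser does.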
And here's the relevant Nginx config:
# /etc/nginx/nginx.conf
server {
listen 80;
listen 443 ssl http2;
ssl_certificate ssl.crt;
ssl_certificate_key ssl.key;
ssl_session_timeout 5m;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
}
After restarting Nginx, you could verify it with ssltest.
P.S. Thanks to StartSSL getting involved in something with China, which pushed me forward on this. I was too lazy to figure out how it works
before. The world deserves free/cheap secure connections for
independent developers/organizations.