letsencrypt

cat /etc/systemd/system/letsencrypt.timer

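[Unit]
Description=Monthly renewal of Let's Encrypt's certificates

[Timer]
# Let's Encrypt certificates are valid for 90 days, so a monthly run leaves
# two further attempts before expiry if one run fails. The service unit
# passes --renew-by-default, which forces a renewal on every run; check the
# CA's duplicate-certificate rate limits before making this more frequent.
OnCalendar=monthly
# If the machine was off at the scheduled time, run the missed job at boot.
Persistent=true

[Install]
WantedBy=timers.target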

cat /etc/systemd/system/letsencrypt.service

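[Unit]
Description=Let's Encrypt renewal
# Persistent= timers can fire right after boot; the webroot challenge needs
# the network up and nginx answering for /.well-known, so order after both.
After=network-online.target nginx.service
Wants=network-online.target

[Service]
Type=oneshot
# Type=oneshot allows several ExecStart= lines; they run in order and a
# non-zero exit stops the unit, which replaces the " ; \" continuation form
# (a stray character after the backslash would silently break that form).
# --renew-by-default forces renewal even when the certificate is not yet due.
ExecStart=/usr/bin/letsencrypt certonly --agree-tos --renew-by-default --email postmaster@adke.org --webroot -w /srv/www -d adke.org -d www.adke.org -d siabn.adke.org
ExecStart=/usr/bin/letsencrypt certonly --agree-tos --renew-by-default --email postmaster@adke.org --webroot -w /srv/mail.adke.org -d mail.adke.org
# Services only pick up the renewed files when restarted or reloaded.
# nginx: a reload would avoid dropping connections if the unit supports it.
# Dovecot reads the same live/ files (see 10-ssl.conf) and would otherwise
# keep serving the old certificate until it expires; fall back to restart
# if its unit has no ExecReload=.
ExecStartPost=/usr/sbin/systemctl restart nginx.service
ExecStartPost=/usr/sbin/systemctl reload dovecot.service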

cat /etc/nginx/ssl.conf

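# TLS settings for the adke.org server blocks. The certificate and key are
# the certbot live/ symlinks refreshed by letsencrypt.service.
# "ssl on;" is deprecated since nginx 1.15.0; prefer "listen 443 ssl;" in the
# server block once the installed version allows it.
ssl on;
ssl_certificate /etc/letsencrypt/live/adke.org/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/adke.org/privkey.pem;

# Session resumption cache shared across workers.
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:10m;

# TLS 1.0 and 1.1 are deprecated (RFC 8996) and were dropped here; add
# TLSv1.3 once nginx >= 1.13.0 is built against OpenSSL 1.1.1 or later
# (older versions reject the value at config load).
ssl_protocols TLSv1.2;
# The RSA+AESGCM / RSA+AES entries provide no forward secrecy and the
# DH+AES / ECDH+AES256 entries are CBC suites; keep them only while clients
# still need them.
ssl_ciphers 'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS';
ssl_prefer_server_ciphers on;
# Must point at a group of at least 2048 bits, generated separately.
ssl_dhparam /etc/nginx/adke.org/dhparam.pem;

# OCSP stapling. ssl_stapling_verify needs the issuer chain to validate the
# OCSP response; certbot writes it as chain.pem in the same live/ directory.
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/adke.org/chain.pem;
# OCSP lookups go to public resolvers over plain DNS; a local resolver
# avoids leaking the hostnames being validated.
resolver 8.8.4.4 8.8.8.8 valid=300s;
resolver_timeout 10s;

# Security headers. HSTS max-age is one year. Note that add_header is not
# inherited by any server/location block that sets its own add_header, and
# that without the "always" parameter (nginx >= 1.7.5) these headers are
# omitted on error responses.
add_header Strict-Transport-Security max-age=31536000;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header Content-Security-Policy upgrade-insecure-requests;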

cat /etc/dovecot/conf.d/10-ssl.conf

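##
## SSL settings
##

# SSL/TLS support: yes, no, required.
# "required" refuses any plaintext IMAP/POP3 connection; "yes" (the default
# left in place here) only protects authentication via disable_plaintext_auth.
#ssl = yes

# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf
#
# The leading "<" tells Dovecot to read the file; without it the path itself
# is taken as the PEM data and the listener fails to start. The paths are the
# certbot live/ directory nginx uses in ssl.conf; the original listing appears
# to have lost "</etc" to HTML rendering, so confirm against the file on disk.
# NOTE(review): letsencrypt.service also renews a separate mail.adke.org
# lineage; if clients connect to mail.adke.org, point these at that
# directory instead so the presented name matches.
ssl_cert = </etc/letsencrypt/live/adke.org/fullchain.pem
ssl_key = </etc/letsencrypt/live/adke.org/privkey.pem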