road to v1.2.1

2020-12-06 22:22:58 +01:00 · 2020-12-06 22:22:58 +01:00 · f618c73e6c
parent 78c1e5c676
commit f618c73e6c
21 changed files with 130 additions and 74 deletions
--- a/5
+++ b/5
@ -28,7 +28,10 @@ RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban c
    chown root:nginx /var/log/nginx && \
    chmod 750 /var/log/nginx && \
    touch /var/log/nginx/error.log /var/log/nginx/modsec_audit.log && \
-    chown nginx:nginx /var/log/nginx/*.log
+    chown nginx:nginx /var/log/nginx/*.log && \
+    mkdir /acme-challenge && \
+    chown root:nginx /acme-challenge && \
+    chmod 750 /acme-challenge

 # Fix CVE-2020-28928
 RUN apk --no-cache add "musl-utils>1.1.24-r2"
--- a/5
+++ b/5
@ -28,7 +28,10 @@ RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban c
    chown root:nginx /var/log/nginx && \
    chmod 750 /var/log/nginx && \
    touch /var/log/nginx/error.log /var/log/nginx/modsec_audit.log && \
-    chown nginx:nginx /var/log/nginx/*.log
+    chown nginx:nginx /var/log/nginx/*.log && \
+    mkdir /acme-challenge && \
+    chown root:nginx /acme-challenge && \
+    chmod 750 /acme-challenge

 # Fix CVE-2020-28928
 RUN apk --no-cache add "musl-utils>1.1.24-r2"
--- a/4
+++ b/4
@ -35,7 +35,9 @@ RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban c
    chown root:nginx /var/log/nginx && \
    chmod 750 /var/log/nginx && \
    touch /var/log/nginx/error.log /var/log/nginx/modsec_audit.log && \
-    chown nginx:nginx /var/log/nginx/*.log
+    chown nginx:nginx /var/log/nginx/*.log && \
+    chown root:nginx /acme-challenge && \
+    chmod 750 /acme-challenge

 # Fix CVE-2020-28928
 RUN apk --no-cache add "musl-utils>1.1.24-r2"
--- a/4
+++ b/4
@ -35,7 +35,9 @@ RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban c
    chown root:nginx /var/log/nginx && \
    chmod 750 /var/log/nginx && \
    touch /var/log/nginx/error.log /var/log/nginx/modsec_audit.log && \
-    chown nginx:nginx /var/log/nginx/*.log
+    chown nginx:nginx /var/log/nginx/*.log && \
+    chown root:nginx /acme-challenge && \
+    chmod 750 /acme-challenge

 # Fix CVE-2020-28928
 RUN apk --no-cache add "musl-utils>1.1.24-r2"
--- a/4
+++ b/4
@ -28,7 +28,9 @@ RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban c
    chown root:nginx /var/log/nginx && \
    chmod 750 /var/log/nginx && \
    touch /var/log/nginx/error.log /var/log/nginx/modsec_audit.log && \
-    chown nginx:nginx /var/log/nginx/*.log
+    chown nginx:nginx /var/log/nginx/*.log && \
+    chown root:nginx /acme-challenge && \
+    chmod 750 /acme-challenge

 # Fix CVE-2020-28928
 RUN apk --no-cache add "musl-utils>1.1.24-r2"
--- a/confs/global/multisite-disable-default-server-https.conf
+++ b/confs/global/multisite-disable-default-server-https.conf
@ -8,3 +8,4 @@ ssl_session_timeout 1d;
 ssl_session_cache shared:MozSSL:10m;
 %SSL_DHPARAM%
 %SSL_CIPHERS%
+%LETS_ENCRYPT_WEBROOT%
--- a/confs/global/multisite-default-server-lets-encrypt-webroot.conf
+++ b/confs/global/multisite-default-server-lets-encrypt-webroot.conf
@ -0,0 +1,3 @@
+location ~ ^/.well-known/acme-challenge/ {
+	root /acme-challenge;
+}
--- a/confs/global/multisite-default-server.conf
+++ b/confs/global/multisite-default-server.conf
@ -0,0 +1,6 @@
+server {
+	%LISTEN_HTTP%
+	server_name _;
+	%USE_HTTPS%
+	%MULTISITE_DISABLE_DEFAULT_SERVER%
+}
--- a/confs/global/multisite-disable-default-server.conf
+++ b/confs/global/multisite-disable-default-server.conf
@ -1,6 +1,3 @@
-server {
-	%LISTEN_HTTP%
-	%USE_HTTPS%
-	server_name _;
+location / {
 	return 444;
 }
--- a/confs/global/nginx-temp.conf
+++ b/confs/global/nginx-temp.conf
@ -0,0 +1,20 @@
+daemon on;
+pid /tmp/nginx.pid;
+
+events {
+        worker_connections 1024;
+        use epoll;
+}
+
+http {
+	server {
+		listen 0.0.0.0:%HTTP_PORT% default_server;
+		server_name _;
+		location ~ ^/.well-known/acme-challenge/ {
+			root /acme-challenge;
+		}
+		location / {
+			return 444;
+		}
+	}
+}
--- a/confs/global/nginx.conf
+++ b/confs/global/nginx.conf
@ -100,8 +100,8 @@ http {
 	# custom http confs
 	include /http-confs/*.conf;

-	# disable default server when MULTISITE=yes
-	%MULTISITE_DISABLE_DEFAULT_SERVER%
+	# default server when MULTISITE=yes
+	%MULTISITE_DEFAULT_SERVER%

 	# server config(s)
 	%INCLUDE_SERVER%
--- a/confs/site/https.conf
+++ b/confs/site/https.conf
@ -9,3 +9,4 @@ ssl_session_cache shared:MozSSL:10m;
 %STRICT_TRANSPORT_SECURITY%
 %SSL_DHPARAM%
 %SSL_CIPHERS%
+%LETS_ENCRYPT_WEBROOT%
--- a/confs/site/lets-encrypt-webroot.conf
+++ b/confs/site/lets-encrypt-webroot.conf
@ -0,0 +1,3 @@
+location ^~ ^/.well-known/acme-challenge/ {
+	root /acme-challenge;
+}
--- a/entrypoint/defaults.sh
+++ b/entrypoint/defaults.sh
@ -1,7 +1,7 @@
 #!/bin/bash

 MULTISITE="${MULTISITE-no}"
-LOG_FORMAT="${LOG_FORMAT-\$remote_addr - \$remote_user \$host [\$time_local] \"$request\" \$status \$body_bytes_sent \"\$http_referer\" \"\$http_user_agent\"}"
+LOG_FORMAT="${LOG_FORMAT-\$remote_addr - \$remote_user \$host [\$time_local] \"\$request\" \$status \$body_bytes_sent \"\$http_referer\" \"\$http_user_agent\"}"
 HTTP_PORT="${HTTP_PORT-8080}"
 HTTPS_PORT="${HTTPS_PORT-8443}"
 MAX_CLIENT_SIZE="${MAX_CLIENT_SIZE-10m}"
--- a/entrypoint/entrypoint.sh
+++ b/entrypoint/entrypoint.sh
@ -64,6 +64,9 @@ rsyslogd
 crond

 # start nginx
+if [ -f "/tmp/nginx.pid" ] ; then
+	nginx -s quit
+fi
 echo "[*] Running nginx ..."
 su -s "/usr/sbin/nginx" nginx

@ -97,6 +100,7 @@ fi
 # start the autoconf manager
 if [ -S "/var/run/docker.sock" ] ; then
 	echo "[*] Running autoconf ..."
+	touch /var/log/autoconf.log
 	/opt/autoconf/autoconf.py > /var/log/autoconf.log 2>&1 &
 	LOGS="$LOGS /var/log/autoconf.log"
 fi
--- a/entrypoint/global-config.sh
+++ b/entrypoint/global-config.sh
@ -20,6 +20,12 @@ if [ "$ADDITIONAL_MODULES" != "" ] ; then
 	apk add $ADDITIONAL_MODULES
 fi

+# start nginx with temp conf for let's encrypt challenges
+if [ "$(has_value AUTO_LETS_ENCRYPT yes)" != "" ] ; then
+	replace_in_file "/etc/nginx/nginx-temp.conf" "%HTTP_PORT%" "$HTTP_PORT"
+	nginx -c /etc/nginx/nginx-temp.conf
+fi
+
 # include server block(s)
 if [ "$MULTISITE" = "yes" ] ; then
 	includes=""
@ -31,6 +37,48 @@ else
 	replace_in_file "/etc/nginx/nginx.conf" "%INCLUDE_SERVER%" "include /etc/nginx/server.conf;"
 fi

+# setup default server block if multisite
+if [ "$MULTISITE" = "yes" ] ; then
+	replace_in_file "/etc/nginx/nginx.conf" "%MULTISITE_DEFAULT_SERVER%" "include /etc/nginx/multisite-default-server.conf;"
+	if [ "$(has_value LISTEN_HTTP yes)" != "" ] ; then
+		replace_in_file "/etc/nginx/multisite-default-server.conf" "%LISTEN_HTTP%" "listen 0.0.0.0:${HTTP_PORT} default_server;"
+	else
+		replace_in_file "/etc/nginx/multisite-default-server.conf" "%LISTEN_HTTP%" ""
+	fi
+	if [ "$(has_value AUTO_LETS_ENCRYPT yes)" != "" ] || [ "$(has_value USE_CUSTOM_HTTPS yes)" != "" ] || [ "$(has_value GENERATE_SELF_SIGNED_SSL yes)" != "" ] ; then
+		replace_in_file "/etc/nginx/multisite-default-server.conf" "%USE_HTTPS%" "include /etc/nginx/multisite-default-server-https.conf;"
+		replace_in_file "/etc/nginx/multisite-default-server-https.conf" "%HTTPS_PORT%" "$HTTPS_PORT"
+		if [ "$(has_value HTTP2 yes)" != "" ] ; then
+			replace_in_file "/etc/nginx/multisite-default-server-https.conf" "%HTTP2%" "http2"
+		else
+			replace_in_file "/etc/nginx/multisite-default-server-https.conf" "%HTTP2%" ""
+		fi
+		replace_in_file "/etc/nginx/multisite-default-server-https.conf" "%HTTPS_PROTOCOLS%" "$HTTPS_PROTOCOLS"
+		if [ "$(echo $HTTPS_PROTOCOLS | grep TLSv1.2)" != "" ] ; then
+			replace_in_file "/etc/nginx/multisite-default-server-https.conf" "%SSL_DHPARAM%" "ssl_dhparam /etc/nginx/dhparam;"
+			replace_in_file "/etc/nginx/multisite-default-server-https.conf" "%SSL_CIPHERS%" "ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;"
+		else
+			replace_in_file "/etc/nginx/multisite-default-server-https.conf" "%SSL_DHPARAM%" ""
+			replace_in_file "/etc/nginx/multisite-default-server-https.conf" "%SSL_CIPHERS%" ""
+		fi
+		openssl req -nodes -x509 -newkey rsa:4096 -keyout /etc/nginx/default-key.pem -out /etc/nginx/default-cert.pem -days $SELF_SIGNED_SSL_EXPIRY -subj "/C=$SELF_SIGNED_SSL_COUNTRY/ST=$SELF_SIGNED_SSL_STATE/L=$SELF_SIGNED_SSL_CITY/O=$SELF_SIGNED_SSL_ORG/OU=$SELF_SIGNED_SSL_OU/CN=$SELF_SIGNED_SSL_CN"
+		if [ "$(has_value AUTO_LETS_ENCRYPT yes)" != "" ] ; then
+			replace_in_file "/etc/nginx/multisite-default-server-https.conf" "%LETS_ENCRYPT_WEBROOT%" "include /etc/nginx/multisite-default-server-lets-encrypt-webroot.conf;"
+		else
+			replace_in_file "/etc/nginx/multisite-default-server-https.conf" "%LETS_ENCRYPT_WEBROOT%" ""
+		fi
+	else
+		replace_in_file "/etc/nginx/multisite-default-server.conf" "%USE_HTTPS%" ""
+	fi
+	if [ "$DISABLE_DEFAULT_SERVER" = "yes" ] ; then
+		replace_in_file "/etc/nginx/multisite-default-server.conf" "%MULTISITE_DISABLE_DEFAULT_SERVER%" "include /etc/nginx/multisite-disable-default-server.conf;"
+	else
+		replace_in_file "/etc/nginx/multisite-default-server.conf" "%MULTISITE_DISABLE_DEFAULT_SERVER%" ""
+	fi
+else
+	replace_in_file "/etc/nginx/nginx.conf" "%MULTISITE_DEFAULT_SERVER%" ""
+fi
+
 # custom log format
 replace_in_file "/etc/nginx/nginx.conf" "%LOG_FORMAT%" "$LOG_FORMAT"

@ -49,7 +97,7 @@ if [ "$AUTO_LETS_ENCRYPT" = "yes" ] ; then
 		EMAIL_LETS_ENCRYPT="${EMAIL_LETS_ENCRYPT-contact@$FIRST_SERVER_NAME}"
 		if [ ! -f /etc/letsencrypt/live/${FIRST_SERVER_NAME}/fullchain.pem ] ; then
 			echo "[*] Performing Let's Encrypt challenge for $SERVER_NAME ..."
-			certbot certonly --standalone -n --preferred-challenges http -d "$DOMAINS_LETS_ENCRYPT" --email "$EMAIL_LETS_ENCRYPT" --agree-tos --http-01-port $HTTP_PORT
+			/opt/scripts/certbot-new.sh "$DOMAINS_LETS_ENCRYPT" "$EMAIL_LETS_ENCRYPT"
 		fi
 	fi
 	echo "0 0 * * * /opt/scripts/certbot-renew.sh > /dev/null 2>&1" >> /etc/crontabs/root
@ -208,30 +256,9 @@ replace_in_file "/usr/local/lib/lua/dnsbl.lua" "%DNSBL_LIST%" "$list"

 # disable default site
 if [ "$DISABLE_DEFAULT_SERVER" = "yes" ] && [ "$MULTISITE" = "yes" ] ; then
-	replace_in_file "/etc/nginx/nginx.conf" "%MULTISITE_DISABLE_DEFAULT_SERVER%" "include /etc/nginx/multisite-disable-default-server.conf;"
-	replace_in_file "/etc/nginx/multisite-disable-default-server.conf" "%LISTEN_HTTP%" "listen 0.0.0.0:${HTTP_PORT} default_server;"
-	if [ "$(has_value AUTO_LETS_ENCRYPT yes)" != "" ] || [ "$(has_value USE_CUSTOM_HTTPS yes)" != "" ] || [ "$(has_value GENERATE_SELF_SIGNED_SSL yes)" != "" ] ; then
-		replace_in_file "/etc/nginx/multisite-disable-default-server.conf" "%USE_HTTPS%" "include /etc/nginx/multisite-disable-default-server-https.conf;"
-		replace_in_file "/etc/nginx/multisite-disable-default-server-https.conf" "%HTTPS_PORT%" "$HTTPS_PORT"
-		if [ "$(has_value HTTP2 yes)" != "" ] ; then
-			replace_in_file "/etc/nginx/multisite-disable-default-server-https.conf" "%HTTP2%" "http2"
-		else
-			replace_in_file "/etc/nginx/multisite-disable-default-server-https.conf" "%HTTP2%" ""
-		fi
-		replace_in_file "/etc/nginx/multisite-disable-default-server-https.conf" "%HTTPS_PROTOCOLS%" "$HTTPS_PROTOCOLS"
-		if [ "$(echo $HTTPS_PROTOCOLS | grep TLSv1.2)" != "" ] ; then
-			replace_in_file "/etc/nginx/multisite-disable-default-server-https.conf" "%SSL_DHPARAM%" "ssl_dhparam /etc/nginx/dhparam;"
-			replace_in_file "/etc/nginx/multisite-disable-default-server-https.conf" "%SSL_CIPHERS%" "ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;"
-		else
-			replace_in_file "/etc/nginx/multisite-disable-default-server-https.conf" "%SSL_DHPARAM%" ""
-			replace_in_file "/etc/nginx/multisite-disable-default-server-https.conf" "%SSL_CIPHERS%" ""
-		fi
-		openssl req -nodes -x509 -newkey rsa:4096 -keyout /etc/nginx/default-key.pem -out /etc/nginx/default-cert.pem -days $SELF_SIGNED_SSL_EXPIRY -subj "/C=$SELF_SIGNED_SSL_COUNTRY/ST=$SELF_SIGNED_SSL_STATE/L=$SELF_SIGNED_SSL_CITY/O=$SELF_SIGNED_SSL_ORG/OU=$SELF_SIGNED_SSL_OU/CN=$SELF_SIGNED_SSL_CN"
-	else
-		replace_in_file "/etc/nginx/multisite-disable-default-server.conf" "%USE_HTTPS%" ""
-	fi
+	replace_in_file "/etc/nginx/multisite-default-server.conf" "%MULTISITE_DISABLE_DEFAULT_SERVER%" "include /etc/nginx/multisite-disable-default-server.conf;"
 else
-	replace_in_file "/etc/nginx/nginx.conf" "%MULTISITE_DISABLE_DEFAULT_SERVER%" ""
+	replace_in_file "/etc/nginx/multisite-default-server.conf" "%MULTISITE_DISABLE_DEFAULT_SERVER%" ""
 fi

 # fail2ban setup
--- a/entrypoint/site-config.sh
+++ b/entrypoint/site-config.sh
@ -22,6 +22,9 @@ if [ "$MULTISITE" = "yes" ] ; then
 	ROOT_FOLDER="${ROOT_FOLDER}/$1"
 fi

+# generate Let's Encrypt certificate before copying configs
+# in case we are in autoconf mode and nginx is already running
+
 # copy stub confs
 if [ "$MULTISITE" = "yes" ] ; then
 	mkdir "$NGINX_PREFIX"
@ -138,7 +141,7 @@ if [ "$REMOTE_PHP" != "" ] ; then
 	replace_in_file "${NGINX_PREFIX}server.conf" "%FASTCGI_PATH%" "include ${NGINX_PREFIX}fastcgi.conf;"
 	replace_in_file "${NGINX_PREFIX}php.conf" "%REMOTE_PHP%" "$REMOTE_PHP"
 	if [ "$MULTISITE" = "yes" ] ; then
-		cp /etc/nginx/fastcgi.conf ${NGINX_PREFIX}fastcgi.conf
+		cp /etc/nginx/fastcgi.conf ${NGINX_PREFIX}fastcgi.conf && chown root:nginx ${NGINX_PREFIX}fastcgi.conf
 	fi
 	replace_in_file "${NGINX_PREFIX}fastcgi.conf" "\$document_root" "${REMOTE_PHP_PATH}/"
 else
@ -322,20 +325,23 @@ if [ "$AUTO_LETS_ENCRYPT" = "yes" ] || [ "$USE_CUSTOM_HTTPS" = "yes" ] || [ "$GE
 			FIRST_SERVER_NAME=$(echo "$SERVER_NAME" | cut -d " " -f 1)
 		else
 			FIRST_SERVER_NAME="$1"
-			EMAIL_LETS_ENCRYPT="${EMAIL_LETS_ENCRYPT-contact@$1}"
 			if [ ! -f /etc/letsencrypt/live/${1}/fullchain.pem ] ; then
 				echo "[*] Performing Let's Encrypt challenge for $1 ..."
-				certbot certonly --standalone -n --preferred-challenges http -d "$1" --email "$EMAIL_LETS_ENCRYPT" --agree-tos --http-01-port $HTTP_PORT
+				EMAIL_LETS_ENCRYPT="${EMAIL_LETS_ENCRYPT-contact@$1}"
+				/opt/scripts/certbot-new.sh "$1" "$EMAIL_LETS_ENCRYPT"
 			fi
 		fi
 		replace_in_file "${NGINX_PREFIX}https.conf" "%HTTPS_CERT%" "/etc/letsencrypt/live/${FIRST_SERVER_NAME}/fullchain.pem"
 		replace_in_file "${NGINX_PREFIX}https.conf" "%HTTPS_KEY%" "/etc/letsencrypt/live/${FIRST_SERVER_NAME}/privkey.pem"
+		replace_in_file "${NGINX_PREFIX}https.conf" "%LETS_ENCRYPT_WEBROOT%" "include ${NGINX_PREFIX}lets-encrypt-webroot.conf;"
 	elif [ "$USE_CUSTOM_HTTPS" = "yes" ] ; then
 		replace_in_file "${NGINX_PREFIX}https.conf" "%HTTPS_CERT%" "$CUSTOM_HTTPS_CERT"
 		replace_in_file "${NGINX_PREFIX}https.conf" "%HTTPS_KEY%" "$CUSTOM_HTTPS_KEY"
+		replace_in_file "${NGINX_PREFIX}https.conf" "%LETS_ENCRYPT_WEBROOT%" ""
 	elif [ "$GENERATE_SELF_SIGNED_SSL" = "yes" ] ; then
 		replace_in_file "${NGINX_PREFIX}https.conf" "%HTTPS_CERT%" "/etc/nginx/self-signed-ssl/cert.pem"
 		replace_in_file "${NGINX_PREFIX}https.conf" "%HTTPS_KEY%" "/etc/nginx/self-signed-ssl/key.pem"
+		replace_in_file "${NGINX_PREFIX}https.conf" "%LETS_ENCRYPT_WEBROOT%" ""
 	fi
 else
 	replace_in_file "${NGINX_PREFIX}server.conf" "%USE_HTTPS%" ""
--- a/examples/multisite-basic/server-confs/app3.website.com/reverse-proxy.conf
+++ b/examples/multisite-basic/server-confs/app3.website.com/reverse-proxy.conf
@ -1,6 +0,0 @@
-proxy_set_header Host $host;
-proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-
-location / {
-	proxy_pass http://myapp3:3000;
-}
--- a/examples/tomcat/server-confs/reverse-proxy.conf
+++ b/examples/tomcat/server-confs/reverse-proxy.conf
@ -1,6 +0,0 @@
-proxy_set_header Host $host;
-proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-
-location / {
-	proxy_pass http://mytomcat:8080/sample;
-}
--- a/scripts/certbot-new.sh
+++ b/scripts/certbot-new.sh
@ -0,0 +1,9 @@
+#!/bin/sh
+
+# generate certificate
+certbot certonly --webroot -w /acme-challenge -n -d "$1" --email "$2" --agree-tos
+
+# fix rights
+chown -R root:nginx /etc/letsencrypt
+chmod -R 740 /etc/letsencrypt
+find /etc/letsencrypt -type d -exec chmod 750 {} \;
--- a/scripts/certbot-renew.sh
+++ b/scripts/certbot-renew.sh
@ -1,30 +1,9 @@
 #!/bin/sh

-function replace_in_file() {
-	# escape slashes
-	pattern=$(echo "$2" | sed "s/\//\\\\\//g")
-	replace=$(echo "$3" | sed "s/\//\\\\\//g")
-	sed -i "s/$pattern/$replace/g" "$1"
-}
-
-# disable HTTP
-servers="$(find /etc/nginx -name server.conf)"
-for f in $servers ; do
-	replace_in_file "$f" "listen" "#listen"
-done
-if [ -f /tmp/nginx.pid ] ; then
-	/usr/sbin/nginx -s reload
-	sleep 10
-fi
-
-# ask a new certificate if needed
+# ask new certificates if needed
 certbot renew

-# enable HTTP again
-for f in $servers ; do
-	replace_in_file "$f" "#listen" "listen"
-done
-
+# fix rights
 chown -R root:nginx /etc/letsencrypt
 chmod -R 740 /etc/letsencrypt
 find /etc/letsencrypt -type d -exec chmod 750 {} \;