From: nutra-bot
Date: Wed, 24 Dec 2025 11:41:51 +0000 (+0000)
Subject: nginx: drop support for ECDHE-RSA-AES128-SHA
X-Git-Url: https://git.nutra.tk/v2?a=commitdiff_plain;h=45cfcfe273a4bf4e33c1466aae416323bd08f9c6;p=nutratech%2Fvps-root.git
nginx: drop support for ECDHE-RSA-AES128-SHA
---
diff --git a/etc/letsencrypt/options-ssl-nginx.conf b/etc/letsencrypt/options-ssl-nginx.conf
new file mode 100644
index 0000000..d7e52ea
--- /dev/null
+++ b/etc/letsencrypt/options-ssl-nginx.conf
@@ -0,0 +1,15 @@
+# This file contains important security parameters. If you modify this file
+# manually, Certbot will be unable to automatically provide future security
+# updates. Instead, Certbot will print and log an error message with a path to
+# the up-to-date file that you will need to refer to when manually updating
+# this file. Contents are based on https://ssl-config.mozilla.org
+
+ssl_session_cache shared:le_nginx_SSL:10m;
+ssl_session_timeout 1440m;
+ssl_session_tickets off;
+
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_prefer_server_ciphers on;
+
+#ssl_ciphers"ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA";
+ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
diff --git a/etc/letsencrypt/renewal/nutra.tk.conf b/etc/letsencrypt/renewal/nutra.tk.conf
new file mode 100644
index 0000000..90b295e
--- /dev/null
+++ b/etc/letsencrypt/renewal/nutra.tk.conf
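Review bot: The commented-out `#ssl_ciphers"…:ECDHE-RSA-AES128-SHA"` line in options-ssl-nginx.conf leaves the old list as dead text in a newly added file, and nothing records that this copy now deviates from the one Certbot ships. As the file's own header states, a hand-modified copy is no longer updated by Certbot, so later cipher or protocol changes have to be tracked manually. I would replace the commented-out line with a short comment such as `# Local change: ECDHE-RSA-AES128-SHA (AES-CBC with SHA-1 MAC) removed; file is maintained by hand, compare with Certbot's reference copy after upgrades.` The remaining `DHE-RSA-*` suites are only offered by nginx when `ssl_dhparam` is set, which would have to happen outside this hunk, so that is worth confirming.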
@@ -0,0 +1,18 @@
+# renew_before_expiry = 30 days
+version = 5.1.0
+archive_dir = /etc/letsencrypt/archive/nutra.tk
+cert = /etc/letsencrypt/live/nutra.tk/cert.pem
+privkey = /etc/letsencrypt/live/nutra.tk/privkey.pem
+chain = /etc/letsencrypt/live/nutra.tk/chain.pem
+fullchain = /etc/letsencrypt/live/nutra.tk/fullchain.pem
+
+# Options used in the renewal process
+[renewalparams]
+account = 4ef7f79d3251f720306e0cd6ca6e3196
+key_type = rsa
+preferred_chain = ISRG Root X1
+authenticator = nginx
+installer = nginx
+server = https://acme-v02.api.letsencrypt.org/directory
+[acme_renewal_info]
+ari_retry_after = 2025-12-27T18:01:29
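Review bot: The `[acme_renewal_info]` section with `ari_retry_after = 2025-12-27T18:01:29` looks like state that Certbot rewrites on its own, so tracking renewal/nutra.tk.conf will probably produce unrelated diffs after renewal checks. The file also records the ACME `account` identifier and a `privkey` path under `/etc/letsencrypt/live/`. Whether those directories are tracked is not visible in this hunk, but if the repository mirrors `/etc`, it should exclude `etc/letsencrypt/live/`, `etc/letsencrypt/archive/` and `etc/letsencrypt/accounts/` so that private keys and account keys never reach the history. The commit subject only mentions the cipher change, so it would help to say in the description that this Certbot-managed file is being added deliberately.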