----------------------------------------
       acme.sh shenanigans
       March 29th, 2018
       ----------------------------------------
       
       These are notes to myself on how I finally got acme.sh and nginx
       to play nice.
       
       
       Step 1: Generate a cert
       
       I'm using the namesilo api method here, so this part is simple.
       
       acme.sh --issue --dns dns_namesilo --dnssleep 900 -d tomasino.org \
         -d www.tomasino.org -w /var/www
       
       Step 2: Create a place to put those certs
       
       This part was a struggle. Since acme.sh doesn't need root to run,
       I wasn't sure where to go. Eventually I settled on creating
       a directory at /etc/nginx/acme.sh/domain/ and changed ownership to
       www-data:www-data. I'm a member of that group and nginx works with
       that too, so it should be good.
       
       Step 3: Install the certs
       
       This is poorly documented pretty much everywhere. It will pull the
       files from the .acme.sh directory in your home folder and put them
       wherever you define here. The reload command will run as root, so
       you don't need to specify sudo. 
       
       acme.sh --install-cert -d tomasino.org \
         --key-file /etc/nginx/acme.sh/tomasino.org/key.pem \
         --cert-file /etc/nginx/acme.sh/tomasino.org/cert.pem \
         --fullchain-file /etc/nginx/acme.sh/tomasino.org/fullchain.pem \
         --reloadcmd "service nginx force-reload"
       
       Step 4: Set up the nginx configuration
       
       First, a server directive on port 80 that just redirects to the
       ssl version.
       
       Second, listen on 443, add a bunch of headers, set up ssl
       protocols, ciphers, link to the cert, key, and trusted cert
       (fullchain). Etc, etc...
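
       A sketch of what those two server blocks can look like, added
       here as an example and not the config from the original notes.
       The file paths are the ones from Step 3 and the root is the
       /var/www from Step 1; the header set, cipher list and session
       settings are assumptions.

```nginx
# Added example: paths come from Step 3, everything else is an assumption.

# Port 80: do nothing except redirect to the HTTPS site.
server {
    listen 80;
    listen [::]:80;
    server_name tomasino.org www.tomasino.org;
    return 301 https://$host$request_uri;
}

# Port 443: TLS settings, certificate files and response headers.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name tomasino.org www.tomasino.org;
    root /var/www;

    # fullchain.pem holds the leaf plus the intermediate, so clients can
    # build the chain; cert.pem alone contains only the leaf certificate.
    ssl_certificate         /etc/nginx/acme.sh/tomasino.org/fullchain.pem;
    # Private key: keep it readable only by its owner.
    ssl_certificate_key     /etc/nginx/acme.sh/tomasino.org/key.pem;
    # CA chain nginx uses to verify OCSP responses when stapling is enabled.
    ssl_trusted_certificate /etc/nginx/acme.sh/tomasino.org/fullchain.pem;

    # Drop TLSv1.3 on builds older than nginx 1.13 / OpenSSL 1.1.1.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;

    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # "always" makes nginx send the headers on error responses too.
    add_header Strict-Transport-Security "max-age=63072000" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
}
```

       Running "nginx -t" before the restart in Step 5 catches a wrong
       path or an unsupported protocol name without taking the site
       down.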
       
       Step 5: Restart/Start nginx
       
       Hopefully it doesn't crap out on you like it did for me 5,000
       times.