open-contracting / deploy

Deployment configuration and scripts
https://ocdsdeploy.readthedocs.io/en/latest/
Apache License 2.0

nginx: Document TLS certificates #478

Closed jpmckinney closed 10 months ago

jpmckinney commented 11 months ago

https://docs.saltproject.io/en/latest/ref/states/all/salt.states.acme.html doesn't have a way to use the nginx certbot plugin (python3-certbot-nginx).

Rough steps:

  1. Add an nginx site, using the acme configuration

  2. Run certbot --nginx -d DOMAIN

    This outputs "Certbot has set up a scheduled task to automatically renew this certificate in the background." I assume this is true, so that no crontab needs to be manually configured.

  3. Change the configuration to e.g. dream-bi
Certbot does this for port 80:

server {
    if ($host = ocp25.open-contracting.org) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    listen [::]:80;
    server_name ocp25.open-contracting.org ;
    return 404; # managed by Certbot

}

I'm not sure what this looks like when multiple domains are on the same cert. In any case, we do this, from Mozilla:

server {
    listen 80;
    listen [::]:80;
    server_name {{ servername }} {{ serveraliases|join(' ') }};

    location / {
        return 301 https://$host$request_uri;
    }
}

/etc/letsencrypt/options-ssl-nginx.conf contains the following, which is close enough to Mozilla: