「Linux/LetsEncrypt導入」の版間の差分
提供: 初心者エンジニアの簡易メモ
| 行26: | 行26: | ||
# ls /etc/letsencrypt/live/[ドメイン]/ | # ls /etc/letsencrypt/live/[ドメイン]/ | ||
cert.pem chain.pem fullchain.pem privkey.pem | cert.pem chain.pem fullchain.pem privkey.pem | ||
| + | |||
| + | ==nginx設定に追加== | ||
| + | server { | ||
| + | listen 80; | ||
| + | server_name example.net; | ||
| + | rewrite ^ https://$server_name$request_uri? permanent; | ||
| + | } | ||
| + | server { | ||
| + | listen 443 ssl; | ||
| + | server_name example.net; | ||
| + | ssl_certificate /etc/letsencrypt/live/example.net/fullchain.pem; | ||
| + | ssl_certificate_key /etc/letsencrypt/live/example.net/privkey.pem; | ||
| + | ssl_session_timeout 1d; | ||
| + | ssl_session_cache shared:SSL:50m; | ||
| + | ssl_session_tickets on; | ||
| + | ssl_dhparam /etc/ssl/private/dhparam.pem; | ||
| + | ssl_protocols TLSv1 TLSv1.1 TLSv1.2; | ||
| + | ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; | ||
| + | ssl_prefer_server_ciphers on; | ||
| + | |||
| + | ==参考== | ||
| + | *http://sankame.github.io/ssl-tls/letsencrypt_setup/ | ||
2016年7月2日 (土) 08:09時点における版
certbot-autoのインストール
$ git clone https://github.com/certbot/certbot $ cd certbot $ ./certbot-auto
証明書取得
./certbot-auto certonly --webroot \ -w /var/www/example/public -d example.com \ -m sample@example.com \ --agree-tos
以下エラーが発生する場合はPython 2.7を入れる必要がある
./certbot-auto: line 558: virtualenv
Python 2.7のインストール
$ sudo yum install centos-release-scl $ sudo yum install python27 python27-python-tools $ python -V Python 2.6.6 # デフォだと2.6なので以下コマンドで一時的に2.7へ $ sudo scl enable python27 bash $ python -V Python 2.7.8
証明書取得が出来たら以下ファイルが出来てることを確認
# ls /etc/letsencrypt/live/[ドメイン]/ cert.pem chain.pem fullchain.pem privkey.pem
nginx設定に追加
server {
listen 80; server_name example.net; rewrite ^ https://$server_name$request_uri? permanent;
} server {
listen 443 ssl; server_name example.net; ssl_certificate /etc/letsencrypt/live/example.net/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/example.net/privkey.pem; ssl_session_timeout 1d; ssl_session_cache shared:SSL:50m; ssl_session_tickets on; ssl_dhparam /etc/ssl/private/dhparam.pem; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; ssl_prefer_server_ciphers on;
