#author("2023-11-01T08:53:57+09:00","default:kuji","kuji")
#author("2023-11-01T08:55:04+09:00","default:kuji","kuji")
[[FAMPサーバ・スクラッチインストール]]~
CONTENTS
#contents
----
Lastmodified &lastmod;
----
* portinstall security/py-certbot [#dbcc2be4]
 Installing py39-certbot-2.7.3,1...
 This port installs the "standalone" Python client only, which does not use and
 is not the certbot-auto bootstrap/wrapper script.
 
 The simplest way to obtain certificates is:
 
   # sudo certbot certonly --standalone -d <domain>[,domain2,...,domainN]
 
 Note:
 
 The client requires the ability to bind on TCP port 80 or 443 (depending
 on the --preferred-challenges option used). If a server is running on that
 port, it will need to be temporarily stopped so that the standalone server
 can listen on that port to complete the challenge authentication process.
 
 For more information on the 'standalone' mode, see:
 
   https://certbot.eff.org/docs/using.html#standalone
 
 The certbot plugins to support apache and nginx certificate installation
 will be made available in the following ports:
 
  * Apache plugin: security/py-certbot-apache
  * Nginx plugin: security/py-certbot-nginx
 
 In order to automatically renew the certificates, add this line to
 /etc/periodic.conf:
 
     weekly_certbot_enable="YES"      ← registered automatically (verify with: grep certbot /etc/periodic.conf)
 
 More config details in the certbot periodic script:
 
     /usr/local/etc/periodic/weekly/500.certbot-3.6    ← registered automatically (the script is installed by the port)
 




* Renew script [#wdab2fdb]
Reference URLs:
https://freebsd.sing.ne.jp/daily/04/03/05.html

https://www.server-memo.net/tips/crontab.html

http://pb-times.jp/P_521ab8c540f59

Certbot_Renew.sh

 #!/bin/sh
 # https://freebsd.sing.ne.jp/daily/04/03/05.html
 # --standalone: certbot binds port 80 itself, so Apache is stopped by --pre-hook and
 #   started again by --post-hook; both hooks run only when certbot actually attempts
 #   a renewal, which --force-renewal makes unconditional.
 # --force-renewal: re-issue even if the certificate is nowhere near expiry; tolerable
 #   only because the crontab entry below runs this once every two months.
 # --expand: meaningful for certonly when adding domains to an existing certificate;
 #   it changes nothing for renew.
 certbot \
 	renew \
 	--standalone \
 	--force-renewal \
 	--expand \
 	--pre-hook "/usr/local/etc/rc.d/apache24 stop" \
 	--post-hook "/usr/local/etc/rc.d/apache24 start"

/etc/crontab: renew once every two months (00:05 on the 1st of every second month)
 5	0	1	*/2	*	root	/root/bin/Certbot_Renew.sh

Because every run forces a re-issue, the interval has to stay well inside the 90-day lifetime of a Let's Encrypt certificate, and a single failed run (port 80 busy, ACME or DNS outage) leaves the next attempt two months later, after the certificate has already expired. Watch /var/log/letsencrypt/letsencrypt.log, or rely on the port's weekly periodic script instead, which runs certbot renew every week and only re-issues when a certificate is due.

 



* Renew [#z9ecc3ef]

With a certificate obtained using the defaults, the options can apparently be omitted:

 certbot renew

certbot renew re-reads /usr/local/etc/letsencrypt/renewal/sun1.smb.net.conf and reuses the authenticator recorded there (standalone for the certificate obtained above), so it fails in the same way as the first certonly run if Apache is holding port 80. To be explicit, and to switch to webroot validation (Apache keeps running and serves /.well-known/acme-challenge/ from the document root; the new settings are saved back into the renewal config), run it like this:
 certbot renew --webroot -w /usr/local/www/apache24/data/ --renew-by-default

--renew-by-default is an alias of --force-renewal and re-issues even when the certificate is not yet due; keep it for a one-off re-issue such as this change of authenticator, not for a scheduled job. For a dry run (against the Let's Encrypt staging environment; nothing is saved) the options are:

 --renew-by-default --dry-run
----
*SSL Let's Encrypt [#hb9078f3]
https://www.google.co.jp/search?q=FreeBSD+Let%E2%80%99s+Encrypt+&oq=FreeBSD+Let%E2%80%99s+Encrypt+&gs_l=psy-ab.3..0i8i30k1.3369.7873.0.8232.9.9.0.0.0.0.113.938.2j7.9.0....0...1.1.64.psy-ab..0.9.933...0j0i13k1j0i7i30k1j0i8i7i30k1.0.QIF2pZxQwwc

https://letsencrypt.jp/

https://letsencrypt.org/

https://scratchpad.jp/https-with-lets-encrypt/

* certbot install on FreeBSD 11.0-RELEASE-p12 [#be89650c]

Reference site: http://blog.goo.ne.jp/low-electric-mouse/e/912c459b71887d3ca025509f7ea9897b

 locate certbot
** portinstall security/py-certbot [#x4acbf02]



 Installing py27-certbot-0.18.1,1...
 ===========================================================================
 
 This port installs the "standalone" Python client only, which does not use and
 is not the certbot-auto bootstrap/wrapper script.
 
 To obtain certificates, use the 'certonly' command as follows:
 
  # sudo certbot certonly --standalone -d [server FQDN]
 
 Note: The client currently requires the ability to bind on TCP port 80. If
 you have a server running on this port, it will need to be temporarily stopped
 so that the standalone server can listen on that port to complete
 authentication.
 
 The certbot plugins to support apache and nginx certificate installation
 will be made available soon in the following ports:
 
  * Apache plugin: security/py-certbot-apache
  * Nginx plugin: security/py-certbot-nginx
 
 ===========================================================================

** # certbot certonly --standalone -d sun1.smb.net [#d5ae3a2d]
 Saving debug log to /var/log/letsencrypt/letsencrypt.log
 Enter email address (used for urgent renewal and security notices)
  (Enter 'c' to cancel): hoge@smb.net

 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 Please read the Terms of Service at
 https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017-w-v1.3-notice.pdf.
 You must agree in order to register with the ACME server. Do you agree?
 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 (Y)es/(N)o: Y

 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 Would you be willing, once your first certificate is successfully issued, to
 share your email address with the Electronic Frontier Foundation, a founding
 partner of the Let's Encrypt project and the non-profit organization that
 develops Certbot? We'd like to send you email about our work encrypting the web,
 EFF news, campaigns, and ways to support digital freedom.
 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 (Y)es/(N)o: Y
 Account registered.
 Requesting a certificate for sun1.smb.net

 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 Could not bind TCP port 80 because it is already in use by another process on
 this system (such as a web server). Please stop the program in question and then
 try again.
 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Run apachectl stop in another terminal, then retry:

 (R)etry/(C)ancel: R

 Successfully received certificate.
 Certificate is saved at: /usr/local/etc/letsencrypt/live/sun1.smb.net/fullchain.pem
 Key is saved at:         /usr/local/etc/letsencrypt/live/sun1.smb.net/privkey.pem
 This certificate expires on 2022-12-12.
 These files will be updated when the certificate renews.

 NEXT STEPS:
 - The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions.

 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 If you like Certbot, please consider supporting our work by:
  * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
  * Donating to EFF:                    https://eff.org/donate-le
 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

** # apachectl stop [#w44ec8cc]
 Stopping apache24.
 Waiting for PIDS: 878.
 
** # certbot certonly --standalone -d sun1.smb.net [#eecb82dd]
 Saving debug log to /var/log/letsencrypt/letsencrypt.log
 Plugins selected: Authenticator standalone, Installer None
 Obtaining a new certificate
 Performing the following challenges:
 tls-sni-01 challenge for sun1.smb.net
 Waiting for verification...
 Cleaning up challenges
 
 IMPORTANT NOTES:
  - Congratulations! Your certificate and chain have been saved at:
    /usr/local/etc/letsencrypt/live/sun1.smb.net/fullchain.pem
    Your key file has been saved at:
    /usr/local/etc/letsencrypt/live/sun1.smb.net/privkey.pem
    Your cert will expire on 2017-12-25. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot
    again. To non-interactively renew *all* of your certificates, run
    "certbot renew"
  - If you like Certbot, please consider supporting our work by: 
 
    Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
    Donating to EFF:                    https://eff.org/donate-le
 
Note: the tls-sni-01 challenge used in this 2017 run was retired by Let's Encrypt in 2019; current certbot releases validate with http-01 on port 80 (which is why the later run above could not bind port 80 while Apache was running) or with dns-01.

 root@sun1:/usr/local/etc/letsencrypt:17_09_26:10:57 # ll
 total 24
 drwx------  3 root  wheel  512 Sep 26 10:42 accounts/
 drwx------  3 root  wheel  512 Sep 26 10:54 archive/
 drwxr-xr-x  2 root  wheel  512 Sep 26 10:54 csr/
 drwx------  2 root  wheel  512 Sep 26 10:54 keys/
 drwx------  3 root  wheel  512 Sep 26 10:54 live/
 drwxr-xr-x  2 root  wheel  512 Sep 26 10:54 renewal/

** /usr/local/etc/apache24/extra/httpd-ssl.conf [#m8888982]

 Listen 443
 SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES:!IDEA
 SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES:!IDEA
 SSLHonorCipherOrder on 
 SSLProtocol all -SSLv3 -SSLv2
 SSLProxyProtocol all -SSLv3 -SSLv2
 SSLPassPhraseDialog  builtin
 SSLSessionCache        "shmcb:/var/run/ssl_scache(512000)"
 SSLSessionCacheTimeout  300
 SSLUseStapling On
 SSLStaplingCache "shmcb:/var/run/ssl_stapling(32768)"
 SSLStaplingStandardCacheTimeout 3600
 SSLStaplingErrorCacheTimeout 600

**/usr/local/etc/apache24/extra/httpd-vhosts.conf [#q89083c2]
 <VirtualHost _default_:443>
 # Protocols h2 http/1.1 only negotiates HTTP/2 once mod_http2 is loaded (see "portinstall www/mod_http2"
 # and https://piano2nd.smb.net/~kuji/pukiwiki-1.4.7/index.php?SSL#k1b68f44). Apache does not accept a
 # comment after a directive on the same line, so keep comments on lines of their own.
 Protocols h2 http/1.1
 DocumentRoot "/usr/local/www/apache24/data"
 ServerName sun1.smb.net:443
 ServerAdmin webmaster@smb.net
 ErrorLog "/var/log/httpd-error.log"
 TransferLog "/var/log/httpd-access.log"
 SSLEngine on
 SSLCertificateFile "/usr/local/etc/letsencrypt/live/sun1.smb.net/fullchain.pem"
 SSLCertificateKeyFile "/usr/local/etc/letsencrypt/live/sun1.smb.net/privkey.pem"
 <FilesMatch "\.(cgi|shtml|phtml|php)$">
     SSLOptions +StdEnvVars
 </FilesMatch>
 <Directory "/usr/local/www/apache24/cgi-bin">
     SSLOptions +StdEnvVars
 </Directory>
 BrowserMatch "MSIE [2-5]" \
          nokeepalive ssl-unclean-shutdown \
          downgrade-1.0 force-response-1.0
 CustomLog "/var/log/httpd-ssl_request.log" \
           "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
 </VirtualHost>
 
 # Append the following line at the end of the file. It needs mod_headers (headers_module)
 # loaded in httpd.conf. 315360000 seconds is ten years; browsers only honour the header
 # when it arrives over HTTPS, so outside the :443 VirtualHost it is harmless but pointless.
 Header set Strict-Transport-Security "max-age=315360000"
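SSLProtocol all -SSLv3 -SSLv2 only subtracts the SSL versions, so the configuration above still negotiates TLS 1.0 and 1.1, and HIGH:MEDIUM admits the MEDIUM cipher group. The script below is an added example written for this page, not part of Apache or of the author's configuration: it scans a mod_ssl config file for those two points plus SSLHonorCipherOrder, OCSP stapling and the HSTS header, and returns the number of findings, so it can be run against httpd-ssl.conf after each change. The rule set is the editor's choice, and the two embedded samples are constructed: the first copies this page's directives, the second restricts them to TLS 1.2/1.3.

```shell
#!/bin/sh
# audit_ssl_conf.sh: added example for this page (not Apache's, not the page's own
# config). Scans a mod_ssl configuration file and returns the number of findings
# (0 = clean). The rule set is the editor's assumption, not an Apache standard:
#   SSLProtocol must not leave SSLv3, TLSv1 or TLSv1.1 enabled;
#   SSLCipherSuite must not admit MEDIUM/LOW/EXPORT/aNULL/eNULL/ALL/DEFAULT;
#   SSLHonorCipherOrder on, SSLUseStapling on and an HSTS header must be present.
# Usage: sh audit_ssl_conf.sh /usr/local/etc/apache24/extra/httpd-ssl.conf [...]
#        With no arguments it audits the two constructed samples at the bottom.

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# directive_value FILE NAME: value of the first non-comment occurrence of NAME
# (Apache directive names are case-insensitive, so compare lower-cased).
directive_value() {
    awk -v name="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(name) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# protocol_enabled PROTO "VALUE": exit 0 if SSLProtocol VALUE leaves PROTO enabled.
# Apache semantics: "all" selects every version, "+X" or bare "X" adds, "-X" removes.
protocol_enabled() {
    want=$1; shift
    enabled=0
    for tok in $1; do
        case $tok in
            all|+all)         enabled=1 ;;
            -all)             enabled=0 ;;
            "$want"|"+$want") enabled=1 ;;
            "-$want")         enabled=0 ;;
        esac
    done
    [ "$enabled" -eq 1 ]
}

# audit_ssl_conf FILE: print one line per finding; return value = number of findings.
audit_ssl_conf() {
    conf=$1; n=0
    proto=$(directive_value "$conf" SSLProtocol)
    proto=${proto:-"all -SSLv3"}    # mod_ssl's own default when the directive is absent
    for old in SSLv3 TLSv1 TLSv1.1; do
        if protocol_enabled "$old" "$proto"; then
            echo "FINDING: SSLProtocol '$proto' leaves $old enabled"; n=$((n + 1))
        fi
    done
    weak=$(printf '%s\n' "$(directive_value "$conf" SSLCipherSuite)" | tr ':' '\n' \
        | grep -xE 'MEDIUM|LOW|EXPORT|ALL|DEFAULT|COMPLEMENTOFDEFAULT|aNULL|eNULL' | tr '\n' ' ')
    if [ -n "$weak" ]; then
        echo "FINDING: SSLCipherSuite admits weak groups: $weak"; n=$((n + 1))
    fi
    if [ "$(lower "$(directive_value "$conf" SSLHonorCipherOrder)")" != on ]; then
        echo "FINDING: SSLHonorCipherOrder is not on (the client picks the cipher)"; n=$((n + 1))
    fi
    if [ "$(lower "$(directive_value "$conf" SSLUseStapling)")" != on ]; then
        echo "FINDING: SSLUseStapling is not on (no OCSP stapling)"; n=$((n + 1))
    fi
    if ! grep -v '^[[:space:]]*#' "$conf" | grep -qi 'Strict-Transport-Security'; then
        echo "FINDING: no Strict-Transport-Security header"; n=$((n + 1))
    fi
    [ "$n" -eq 0 ] && echo "OK: no findings in $conf"
    return $n
}

# Constructed sample 1: the directives from this page's httpd-ssl.conf / httpd-vhosts.conf.
page_config_sample() {
    cat <<'EOF'
SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES:!IDEA
SSLHonorCipherOrder on
SSLProtocol all -SSLv3 -SSLv2
SSLUseStapling On
<VirtualHost _default_:443>
    SSLEngine on
</VirtualHost>
Header set Strict-Transport-Security "max-age=315360000"
EOF
}

# Constructed sample 2: the same, restricted to TLS 1.2/1.3 with no MEDIUM ciphers.
hardened_sample() {
    cat <<'EOF'
SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:!3DES:!IDEA
SSLHonorCipherOrder on
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLUseStapling On
Header always set Strict-Transport-Security "max-age=315360000"
EOF
}

main() {
    if [ $# -gt 0 ]; then
        total=0
        for f in "$@"; do audit_ssl_conf "$f" || total=$((total + $?)); done
        return $total
    fi
    tmp=$(mktemp)
    page_config_sample > "$tmp"; echo "== page configuration";     audit_ssl_conf "$tmp" || true
    hardened_sample   > "$tmp"; echo "== hardened configuration"; audit_ssl_conf "$tmp" || true
    rm -f "$tmp"
}
main "$@"
```

Run it with the config files as arguments (sh audit_ssl_conf.sh /usr/local/etc/apache24/extra/httpd-ssl.conf /usr/local/etc/apache24/extra/httpd-vhosts.conf); the exit status is the finding count. It reads each file as text, so a directive that lives in a different Include'd file is reported as missing, and apachectl configtest remains the check that the file actually parses.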







** /usr/local/etc/apache24/httpd.conf [#af263219]

 Uncomment the following lines if they are commented out. mod_headers is needed by the
 Strict-Transport-Security Header directive added to httpd-vhosts.conf.
 LoadModule log_config_module libexec/apache24/mod_log_config.so
 LoadModule setenvif_module libexec/apache24/mod_setenvif.so
 LoadModule headers_module libexec/apache24/mod_headers.so
 LoadModule ssl_module libexec/apache24/mod_ssl.so
 LoadModule socache_shmcb_module libexec/apache24/mod_socache_shmcb.so
 
 Likewise, uncomment these so that the configuration files under /usr/local/etc/apache24/extra are read:
 Include etc/apache24/extra/httpd-vhosts.conf
 Include etc/apache24/extra/httpd-ssl.conf





** # certbot renew --webroot -w /usr/local/www/apache24/data/ --renew-by-default --dry-run [#j5b88e41]
 Saving debug log to /var/log/letsencrypt/letsencrypt.log
 
 -------------------------------------------------------------------------------
 Processing /usr/local/etc/letsencrypt/renewal/sun1.smb.net.conf
 -------------------------------------------------------------------------------
 Plugins selected: Authenticator webroot, Installer None
 Renewing an existing certificate
 Performing the following challenges:
 http-01 challenge for sun1.smb.net
 Using the webroot path /usr/local/www/apache24/data for all unmatched domains.
 Waiting for verification...
 Cleaning up challenges
 
 -------------------------------------------------------------------------------
 new certificate deployed without reload, fullchain is
 /usr/local/etc/letsencrypt/live/sun1.smb.net/fullchain.pem
 -------------------------------------------------------------------------------
 
 -------------------------------------------------------------------------------
 ** DRY RUN: simulating 'certbot renew' close to cert expiry
 **          (The test certificates below have not been saved.)
 
 Congratulations, all renewals succeeded. The following certs have been renewed:
   /usr/local/etc/letsencrypt/live/sun1.smb.net/fullchain.pem (success)
 ** DRY RUN: simulating 'certbot renew' close to cert expiry
 **          (The test certificates above have not been saved.)
 -------------------------------------------------------------------------------
 
 IMPORTANT NOTES:
  - Your account credentials have been saved in your Certbot
    configuration directory at /usr/local/etc/letsencrypt. You should
    make a secure backup of this folder now. This configuration
    directory will also contain certificates and private keys obtained
    by Certbot so making regular backups of this folder is ideal.

** # crontab -e [#yc19ab82]

Add the following entry (it runs twice a day, at 02:00 and 05:00; certbot only contacts Let's Encrypt when a certificate has less than 30 days left, and the deploy hook reloads Apache only when a certificate was actually replaced):
 0 2,5 * * * /usr/local/bin/certbot renew --agree-tos --webroot -w /usr/local/www/apache24/data/ --deploy-hook "/usr/local/etc/rc.d/apache24 reload"

Do not add --renew-by-default (an alias of --force-renewal) to this entry: it would re-issue the certificate on every run, and Let's Encrypt's duplicate-certificate limit of 5 per week would be exhausted within days.
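The Certbot_Renew.sh script in the Renew script section and the crontab line above both rely on a fixed schedule and on restarting or reloading Apache whether or not anything was renewed. The script below is an added example written for this page, not the author's script and not part of certbot: it runs plain certbot renew, reloads apache24 only from a --deploy-hook (which certbot invokes once per renewed lineage with RENEWED_LINEAGE and RENEWED_DOMAINS exported), and then checks every certificate under /usr/local/etc/letsencrypt/live with openssl x509 -checkend so that a renewal that keeps failing is noticed well inside the 90-day lifetime. It assumes the webroot authenticator saved in the renewal config (no Apache downtime); the script path, the 20-day alert threshold and the cron schedule in its comment are assumptions.

```shell
#!/bin/sh
# certbot_renew.sh: added example for this page, not the author's Certbot_Renew.sh
# and not part of certbot. Runs plain "certbot renew" (no --force-renewal), reloads
# apache24 only from the --deploy-hook, then warns about any certificate under the
# live directory that is close to expiry. Assumptions: installed as
# /root/bin/certbot_renew.sh, ALERT_DAYS=20, and the authenticator saved in the
# renewal config (webroot, as set up above) needs no Apache downtime.
# /etc/crontab example:  5 3 * * * root /root/bin/certbot_renew.sh

LIVE_DIR=${LIVE_DIR:-/usr/local/etc/letsencrypt/live}
CERTBOT=${CERTBOT:-/usr/local/bin/certbot}
APACHE_RC=${APACHE_RC:-/usr/local/etc/rc.d/apache24}
ALERT_DAYS=${ALERT_DAYS:-20}

# cert_expires_within CERT DAYS: exit 0 if CERT expires within DAYS days, 1 if not.
# "openssl x509 -checkend N" exits 0 only while the certificate is still valid N seconds from now.
cert_expires_within() {
    if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# cert_not_after CERT: the notAfter date as openssl prints it.
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# check_live_certs DIR DAYS: one line per lineage; returns how many expire within DAYS.
check_live_certs() {
    expiring=0
    for cert in "$1"/*/fullchain.pem; do
        [ -f "$cert" ] || continue
        name=$(basename "$(dirname "$cert")")
        if cert_expires_within "$cert" "$2"; then
            echo "WARN $name expires $(cert_not_after "$cert") (within $2 days)"
            expiring=$((expiring + 1))
        else
            echo "ok   $name expires $(cert_not_after "$cert")"
        fi
    done
    return $expiring
}

# certbot runs the deploy hook once per renewed lineage with RENEWED_LINEAGE and
# RENEWED_DOMAINS exported; unlike --post-hook it never runs when nothing was renewed.
deploy_hook() {
    echo "renewed ${RENEWED_LINEAGE:-?} (${RENEWED_DOMAINS:-?}); reloading apache24"
    "$APACHE_RC" reload
}

main() {
    case $1 in
        deploy) deploy_hook ;;
        *)
            # $0 must be an absolute path (it is, when started from cron as /root/bin/...).
            "$CERTBOT" renew --quiet --deploy-hook "$0 deploy"
            # cron mails anything printed here, so the WARN lines reach root.
            check_live_certs "$LIVE_DIR" "$ALERT_DAYS" \
                || echo "certificates close to expiry; see /var/log/letsencrypt/letsencrypt.log" >&2
            ;;
    esac
}

# Run main only when invoked as the script itself, so the functions can be sourced elsewhere.
case ${0##*/} in certbot_renew.sh) main "$@" ;; esac
```

Install it as /root/bin/certbot_renew.sh and run it from cron at least daily; cron mails whatever it prints, so both the WARN lines and the reload message reach root. The openssl helpers also work on their own, e.g. cert_expires_within /usr/local/etc/letsencrypt/live/sun1.smb.net/fullchain.pem 30 && echo due.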

----

* # portinstall www/mod_http2 [#y4cc6541]

 Installing ap24-mod_http2-2.0.21...
 NOTE: The default www/apache24 package already contains mod_h2.
 This port exists for advance bug- and security fix delivery.
 
 The module shlib file has been renamed from mod_http2 to mod_h2 to
 allow the www/apache24 bundled and this (usually newer) module to
 coexist. Change the LoadModule line in your Apache config from
 
     LoadModule http2_module  ${modDir}/mod_http2.so
 
 to
 
     LoadModule http2_module  ${modDir}/mod_h2.so
 
 to enable this port's module.
 
 ===>  Cleaning for ap24-mod_http2-2.0.21

** /usr/local/etc/apache24/httpd.conf [#qb8920db]
Append the http2_module load after the last LoadModule line:

 LoadModule http2_module libexec/apache24/mod_h2.so

** /usr/local/etc/apache24/extra/httpd-ssl.conf [#d627cbc6]
 Add the following directive directly under <VirtualHost _default_:443>:
 Protocols h2 http/1.1

Then run apachectl configtest and restart; apachectl -M should now list http2_module.



----
Total access &counter(total);:本日 &counter(today);:昨日 &counter(yesterday);
#counter([total|today|yesterday]);
