[[SSL]]

* SSL: Let's Encrypt with Virtual_Host [#bacb641e]

** portinstall security/py-certbot [#n753d43f]
*** certbot certonly --standalone -d www.smb.net [#c101a022]
This creates /usr/local/etc/letsencrypt.

** portinstall www/mod_http2-devel [#i818a033]

* /usr/local/etc/apache24/httpd.conf configuration changes [#o643027c]

Uncomment the following lines if they are commented out.

 LoadModule log_config_module libexec/apache24/mod_log_config.so
 LoadModule setenvif_module libexec/apache24/mod_setenvif.so
 LoadModule ssl_module libexec/apache24/mod_ssl.so
 LoadModule socache_shmcb_module libexec/apache24/mod_socache_shmcb.so

Additional setting

 LoadModule http2_module libexec/apache24/mod_h2.so

Below the LoadModule lines, add the following line so that the SSL settings are read in.
 Include etc/apache24/extra/httpd-ssl.conf

* vi /usr/local/etc/apache24/extra/httpd-ssl.conf [#w28a6929]
 Listen 443
 SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES:!IDEA
 SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES:!IDEA
 SSLHonorCipherOrder on
 SSLProtocol all -SSLv3 -SSLv2
 SSLProxyProtocol all -SSLv3 -SSLv2
 SSLPassPhraseDialog  builtin
 SSLSessionCache        "shmcb:/var/run/ssl_scache(512000)"
 SSLSessionCacheTimeout  300
 SSLUseStapling On
 SSLStaplingCache "shmcb:/var/run/ssl_stapling(32768)"
 SSLStaplingStandardCacheTimeout 3600
 SSLStaplingErrorCacheTimeout 600
 
 <VirtualHost _default_:443>
 # To enable h2, portinstall www/mod_http2-devel first.
 # (The comment is on its own line: Apache does not allow a comment after a directive on the same line.)
 Protocols h2 http/1.1
 ServerName sun1.smb.net:443
 ServerAdmin webmaster@smb.net
 ErrorLog "/var/log/httpd-error.log"
 TransferLog "/var/log/httpd-access.log"
 SSLEngine on
 SSLCertificateFile "/usr/local/etc/letsencrypt/live/www.smb.net/fullchain.pem"
 SSLCertificateKeyFile "/usr/local/etc/letsencrypt/live/www.smb.net/privkey.pem"
 <FilesMatch "\.(cgi|shtml|phtml|php)$">
     SSLOptions +StdEnvVars
 </FilesMatch>
 <Directory "/usr/local/www/apache24/cgi-bin">
     SSLOptions +StdEnvVars
 </Directory>
 BrowserMatch "MSIE [2-5]" \
          nokeepalive ssl-unclean-shutdown \
          downgrade-1.0 force-response-1.0
 CustomLog "/var/log/httpd-ssl_request.log" \
           "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
 </VirtualHost>
 
 # Add the following single line at the end of the file.
 # The Header directive requires mod_headers (headers_module) to be loaded in httpd.conf.
 # The value is written without the leading space and trailing ";" so it is a clean HSTS directive.
 Header set Strict-Transport-Security "max-age=315360000"
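As an added check (example code, not part of this page, certbot or Apache), the following script lints an httpd-ssl.conf fragment for the settings above: SSLv3 disabled, cipher order honored, OCSP stapling on, fullchain.pem used, no trailing comment on a directive line, and a well-formed Strict-Transport-Security value. The sample fragment is constructed and deliberately weak so that every check fires.

```python
import re

# Constructed sample: a deliberately weak fragment to lint (not the page's own file).
SAMPLE_CONF = """\
Listen 443
SSLProtocol all
SSLHonorCipherOrder off
SSLUseStapling Off
<VirtualHost _default_:443>
Protocols h2 http/1.1   # inline comment: Apache rejects this
SSLCertificateFile "/usr/local/etc/letsencrypt/live/www.smb.net/cert.pem"
</VirtualHost>
Header set Strict-Transport-Security " max-age=315360000;"
"""

def parse_directives(text):
    """Yield (name, value) per directive line; skips blanks, comments and <section> tags."""
    for line in text.splitlines():
        s = line.strip()
        if s and not s.startswith(("#", "<")):
            name, _, value = s.partition(" ")
            yield name, value.strip()

def lint(text):
    """Return a list of findings; an empty list means the fragment passes every check."""
    findings, conf = [], {}
    for name, value in parse_directives(text):
        conf[name] = value  # last occurrence wins, enough for a single-vhost fragment
        if "#" in value:  # Apache does not allow a comment on a directive line
            findings.append(f"{name}: trailing '#' comment breaks the directive")
    tokens = conf.get("SSLProtocol", "all").split()
    if "-SSLv3" not in tokens and ("all" in tokens or "+SSLv3" in tokens or "SSLv3" in tokens):
        findings.append("SSLProtocol: SSLv3 is still enabled")
    for key in ("SSLHonorCipherOrder", "SSLUseStapling"):
        if conf.get(key, "").lower() != "on":
            findings.append(f"{key}: must be on")
    if not conf.get("SSLCertificateFile", "").strip('"').endswith("fullchain.pem"):
        findings.append("SSLCertificateFile: use fullchain.pem so the intermediate is served")
    m = re.match(r'set\s+Strict-Transport-Security\s+"(.*)"', conf.get("Header", ""))
    if not m:
        findings.append("Strict-Transport-Security header not set")
        return findings
    hsts = m.group(1)
    if hsts != hsts.strip() or hsts.endswith(";"):
        findings.append("Strict-Transport-Security: strip leading space and trailing ';'")
    age = re.match(r"max-age=(\d+)", hsts.strip())
    if not age or int(age.group(1)) < 15552000:  # 180 days, the usual minimum recommendation
        findings.append("Strict-Transport-Security: max-age missing or below 180 days")
    return findings
```

Run `lint(open("/usr/local/etc/apache24/extra/httpd-ssl.conf").read())` after editing; the sample above produces six findings, and the page's corrected fragment produces none.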

* Creating the HOST certificate [#mb038f0c]
** # apachectl stop [#sbacb2eb]
 Stopping apache24.
 Waiting for PIDS: 878.
 
** # certbot certonly --standalone -d www.smb.net [#u3c17247]
 Saving debug log to /var/log/letsencrypt/letsencrypt.log
 Plugins selected: Authenticator standalone, Installer None
 Obtaining a new certificate
 Performing the following challenges:
 http-01 challenge for www.smb.net
 Waiting for verification...
 Cleaning up challenges
 
 IMPORTANT NOTES:
  - Congratulations! Your certificate and chain have been saved at:
    /usr/local/etc/letsencrypt/live/www.smb.net/fullchain.pem
    Your key file has been saved at:
    /usr/local/etc/letsencrypt/live/www.smb.net/privkey.pem
    Your cert will expire on 2018-09-06. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot
    again. To non-interactively renew *all* of your certificates, run
    "certbot renew"
  - If you like Certbot, please consider supporting our work by:
 
    Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
    Donating to EFF:                    https://eff.org/donate-le
 
** # apachectl start [#zc138a28]
 Performing sanity check on apache24 configuration:
 Syntax OK
 Starting apache24.

* Creating a certificate for an IP-based Virtual HOST [#dc65f060]
 # apachectl stop
 # certbot certonly --standalone -d virtualhost_FQDN
 # apachectl start

This generates the *.pem files under /usr/local/etc/letsencrypt/archive/virtualhost_FQDN.


* httpd-vhosts.conf [#y192bc4d]
