SSL
[[FAMPサーバ・スクラッチインストール]]~
CONTENTS
#contents
----
Lastmodified &lastmod;
----
* portinstall security/py-certbot [#dbcc2be4]
Installing py39-certbot-2.7.3,1...
This port installs only the "standalone" client...
and is not the certbot-auto bootstrap/wrapper script...
The simplest way to obtain a certificate is as follows:
# sudo certbot certonly --standalone -d <domain>, [...
Note:
The client needs to be able to bind TCP port 80 or 443 (depending on...
the --preferred-challenges option used). ...
temporarily stop whatever is listening on that port so that the standalone server...
can listen on that port and complete the challenge authentication process...
For details on "standalone" mode, see...
https://certbot.eff.org/docs/using.html#standalone
The certbot plugins that support Apache and nginx certificate installation...
will be available in the following ports.
* Apache plugin: security/py-certbot-apache
* Nginx plugin: security/py-certbot-nginx
To renew certificates automatically, add the following line to
/etc/periodic.conf:
Weekly_certbot_enable="YES" ← registered automatically...
Configuration details are described in the certbot periodic script
/usr/local/etc/periodic/weekly/500.certbot-3.
* Renew script [#wdab2fdb]
[Reference URLs]
https://freebsd.sing.ne.jp/daily/04/03/05.html
https://www.server-memo.net/tips/crontab.html
http://pb-times.jp/P_521ab8c540f59
Certbot_Renew.sh
#!/bin/sh
# https://freebsd.sing.ne.jp/daily/04/03/05.html
certbot \
renew \
--standalone \
--force-renewal \
--expand \
--pre-hook "/usr/local/etc/rc.d/apache24 stop" \
--post-hook "/usr/local/etc/rc.d/apache24 start"
/etc/crontab: renew once every two months
5 0 1 */2 * root /root/bin/Certbot_Renew.sh
* Renew [#z9ecc3ef]
For a default certificate renewal, the options can apparently be omitted:
certbot renew
To be explicit, do this:
certbot renew --webroot -w /usr/local/www/apache24/data/...
For a dry run, the options are as follows:
--renew-by-default --dry-run
----
*SSL Let's Encrypt [#hb9078f3]
https://www.google.co.jp/search?q=FreeBSD+Let%E2%80%99s+E...
https://letsencrypt.jp/
https://letsencrypt.org/
https://scratchpad.jp/https-with-lets-encrypt/
* certbot install on FreeBSD 11.0-RELEASE-p12 [#be89650c]
[Reference site] http://blog.goo.ne.jp/low-electric-mouse/e/...
987 8:32 locate certbot
** 988 8:35 portinstall security/py-certbot [#x4acb...
Installing py27-certbot-0.18.1,1...
========================================================...
This port installs the "standalone" Python client only, ...
is not the certbot-auto bootstrap/wrapper script.
To obtain certificates, use the 'certonly' command as fo...
# sudo certbot certonly --standalone -d [server FQDN]
Note: The client currently requires the ability to bind ...
you have a server running on this port, it will need to ...
so that the standalone server can listen on that port to...
authentication.
The certbot plugins to support apache and nginx certific...
will be made available soon in the following ports:
* Apache plugin: security/py-certbot-apache
* Nginx plugin: security/py-certbot-nginx
========================================================...
** # certbot certonly --standalone -d sun1.smb.net [#d5ae...
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and securit...
(Enter 'c' to cancel): hoge@smb.net
- - - - - - - - - - - - - - - - - - - - - - - - - - - - ...
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15...
You must agree in order to register with the ACME server...
- - - - - - - - - - - - - - - - - - - - - - - - - - - - ...
(Y)es/(N)o: Y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - ...
Would you be willing, once your first certificate is suc...
share your email address with the Electronic Frontier Fo...
partner of the Let's Encrypt project and the non-profit ...
develops Certbot? We'd like to send you email about our ...
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - ...
(Y)es/(N)o: Y
Account registered.
Requesting a certificate for sun1.smb.net
- - - - - - - - - - - - - - - - - - - - - - - - - - - - ...
Could not bind TCP port 80 because it is already in use ...
this system (such as a web server). Please stop the prog...
try again.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - ...
apachectrl stop
(R)etry/(C)ancel: R
Successfully received certificate.
Certificate is saved at: /usr/local/etc/letsencrypt/live...
Key is saved at: /usr/local/etc/letsencrypt/live...
This certificate expires on 2022-12-12.
These files will be updated when the certificate renews.
NEXT STEPS:
- The certificate will need to be renewed before it expi...
- - - - - - - - - - - - - - - - - - - - - - - - - - - - ...
If you like Certbot, please consider supporting our work...
* Donating to ISRG / Let's Encrypt: https://letsencry...
* Donating to EFF: https://eff.org/d...
- - - - - - - - - - - - - - - - - - - - - - - - - - - - ...
** # apachectl stop [#w44ec8cc]
Stopping apache24.
Waiting for PIDS: 878.
** # certbot certonly --standalone -d sun1.smb.net [#eecb...
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for sun1.smb.net
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been...
/usr/local/etc/letsencrypt/live/sun1.smb.net/fullchai...
Your key file has been saved at:
/usr/local/etc/letsencrypt/live/sun1.smb.net/privkey....
Your cert will expire on 2017-12-25. To obtain a new ...
version of this certificate in the future, simply run...
again. To non-interactively renew *all* of your certi...
"certbot renew"
- If you like Certbot, please consider supporting our w...
Donating to ISRG / Let's Encrypt: https://letsencry...
Donating to EFF: https://eff.org/d...
root@sun1:~:17_09_26:10:54 #
root@sun1:/usr/local/etc/letsencrypt:17_09_26:10:57 # ll
total 24
drwx------ 3 root wheel 512 Sep 26 10:42 accounts/
drwx------ 3 root wheel 512 Sep 26 10:54 archive/
drwxr-xr-x 2 root wheel 512 Sep 26 10:54 csr/
drwx------ 2 root wheel 512 Sep 26 10:54 keys/
drwx------ 3 root wheel 512 Sep 26 10:54 live/
drwxr-xr-x 2 root wheel 512 Sep 26 10:54 renewal/
** /usr/local/etc/apache24/extra/httpd-ssl.conf [#m8888982]
Listen 443
SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES:!IDEA
SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES:!IDEA
SSLHonorCipherOrder on
SSLProtocol all -SSLv3 -SSLv2
SSLProxyProtocol all -SSLv3 -SSLv2
SSLPassPhraseDialog builtin
SSLSessionCache "shmcb:/var/run/ssl_scache(512000)"
SSLSessionCacheTimeout 300
SSLUseStapling On
SSLStaplingCache "shmcb:/var/run/ssl_stapling(32768)"
SSLStaplingStandardCacheTimeout 3600
SSLStaplingErrorCacheTimeout 600
**/usr/local/etc/apache24/extra/httpd-vhosts.conf [#q8908...
<VirtualHost _default_:443>
Protocols h2 http/1.1 # to enable this, see later...
ServerName sun1.smb.net:443
ServerAdmin webmaster@smb.net
ErrorLog "/var/log/httpd-error.log"
TransferLog "/var/log/httpd-access.log"
SSLEngine on
SSLCertificateFile "/usr/local/etc/letsencrypt/live/sun1...
SSLCertificateKeyFile "/usr/local/etc/letsencrypt/live/s...
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/usr/local/www/apache24/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-5]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog "/var/log/httpd-ssl_request.log" \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" ...
</VirtualHost>
# Add the following single line at the end of the file. ...
Header set Strict-Transport-Security " max-age=315360000;"
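As an added example (not from the original page, nor from the certbot or Apache projects), the following Python audits the TLS-relevant directives quoted above by applying mod_ssl's SSLProtocol token semantics: the page's `SSLProtocol all -SSLv3 -SSLv2` still leaves TLSv1 and TLSv1.1 enabled, which the audit reports, while a constructed hardened variant (TLS 1.2/1.3 only) passes every check. Assumptions: `ALL_PROTOCOLS` is what `all` expands to on Apache 2.4 built against OpenSSL 1.1.1 (SSLv2 is unsupported there, so `-SSLv2` is ignored), the absent-directive default is `all -SSLv3`, and all function and constant names are mine.

```python
import re

# Assumption: what "all" expands to in Apache 2.4 mod_ssl built against
# OpenSSL 1.1.1; SSLv2 is not supported there, so "-SSLv2" is a no-op.
ALL_PROTOCOLS = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
WEAK_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}

# TLS-relevant lines copied from the httpd-ssl.conf / httpd-vhosts.conf above.
PAGE_CONFIG = """
SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES:!IDEA
SSLHonorCipherOrder on
SSLProtocol all -SSLv3 -SSLv2
SSLUseStapling On
Header set Strict-Transport-Security " max-age=315360000;"
"""
# Constructed hardened variant: same fragment, TLS 1.2 and 1.3 only.
HARDENED_CONFIG = PAGE_CONFIG.replace("all -SSLv3 -SSLv2", "-all +TLSv1.2 +TLSv1.3")

def effective_protocols(value):
    """Apply SSLProtocol token semantics: 'all', '+X', '-X' or bare 'X'."""
    enabled = set()
    for tok in value.split():
        name = tok.lstrip("+-")
        if name.lower() == "all":
            names = ALL_PROTOCOLS
        elif name in ALL_PROTOCOLS:
            names = [name]
        else:
            continue  # unknown to this build (e.g. SSLv2): accepted, ignored
        if tok.startswith("-"):
            enabled.difference_update(names)
        else:
            enabled.update(names)
    return enabled

def parse_directives(text):
    """Map directive name -> argument string, skipping blanks and comments."""
    lines = (ln.strip() for ln in text.splitlines())
    return dict(ln.partition(" ")[::2] for ln in lines if ln and not ln.startswith("#"))

def audit(text):
    """Return findings for one fragment; an empty list means every check passed."""
    d = parse_directives(text)
    findings = []
    protocols = effective_protocols(d.get("SSLProtocol", "all -SSLv3"))  # 2.4 default, assumed
    findings += [f"{p} still enabled" for p in sorted(protocols & WEAK_PROTOCOLS)]
    cipher_tokens = d.get("SSLCipherSuite", "").split(":")
    findings += [f"cipher suite does not exclude {w}" for w in ("MD5", "RC4", "3DES")
                 if f"!{w}" not in cipher_tokens]
    for directive, label in (("SSLHonorCipherOrder", "server cipher preference"),
                             ("SSLUseStapling", "OCSP stapling")):
        if d.get(directive, "").lower() != "on":
            findings.append(f"{label} is not on")
    hsts = d.get("Header", "")
    if "Strict-Transport-Security" not in hsts or not re.search(r"max-age=\d+", hsts):
        findings.append("HSTS header missing or without max-age")
    return findings
```

Running `audit(PAGE_CONFIG)` on the page's own directives reports only the two legacy TLS versions; everything else on the page (cipher exclusions, cipher order, stapling, HSTS) passes.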
** /usr/local/etc/apache24/httpd.conf [#af263219]
If the following lines are commented out, uncomment them.
LoadModule log_config_module libexec/apache24/mod_log_co...
LoadModule setenvif_module libexec/apache24/mod_setenvif...
LoadModule ssl_module libexec/apache24/mod_ssl.so
LoadModule socache_shmcb_module libexec/apache24/mod_soc...
Likewise, make sure the configuration files under /usr/local/etc/apache24/extra are read...
Include etc/apache24/extra/httpd-vhosts.conf
Include etc/apache24/extra/httpd-ssl.conf
** # certbot renew --webroot -w /usr/local/www/apache24/d...
Saving debug log to /var/log/letsencrypt/letsencrypt.log
--------------------------------------------------------...
Processing /usr/local/etc/letsencrypt/renewal/sun1.smb.n...
--------------------------------------------------------...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for sun1.smb.net
Using the webroot path /usr/local/www/apache24/data for ...
Waiting for verification...
Cleaning up challenges
--------------------------------------------------------...
new certificate deployed without reload, fullchain is
/usr/local/etc/letsencrypt/live/sun1.smb.net/fullchain.pem
--------------------------------------------------------...
--------------------------------------------------------...
** DRY RUN: simulating 'certbot renew' close to cert exp...
** (The test certificates below have not been s...
Congratulations, all renewals succeeded. The following c...
/usr/local/etc/letsencrypt/live/sun1.smb.net/fullchain...
** DRY RUN: simulating 'certbot renew' close to cert exp...
** (The test certificates above have not been s...
--------------------------------------------------------...
IMPORTANT NOTES:
- Your account credentials have been saved in your Cert...
configuration directory at /usr/local/etc/letsencrypt...
make a secure backup of this folder now. This configu...
directory will also contain certificates and private ...
by Certbot so making regular backups of this folder i...
** # crontab -e [#yc19ab82]
Add the following entry.
0 2,5 * * * /usr/local/bin/certbot renew --agree-tos --w...
----
* # portinstall www/mod_http2 [#y4cc6541]
Installing ap24-mod_http2-2.0.21...
NOTE: The default www/apache24 package already contains ...
This port exists for advance bug- and security fix deliv...
The module shlib file has been renamed from mod_http2 to...
allow the www/apache24 bundled and this (usually newer) ...
coexist. Change the LoadModule line in your Apache confi...
LoadModule http2_module ${modDir}/mod_http2.so
to
LoadModule http2_module ${modDir}/mod_h2.so
to enable this port's module.
===> Cleaning for ap24-mod_http2-2.0.21
** /usr/local/etc/apache24/httpd.conf [#qb8920db]
After the last LoadModule line, add the module load for http2_module...
LoadModule http2_module libexec/apache24/mod_h2.so
** /usr/local/etc/apache24/extra/httpd-ssl.conf [#d627cbc6]
Below <VirtualHost _default_:443>, append the following directive...
Protocols h2 http/1.1
----
Total access &counter(total);: today &counter(today);: yesterday...
#counter([total|today|yesterday]);