SSL

Last-modified: 2018-06-08 (Fri) 16:23:19


SSL: Let's Encrypt with Virtual_Host

portinstall security/py-certbot

certbot certonly --standalone -d www.smb.net

This creates /usr/local/etc/letsencrypt.

portinstall www/mod_http2-devel

Changes to /usr/local/etc/apache24/httpd.conf

Uncomment the following lines if they are commented out.

LoadModule log_config_module libexec/apache24/mod_log_config.so
LoadModule setenvif_module libexec/apache24/mod_setenvif.so
LoadModule ssl_module libexec/apache24/mod_ssl.so
LoadModule socache_shmcb_module libexec/apache24/mod_socache_shmcb.so

Additional setting

LoadModule http2_module libexec/apache24/mod_h2.so

Below the LoadModule lines, add the following directive (it loads the SSL configuration).

Include etc/apache24/extra/httpd-ssl.conf

vi /usr/local/etc/apache24/extra/httpd-ssl.conf

Listen 443
SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES:!IDEA
SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES:!IDEA
SSLHonorCipherOrder on 
SSLProtocol all -SSLv3 -SSLv2
SSLProxyProtocol all -SSLv3 -SSLv2
SSLPassPhraseDialog  builtin
SSLSessionCache        "shmcb:/var/run/ssl_scache(512000)"
SSLSessionCacheTimeout  300
SSLUseStapling On
SSLStaplingCache "shmcb:/var/run/ssl_stapling(32768)"
SSLStaplingStandardCacheTimeout 3600
SSLStaplingErrorCacheTimeout 600

<VirtualHost _default_:443>
# To enable h2, install www/mod_http2-devel first (portinstall www/mod_http2-devel).
# Apache does not allow comments on the same line as a directive, so keep this on its own line.
Protocols h2 http/1.1
ServerName sun1.smb.net:443
ServerAdmin webmaster@smb.net
ErrorLog "/var/log/httpd-error.log"
TransferLog "/var/log/httpd-access.log"
SSLEngine on
SSLCertificateFile "/usr/local/etc/letsencrypt/live/www.smb.net/fullchain.pem"
SSLCertificateKeyFile "/usr/local/etc/letsencrypt/live/www.smb.net/privkey.pem"
<FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/usr/local/www/apache24/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-5]" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
CustomLog "/var/log/httpd-ssl_request.log" \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

# Append the following line at the end of the file.
Header set Strict-Transport-Security "max-age=315360000"
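The following shell script is an added example and is not part of this page or of the Apache/certbot ports; it reads the httpd.conf and httpd-ssl.conf described above and prints the points a reviewer would raise before going live: `SSLProtocol all -SSLv3 -SSLv2` still leaves TLS 1.0 and TLS 1.1 enabled, the cipher list must exclude RC4, 3DES and MD5 explicitly, `SSLHonorCipherOrder` must be on, and the `Header` directive used for HSTS is provided by mod_headers, which the LoadModule list above does not mention. The file paths default to the page's; `APACHE_CONF` and `APACHE_SSL_CONF` are assumed variable names for overriding them.

```shell
#!/bin/sh
# Added example: static audit of the Apache TLS settings from this page.
# Assumed paths (override with APACHE_CONF / APACHE_SSL_CONF): the page's
# httpd.conf and extra/httpd-ssl.conf.

# Print the value of the first uncommented occurrence of a directive
# (case-insensitive, like Apache itself); prints nothing if absent.
directive() {   # $1 = file, $2 = directive name
    awk -v d="$2" 'tolower($1) == tolower(d) { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# True if the first argument is equal to one of the remaining arguments.
has_token() {
    t=$1; shift
    for w in "$@"; do [ "$w" = "$t" ] && return 0; done
    return 1
}

finding() { echo "FINDING: $*"; }

# Audit httpd.conf ($1) and httpd-ssl.conf ($2); prints one FINDING line per issue.
audit_ssl_conf() {
    conf=$1; ssl=$2

    # 1. Protocol versions. "all" enables every version mod_ssl knows, so each
    #    legacy version has to be removed explicitly; "all -SSLv3 -SSLv2"
    #    still leaves TLS 1.0 and TLS 1.1 on.
    set -- $(directive "$ssl" SSLProtocol)
    if [ $# -eq 0 ]; then
        finding "no SSLProtocol directive (mod_ssl default applies)"
    elif has_token all "$@"; then
        for v in SSLv2 SSLv3 TLSv1 TLSv1.1; do
            has_token "-$v" "$@" || finding "SSLProtocol leaves $v enabled"
        done
    fi

    # 2. Cipher list: the weak families must be excluded explicitly, and the
    #    server must impose its own preference order.
    suite=$(directive "$ssl" SSLCipherSuite)
    for c in RC4 3DES MD5; do
        case ":$suite:" in
            *":!$c:"*) ;;
            *) finding "SSLCipherSuite does not exclude $c" ;;
        esac
    done
    [ "$(directive "$ssl" SSLHonorCipherOrder | tr '[:upper:]' '[:lower:]')" = on ] ||
        finding "SSLHonorCipherOrder is not on"

    # 3. HSTS: "Header" is a mod_headers directive, so httpd.conf must load
    #    headers_module or httpd rejects the configuration.
    if grep -iq '^[[:space:]]*Header .*Strict-Transport-Security' "$ssl"; then
        grep -q '^[[:space:]]*LoadModule[[:space:]]*headers_module' "$conf" ||
            finding "Strict-Transport-Security is set but headers_module is not loaded in httpd.conf"
    else
        finding "no Strict-Transport-Security header"
    fi

    # 4. Certificate and key must be configured.
    for d in SSLCertificateFile SSLCertificateKeyFile; do
        [ -n "$(directive "$ssl" "$d")" ] || finding "$d is missing"
    done
    return 0
}

# Run against the live files when they are readable.
APACHE_CONF=${APACHE_CONF:-/usr/local/etc/apache24/httpd.conf}
APACHE_SSL_CONF=${APACHE_SSL_CONF:-/usr/local/etc/apache24/extra/httpd-ssl.conf}
if [ -r "$APACHE_CONF" ] && [ -r "$APACHE_SSL_CONF" ]; then
    audit_ssl_conf "$APACHE_CONF" "$APACHE_SSL_CONF"
fi
```

Run with `sh audit.sh` on the server after editing the two files; an empty output means no findings. Commented-out directives are ignored, so a `#SSLProtocol` line does not count as configured.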

Creating the host certificate

# apachectl stop

    Stopping apache24.
    Waiting for PIDS: 878.

# certbot certonly --standalone -d www.smb.net

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.smb.net
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /usr/local/etc/letsencrypt/live/www.smb.net/fullchain.pem
   Your key file has been saved at:
   /usr/local/etc/letsencrypt/live/www.smb.net/privkey.pem
   Your cert will expire on 2018-09-06. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

# apachectl start

Performing sanity check on apache24 configuration:
Syntax OK
Starting apache24.

Creating certificates for IP-based virtual hosts

# apachectl stop
# certbot certonly --standalone -d virtualhost_FQDN
# apachectl start

This generates the *.pem files under /usr/local/etc/letsencrypt/archive/virtualhost_FQDN.
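Both certificate sections above obtain a certificate by stopping Apache, running certbot in standalone mode on port 80, and starting Apache again; certbot's own output notes that the certificate expires after about three months and that `certbot renew` renews everything non-interactively. The script below is an added example, not from this page or from certbot, that turns those two facts into a check and a renewal command: it reports every certificate under the page's `live/` directory that expires within `WARN_DAYS`, and `renew_all` runs `certbot renew` with `--pre-hook`/`--post-hook` so that Apache is stopped and restarted only when a renewal actually happens. `LE_LIVE` and `WARN_DAYS` are assumed variable names; certbot and openssl are assumed to be in PATH.

```shell
#!/bin/sh
# Added example: expiry check and renewal for the Let's Encrypt certificates
# obtained on this page. Assumes certbot and openssl in PATH; LE_LIVE defaults
# to the page's live/ directory.

LE_LIVE=${LE_LIVE:-/usr/local/etc/letsencrypt/live}
WARN_DAYS=${WARN_DAYS:-30}

# Unix epoch for a date in the format openssl prints after "notAfter=",
# e.g. "Sep  6 12:00:00 2018 GMT". GNU date (Linux) and BSD date (FreeBSD)
# take different arguments, so both are handled.
notafter_epoch() {
    if date --version >/dev/null 2>&1; then
        date -u -d "$1" +%s
    else
        date -j -u -f '%b %e %H:%M:%S %Y %Z' "$1" +%s
    fi
}

# Whole days until the certificate in a PEM file expires (0 or negative once expired).
cert_days_left() {
    notafter=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
    exp=$(notafter_epoch "$notafter")
    now=$(date -u +%s)
    echo $(( (exp - now) / 86400 ))
}

# Print "<name> <days>" for every certificate under LE_LIVE that expires
# within WARN_DAYS; prints nothing when all certificates are fine.
expiring_certs() {
    for dir in "$LE_LIVE"/*/; do
        [ -f "$dir/fullchain.pem" ] || continue
        days=$(cert_days_left "$dir/fullchain.pem")
        name=$(basename "$dir")
        [ "$days" -le "$WARN_DAYS" ] && echo "$name $days"
    done
    return 0
}

# Renew whatever is due. certbot's standalone authenticator needs port 80,
# so Apache is stopped before and started after, as in the manual steps on
# this page. With "certbot renew" the hooks only run when at least one
# certificate is actually renewed, so a no-op run leaves Apache untouched.
renew_all() {
    certbot renew --pre-hook "apachectl stop" --post-hook "apachectl start"
}

# Usage: sh le-check.sh         -> report certificates expiring within WARN_DAYS
#        sh le-check.sh renew   -> renew due certificates
case "${1:-}" in
    renew) renew_all ;;
    *) if [ -d "$LE_LIVE" ]; then expiring_certs; fi ;;
esac
```

Run the report from cron (for example daily) and alert on any output; run the renew form from cron as well, since `certbot renew` is a no-op until a certificate is within its renewal window.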

httpd-vhosts.conf
