#author("2018-08-26T03:34:53+09:00","","")
[[CentOS7]]
*Encrypting web server communications (Apache+nginx) [#o02bf971]
[[Let's Encrypt>https://letsencrypt.jp/]] is a certificate authority that issues certificates free of charge, and they may be used commercially. Getting the ''SSL'' certificate needed for ''https'' issued for free: what a good time to be in.
The catch is that each certificate is only valid for &color(red){''90''}; days, and renewing by hand every time is tedious, so let's automate it.
*Installing Let's Encrypt [#vbe41c1e]
|BGCOLOR(black):COLOR(white):|c
|[root@localhost ~]# cd /usr/local/ &color(lime){← change directory};|
|[root@localhost local]# git clone https://github.com/certbot/certbot &color(lime){← download the Certbot client};|
|[root@localhost local]# cd &color(lime){← change directory};|
|[root@localhost ~]# /usr/local/certbot/certbot-auto -n &color(lime){← install the Certbot client};|
*Issuing the SSL certificate [#d6341c49]
|BGCOLOR(black):COLOR(white):|c
|[root@localhost ~]# /usr/local/certbot/certbot-auto certonly|
|Saving debug log to /var/log/letsencrypt/letsencrypt.log &br; &br; How would you like to authenticate with the ACME CA? &br; - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - &br; 1: Apache Web Server plugin - Beta (apache) &br; 2: Nginx Web Server plugin (nginx) &br; 3: Spin up a temporary webserver (standalone) &br; 4: Place files in webroot directory (webroot) &br; - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - &br; Select the appropriate number [1-4] then [enter] (press 'c' to cancel): &color(lightpink){2}; &color(lime){← select 2 (Nginx)}; &br; &br; Plugins selected: Authenticator nginx, Installer None &br; Please enter in your domain name(s) (comma and/or space separated) (Enter 'c' &br; to cancel): &color(lightpink){hoge.jp}; &color(lime){← enter the domain name (FQDN)}; &br; &br; Obtaining a new certificate &br; Performing the following challenges: &br; http-01 challenge for &color(lime){hoge.jp}; &br; Waiting for verification... &br; Cleaning up challenges &br; &br; IMPORTANT NOTES: &br; - Congratulations! Your certificate and chain have been saved at: &br; /etc/letsencrypt/live/&color(lime){hoge.jp};/fullchain.pem &br; Your key file has been saved at: &br; /etc/letsencrypt/live/&color(lime){hoge.jp};/privkey.pem &br; Your cert will expire on 2018-11-23. To obtain a new or tweaked &br; version of this certificate in the future, simply run certbot-auto &br; again. To non-interactively renew *all* of your certificates, run &br; "certbot-auto renew" &br; - If you like Certbot, please consider supporting our work by: &br; &br; Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate &br; Donating to EFF: https://eff.org/donate-le|
Follow the prompts to proceed.
*Creating the dhparam file [#w6ca0363]
When configuring ''SSL'' in ''nginx'', one of the parameters you need is "''ssl_dhparam''". It became a required parameter as of ''nginx'' ''1.11.0'', and it points to a file holding the prime used by the key exchange algorithm.
The file has to be generated with the ''openssl'' command. Here it is saved under "''/etc/nginx/ssl/''".
**Creating the directory for the file [#i457c354]
|BGCOLOR(black):COLOR(white):|c
|[root@localhost ~]# mkdir /etc/nginx/ssl|
**Creating the file with the openssl command [#k3728ea6]
|BGCOLOR(black):COLOR(white):|c
|[root@localhost ~]# openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048|
|Generating DH parameters, 2048 bit long safe prime, generator 2 &br; This is going to take a long time &br; ................................................+.................................................. &br; ....................+.............................................................................. &br; (omitted) &br; ........................................+..........................................+............... &br; .............++*++*|
Depending on the server's performance this can take quite a while; don't interrupt it, just wait. If the prompt returns without an error message, the command has completed.
*Web server (nginx) configuration [#f55b3c0e]
|BGCOLOR(black):COLOR(white):|c
|[root@localhost ~]# vi /etc/nginx/sites-available/hoge.com.conf|
|server { &br; listen 80; &br; server_name hoge.com www.hoge.com; &br; rewrite ^ https://$server_name$request_uri? permanent; &br; } &br; &br; server { &br; listen 443 ssl; &br; server_name hoge.com www.hoge.com; &br; access_log /var/log/nginx/hoge.com-access.log main; &br; error_log /var/log/nginx/hoge.com-error.log; &br; root /home/www/hoge.com; &br; &br; ssl_certificate /etc/letsencrypt/live/hoge.com/fullchain.pem; &br; ssl_certificate_key /etc/letsencrypt/live/hoge.com/privkey.pem; &br; ssl_session_timeout 1d; &br; ssl_session_cache shared:SSL:50m; &br; ssl_session_tickets on; &br; ssl_dhparam /etc/nginx/ssl/dhparam.pem; &br; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; &br; ssl_ciphers HIGH:!aNULL:!MD5; &br; ssl_prefer_server_ciphers on; &br; &br; location / { &br; index index.php index.html; &br; } &br; &br; location ~ \.php$ { &br; root /home/www/hoge.com; &br; try_files $uri $uri/ =404; &br; fastcgi_index index.php; &br; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; &br; include fastcgi_params; &br; } &br; }|
|[root@localhost ~]# systemctl restart nginx &color(lime){← restart nginx};|
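Before restarting nginx it is worth checking the directives set above. The script below is an added example, not part of the page: it reads the ssl_* directives from the config file, flags protocol versions older than TLSv1.2 (the page's ssl_protocols line still lists TLSv1 and TLSv1.1, which are obsolete), checks that the dhparam file exists and is at least 2048 bits, and checks that the certificate and key files exist. It assumes the config was saved at the vi path shown and that openssl is installed.

```shell
#!/bin/sh
# Added example (not the page's own code): sanity checks for the nginx TLS
# server block above, run before "systemctl restart nginx".

# Value of one directive (first match) from a config file, skipping
# commented-out lines and dropping the trailing semicolon.
directive_value() {
    grep -v '^[[:space:]]*#' "$2" \
        | sed -n "s/^[[:space:]]*$1[[:space:]]\{1,\}\(.*\);.*/\1/p" | head -n 1
}

# Enabled protocol versions older than TLSv1.2, one per line (empty = fine).
weak_protocols() {
    for p in $(directive_value ssl_protocols "$1"); do
        case "$p" in
            SSLv2|SSLv3|TLSv1|TLSv1.1) echo "$p" ;;
        esac
    done
}

# Bit length of a DH parameter file, as reported by openssl.
dhparam_bits() {
    openssl dhparam -in "$1" -noout -text | sed -n 's/.*(\([0-9]*\) bit).*/\1/p'
}

# Run every check on one config file; returns non-zero if anything is wrong.
check_tls_conf() {
    rc=0
    weak=$(weak_protocols "$1")
    if [ -n "$weak" ]; then
        echo "obsolete protocols enabled:" $weak; rc=1
    fi
    dh=$(directive_value ssl_dhparam "$1")
    if [ ! -f "$dh" ]; then
        echo "ssl_dhparam file missing: $dh"; rc=1
    elif [ "$(dhparam_bits "$dh")" -lt 2048 ]; then
        echo "ssl_dhparam shorter than 2048 bits: $dh"; rc=1
    fi
    for d in ssl_certificate ssl_certificate_key; do
        f=$(directive_value "$d" "$1")
        [ -f "$f" ] || { echo "$d file missing: $f"; rc=1; }
    done
    return $rc
}
```

Run it as `check_tls_conf /etc/nginx/sites-available/hoge.com.conf && nginx -t` before the restart; with the config exactly as shown it reports the TLSv1/TLSv1.1 entries, which can simply be dropped from ssl_protocols.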
*Setting up automatic renewal with cron [#kf676d12]
A ''Certbot'' server certificate is valid for three months, so set the server certificate to be renewed automatically every month.
|BGCOLOR(black):COLOR(white):|c
|[root@localhost ~]# vi /etc/cron.monthly/certbot &color(lime){← create the automatic certificate renewal script};|
|#!/bin/sh &br; log=`mktemp` &br; code=0 &br; &br; # &br; # Renew certificates &br; # &br; for conf in `ls /etc/letsencrypt/renewal/` &br; do &br; # Get the domain name &br; domain=`echo ${conf} | sed -e 's/\([^ ]*\)\.conf/\1/p' -e d` &br; &br; # Get the authentication method &br; authenticator=`grep authenticator /etc/letsencrypt/renewal/${conf} | awk '{print $3}'` &br; &br; if [ "${authenticator}" = 'webroot' ]; then &br; # Webroot authentication &br; &br; # Get the document root &br; webroot=`grep -A 1 webroot_map /etc/letsencrypt/renewal/${conf} | grep = | awk '{print $3}'` &br; &br; # Renew the certificate &br; /usr/local/certbot/certbot-auto certonly --webroot \ &br; -w ${webroot} -d ${domain} --renew-by-default >> ${log} 2>&1 &br; [ $? -ne 0 ] && cat ${log} &br; else &br; # Standalone authentication &br; &br; # Renew the certificate &br; lsof -i:80 > /dev/null 2>&1 &br; if [ $? -eq 0 ]; then &br; echo 'Webサーバー稼働中のためスタンドアロン認証不可' &br; else &br; /usr/local/certbot/certbot-auto certonly -a standalone \ &br; -d ${domain} --renew-by-default >> ${log} 2>&1 &br; [ $? -ne 0 ] && cat ${log} &br; fi &br; fi &br; done &br; &br; # &br; # Apply the renewed certificates &br; # &br; &br; # Reload the web server configuration &br; lsof -i:443 > /dev/null 2>&1 &br; if [ $? -eq 0 ]; then &br; rpm -q systemd > /dev/null 2>&1 &br; if [ $? -eq 0 ]; then &br; systemctl reload httpd &br; else &br; /etc/rc.d/init.d/httpd reload > /dev/null 2>&1 &br; fi &br; fi &br; &br; # Reload the SMTP server configuration &br; lsof -i:465 > /dev/null 2>&1 &br; if [ $? -eq 0 ]; then &br; rpm -q systemd > /dev/null 2>&1 &br; if [ $? -eq 0 ]; then &br; systemctl reload postfix &br; else &br; /etc/rc.d/init.d/postfix reload > /dev/null 2>&1 &br; fi &br; fi &br; &br; # Reload the IMAP server configuration &br; lsof -i:995 > /dev/null 2>&1 &br; if [ $? -eq 0 ]; then &br; rpm -q systemd > /dev/null 2>&1 &br; if [ $? -eq 0 ]; then &br; systemctl reload dovecot &br; else &br; /etc/rc.d/init.d/dovecot reload > /dev/null 2>&1 &br; fi &br; fi &br; &br; # &br; # Send the log to syslog, then delete it &br; # &br; cat ${log} | logger -t `basename ${0}` ; rm -f ${log}|
|[root@localhost ~]# chmod +x /etc/cron.monthly/certbot &color(lime){← make the renewal script executable};|
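The script above forces a renewal every month with --renew-by-default and reloads httpd, although the server configured on this page is nginx. The following is an added example, not the page's script: a /etc/cron.monthly job that reads the renewal conf files like the page's loop does, lets "certbot-auto renew" decide which certificates are actually due (forced monthly renewals only burn Let's Encrypt rate limits), stops nginx around a standalone renewal instead of skipping it, and reloads nginx only after a certificate was replaced. It assumes certbot's standard layout under /etc/letsencrypt and the install path used on this page; the conf file in the test is constructed.

```shell
#!/bin/sh
# Added example, not the page's script: monthly certificate renewal that
# relies on "certbot-auto renew" to pick the certificates that are due and
# reloads nginx (the server this page configures) only when one was replaced.
# Paths follow certbot's standard layout; CERTBOT is the page's install path.
RENEWAL_DIR="${RENEWAL_DIR:-/etc/letsencrypt/renewal}"
CERTBOT="${CERTBOT:-/usr/local/certbot/certbot-auto}"

# The domain is the renewal conf's basename without ".conf".
renewal_domain() {
    basename "$1" .conf
}

# Value of one key from the [renewalparams] section only, so a key that also
# appears under [[webroot_map]] or above the section is never picked up.
renewal_param() {
    sed -n '/^\[renewalparams\]/,/^\[/p' "$1" \
        | sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" | head -n 1
}

# Renew every lineage, choosing the hooks from its stored authenticator.
renew_all() {
    for conf in "$RENEWAL_DIR"/*.conf; do
        [ -f "$conf" ] || continue
        domain=$(renewal_domain "$conf")
        if [ "$(renewal_param "$conf" authenticator)" = standalone ]; then
            # standalone binds port 80 itself, so nginx is stopped around the
            # renewal instead of the page's "web server running, skip" branch
            set -- --pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx"
        else
            # webroot/nginx authenticators only need a reload, and deploy-hook
            # runs it only when a new certificate was actually installed
            set -- --deploy-hook "systemctl reload nginx"
        fi
        "$CERTBOT" renew --cert-name "$domain" --non-interactive "$@" 2>&1 \
            | logger -t "$(basename "$0")"
    done
}

# Nothing to do until certbot has issued at least one certificate.
if [ -d "$RENEWAL_DIR" ]; then
    renew_all
fi
```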