ssl の変更点   


#author("2021-08-25T03:37:51+00:00","default:pentacle","pentacle")
* info [#n04a6e14]
- Let's Encrypt でお手軽に入れる方法。真面目にやる場合は後述

* centos7 [#c5d1420f]

 sudo yum install epel-release
 sudo yum install certbot python-certbot-apache

* centos8 [#sf200329]
 rm /usr/local/bin/certbot-auto
 dnf install epel-release
 dnf upgrade
 dnf install snapd
 systemctl enable --now snapd.socket
 ln -s /var/lib/snapd/snap /snap
 snap install core
 snap refresh core
 snap install --classic certbot
 ln -s /snap/bin/certbot /usr/bin/certbot
 certbot --apache


** 設定 [#k80d6ba0]
 /usr/local/bin/certbot-auto certonly --webroot -w /var/www/html/ -d 【example.com】 --agree-tos -n --email=xxx@xxx.xxx


** 次に ssl モジュール [#af0bd323]
 dnf install mod_ssl
 cd /etc/httpd/conf.d
 grep -v '^#' ssl.conf > ssl.conf.bak

とりあえずここだけ変えて確認
''ssl.conf''
 SSLCertificateFile /etc/letsencrypt/live/【example.com】/cert.pem
 SSLCertificateKeyFile /etc/letsencrypt/live/【example.com】/privkey.pem
 SSLCertificateChainFile /etc/letsencrypt/live/【example.com】/chain.pem

''httpd.conf''
#pre{{
<VirtualHost *:80>
  RewriteEngine on
  RewriteCond %{HTTPS} off
  RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
</VirtualHost>
}}

 service httpd restart


** apache [#cda65d2c]
 yum -y install mod_ssl


* ubuntu18 [#ja2635d1]
 sudo apt install apache2
 sudo add-apt-repository ppa:certbot/certbot
 sudo apt-get update
 sudo apt-get install certbot python-certbot-apache


* SSL 設定 [#wb834813]
 cd /etc/httpd/conf 
 mkdir ssl.key -m 700
 cd ssl.key
 openssl genrsa 2048 > server.key
 chmod 400 server.key

 cd /etc/httpd/conf
 openssl req -new -key ssl.key/server.key > server.csr

 JP
 Tokyo
 Shinagawa-Ku
 Example Company.
 R&D
 hostname.net
 mailaddress

 cd /etc/httpd/conf
 mkdir ssl.crt 
 cd ssl.crt

本物の場合はここで、認証局に csr を送って crt を返してもらう~
オレオレ証明の場合は自分で署名する
 cd ssl.crt
 openssl x509 -in ../server.csr -days 365 -req -signkey ../ssl.key/server.key  > server.crt

''/etc/httpd/conf.d/ssl.conf''
 SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
 SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key

 service httpd restart

* ssl の設定 [#n81d4ccb]
''/etc/httpd/conf.d/ssl.conf''
（注: 下記の SSLProtocol は TLSv1 / TLSv1.1 も有効にしているが、これらは現在は非推奨のため、新規に設定する場合は +TLSv1.2 以降のみを有効にすることが望ましい）
 <VirtualHost *:443>
    ServerName ssl.example.com:443
    SSLProtocol -ALL +TLSv1 +TLSv1.1 +TLSv1.2
    SSLHonorCipherOrder on
 #   SSLCipherSuite EECDH+HIGH:EDH+HIGH:HIGH:MEDIUM:+3DES:!ADH:!RC4:!MD5:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!PSK:!SRP:!DSS:!KRB5
    SSLCipherSuite !DSS:EDH+AESGCM:ECDSA+AESGCM:EECDH+AESGCM:-AES128
    SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
    # 中間証明書をダウンロードしてくる
    SSLCertificateChainFile /etc/httpd/conf/ssl.crt/【取得した中間証明書】.cer
  :
 </VirtualHost>

* http => https にリダイレクトする [#d0aac763]
''/etc/httpd/conf/httpd.conf''
 <VirtualHost *:80>
   RewriteEngine on
   RewriteCond %{HTTPS} off
   RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
 </VirtualHost>

* Let's encrypt [#j6921a84]

aws cli と相性が悪いので注意

*** install [#f28846bb]
 yum --enablerepo=epel install certbot python-certbot-apache
 pip install --upgrade pip
# pip install requests --ignore-installed
# pip install --upgrade --force-reinstall 'requests==2.6.0'

 pip install -U pip
 pip install cryptography --upgrade

 pip install --upgrade pip
 pip install requests --ignore-installed
 pip install --upgrade --force-reinstall 'requests==2.6.0'


 certbot certonly --webroot -w /var/www/【documentroot】/ -d 【example.com】 --agree-tos -n --email=xxx@xxx.xxx

上記を実行すると~
/var/www/html/.well-known/ が作成され、~
http://example.com/.well-known/xxxxx~
にアクセスがあり、そのドメイン(正確にはURL)を確かに所有していることが証明される。~
ので、上記URLをアクセス可能にしておく必要がある。~


※ 例えば、apache から他のシステムに丸ごと reverse proxy 等している場合は virtual host 内に下記を追加する必要がある

    ProxyPass /.well-known/ !
    ProxyPass / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/


''/etc/httpd/conf.d/ssl.conf''
  SSLCertificateFile /etc/letsencrypt/live/【example.com】/cert.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/【example.com】/privkey.pem
  SSLCertificateChainFile /etc/letsencrypt/live/【example.com】/chain.pem
  # basic 認証サイトでは下記を記載しておかないと自動更新されなくなる
  <LocationMatch /.well-known*>
    Satisfy any
    order allow,deny
    allow from all
  </LocationMatch>

 service httpd restart


* ubuntu18 [#veef8175]
 sudo apt ssl
 sudo a2enmod ssl
 sudo a2enmod rewrite
 sudo a2enmod proxy
 sudo a2enmod proxy_http
 sudo a2enmod headers

/etc/apache2/sites-available/000-default.conf


*** cron update [#k4c013e7]
10日に一回更新チェックを行う（ログの出力先 /var/tmp は誰でも書き込めるディレクトリなので、/var/log 配下など root のみ書き込める場所にした方がよい）
''/etc/crontab''
 0 4 2 * * root /bin/certbot renew --post-hook "systemctl restart httpd" >> /var/tmp/cert.log
 0 4 12 * * root /bin/certbot renew --post-hook "systemctl restart httpd" >> /var/tmp/cert.log
 0 4 22 * * root /bin/certbot renew --post-hook "systemctl restart httpd" >> /var/tmp/cert.log

*** ubuntu [#zb10fc2f]
 0 4 2 * * root /bin/certbot renew --post-hook "systemctl restart apache2" >> /var/tmp/cert.log
 0 4 12 * * root /bin/certbot renew --post-hook "systemctl restart apache2" >> /var/tmp/cert.log
 0 4 22 * * root /bin/certbot renew --post-hook "systemctl restart apache2" >> /var/tmp/cert.log





----
* ubuntu20 [#if6719d8]
 snap install core
 snap refresh core
 snap install --classic certbot
 apt-get install apache2
 a2ensite default-ssl

 apt-get install libapache2-mod-auth-openidc
 a2enmod auth_openidc
 a2enmod include
 apt install php libapache2-mod-php