# Running free SSL with Let's Encrypt

Installation steps for Let's Encrypt (hereafter LE).

## Installation steps

- Download LE
- Preparation: prove ownership of the domain on port 80
- Obtain the certificate with LE
- Diffie-Hellman parameters
- Port 443 / port 80 configuration after LE is installed
- Configure automatic renewal

The following walks through an example deployment for secure.example.com.
## Downloading LE

```shell
$ git clone https://github.com/letsencrypt/letsencrypt.git
```
## Preparation: prove ownership of the domain on port 80

nginx config before LE is installed:

```shell
$ cat /etc/nginx/sites-enabled/secure.example.com
```

```nginx
server {
    listen 80;
    server_name secure.example.com;
    # LE writes its challenge files under this webroot and the ACME server fetches them over plain HTTP
    location '/.well-known/acme-challenge' {
        default_type "text/plain";
        root /tmp/letsencrypt-auto;
    }
    location / {
        root /tmp/letsencrypt-auto;
        # Enable the redirect to HTTPS only after the certificate has been issued
        #return 301 https://$server_name$request_uri;
    }
}
```

Apply the configuration to nginx:

```shell
$ sudo service nginx configtest && sudo service nginx reload
```

If this reports an error, something in the nginx configuration is wrong; fix it and repeat until it passes.
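Before running letsencrypt-auto it is worth confirming that the port-80 server block above really serves a file out of the challenge directory, because a wrong `root` or a redirect to HTTPS that is already active is the usual cause of a failed authorization. The preflight script below is an added example and is not part of the original post; the webroot /tmp/letsencrypt-auto and the domain are taken from the post, and `curl` is assumed to be installed. It stages a random token the way LE does, fetches it over HTTP, and compares the two.

```shell
#!/bin/bash
# Added example (not from the original post): stage a dummy token under the
# webroot and fetch it over port 80 the way the ACME server will, so that a
# misconfigured location block is caught before running letsencrypt-auto.
set -eu

# Where nginx looks for a challenge file given the `root` directive:
#   URI /.well-known/acme-challenge/TOKEN -> ROOT/.well-known/acme-challenge/TOKEN
challenge_dir() {
    printf '%s/.well-known/acme-challenge\n' "$1"
}

# Create a random token file under ROOT and print the token name.
stage_challenge_token() {
    local root="$1" dir token
    dir=$(challenge_dir "$root")
    mkdir -p "$dir"
    token="preflight-$(date +%s)-$$"
    printf '%s\n' "$token" > "$dir/$token"
    printf '%s\n' "$token"
}

# Fetch the token over plain HTTP and compare the body with what was staged.
# Returns 0 on success, 1 if the body differs (e.g. a 404 page, or an empty
# body because the server answered with a 301 to HTTPS).
check_challenge_served() {
    local domain="$1" token="$2" body
    body=$(curl -fsS --max-time 10 "http://$domain/.well-known/acme-challenge/$token" || true)
    [ "$body" = "$token" ]
}

# Full preflight: stage, fetch, clean up. Arguments: webroot, domain.
acme_preflight() {
    local root="$1" domain="$2" token rc
    token=$(stage_challenge_token "$root")
    if check_challenge_served "$domain" "$token"; then
        echo "OK: $domain serves challenge files from $root"; rc=0
    else
        echo "FAIL: http://$domain/.well-known/acme-challenge/$token did not return the token" >&2; rc=1
    fi
    rm -f "$(challenge_dir "$root")/$token"
    return "$rc"
}

# Usage with the post's values (assumed paths): acme_preflight /tmp/letsencrypt-auto secure.example.com
```

Run it as the user that owns the webroot; if it prints FAIL, compare the `location` block and the `root` path before trying the real certificate request, which is rate-limited on the LE side.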
## Obtaining the certificate with LE

```shell
$ MAIL="your_mail_address@example.com"
$ /home/cameong/letsencrypt/letsencrypt-auto certonly --webroot --webroot-path /tmp/letsencrypt-auto/ -d secure.example.com --server https://acme-v01.api.letsencrypt.org/directory -m $MAIL
```

If the output looks like the following, it worked:

```text
Checking for new version...
Requesting root privileges to run letsencrypt...
   sudo /home/cameong/.local/share/letsencrypt/bin/letsencrypt certonly --webroot --webroot-path /tmp/letsencrypt-auto/ -d secure.example.com --server https://acme-v01.api.letsencrypt.org/directory -m your_mail_address@example.com

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/secure.example.com/fullchain.pem. Your cert will
   expire on 2016-07-20. To obtain a new version of the certificate in the
   future, simply run Let's Encrypt again.
 - If you like Let's Encrypt, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
```
At this point the certificate (public key) and the private key are placed at the following paths:

| Key | Path |
|---|---|
| Certificate (full chain) | /etc/letsencrypt/live/secure.example.com/fullchain.pem |
| Private key | /etc/letsencrypt/live/secure.example.com/privkey.pem |
## Diffie-Hellman parameters

To strengthen the encryption, generate your own Diffie-Hellman parameters (used by the DHE cipher suites in the nginx config below):

```shell
$ sudo openssl dhparam -out /etc/ssl/private/dhparam.pem 2048
```
## Port 443 / port 80 configuration after LE is installed

```shell
$ cat /etc/nginx/conf.d/secure.example.com
```

```nginx
# HTTPS server configuration
server {
    listen 443 ssl;
    # For nginx 1.9.5 or later
    # listen 443 ssl http2;
    server_name secure.example.com;
    server_tokens off;

    ssl_certificate /etc/letsencrypt/live/secure.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/secure.example.com/privkey.pem;

    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    # Note: in some environments setting this to off breaks things (default is on)
    ssl_session_tickets on;

    # 2048-bit recommended
    ssl_dhparam /etc/ssl/private/dhparam.pem;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;

    ## Set this only if the service is offered over HTTPS exclusively
    #add_header Strict-Transport-Security max-age=15768000;

    # Adding HPKP (HTTP Public Key Pinning) makes the configuration even more secure,
    # but it raises the operational cost, so it is omitted here.
    # OCSP stapling speeds up the start of the encrypted connection. It is omitted here.

    # Document root
    root /var/www/html/secure.example.com;
    error_page 404 /404.html;

    access_log /var/log/nginx/secure.example.com_access.log main;
    error_log /var/log/nginx/secure.example.com_error.log error;
}

# Port 80: keep serving ACME challenges for renewals, redirect everything else to HTTPS
server {
    listen 80;
    server_name secure.example.com;
    location '/.well-known/acme-challenge' {
        default_type "text/plain";
        root /tmp/letsencrypt-auto;
    }
    location / {
        return 301 https://$server_name$request_uri;
    }
}
```
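As an added check that is not part of the original post, here is a small shell audit that reads an nginx config file and reports on the TLS settings the block above cares about: protocol versions, RC4, `ssl_prefer_server_ciphers`, `ssl_dhparam`, `server_tokens`, and whether the HSTS header is active. It goes slightly beyond the post in treating TLSv1 and TLSv1.1 as legacy (both were deprecated by RFC 8996), so run against the configuration above it reports exactly two findings: the legacy protocols and the commented-out HSTS header. The two sample configurations are constructed inline for the demo; the function names are mine.

```shell
#!/bin/bash
# Added example, not from the original post: a static audit of the ssl_*
# directives in an nginx server block. It only reads the file given as $1.

# Config with comments stripped, so commented-out directives (like the HSTS
# header in the post) do not count as active.
active_lines() {
    sed -e 's/#.*$//' "$1"
}

# Print the value of a directive, e.g. `directive_value conf ssl_protocols`
# prints "TLSv1 TLSv1.1 TLSv1.2" (empty if the directive is absent).
directive_value() {
    active_lines "$1" | awk -v d="$2" '$1 == d { $1 = ""; sub(/^ +/, ""); sub(/;.*$/, ""); print }'
}

# Print one finding per line; the exit status is the number of findings.
audit_tls_conf() {
    local conf="$1" n=0 protos ciphers
    protos=$(directive_value "$conf" ssl_protocols)
    case " $protos " in
        *SSLv2*|*SSLv3*) echo "SSLv2/SSLv3 enabled: $protos"; n=$((n + 1)) ;;
    esac
    case " $protos " in
        *" TLSv1 "*|*" TLSv1.1 "*) echo "legacy TLSv1/TLSv1.1 enabled: $protos"; n=$((n + 1)) ;;
    esac
    ciphers=$(directive_value "$conf" ssl_ciphers)
    case "$ciphers" in
        *'!RC4'*) ;;                       # explicitly excluded, fine
        *RC4*) echo "RC4 cipher suites allowed"; n=$((n + 1)) ;;
    esac
    [ "$(directive_value "$conf" ssl_prefer_server_ciphers)" = "on" ] \
        || { echo "ssl_prefer_server_ciphers is not on"; n=$((n + 1)); }
    [ -n "$(directive_value "$conf" ssl_dhparam)" ] \
        || { echo "no ssl_dhparam: DHE suites fall back to nginx's default parameters"; n=$((n + 1)); }
    [ "$(directive_value "$conf" server_tokens)" = "off" ] \
        || { echo "server_tokens is not off: nginx version is exposed in headers"; n=$((n + 1)); }
    active_lines "$conf" | grep -q Strict-Transport-Security \
        || { echo "HSTS header not active (acceptable only while HTTP is still served)"; n=$((n + 1)); }
    return "$n"
}

# Constructed sample: the TLS-relevant lines of the post's HTTPS server block.
write_post_style_conf() {
    cat > "$1" <<'EOF'
server {
    listen 443 ssl;
    server_tokens off;
    ssl_dhparam /etc/ssl/private/dhparam.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:AES256-SHA:!aNULL:!RC4:!MD5';
    ssl_prefer_server_ciphers on;
    #add_header Strict-Transport-Security max-age=15768000;
}
EOF
}

# Constructed sample: a deliberately weak block, for comparison.
write_weak_conf() {
    cat > "$1" <<'EOF'
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'RC4-SHA:AES128-SHA';
    ssl_prefer_server_ciphers off;
}
EOF
}

# Demo over both samples. On a real server: audit_tls_conf /etc/nginx/conf.d/secure.example.com
tmpdir=$(mktemp -d)
write_post_style_conf "$tmpdir/post.conf"
write_weak_conf "$tmpdir/weak.conf"
for f in post weak; do
    echo "== $f.conf"
    n=0; audit_tls_conf "$tmpdir/$f.conf" || n=$?
    echo "-> $n finding(s)"
done
rm -rf "$tmpdir"
```

The audit is deliberately line-oriented and knows nothing about `include` or nested contexts, so point it at the file that actually holds the `server` block; it complements rather than replaces the SSL Labs scan at the end of the post, which tests what the live server negotiates.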
## Automatic renewal

```shell
$ cat /usr/local/bin/auto-update_le.sh
```

```bash
#!/bin/bash
# Domains to include in the certificate
DOMAINS="-d secure.example.com -d www.example.com"
# Webroot that nginx serves /.well-known/acme-challenge from
DIR=/tmp/letsencrypt-auto
LETSENCRYPT="/home/cameong/letsencrypt/letsencrypt-auto"

[ -d "$DIR" ] || mkdir -p "$DIR"
$LETSENCRYPT certonly --server https://acme-v01.api.letsencrypt.org/directory -a webroot --webroot-path="$DIR" $DOMAINS --force-renew && service nginx reload
```

Register it with cron:

```shell
$ cat /etc/cron.d/auto-update_le
```

```text
# Renew the key at 10:00 on the 2nd of every month
0 10 2 * * root bash /usr/local/bin/auto-update_le.sh > /var/log/auto-update_le.log 2>&1
```
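The script above forces a renewal once a month with `--force-renew`. A variant that checks the certificate stored at the path from the table above and only contacts LE when it is within a renewal window is safer against both the LE rate limits and a cron job that silently stops running. The following is an added example and not the post's script; it uses the same paths, domains and ACME server URL as the post, requires the `openssl` CLI, and the function names are mine.

```shell
#!/bin/bash
# Added example (not from the original post): renew only when the issued
# certificate is close to expiry, instead of --force-renew on a fixed date.
set -u

# Same values as the post's script; override via the environment if needed.
DIR=${DIR:-/tmp/letsencrypt-auto}
LETSENCRYPT=${LETSENCRYPT:-/home/cameong/letsencrypt/letsencrypt-auto}
CERT=${CERT:-/etc/letsencrypt/live/secure.example.com/fullchain.pem}

# Print the notAfter date of a PEM certificate, e.g. "Jul 20 12:00:00 2016 GMT".
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Return 0 if the certificate expires within DAYS days (renewal is due),
# 1 if it stays valid beyond that. openssl's -checkend exits 1 when the
# certificate WILL expire inside the window, so the result is inverted.
needs_renewal() {
    local cert="$1" days="${2:-30}"
    if openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
        return 1
    else
        return 0
    fi
}

# Renew when due and reload nginx; remaining arguments are the "-d host" pairs.
renew_if_due() {
    local cert="$1" days="$2"
    shift 2
    if needs_renewal "$cert" "$days"; then
        [ -d "$DIR" ] || mkdir -p "$DIR"
        "$LETSENCRYPT" certonly --server https://acme-v01.api.letsencrypt.org/directory \
            -a webroot --webroot-path="$DIR" "$@" && service nginx reload
    else
        echo "$cert is valid beyond $days days (until $(cert_not_after "$cert")); nothing to do"
    fi
}

# Entry point for cron: only act if the live certificate exists on this host.
if [ -r "$CERT" ]; then
    renew_if_due "$CERT" 30 -d secure.example.com -d www.example.com
fi
```

Because the script is a no-op until the certificate is inside the 30-day window, the cron entry can run it every day rather than once a month, and a renewal that fails on one day is retried automatically on the next; the log file in /var/log then shows either "nothing to do" or the LE output.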
## Measuring HTTPS strength

Measure the strength of the HTTPS setup with SSL Labs (ssllabs).