Let's encrypt で無料SSL運用
Let's Encrypt(以下LE) の導入手順
導入手順
- LE のダウンロード
- 前処理: Port80 でドメインの所有証明
- LEで証明書取得
- DH対応
- LE導入後のPort443,80設定
- 自動更新設定
secure.example.com で導入例
LE のダウンロード
$ git clone https://github.com/letsencrypt/letsencrypt.git
前処理: Port80 でドメインの所有証明
導入前のnginx のconfig
$ cat /etc/nginx/sites-enabled/secure.example.com server { listen 80; server_name secure.example.com; location '/.well-known/acme-challenge' { default_type "text/plain"; root /tmp/letsencrypt-auto; } location / { root /tmp/letsencrypt-auto; #return 301 https://$server_name$request_uri; } }
nginx に設定を反映しておく
$ sudo service nginx configtest && sudo service nginx reload
エラーだとnginxの設定がなにかおかしい。修正するまでくりかえす。
LEで証明書取得
$ MAIL="your_mail_address@example.com" $ /home/cameong/letsencrypt/letsencrypt-auto certonly --webroot --webroot-path /tmp/letsencrypt-auto/ -d secure.example.com --server https://acme-v01.api.letsencrypt.org/directory -m $MAIL
下みたいになればok
Checking for new version... Requesting root privileges to run letsencrypt... sudo /home/cameong/.local/share/letsencrypt/bin/letsencrypt certonly --webroot --webroot-path /tmp/letsencrypt-auto/ -d secure.example.com --server https://acme-v01.api.letsencrypt.org/directory -m your_mail_address@example.com IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/secure.example.com/fullchain.pem. Your cert will expire on 2016-07-20. To obtain a new version of the certificate in the future, simply run Let's Encrypt again. - If you like Let's Encrypt, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le
この際、公開鍵, 秘密鍵が以下のPATHに設置される
鍵 | path |
---|---|
証明書 | /etc/letsencrypt/live/secure.example.com/fullchain.pem |
秘密鍵 | /etc/letsencrypt/live/secure.example.com/privkey.pem |
Diffie-Hellman対応
暗号強度を強めるために、DH対応を行う。
$ sudo openssl dhparam -out /etc/ssl/private/dhparam.pem 2048
LE導入後のPort443,80設定
$ cat /etc/nginx/conf.d/secure.example.com # HTTPS サーバの設定 server { listen 443 ssl; # nginx 1.9.5 以降の場合 # listen 443 ssl http2; server_name secure.example.com; server_tokens off; ssl_certificate /etc/letsencrypt/live/secure.example.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/secure.example.com/privkey.pem; ssl_session_timeout 1d; ssl_session_cache shared:SSL:50m; # 環境によっては off にすると動かないので注意 (default は on) ssl_session_tickets on; # 2048bit 推奨 ssl_dhparam /etc/ssl/private/dhparam.pem; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; ssl_prefer_server_ciphers on; ## HTTPS のみでサービスを提供する場合にだけ設定します #add_header Strict-Transport-Security max-age=15768000; # HPKP (HTTP Public Key Pinning) に対応すると更に安全性の高い設定になりますが、運用コストが上がるのでここでは省略します。 # OCSP Stapling に対応すると暗号化通信の開始を早めることが出来ます。ここでは省略します。 # ドキュメントルート root /var/www/html/secure.example.com; error_page 404 /404.html; access_log /var/log/nginx/secure.example.com_access.log main; error_log /var/log/nginx/secure.example.com_error.log error; } server { listen 80; server_name secure.example.com; location '/.well-known/acme-challenge' { default_type "text/plain"; root /tmp/letsencrypt-auto; } location / { return 301 https://$server_name$request_uri; } }
自動更新設定
cat /usr/local/bin/auto-update_le.sh #!/bin/bash DOMAINS="-d secure.example.com -d www.example.com" DIR=/tmp/letsencrypt-auto LETSENCRYPT="/home/cameong/letsencrypt/letsencrypt-auto" [ -d $DIR ] || mkdir -p $DIR $LETSENCRYPT certonly --server https://acme-v01.api.letsencrypt.org/directory -a webroot --webroot-path=$DIR $DOMAINS --force-renew && service nginx reload
cronに設定する
cat /etc/cron.d/auto-update_le # 毎月2日10:00に鍵を更新する 0 10 2 * * root bash /usr/local/bin/auto-update_le.sh > /var/log/auto-update_le.log 2>&1
HTTPS の強度測定
ssllabsでhttpsの強度を測定する。