Let's Encrypt with Nginx

I tried enabling HTTPS on this site.

It isn't HTTP/2, so I guess it won't get any faster.

There is no package for Ubuntu yet, so:

# apt-get install git
# git clone https://github.com/letsencrypt/letsencrypt
# cd letsencrypt

The executable is around here.

Now let's create a certificate.

# ./letsencrypt-auto --nginx
Checking for new version...
Requesting root privileges to run letsencrypt...
   /root/.local/share/letsencrypt/bin/letsencrypt --nginx
The requested nginx plugin does not appear to be installed

Right, the nginx plugin isn't there, lol.

Nothing for it, so let's create the certificate manually.
That said, it's easy to do, lol.

# ./letsencrypt-auto certonly --webroot -d www.neko6.info --webroot-path  /path/path/www.neko6.info/

IMPORTANT NOTES:
 - If you lose your account credentials, you can recover through
   e-mails sent to x@x
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/www.neko6.info/fullchain.pem. Your cert will
   expire on 2016-06-04. To obtain a new version of the certificate in
   the future, simply run Let's Encrypt again.
 - Your account credentials have been saved in your Let's Encrypt
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Let's
   Encrypt so making regular backups of this folder is ideal.
 - If you like Let's Encrypt, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
#

The certificates and related files appear to be created per domain under /etc/letsencrypt/.

All that's left is to feed these to nginx and set up the redirect.

# vi /etc/nginx/sites-enabled/www.neko6.info
server {
    listen 80;
    listen [::]:80;
    server_name www.neko6.info;
    return  301 https://www.neko6.info$request_uri;
}

server {
        listen 443 ssl;
        listen [::]:443 ssl;
        server_name www.neko6.info;
        ssl_certificate /etc/letsencrypt/live/www.neko6.info/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/www.neko6.info/privkey.pem;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;

        root /path/path/www.neko6.info;
        index index.php;


}

And with that, it's done.

Finally, register a cron job so the certificate renews automatically.

# crontab -e
0 0 1 * * /path/path/letsencrypt/letsencrypt-auto renew --force-renew && service nginx restart

I set it to renew on the 1st of every month.
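
An alternative to the forced monthly renewal, as an added example that is not from the original post: a cron wrapper that runs renew without --force-renew, so a certificate is only replaced when it is close to expiry, and reloads nginx (instead of restarting it) only when the certificate file changed and nginx -t passes. The "run" argument and the LE_AUTO/CERT environment overrides are assumptions; the paths are the ones used in this post.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Renew, then reload nginx only if the certificate actually changed and the
# nginx configuration still validates. Safe to schedule daily, because
# "renew" without --force-renew leaves certificates alone until they are
# close to expiry.

# Paths from the post; overridable through the environment (assumption).
LE_AUTO=${LE_AUTO:-/path/path/letsencrypt/letsencrypt-auto}
CERT=${CERT:-/etc/letsencrypt/live/www.neko6.info/fullchain.pem}

# Checksum of the certificate file, or "missing" if it does not exist yet.
fingerprint() {
    if [ -f "$1" ]; then cksum < "$1"; else echo missing; fi
}

# Return codes:
#   0  nothing to renew, or renewed and nginx reloaded
#   1  renewal failed (nginx untouched)
#   2  nginx configuration test failed (running nginx keeps serving as before)
#   3  reload failed
renew_and_reload() {
    before=$(fingerprint "$CERT")
    "$LE_AUTO" renew || return 1
    after=$(fingerprint "$CERT")
    if [ "$before" = "$after" ]; then
        return 0                      # certificate unchanged, no reload needed
    fi
    nginx -t || return 2              # never reload onto a broken config
    service nginx reload || return 3  # reload picks up the new certificate
    return 0
}

# Do the work only when called as "<script> run", e.g. from cron.
if [ "${1:-}" = run ]; then
    renew_and_reload
    exit $?
fi
```

In the crontab, point the entry at this script with the run argument in place of the letsencrypt-auto command line.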

What a convenient world we live in.
