Nginx TLS/SSL certificate acquisition and configuration

Nid: 736

1. Install Certbot

$ sudo apt-get update
$ sudo apt-get install software-properties-common
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install python-certbot-nginx

2. Obtain the SSL certificate

Add the following location block to the server block of the site configuration.

$ sudo vim /etc/nginx/sites-available/example.com
        location ~ /.well-known {
                allow all;
        }
}

Check the syntax, reload the configuration, then request the certificate

$ sudo nginx -t && sudo nginx -s reload
$ sudo certbot --nginx certonly --webroot-path=/var/www/html/example.com -d example.com

Check the expiry date

$ sudo openssl x509 -in /etc/letsencrypt/live/example.com/cert.pem -noout -dates
notBefore=Jul 17 07:08:00 2016 GMT
notAfter=Oct 15 07:08:00 2016 GMT

Generate a Diffie-Hellman group

$ sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

Example of checking the certificate contents from the Internet.

$ echo | openssl s_client -connect octaviadata.com:443 2>/dev/null | openssl x509 -noout -text | head
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:8e:fe:49:d6:03:95:68:01:3b:4a:3b:c3:54:f0:8d:94:39
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
        Validity
            Not Before: Dec 19 05:58:00 2016 GMT
            Not After : Mar 19 05:58:00 2017 GMT

3. nginx configuration

Configuration Snippet

$ sudo vim /etc/nginx/snippets/ssl-example.com.conf
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
$ sudo vim /etc/nginx/snippets/ssl-params.conf
# from https://cipherli.st/
# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

ssl_dhparam /etc/ssl/certs/dhparam.pem;

Configure Nginx for SSL. When redirecting port 80 to 443, split the server directive into two blocks as follows.

$ sudo vim /etc/nginx/sites-available/example.com
server {

    # SSL configuration
#    listen 443 ssl http2 default_server;
#    listen [::]:443 ssl http2 default_server;
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    include snippets/ssl-example.com.conf;
    include snippets/ssl-params.conf;
}
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name example.com www.example.com;
    return 301 https://$server_name$request_uri;
}

To serve both http and https from a single block, write it as follows.

server {
    listen 80;
    listen [::]:80;
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name example.com;
    include snippets/ssl-example.com.conf;
    include snippets/ssl-params.conf;

    ...

Apply the configuration

$ sudo nginx -t && sudo nginx -s reload
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Check the result: https://www.ssllabs.com/ssltest/analyze.html?d=example.com

4. Automatic certificate renewal

Check the configuration.

$ cat /etc/cron.d/certbot
# /etc/cron.d/certbot: crontab entries for the certbot package
#
# Upstream recommends attempting renewal twice a day
#
# Eventually, this will be an opportunity to validate certificates
# haven't been revoked, etc.  Renewal will only occur if expiration
# is within 30 days.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew

Test the renewal

$ sudo certbot renew --dry-run
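The expiry check in section 2 and the renewal cron job above both depend on how far the certificate is from its notAfter date. As an added example (not the note's own code), the following Python script parses the `openssl x509 -noout -dates` output shown earlier and reports whether certbot's 30-day renewal threshold has been reached; `status_of_file` assumes `openssl` is on PATH, and the `utc` helper and the sample dates are constructed for illustration.

```python
# Added example, not part of the original note: parse `openssl x509 -noout -dates`
# output and report whether the certificate is inside the 30-day window in which
# `certbot renew` (and therefore the cron job above) would replace it.
import subprocess
from datetime import datetime, timedelta, timezone

RENEW_WITHIN_DAYS = 30  # certbot's default renewal threshold (see the cron comment)

# Constructed sample input: the -dates output shown above for example.com.
SAMPLE_DATES = """notBefore=Jul 17 07:08:00 2016 GMT
notAfter=Oct 15 07:08:00 2016 GMT
"""

def utc(iso):
    """Build an aware UTC datetime from 'YYYY-MM-DD HH:MM'."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)

def parse_x509_dates(text):
    """Return (not_before, not_after) as aware UTC datetimes."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue  # skip anything that is not key=value
        # openssl prints e.g. "Oct 15 07:08:00 2016 GMT"; single-digit days are space padded
        stamp = datetime.strptime(value.strip(), "%b %d %H:%M:%S %Y %Z")
        fields[key.strip()] = stamp.replace(tzinfo=timezone.utc)
    return fields["notBefore"], fields["notAfter"]

def certificate_status(text, now=None):
    """Return (state, days_remaining); state is not-yet-valid, expired, renew or ok."""
    now = now or datetime.now(timezone.utc)
    not_before, not_after = parse_x509_dates(text)
    remaining = not_after - now
    if now < not_before:
        state = "not-yet-valid"
    elif remaining <= timedelta(0):
        state = "expired"
    elif remaining <= timedelta(days=RENEW_WITHIN_DAYS):
        state = "renew"  # certbot renew would replace it now
    else:
        state = "ok"  # certbot renew would skip it
    return state, remaining.days

def status_of_file(cert_path):
    """Run openssl (assumed on PATH) on a PEM file such as the live cert.pem above."""
    out = subprocess.run(["openssl", "x509", "-in", cert_path, "-noout", "-dates"],
                         check=True, capture_output=True, text=True).stdout
    return certificate_status(out)
```

`certificate_status(SAMPLE_DATES, utc("2016-09-20 07:08"))` returns `('renew', 25)`, while `status_of_file("/etc/letsencrypt/live/example.com/cert.pem")` runs the same check against the live certificate.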