Nginx TLS/SSL certificate setup

1 . Install the Let's Encrypt client

$ sudo apt-get update && sudo apt-get install letsencrypt

On newer Debian/Ubuntu releases the package and the command are both named certbot; substitute it for letsencrypt in the commands below.

2 . Obtain the SSL certificate

Add the following location block to the server block. It serves the ACME HTTP-01 challenge files from the directory that is passed to letsencrypt as --webroot-path below, so the root here must match that path.

$ sudo vim /etc/nginx/sites-available/example.com
        # ACME HTTP-01 challenge files; a prefix match (^~) is used rather than
        # the regex "~ /.well-known", whose unescaped dot matches any character.
        location ^~ /.well-known/acme-challenge/ {
                root /var/www/html/example.com;
                allow all;
        }
}

Check the syntax, reload the configuration, then request the certificate with the webroot plugin.

$ sudo nginx -t && sudo nginx -s reload
$ sudo letsencrypt certonly -a webroot --webroot-path=/var/www/html/example.com -d example.com
IMPORTANT NOTES:
 - If you lose your account credentials, you can recover through
   e-mails sent to youremailaddress@example.com.
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/example.com/fullchain.pem. Your
   cert will expire on 2017-03-01. To obtain a new version of the
   certificate in the future, simply run Let's Encrypt again.
 - Your account credentials have been saved in your Let's Encrypt
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Let's
   Encrypt so making regular backups of this folder is ideal.
 - If you like Let's Encrypt, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Check the expiry date

$ sudo openssl x509 -in /etc/letsencrypt/live/example.com/cert.pem -noout -dates
notBefore=Jul 17 07:08:00 2016 GMT
notAfter=Oct 15 07:08:00 2016 GMT

Generate a Diffie-Hellman group (used by the ssl_dhparam directive in the snippet below; 2048 bits takes a minute or two on a small VM, 4096 considerably longer)

$ sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

Example of checking the certificate contents over the Internet. Pass -servername as well, so that SNI selects the intended virtual host; without it a server with several names may present its default certificate instead.

$ echo | openssl s_client -connect octaviadata.com:443 -servername octaviadata.com 2>/dev/null | openssl x509 -noout -text | head
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:8e:fe:49:d6:03:95:68:01:3b:4a:3b:c3:54:f0:8d:94:39
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
        Validity
            Not Before: Dec 19 05:58:00 2016 GMT
            Not After : Mar 19 05:58:00 2017 GMT
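As an added example (not part of the original notes), the two openssl checks above can be scripted so that the remaining lifetime is computed instead of read off by eye. The functions take the notAfter string that `openssl x509 -noout -enddate` prints, either for a local PEM file or for the certificate a live host presents, and turn it into days remaining. GNU date (its -d option) is assumed, as is the 30-day warning threshold, which mirrors the point at which the Let's Encrypt client itself starts renewing.

```shell
#!/bin/sh
# Added example, not from the original notes. Assumes GNU date (-d) and openssl.
set -u

# Warn when this many days or fewer remain (assumed threshold; the Let's
# Encrypt client renews certificates once they are within 30 days of expiry).
RENEW_WITHIN_DAYS=30

# Whole days from "now" (epoch seconds, defaults to the current time) until an
# openssl notAfter string such as "Oct 15 07:08:00 2016 GMT". Negative once
# expired; truncation is toward zero, so -1 means "expired less than a day ago".
days_until() {
    not_after=$1
    now=${2:-$(date -u +%s)}
    exp=$(date -u -d "$not_after" +%s) || return 2
    printf '%s\n' $(( (exp - now) / 86400 ))
}

# Classify a day count as ok, renew (within the threshold) or expired.
expiry_status() {
    if [ "$1" -lt 0 ]; then
        echo expired
    elif [ "$1" -le "$RENEW_WITHIN_DAYS" ]; then
        echo renew
    else
        echo ok
    fi
}

# notAfter of a local PEM certificate (same data as `openssl x509 -dates` above).
local_not_after() {
    openssl x509 -in "$1" -noout -enddate | cut -d= -f2
}

# notAfter of the certificate a live host presents. -servername sets SNI so
# the intended virtual host answers rather than the server's default one.
remote_not_after() {
    echo | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null \
        | openssl x509 -noout -enddate | cut -d= -f2
}

# Print "<label>: <days> days left (<status>)"; exit 0 only when status is ok,
# so the function can drive a monitoring check directly.
report() {
    label=$1
    not_after=$2
    days=$(days_until "$not_after") || { echo "$label: cannot parse '$not_after'"; return 2; }
    status=$(expiry_status "$days")
    echo "$label: $days days left ($status)"
    [ "$status" = ok ]
}

# Usage (needs the files / network, so not run here):
#   report local  "$(local_not_after /etc/letsencrypt/live/example.com/cert.pem)"
#   report remote "$(remote_not_after example.com)"
```

Both sample certificates on this page come out at exactly 90 days when their notBefore is used as "now", which is the Let's Encrypt lifetime; anything that reports "renew" or "expired" from a live host means the cron job in section 4 is not doing its work.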

3 . nginx configuration

Configuration Snippet

$ sudo vim /etc/nginx/snippets/ssl-example.com.conf
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
# Issuer chain; ssl_stapling_verify needs it to validate OCSP responses.
ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
$ sudo vim /etc/nginx/snippets/ssl-params.conf
# from https://cipherli.st/
# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html

# TLS 1.0 and 1.1 are deprecated (RFC 8996) and penalised by SSL Labs; offer
# 1.2 and 1.3 only. Drop TLSv1.3 on nginx older than 1.13.0 or OpenSSL older
# than 1.1.1, where nginx -t rejects the token.
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
# Tickets off: the ticket key nginx generates at startup is not rotated until
# the next reload, which weakens forward secrecy for resumed sessions.
ssl_session_tickets off;
# Let's Encrypt ended its OCSP service in 2025; for its newer certificates nginx
# only logs a warning that the certificate has no OCSP responder URL.
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# add_header is inherited only by blocks that set no add_header of their own:
# a location that adds a header loses all of these unless it repeats them.
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

ssl_dhparam /etc/ssl/certs/dhparam.pem;

Configure nginx for SSL. To redirect port 80 to 443, split the server directives as follows. The ACME challenge location and the webroot stay in the 443 block: renewal requests arrive on port 80, follow the 301 to https, and must still find the challenge files there.

$ sudo vim /etc/nginx/sites-available/example.com
server {

    # SSL configuration
#    listen 443 ssl http2 default_server;
#    listen [::]:443 ssl http2 default_server;
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.com;
    root /var/www/html/example.com;
    include snippets/ssl-example.com.conf;
    include snippets/ssl-params.conf;

    location ^~ /.well-known/acme-challenge/ {
        allow all;
    }
}
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name example.com www.example.com;
    # $server_name (the first name above), not $host: a forged Host header
    # on this default_server must not be able to steer the redirect.
    return 301 https://$server_name$request_uri;
}

To allow both http and https in one server block, write it as follows. Caveat: with this layout the add_header lines from ssl-params.conf, Strict-Transport-Security included, are also sent on plain-HTTP responses, which RFC 6797 says an HSTS host must not do (browsers ignore the header there, so it is harmless but wrong); the split layout above is preferable.

server {
    listen 80;
    listen [::]:80;
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name example.com;
    include snippets/ssl-example.com.conf;
    include snippets/ssl-params.conf;

    ...
}

Apply the configuration

$ sudo nginx -t && sudo nginx -s reload
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Check the result at https://www.ssllabs.com/ssltest/analyze.html?d=example.com

4 . Automatic certificate renewal

$ sudo crontab -e
# Weekly renewal attempt. `renew` only replaces certificates that are within
# 30 days of expiry, so running it more often than this is harmless.
30 2 * * 1 /usr/bin/letsencrypt renew 2>&1 | tee -a /var/log/le-renew.log
# Reload nginx 15 minutes later so it picks up the new files. Note that this
# runs whether or not anything was renewed, and does not run nginx -t first.
45 2 * * 1 /bin/systemctl reload nginx
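The cron pair above reloads nginx every Monday whether or not anything was renewed, and without testing the configuration first. As an added example (not part of the original notes), the wrapper below does what a practitioner would want in its place: it fingerprints every fullchain.pem under /etc/letsencrypt/live before and after `letsencrypt renew`, and reloads nginx only when a certificate actually changed and `nginx -t` still passes. Paths follow the Debian/Ubuntu layout used on this page; GNU find and sha256sum are assumed. Newer certbot releases can achieve the same with `--deploy-hook`, which runs its command only for certificates that were actually renewed.

```shell
#!/bin/sh
# Added example, not from the original notes: renewal wrapper for the cron job
# above. Assumes Debian/Ubuntu paths, GNU find and sha256sum.
set -u

LE_LIVE=${LE_LIVE:-/etc/letsencrypt/live}
LOG=${LOG:-/var/log/le-renew.log}
LE_BIN=${LE_BIN:-/usr/bin/letsencrypt}

log() { echo "$(date -u +%Y-%m-%dT%H:%M:%SZ) $*" >>"$LOG"; }

# One "sha256  path" line per fullchain.pem under a live directory, sorted so
# two snapshots compare as plain strings. Symlinks are followed (-L) because
# live/ holds links into archive/.
cert_fingerprints() {
    find -L "$1" -name fullchain.pem -exec sha256sum {} + 2>/dev/null | sort
}

# Exit 0 when two snapshots differ (something was renewed), 1 when identical.
certs_changed() {
    [ "$1" != "$2" ]
}

# Renew; reload nginx only if a certificate changed AND the config still tests OK.
renew_and_reload() {
    before=$(cert_fingerprints "$LE_LIVE")
    "$LE_BIN" renew >>"$LOG" 2>&1 || log "renew exited with status $?"
    after=$(cert_fingerprints "$LE_LIVE")
    if ! certs_changed "$before" "$after"; then
        log "no certificate changed; nginx not reloaded"
        return 0
    fi
    if nginx -t >>"$LOG" 2>&1; then
        systemctl reload nginx && log "certificate renewed; nginx reloaded"
    else
        log "certificate renewed but nginx -t FAILED; nginx NOT reloaded"
        return 1
    fi
}

# Save this file as /usr/local/sbin/le-renew.sh (hypothetical path), append a
# line reading "renew_and_reload", and replace the two cron lines above with
# one entry; twice daily is fine since renew only acts within 30 days of expiry:
#   30 2,14 * * * /usr/local/sbin/le-renew.sh
```

Reloading only on change also means a broken renewal (DNS outage, the challenge location dropped from the 443 block) leaves the running nginx untouched and leaves a log line behind, instead of a blind reload that hides the failure until the certificate expires.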