Nginx TLS/SSL certificate acquisition and configuration
1. Install Certbot
$ sudo apt-get update
$ sudo apt-get install software-properties-common
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install python-certbot-nginx
2. Obtaining the SSL certificate
Add the following location block inside the server block (the last brace closes the enclosing server block).
$ sudo vim /etc/nginx/sites-available/example.com
server {
    ...
    location ~ /.well-known {
        allow all;
    }
}
Check the syntax, reload the configuration, then request the certificate.
$ sudo nginx -t && sudo nginx -s reload
$ sudo certbot --nginx certonly --webroot-path=/var/www/html/example.com -d example.com
Checking the expiry date
$ sudo openssl x509 -in /etc/letsencrypt/live/example.com/cert.pem -noout -dates
notBefore=Jul 17 07:08:00 2016 GMT
notAfter=Oct 15 07:08:00 2016 GMT
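The `-dates` output above is what a monitoring job should parse rather than eyeball. The following added example (not part of the original note) parses those two lines, computes the remaining validity against a given clock, and classifies the certificate using the same 30-day rule certbot's cron job applies; the sample input is a constructed copy of the output shown above.

```python
"""Compute the remaining validity of a certificate from `openssl x509 -noout -dates`
output and decide whether renewal is due.  Added example, not part of the original
note; the 30-day threshold mirrors the rule certbot's cron job uses."""
from datetime import datetime, timezone

# Constructed sample: the two lines `openssl x509 -in cert.pem -noout -dates` prints,
# using the dates from the note above.
SAMPLE_DATES = """notBefore=Jul 17 07:08:00 2016 GMT
notAfter=Oct 15 07:08:00 2016 GMT
"""

# openssl's validity format, e.g. "Oct 15 07:08:00 2016 GMT".  Days below 10 are
# space-padded ("Oct  5 ..."), so whitespace is collapsed before parsing.
OPENSSL_DATE_FMT = "%b %d %H:%M:%S %Y %Z"


def utc(year, month, day, hour=0, minute=0):
    """Build an aware UTC datetime (convenience for callers and tests)."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def parse_dates(text):
    """Return (not_before, not_after) as timezone-aware UTC datetimes."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue
        value = " ".join(value.split())  # collapse openssl's day padding
        parsed = datetime.strptime(value, OPENSSL_DATE_FMT)
        fields[key.strip()] = parsed.replace(tzinfo=timezone.utc)
    return fields["notBefore"], fields["notAfter"]


def days_remaining(text, now):
    """Fractional days until notAfter; negative once the certificate has expired."""
    _, not_after = parse_dates(text)
    return (not_after - now).total_seconds() / 86400


def renewal_status(text, now, renew_within_days=30):
    """Classify the certificate relative to `now` (an aware UTC datetime)."""
    not_before, not_after = parse_dates(text)
    if now < not_before:
        return "not-yet-valid"
    if now >= not_after:
        return "expired"
    if days_remaining(text, now) < renew_within_days:
        return "renew"
    return "ok"


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    print("%.1f days remaining, status: %s"
          % (days_remaining(SAMPLE_DATES, now), renewal_status(SAMPLE_DATES, now)))
```

In practice the input comes from the same openssl command shown above, piped into this script; feeding it a fixed `now` makes the check reproducible in tests, while the `__main__` path uses the real clock.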
Generating the Diffie-Hellman group
$ sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
Example of inspecting the served certificate over the Internet.
$ echo | openssl s_client -connect octaviadata.com:443 2>/dev/null | openssl x509 -noout -text | head
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:8e:fe:49:d6:03:95:68:01:3b:4a:3b:c3:54:f0:8d:94:39
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
        Validity
            Not Before: Dec 19 05:58:00 2016 GMT
            Not After : Mar 19 05:58:00 2017 GMT
3. nginx configuration
Configuration Snippet
$ sudo vim /etc/nginx/snippets/ssl-example.com.conf
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

$ sudo vim /etc/nginx/snippets/ssl-params.conf
# from https://cipherli.st/
# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
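A snippet like ssl-params.conf is worth linting before it is reloaded, because its weakest line decides what clients may negotiate: as written above it still enables TLSv1 and TLSv1.1, which RFC 8996 deprecates. The following added example (not part of the original note) parses the snippet's directives and reports the settings a reviewer would flag: deprecated protocols, OCSP stapling without a resolver, a missing or short HSTS max-age, and DHE suites without ssl_dhparam. The directive names are nginx's own; the checks, thresholds and the constructed copy of the snippet are this example's assumptions.

```python
"""Audit an nginx TLS snippet such as ssl-params.conf for settings a reviewer would
flag.  Added example, not part of the original note: the directive names are nginx's
own, but the checks and thresholds are this example's choices."""
import re

# Constructed copy of the ssl-params.conf shown in the note above.
SAMPLE_SNIPPET = """# from https://cipherli.st/
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
"""

# The same snippet with the one line the audit flags corrected.
HARDENED_SNIPPET = SAMPLE_SNIPPET.replace(
    "ssl_protocols TLSv1 TLSv1.1 TLSv1.2;", "ssl_protocols TLSv1.2 TLSv1.3;")

# TLS 1.0 and 1.1 are deprecated by RFC 8996; SSLv2/v3 long before that.
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# One year: the minimum the HSTS preload list expects.
MIN_HSTS_MAX_AGE = 31536000
# OpenSSL cipher-string tokens that select finite-field DHE suites.
DHE_TOKENS = {"DH", "DHE", "EDH", "kDHE", "kEDH", "ADH"}


def parse_directives(text):
    """Return (name, args) for each simple `name arg ...;` line, ignoring comments.
    Double-quoted arguments stay one token; block directives are not needed for a
    flat snippet like this one."""
    directives = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.endswith(";"):
            continue
        tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line[:-1])]
        directives.append((tokens[0], tokens[1:]))
    return directives


def audit(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    by_name = {}
    for name, args in parse_directives(text):
        by_name.setdefault(name, []).append(args)
    findings = []

    protocols = {p for args in by_name.get("ssl_protocols", []) for p in args}
    weak = sorted(protocols & DEPRECATED_PROTOCOLS)
    if weak:
        findings.append("ssl_protocols enables deprecated " + " ".join(weak)
                        + "; restrict to TLSv1.2 TLSv1.3")

    # Stapling needs a resolver so nginx can fetch OCSP responses from the CA.
    if ["on"] in by_name.get("ssl_stapling", []) and "resolver" not in by_name:
        findings.append("ssl_stapling on has no resolver, so OCSP responses cannot be fetched")

    headers = {args[0].lower(): args[1]
               for args in by_name.get("add_header", []) if len(args) >= 2}
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("no Strict-Transport-Security header is sent")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append("Strict-Transport-Security max-age is below %d seconds"
                            % MIN_HSTS_MAX_AGE)

    # Without ssl_dhparam, old nginx falls back to a built-in 1024-bit group and
    # newer releases simply drop DHE suites; either way the generated file belongs here.
    cipher_tokens = {t for args in by_name.get("ssl_ciphers", []) if args
                     for t in re.split(r"[:+]", args[0])}
    if cipher_tokens & DHE_TOKENS and "ssl_dhparam" not in by_name:
        findings.append("ssl_ciphers offers DHE suites but ssl_dhparam is not set")
    return findings


if __name__ == "__main__":
    for label, snippet in (("as written", SAMPLE_SNIPPET), ("hardened", HARDENED_SNIPPET)):
        print(label + ":", audit(snippet) or "no findings")
```

One caveat the file alone cannot show: nginx replaces rather than merges `add_header` lines when a nested location defines its own, so after reloading, confirm the headers on a real response (the SSL Labs check referenced below does this) rather than trusting the snippet.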
Configuring Nginx for SSL. To redirect port 80 to 443, split the server directive in two as follows.
$ sudo vim /etc/nginx/sites-available/example.com
server {
    # SSL configuration
    # listen 443 ssl http2 default_server;
    # listen [::]:443 ssl http2 default_server;
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    include snippets/ssl-example.com.conf;
    include snippets/ssl-params.conf;
}
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name example.com www.example.com;
    return 301 https://$server_name$request_uri;
}
To allow both http and https, write it as follows.
server {
    listen 80;
    listen [::]:80;
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.com;
    include snippets/ssl-example.com.conf;
    include snippets/ssl-params.conf;
    ...
- Apply the configuration
$ sudo nginx -t && sudo nginx -s reload
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
Verify with: https://www.ssllabs.com/ssltest/analyze.html?d=example.com
4. Automatic certificate renewal
Check the cron configuration.
$ cat /etc/cron.d/certbot
# /etc/cron.d/certbot: crontab entries for the certbot package
#
# Upstream recommends attempting renewal twice a day
#
# Eventually, this will be an opportunity to validate certificates
# haven't been revoked, etc.  Renewal will only occur if expiration
# is within 30 days.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew
Test the renewal.
$ sudo certbot renew --dry-run