
SSL certificates are a hassle. Each individual task is not that much work, but as the number of certificates in use grows it becomes a real burden.
Obtaining and operating an SSL certificate the conventional way
1. Register with a certificate vendor
2. Complete domain ownership verification
3. Create a CSR
4. Build the certificate chain
5. Configure the server and deploy the certificate
6. Check that it works
7. Keep an eye on the expiry date
8. Renew (repeat 3, 4, 5, 6)
With Let's Encrypt almost all of this becomes automatic. Strictly speaking, it is the ACME mechanism rather than Let's Encrypt itself that makes it automatic.
In any case, all that is left to do is install a client for Let's Encrypt and roughly steps 5 and 6 above.
Installing an ACME client
This time I install py-certbot, the Python client. security/py-certbot was named security/py-letsencrypt until early June 2016. Other options in FreeBSD ports/pkg are security/letsencrypt.sh (written in bash) and security/letskencrypt (a C program).
# cd /usr/ports/security/py-certbot
# make install clean
The script's front end is installed as /usr/local/bin/certbot, and the things the user cares about, such as the certificates, are placed under /usr/local/etc/letsencrypt.
Issuing a certificate
No registration with Let's Encrypt is needed; just run certbot commands straight away.
The laziest way is to specify only the FQDN:
# certbot certonly -d host.example.com
You will be asked several questions; the one you must not get wrong is the webroot. This is the path to the document root of the website the certificate is issued for, e.g. /usr/local/www/host_example.
With that, the certificate for host.example.com is obtained. The webroot can also be passed with -w:
# certbot certonly -d host.example.com -w /usr/local/www/host_example
If everything worked, the certificate files should be under /usr/local/etc/letsencrypt/live/host.example.com.
Web server configuration
For Nginx:
ssl_certificate /usr/local/etc/letsencrypt/live/host.example.com/fullchain.pem;
ssl_certificate_key /usr/local/etc/letsencrypt/live/host.example.com/privkey.pem;
ssl_trusted_certificate /usr/local/etc/letsencrypt/live/host.example.com/chain.pem;
Nginx's ssl_certificate expects the EE (end-entity) certificate together with the intermediate CA certificate, so point it at fullchain.pem. ssl_trusted_certificate is not required; set it when enabling OCSP stapling.
For Apache 2.4:
SSLCertificateFile "/usr/local/etc/letsencrypt/live/host.example.com/cert.pem"
SSLCertificateKeyFile "/usr/local/etc/letsencrypt/live/host.example.com/privkey.pem"
SSLCertificateChainFile "/usr/local/etc/letsencrypt/live/host.example.com/chain.pem"
In Apache, SSLCertificateFile takes the EE certificate and SSLCertificateChainFile the intermediate CA certificate.
Automatic certificate renewal
Let's Encrypt certificates expire after 90 days (about 3 months). If something with such a short validity period required the usual manual renewal procedure it would be a bad joke, but of course renewal can be automated, so it is just a matter of setting up cron. Note, however, that renewal is only possible during the 30 days (about 1 month) immediately before expiry. If the cron job runs about once every 15 days, at least one run is certain to fall inside that 30-day renewal window. A run outside the window is simply rejected.
Add one of the following, the Nginx version or the Apache 2.4 version, as a single line to /etc/crontab:
#Nginx
50 4 2,16 * * root /usr/local/bin/certbot renew --quiet && /usr/local/etc/rc.d/nginx reload
#Apache24
50 4 2,16 * * root /usr/local/bin/certbot renew --quiet && /usr/local/etc/rc.d/apache24 reload
This runs at 4:50 in the morning on the 2nd and 16th of every month.
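To check the claim that a run on the 2nd and 16th always lands inside the 30-day renewal window, here is an added Python example (not part of the original post) that simulates the crontab line above over a year of issuance times and also parses the notAfter line printed by `openssl x509 -noout -enddate -in cert.pem`; all dates are constructed samples.

```python
from datetime import datetime, timedelta

VALIDITY_DAYS = 90      # Let's Encrypt lifetime, as stated in the post
RENEW_WINDOW_DAYS = 30  # renewal is only possible in the last 30 days
CRON_DAYS, CRON_HOUR, CRON_MINUTE = (2, 16), 4, 50  # the post's "50 4 2,16 * *"

def parse_not_after(line):
    """Parse the 'notAfter=...' line from `openssl x509 -noout -enddate`
    (assumed to be in GMT, as openssl prints it) into a naive datetime."""
    value = line.split("=", 1)[1].replace("GMT", "")
    return datetime.strptime(" ".join(value.split()), "%b %d %H:%M:%S %Y")

def due_for_renewal(not_after, now):
    """True when `now` lies inside the 30-day window in which certbot renew acts."""
    return not_after - timedelta(days=RENEW_WINDOW_DAYS) <= now < not_after

def cron_runs(start, end):
    """Firing times of the crontab line that fall in [start, end)."""
    d = start.replace(hour=CRON_HOUR, minute=CRON_MINUTE, second=0, microsecond=0)
    while d < end:
        if d.day in CRON_DAYS and d >= start:
            yield d
        d += timedelta(days=1)

def renewal_attempts(issued):
    """Cron firings inside the renewal window of a certificate issued at `issued`."""
    expiry = issued + timedelta(days=VALIDITY_DAYS)
    return list(cron_runs(expiry - timedelta(days=RENEW_WINDOW_DAYS), expiry))

def worst_case(year=2016):
    """Simulate issuance at every hour of `year`; return (fewest in-window
    attempts, smallest number of days left before expiry at the first attempt)."""
    fewest, margin = None, None
    t, end = datetime(year, 1, 1), datetime(year + 1, 1, 1)
    while t < end:
        attempts = renewal_attempts(t)
        left = (t + timedelta(days=VALIDITY_DAYS) - attempts[0]) / timedelta(days=1)
        fewest = len(attempts) if fewest is None else min(fewest, len(attempts))
        margin = left if margin is None else min(margin, left)
        t += timedelta(hours=1)
    return fewest, margin

if __name__ == "__main__":
    print("worst case (attempts, days left at first attempt):", worst_case())
```

The worst case is a single in-window attempt with about 13 days to spare, so with this schedule a run that fails (for instance because the ACME server is unreachable) gets no second try before expiry.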
As of July 24, 2016, certbot apparently cannot issue ECDSA certificates (Let's Encrypt itself can). A request seems to have been filed, so it may be supported eventually.
Because of how the mechanism works, it does not go well with HPKP; if you use certbot you are probably better off giving up on HPKP. Then again, HPKP itself is a bad idea, so it is not something I would seriously consider using anyway.
Addendum, March 1, 2018:
As I wrote in "ECDSA certificates with Let's Encrypt", if you keep the CSR fixed the HPKP pin does not change, so HPKP is workable after all. For the steps up to creating the CSR, see "SSL with Apache" (the relevant part). (CSR/certificate creation is the same regardless of Apache.)