{"id":163,"date":"2017-01-15T21:00:25","date_gmt":"2017-01-15T12:00:25","guid":{"rendered":"https:\/\/vicsfactory.com\/?p=163"},"modified":"2020-02-13T12:17:05","modified_gmt":"2020-02-13T03:17:05","slug":"certbot%e3%82%92%e4%bd%bf%e3%81%a3%e3%81%a6web%e3%82%b5%e3%83%bc%e3%83%90%e3%83%bc%e3%82%92ssl%e5%8c%96","status":"publish","type":"post","link":"https:\/\/vicsfactory.com\/?p=163","title":{"rendered":"certbot\u3092\u4f7f\u3063\u3066WEB\u30b5\u30fc\u30d0\u30fc\u3092SSL\u5316"},"content":{"rendered":"

LET’S ENCRYPT<\/a>\u306ecertbot\u30af\u30e9\u30a4\u30a2\u30f3\u30c8\u3092\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3057\u3066\u30b5\u30fc\u30d0\u30fc\u8a3c\u660e\u66f8\u3092\u53d6\u5f97\u3057\u3001mod_SSL\u3092\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3057\u3066WEB\u30b5\u30fc\u30d0\u30fc\u9593\u306e\u901a\u4fe1\u3092\u6697\u53f7\u5316\uff08SSL\u5316\uff09\u3057\u307e\u3059\u3002<\/p>\n

\u203bCentOS7\u95a2\u9023\u306e\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u30fb\u8a2d\u5b9a\u306b\u3064\u3044\u3066\u306f\u300cCentOS\u3067\u81ea\u5b85\u30b5\u30fc\u30d0\u30fc\u69d8<\/a>\u300d\u3092\u53c2\u8003\u306b\u81ea\u5206\u306e\u74b0\u5883\u306b\u5408\u308f\u305b\u3066\u8a2d\u5b9a\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n

\u25cfEPEL\u30ea\u30dd\u30b8\u30c8\u30ea\u6709\u52b9\u5316
\n# yum -y install epel-release<\/p>\n

\"certbot1\"<\/a><\/p>\n

\u25cfcertbot\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb
\n# yum -y install certbot<\/p>\n

\"certbot2\"<\/a><\/p>\n

\u25cfcertbot\u30c6\u30b9\u30c8\u5b9f\u884c
\n# certbot<\/p>\n

\u4e0b\u8a18\u753b\u9762\u304c\u8868\u793a\u3055\u308c\u305f\u3089\u305d\u306e\u307e\u307e\u30b5\u30fc\u30d0\u30fc\u8a3c\u660e\u66f8\u306e\u53d6\u5f97\u306b\u9032\u3080\u3002<\/p>\n

<\/a><\/p>\n

\u4e0b\u8a18\u753b\u9762\u304c\u8868\u793a\u3055\u308c\u305f\u3089\uff1cNo\uff1e\u3092\u9078\u629e\u3057\u3066\u30b5\u30fc\u30d0\u30fc\u8a3c\u660e\u66f8\u306e\u53d6\u5f97\u306b\u9032\u3080\u3002<\/p>\n

\"certbot-exec-test\"<\/a><\/p>\n

\u25cf\u30b5\u30fc\u30d0\u30fc\u8a3c\u660e\u66f8\u53d6\u5f97
\n# certbot certonly –webroot -w \u30c9\u30ad\u30e5\u30e1\u30f3\u30c8\u30eb\u30fc\u30c8(EX:\/var\/www\/html\/) -d WEB\u30b5\u30fc\u30d0\u30fc\u540d(EX:vicsfactory.com) -d www.WEB\u30b5\u30fc\u30d0\u30fc\u540d(EX:www.vicsfactory.com) -m \u30e1\u30fc\u30eb\u30a2\u30c9\u30ec\u30b9 –agree-tos<\/p>\n

\u203b\u3053\u3053\u3067\u5165\u529b\u3057\u305f\u30e1\u30fc\u30eb\u30a2\u30c9\u30ec\u30b9\u306f\u3001\u7dca\u6025\u306e\u901a\u77e5\u3001\u9375\u3092\u7d1b\u5931\u3057\u305f\u3068\u304d\u306e\u5fa9\u65e7\u3001\u8a3c\u660e\u66f8\u306e\u6709\u52b9\u671f\u9650\u304c\u8fd1\u4ed8\u3044\u305f\u5834\u5408\u306e\u901a\u77e5\u306b\u4f7f\u7528\u3055\u308c\u307e\u3059\u3002<\/p>\n

\u7121\u4e8b\u30b5\u30fc\u30d0\u30fc\u8a3c\u660e\u66f8\u304c\u767a\u884c\u3055\u308c\u308b\u3068\u4e0b\u56f3\u306e\u753b\u9762\u304c\u8868\u793a\u3055\u308c\u307e\u3059\u3002<\/p>\n

\"certbot06\"<\/a><\/p>\n

\u25cfmod_SSL\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb
\n# yum -y install mod_ssl<\/p>\n

\u25cfSSL\u8a2d\u5b9a\u30d5\u30a1\u30a4\u30eb\u7de8\u96c6
\n# vi \/etc\/httpd\/conf.d\/ssl.conf<\/p>\n

\u4ee5\u4e0b\u3092\u8a18\u8ff0<\/p>\n

#SSLCertificateFile \/etc\/pki\/tls\/certs\/localhost.crt
\n\u2193
\nSSLCertificateFile \/etc\/letsencrypt\/live\/WEB\u30b5\u30fc\u30d0\u30fc\u540d\/cert.pem<\/p>\n

#SSLCertificateKeyFile \/etc\/pki\/tls\/private\/localhost.key
\n\u2193
\nSSLCertificateKeyFile \/etc\/letsencrypt\/live\/WEB\u30b5\u30fc\u30d0\u30fc\u540d\/privkey.pem<\/p>\n

#SSLCertificateChainFile \/etc\/pki\/tls\/certs\/server-chain.crt
\n\u2193
\nSSLCertificateChainFile \/etc\/letsencrypt\/live\/WEB\u30b5\u30fc\u30d0\u30fc\u540d\/chain.pem<\/p>\n

\u25cfhttpd\u8a2d\u5b9a\u53cd\u6620
\n# systemctl reload httpd<\/p>\n

\u30eb\u30fc\u30bf\u30fc\u3067TCP443\u756a\u3092\u30b5\u30fc\u30d0\u30fc\u306b\u901a\u3059\u3088\u3046\u306b\u8a2d\u5b9a\u3059\u308b\u3002<\/p>\n

\u30d6\u30e9\u30a6\u30b6\u3067https:\/\/WEB\u30b5\u30fc\u30d0\u30fc\u540d\u3067\u30a2\u30af\u30bb\u30b9\u3057\u3001\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u8b66\u544a\u304c\u51fa\u305a\u306b\u30b5\u30a4\u30c8\u304c\u8868\u793a\u3055\u308c\u308b\u3053\u3068\u3092\u78ba\u8a8d\u3002<\/p>\n

LET’S ENCRYPT\u3067\u53d6\u5f97\u3057\u305fSSL\u30b5\u30fc\u30d0\u30fc\u8a3c\u660e\u66f8
\n\"certbot19\"<\/a><\/p>\n

\u25cf\u30b5\u30fc\u30d0\u30fc\u8a3c\u660e\u66f8\u306e\u66f4\u65b0<\/p>\n

LET’S ENCRYPT\u306e\u30b5\u30fc\u30d0\u30fc\u8a3c\u660e\u66f8\u306e\u6709\u52b9\u671f\u9650\u306f\uff19\uff10\u65e5\u9593\u306a\u306e\u3067\u3001\u671f\u9650\u306e\u8fd1\u3065\u3044\u305f\u8a3c\u660e\u66f8\u3092\u81ea\u52d5\u7684\u306b\u66f4\u65b0\u3059\u308b\u3088\u3046\u306b\u3057\u307e\u3059\u3002<\/p>\n

\u66f4\u65b0\u30c6\u30b9\u30c8
\n# certbot renew –dry-run<\/p>\n

\u203brenew\u30b3\u30de\u30f3\u30c9\u306f\u53d6\u5f97\u3057\u305f\u5168\u3066\u306e\u30b5\u30fc\u30d0\u30fc\u8a3c\u660e\u66f8\u306e\u4e2d\u3067\u6709\u52b9\u671f\u9650\u304c1\u30f6\u6708\u3092\u5207\u3063\u305f\u8a3c\u660e\u66f8\u3060\u3051\u3092\u66f4\u65b0\u3057\u307e\u3059\u3002
\n\u203b\u6b8b\u308a\u6709\u52b9\u671f\u9650\u3092\u7121\u8996\u3057\u3066\u5f37\u5236\u7684\u306b\u66f4\u65b0\u3059\u308b\u5834\u5408\u306fcertbot renew\u306b–force-renew\u30aa\u30d7\u30b7\u30e7\u30f3\u3092\u4ed8\u3051\u307e\u3059\u3002
\n\uff08LET’S ENCRYPT\u306e\u30b5\u30fc\u30d0\u30fc\u8a3c\u660e\u66f8\u306e\u767a\u884c\u306f\u9031\u306b20\u500b\u307e\u3067\u306a\u306e\u3067\u3001\u3042\u307e\u308a\u983b\u7e41\u306b–force-renew\u3067\u66f4\u65b0\u3059\u308b\u306e\u306f\u6b62\u3081\u307e\u3057\u3087\u3046\uff09
\n\u203brenew\u30b3\u30de\u30f3\u30c9\u306b–dry-run\u30aa\u30d7\u30b7\u30e7\u30f3\u3092\u4ed8\u3051\u308b\u3068\u30b5\u30fc\u30d0\u30fc\u8a3c\u660e\u66f8\u306e\u66f4\u65b0\u306f\u3055\u308c\u305a\u306b\u52d5\u4f5c\u306e\u307f\u78ba\u8a8d\u51fa\u6765\u307e\u3059\u3002<\/p>\n

\u30c6\u30b9\u30c8\u3067\u52d5\u4f5c\u78ba\u8a8d\u304c\u51fa\u6765\u305f\u3089crontab\u306b\u4ee5\u4e0b\u3092\u767b\u9332\u3057\u3066\u6708\u306b\u4e00\u5ea6certbot renew\u3092\u5b9f\u884c\u3055\u305b\u307e\u3059\u3002<\/p>\n

00 00 01 * * \/usr\/bin\/certbot renew && \/bin\/systemctl reload httpd<\/p>\n

\u4e0a\u8a18\u306e\u4f8b\u3067\u306f\u6bce\u6708\uff11\u65e5\u306e\u5348\u524d\uff10\u6642\u306b\u30b5\u30fc\u30d0\u30fc\u8a3c\u660e\u66f8\u306e\u66f4\u65b0\u3092\u884c\u3044\u3001httpd\u8a2d\u5b9a\u30d5\u30a1\u30a4\u30eb\u3092\u30ea\u30ed\u30fc\u30c9\u3057\u3066\u66f4\u65b0\u3055\u308c\u305f\u30b5\u30fc\u30d0\u30fc\u8a3c\u660e\u66f8\u3092\u6709\u52b9\u5316\u3057\u307e\u3059\u3002<\/p>\n

\u25cfSSL Server Test\u3067A+\u8a55\u4fa1\u3092\u5f97\u308b\u305f\u3081\u306e\u8a2d\u5b9a
\n# vi \/etc\/httpd\/conf.d\/ssl.conf<\/p>\n

\u30fbSSL\u30d7\u30ed\u30c8\u30b3\u30eb\u3092TLSv1.2\u306e\u307f\u306b\u9650\u5b9a
\nSSLProtocol all -SSLv2
\n\u2193
\nSSLProtocol +TLSv1.2<\/p>\n

\u30fb#SSLHonorCipherOrder on\u306e\u4e0b\u306b\u4ee5\u4e0b\u3092\u8ffd\u8a18
\nSSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:
\nECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS (\u3053\u3053\u307e\u30671\u884c\u3067\u8a18\u8ff0)
\nSSLHonoeCipherOrder on<\/p>\n

\u30fb<\/VirtualHost>\u306e\u4e0a\u306b\u4ee5\u4e0b\u3092\u8ffd\u8a18
\nHeader always set Strict-Transport-Security “max-age=15768000”<\/p>\n

\u25cfhttpd\u8a2d\u5b9a\u53cd\u6620
\nsystemctl reload httpd<\/p>\n

\u25cfSSL Server Test<\/a> \u3067WEB\u30b5\u30fc\u30d0\u30fc\u540d\u3092\u5165\u529b\u3057\u3001\u30c6\u30b9\u30c8\u7d50\u679c\u304c\u4e0b\u56f3\u306e\u3088\u3046\u306bA+\u306b\u306a\u308b\u3053\u3068\u3092\u78ba\u8a8d\u3059\u308b\u3002<\/p>\n

\"certbot13\"<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

LET’S ENCRYPT\u306ecertbot\u30af\u30e9\u30a4\u30a2\u30f3\u30c8\u3092\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3057\u3066\u30b5\u30fc\u30d0\u30fc\u8a3c\u660e\u66f8\u3092\u53d6\u5f97\u3057\u3001mod_SSL\u3092\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3057\u3066WEB\u30b5\u30fc\u30d0\u30fc\u9593\u306e\u901a\u4fe1\u3092\u6697\u53f7\u5316\uff08SSL\u5316\uff09\u3057\u307e\u3059\u3002 \u203bCentOS7\u95a2\u9023\u306e\u30a4\u30f3\u30b9 … \u7d9a\u304d\u3092\u8aad\u3080 →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[2],"tags":[],"_links":{"self":[{"href":"https:\/\/vicsfactory.com\/index.php?rest_route=\/wp\/v2\/posts\/163"}],"collection":[{"href":"https:\/\/vicsfactory.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/vicsfactory.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/vicsfactory.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/vicsfactory.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=163"}],"version-history":[{"count":19,"href":"https:\/\/vicsfactory.com\/index.php?rest_route=\/wp\/v2\/posts\/163\/revisions"}],"predecessor-version":[{"id":332,"href":"https:\/\/vicsfactory.com\/index.php?rest_route=\/wp\/v2\/posts\/163\/revisions\/332"}],"wp:attachment":[{"href":"https:\/\/vicsfactory.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=163"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/vicsfactory.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=163"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/vicsfactory.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=163"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}