More than 3 years have passed since last update.

@quack

How to configure letsencrypt [memo]

There are many options available, but the commands I actually ran and the settings I used are recorded below as a memo.


Ubuntu:
Distributor ID: Ubuntu
Description: Ubuntu 16.04.1 LTS
Release: 16.04
Codename: xenial

NGINX:
nginx version: nginx/1.10.0 (Ubuntu)

GIT:
git version 2.7.4


install letsencrypt

# git clone https://github.com/letsencrypt/letsencrypt.git

obtain the SSL certificate (webroot method)

# /root/letsencrypt/letsencrypt-auto certonly --webroot -w /var/www/html/example.com -d example.com

add to crontab as root (re-issues the certificate on the 1st of every month and restarts nginx)

# crontab -e

0 0 1 * * /root/letsencrypt/letsencrypt-auto certonly --webroot -w /var/www/html/example.com -d example.com --renew-by-default && service nginx restart

make dh param key (parameters for DH key exchange), written to the path that ssl_dhparam below points at

# openssl dhparam -out /etc/letsencrypt/live/example.com/dhparams.pem 2048

add the following to the server block you use in nginx.conf.

ssl on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/letsencrypt/live/example.com/dhparams.pem;

=> SSLv3 disabled [POODLE mitigation]
=> cipher suites specified explicitly

Configuring HSTS in NGINX

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

Once the configuration is done, check it here; if you get an "A", you should be fine.
SSL LABS - SSL Server Test
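Before reloading nginx and running the SSL Labs test, a quick local lint of the server-block snippet above catches the hand-editing mistakes that otherwise only show up as an nginx reload failure or a lower grade: an unterminated directive, legacy protocol versions, weak cipher keywords not excluded, and a missing or non-`always` HSTS header. This is an added example, not code from the original article; the sample config is constructed from the snippet above (shortened cipher list), with the semicolon deliberately left off `ssl_dhparam` to exercise the check.

```python
# Constructed sample based on the article's server-block snippet; the
# ssl_dhparam line is deliberately left without its trailing ';'.
SAMPLE = """
ssl on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK';
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/letsencrypt/live/example.com/dhparams.pem
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
"""

# Protocol versions that should no longer be offered (SSLv3 = POODLE).
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def parse_directives(text):
    """Return (name, args, terminated) for each non-blank, non-comment line."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        terminated = line.endswith(";")          # nginx requires ';' per directive
        body = line[:-1] if terminated else line
        name, _, args = body.partition(" ")
        out.append((name, args.strip(), terminated))
    return out

def lint_tls(text):
    """Return a list of findings; an empty list means nothing to fix."""
    findings, seen = [], {}
    for name, args, terminated in parse_directives(text):
        if not terminated:
            findings.append(f"{name}: missing trailing ';'")
        seen.setdefault(name, []).append(args)
    protos = set(seen.get("ssl_protocols", [""])[0].split())
    for p in sorted(protos & LEGACY_PROTOCOLS):
        findings.append(f"ssl_protocols: {p} is a legacy version")
    ciphers = seen.get("ssl_ciphers", [""])[0]
    for weak in ("RC4", "MD5", "aNULL", "eNULL", "EXPORT"):
        if f"!{weak}" not in ciphers:             # keyword must be explicitly excluded
            findings.append(f"ssl_ciphers: {weak} not explicitly excluded")
    hsts = [a for a in seen.get("add_header", []) if "Strict-Transport-Security" in a]
    if not hsts:
        findings.append("add_header: no Strict-Transport-Security header")
    elif not hsts[0].endswith("always"):          # without 'always' error pages lack HSTS
        findings.append("add_header: HSTS should carry 'always'")
    return findings
```

Running `lint_tls(SAMPLE)` reports the unterminated `ssl_dhparam` line and the two legacy TLS versions; a block that offers only TLSv1.2 with the same exclusions and an `always` HSTS header returns no findings.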

[Note] letsencrypt has been changed to Certbot
Certbot - Welcome to the Certbot documentation!
