
How to set up letsencrypt [memo]

More than 3 years have passed since last update.

There are many options available, but the commands I actually ran and the settings I used are recorded below as a memo.


Ubuntu:
Distributor ID: Ubuntu
Description: Ubuntu 16.04.1 LTS
Release: 16.04
Codename: xenial

NGINX:
nginx version: nginx/1.10.0 (Ubuntu)

GIT:
git version 2.7.4


install letsencrypt

# git clone https://github.com/letsencrypt/letsencrypt.git

make keys for ssl

# /root/letsencrypt/letsencrypt-auto certonly --webroot -w /var/www/html/example.com -d example.com

add to crontab as root

# crontab -e

0 0 1 * * /root/letsencrypt/letsencrypt-auto certonly --webroot -w /var/www/html/example.com -d example.com --renew-by-default && service nginx restart

make dh param key (parameter file for DH key exchange)

# openssl dhparam -out dhparams.pem 2048

Add the following to the server block you use in nginx.conf.

ssl on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/letsencrypt/live/example.com/dhparams.pem;

=> SSLv3 disabled [POODLE mitigation]
=> cipher suites listed explicitly

Configuring HSTS in NGINX

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
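Before reaching for the SSL Labs check, a local lint of the snippet catches the usual slips (SSLv3 left in ssl_protocols, client-preferred ciphers, a missing HSTS header, a dropped semicolon that makes "nginx -t" fail). This is an added example, not code from the original post; check_tls_conf, the checks it performs and the sample configs are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: lint an nginx TLS snippet like the
# one above before reloading. check_tls_conf <file> prints each finding and returns
# the number of failed checks (0 = clean); names, checks and samples are this example's own.

# print the line(s) of the directive named $1 from config file $2
directive() { grep -E "^[[:space:]]*$1([[:space:]]|;|$)" "$2"; }
check_tls_conf() {
    conf="$1"; fails=0
    # 1. SSLv2/SSLv3 must be absent from ssl_protocols (POODLE mitigation)
    if ! directive ssl_protocols "$conf" >/dev/null; then
        echo "FAIL: ssl_protocols missing"; fails=$((fails + 1))
    elif directive ssl_protocols "$conf" | grep -Eq 'SSLv[23]'; then
        echo "FAIL: SSLv2/SSLv3 enabled"; fails=$((fails + 1))
    fi
    # 2. server chooses the suite, and the explicit list rules out RC4 and MD5
    directive ssl_prefer_server_ciphers "$conf" | grep -q ' on;' \
        || { echo "FAIL: ssl_prefer_server_ciphers not on"; fails=$((fails + 1)); }
    directive ssl_ciphers "$conf" | grep '!RC4' | grep -q '!MD5' \
        || { echo "FAIL: ssl_ciphers does not exclude RC4 and MD5"; fails=$((fails + 1)); }
    # 3. DH parameters present and HSTS sent on every response ("always")
    directive ssl_dhparam "$conf" >/dev/null \
        || { echo "FAIL: ssl_dhparam missing"; fails=$((fails + 1)); }
    directive add_header "$conf" | grep Strict-Transport-Security | grep -q 'always;' \
        || { echo "FAIL: HSTS header missing or lacks 'always'"; fails=$((fails + 1)); }
    # 4. ssl_* / add_header lines must end in ';' or "nginx -t" rejects the file
    bad=$(grep -E '^[[:space:]]*(ssl_[a-z_]+|add_header)[[:space:]]' "$conf" \
        | grep -Ev ';[[:space:]]*$' || true)
    [ -z "$bad" ] || { echo "FAIL: missing ';' on: $bad"; fails=$((fails + 1)); }
    return "$fails"
}

# Constructed samples: a trimmed copy of the snippet above, and a weak variant
GOOD_CONF=$(mktemp); BAD_CONF=$(mktemp)
cat >"$GOOD_CONF" <<'EOF'
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:!aNULL:!eNULL:!RC4:!MD5';
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/letsencrypt/live/example.com/dhparams.pem;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
EOF
cat >"$BAD_CONF" <<'EOF'
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'AES128-SHA:RC4-SHA';
ssl_prefer_server_ciphers off;
ssl_dhparam /etc/letsencrypt/live/example.com/dhparams.pem
EOF
echo "== good =="; check_tls_conf "$GOOD_CONF" && echo "clean"
echo "== bad ==";  check_tls_conf "$BAD_CONF" || echo "$? check(s) failed"
```

Run it against the real server block before "service nginx restart"; it only greps the file, so it complements rather than replaces "nginx -t".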

Once the configuration is done, check it here; if you get an "A", you should be fine.
SSL LABS - SSL Server Test

[Note] letsencrypt has been changed to Certbot
Certbot - Welcome to the Certbot documentation!
