色々とオプションは存在するが、実行したコマンドと設定は以下の内容でメモとして記載しておく。
Ubuntu:
Distributor ID: Ubuntu
Description: Ubuntu 16.04.1 LTS
Release: 16.04
Codename: xenial
NGINX:
nginx version: nginx/1.10.0 (Ubuntu)
GIT:
git version 2.7.4
install letsencrypt
# git clone https://github.com/letsencrypt/letsencrypt.git
make keys for ssl
# /root/letsencrypt/letsencrypt-auto certonly --webroot -w /var/www/html/example.com -d example.com
add to crontab as root
# crontab -e
0 0 1 * * /root/letsencrypt/letsencrypt-auto certonly --webroot -w /var/www/html/example.com -d example.com --renew-by-default && service nginx restart
make dh param key (DH鍵交換用のパラメータキー)
# openssl dhparam -out dhparams.pem 2048
add to your using server directive of nginx.conf.
ssl on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/letsencrypt/live/example.com/dhparams.pem
=> SSLv3無効[POODLE対策]
=> 暗号化スイート明示
Configuring HSTS in NGINX
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
設定が完了したら、ここで確認して「A」だったらOKっしょ。
SSL LABS - SSL Server Test
[注意]letsencryptはCertbotへ変更
Certbot - Welcome to the Certbot documentation!