Monthly archive: December 2015

Obtaining an SSL/TLS certificate with Let's Encrypt

Here's the log of what I did, just to try it out.

$ git clone https://github.com/letsencrypt/letsencrypt
Cloning into 'letsencrypt'...
remote: Counting objects: 25463, done.
remote: Compressing objects: 100% (4/4), done.
remote: Total 25463 (delta 0), reused 0 (delta 0), pack-reused 25459
Receiving objects: 100% (25463/25463), 6.69 MiB | 2.66 MiB/s, done.
Resolving deltas: 100% (17848/17848), done.
Checking connectivity... done.
$ cd letsencrypt/
$ ./letsencrypt-auto --help
Bootstrapping dependencies for RedHat-based OSes...
[sudo] password for xxxx
yum は /bin/yum です

It installs all sorts of things. That's a bit scary.

完了しました!
Creating virtual environment...
Updating letsencrypt and virtual environment dependencies....../home/xxxx/.local/share/letsencrypt/lib/python2.7/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
InsecurePlatformWarning
.
Running with virtualenv: sudo /home/xxxx/.local/share/letsencrypt/bin/letsencrypt --help

letsencrypt [SUBCOMMAND] [options] [-d domain] [-d domain] …

The Let’s Encrypt agent can obtain and install HTTPS/TLS/SSL certificates. By
default, it will attempt to use a webserver both for obtaining and installing
the cert. Major SUBCOMMANDS are:

(default) run Obtain & install a cert in your current webserver
certonly Obtain cert, but do not install it (aka “auth”)
install Install a previously obtained cert in a server
revoke Revoke a previously obtained certificate
rollback Rollback server configuration changes made during install
config_changes Show changes made to server config during installation
plugins Display information about installed plugins

Choice of server plugins for obtaining and installing cert:

--apache Use the Apache plugin for authentication & installation
--standalone Run a standalone webserver for authentication
(nginx support is experimental, buggy, and not installed by default)
--webroot Place files in a server's webroot folder for authentication

OR use different plugins to obtain (authenticate) the cert and then install it:

--authenticator standalone --installer apache

More detailed help:

-h, --help [topic] print this message, or detailed help on a topic;
the available topics are:

all, automation, paths, security, testing, or any of the subcommands or
plugins (certonly, install, nginx, apache, standalone, webroot, etc)

$ ./letsencrypt-auto certonly --webroot -d xxxx.xx --webroot-path /www/
Updating letsencrypt and virtual environment dependencies.......
Running with virtualenv: sudo /home/xxxx/.local/share/letsencrypt/bin/letsencrypt certonly --webroot -d xxxx.xxx --webroot-path /www/

┌──────────────────────────────────────────────────────────────────────┐
│ Enter email address (used for urgent notices and lost key recovery) │
│ ┌──────────────────────────────────────────────────────────────────┐ │
│ │xxxx@xxxx.xx │ │
│ └──────────────────────────────────────────────────────────────────┘ │
├──────────────────────────────────────────────────────────────────────┤
│ < 了解 > < 取消 > │
└──────────────────────────────────────────────────────────────────────┘

┌──────────────────────────────────────────────────────────────────────┐
│ Please read the Terms of Service at │
│ https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf. You │
│ must agree in order to register with the ACME server at │
│ https://acme-v01.api.letsencrypt.org/directory │
├──────────────────────────────────────────────────────────────────────┤
└──────────────────────────────────────────────────────────────────────┘

IMPORTANT NOTES:
- If you lose your account credentials, you can recover through
e-mails sent to xxxx@xxxx.xx.
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/lowom.com/fullchain.pem. Your cert will
expire on 2016-03-10. To obtain a new version of the certificate in
the future, simply run Let's Encrypt again.
- Your account credentials have been saved in your Let's Encrypt
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Let's
Encrypt so making regular backups of this folder is ideal.
- If like Let's Encrypt, please consider supporting our work by:

Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

The validity period seems to be 90 days, so it's probably best to automate it and renew at intervals of something like 60 days.
I'd like to put something together with that in mind, but that's for another time.
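As an added example (not from this post and not the Let's Encrypt project's own code), here is the kind of cron-driven renewal script the paragraph above has in mind. It reads the certificate's expiry with openssl, computes how many days remain, and re-runs the same `certonly --webroot` command from the log when the remaining time drops below a threshold. The domain, e-mail, webroot and client path are placeholders; GNU `date -d` is assumed, and the `--renew-by-default`, `--non-interactive` and `--agree-tos` flags are assumed for the client of that era and do not appear in the post's help output.

```shell
#!/bin/sh
# Added example, not from the original post: renew a Let's Encrypt certificate
# once it is within THRESHOLD_DAYS of expiry. Intended to be run daily by cron.
# Assumptions (not on the page): GNU date, openssl, and a client that accepts
# --renew-by-default, --non-interactive and --agree-tos.

DOMAIN="example.invalid"                        # placeholder host name
EMAIL="admin@example.invalid"                   # placeholder contact address
WEBROOT="/www/"                                 # webroot path used in the post
LE_CLIENT="$HOME/letsencrypt/letsencrypt-auto"  # placeholder path to the clone
THRESHOLD_DAYS=30                               # renew when fewer days remain

# days_left_from_enddate "notAfter=Mar 10 00:00:00 2016 GMT" <now_epoch>
# Parses the line printed by `openssl x509 -enddate -noout` and prints the
# whole number of days from <now_epoch> until expiry (negative once expired).
days_left_from_enddate() {
    enddate=${1#notAfter=}
    now=$2
    expiry=$(date -u -d "$enddate" +%s) || return 1
    echo $(( (expiry - now) / 86400 ))
}

# should_renew <days_left> <threshold>: succeeds when renewal is due.
should_renew() {
    [ "$1" -lt "$2" ]
}

# Check the live certificate and renew it if it is close to expiry.
renew_if_needed() {
    cert="/etc/letsencrypt/live/$DOMAIN/cert.pem"
    if [ ! -r "$cert" ]; then
        echo "no readable certificate at $cert" >&2
        return 1
    fi
    enddate=$(openssl x509 -enddate -noout -in "$cert") || return 1
    days=$(days_left_from_enddate "$enddate" "$(date +%s)") || return 1
    if should_renew "$days" "$THRESHOLD_DAYS"; then
        echo "certificate for $DOMAIN expires in $days days, renewing"
        "$LE_CLIENT" certonly --webroot -d "$DOMAIN" --webroot-path "$WEBROOT" \
            --email "$EMAIL" --agree-tos --non-interactive --renew-by-default
    else
        echo "certificate for $DOMAIN still valid for $days days, nothing to do"
    fi
}

# Run the check only when invoked as `le-renew.sh run`, so the functions can
# also be sourced for testing. Cron line (placeholder path):
#   0 3 * * * /usr/local/bin/le-renew.sh run
if [ "${1:-}" = "run" ]; then
    renew_if_needed
fi
```

Running it daily with a 30-day threshold gives roughly the 60-day renewal cadence mentioned above while leaving a month of retries if the webroot challenge fails for a while. The script only logs the outcome; hooking the "renewing" branch up to a mail or monitoring alert is the natural next step, since a silently failing cron job is how these certificates end up expiring.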

If things like this are coming out, I wonder whether before long SSL will be the default for nearly all communication.