d87356e7af099fbf176b84491333ef7470ae8935
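--- a/Linux/Apache.md
+++ b/Linux/Apache.md
@@ -261,16 +261,91 @@ SSLCertificateChainFile /etc/letsencrypt/live/<ドメイン1>/chain.pem
 
 - /etc/httpd/conf.d/ssl.conf (抜粋)
 ```
+Listen 443 https
+SSLEngine on
 SSLCertificateFile /etc/letsencrypt/live/<ドメイン>/cert.pem
 SSLCertificateKeyFile /etc/letsencrypt/live/<ドメイン>/privkey.pem
 SSLCertificateChainFile /etc/letsencrypt/live/<ドメイン>/chain.pem
 ```
 
+- /etc/httpd/conf.d/VirtualHosts.conf (抜粋)
+バーチャルホスト毎に SSL 設定が必要。
+```
+<VirtualHost *:80 *:443>
+ ServerName vh1.<ドメイン1>
+ DocumentRoot /var/www/vh1-html/
+ SSLEngine on
+ SSLCertificateFile /etc/letsencrypt/live/<ドメイン1>/cert.pem
+ SSLCertificateKeyFile /etc/letsencrypt/live/<ドメイン1>/privkey.pem
+ SSLCertificateChainFile /etc/letsencrypt/live/<ドメイン1>/chain.pem
+ <Directory "/var/www/vh1-html">
+ AllowOverride All
+ </Directory>
+</VirtualHost>
+```
+
 - apache 再起動
 ```
-# systemctl restart httpd.service
+# systemctl restart httpd
 ```
 
+- 動作確認
+ ```
+ $ openssl s_client -connect <ホスト>:443
+ ```
+ - 設定失敗
+ ```
+ CONNECTED(00000003)
+ 140139752064912:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:794:
+ ---
+ no peer certificate available
+ ---
+ No client certificate CA names sent
+ ---
+ SSL handshake has read 7 bytes and written 289 bytes
+ ---
+ New, (NONE), Cipher is (NONE)
+ Secure Renegotiation IS NOT supported
+ Compression: NONE
+ Expansion: NONE
+ No ALPN negotiated
+ SSL-Session:
+ Protocol : TLSv1.2
+ Cipher : 0000
+ Session-ID:
+ Session-ID-ctx:
+ Master-Key:
+ Key-Arg : None
+ Krb5 Principal: None
+ PSK identity: None
+ PSK identity hint: None
+ Start Time: 1535884386
+ Timeout : 300 (sec)
+ Verify return code: 0 (ok)
+ ---
+ ```
+ - 設定成功
+ ```
+ CONNECTED(00000003)
+ depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
+ verify return:1
+ depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
+ verify return:1
+ depth=0 CN = *.<ドメイン1>
+ verify return:1
+ ---
+ Certificate chain
+ 0 s:/CN=*.<ドメイン1>
+ i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
+ 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
+ i:/O=Digital Signature Trust Co./CN=DST Root CA X3
+ ---
+ Server certificate
+ -----BEGIN CERTIFICATE-----
+ MIIGETCCBPmgAwIBAgISA3VBvI0cSyzAQGtpIaQKQRZxMA0GCSqGSIb3DQEBCwUA
+ ...
+ ```
+
 - 証明書更新<br />
 「--manual」で取得した場合は「renew」による自動更新ができないので、既存の証明書を削除し同名で取得し直す。
 ```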