d87356e7af099fbf176b84491333ef7470ae8935
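--- a/Linux/Apache.md
+++ b/Linux/Apache.md
@@ -261,16 +261,91 @@ SSLCertificateChainFile /etc/letsencrypt/live/<ドメイン1>/chain.pem
 
 - /etc/httpd/conf.d/ssl.conf (抜粋)
 ```
+Listen 443 https
+SSLEngine on
 SSLCertificateFile /etc/letsencrypt/live/<ドメイン>/cert.pem
 SSLCertificateKeyFile /etc/letsencrypt/live/<ドメイン>/privkey.pem
 SSLCertificateChainFile /etc/letsencrypt/live/<ドメイン>/chain.pem
 ```
 
+- /etc/httpd/conf.d/VirtualHosts.conf (抜粋)
+バーチャルホスト毎に SSL 設定が必要。
+```
+<VirtualHost *:80 *:443>
+ ServerName vh1.<ドメイン1>
+ DocumentRoot /var/www/vh1-html/
+ SSLEngine on
+ SSLCertificateFile /etc/letsencrypt/live/<ドメイン1>/cert.pem
+ SSLCertificateKeyFile /etc/letsencrypt/live/<ドメイン1>/privkey.pem
+ SSLCertificateChainFile /etc/letsencrypt/live/<ドメイン1>/chain.pem
+ <Directory "/var/www/vh1-html">
+ AllowOverride All
+ </Directory>
+</VirtualHost>
+```
+
 - apache 再起動
 ```
-# systemctl restart httpd.service
+# systemctl restart httpd
 ```
 
+- 動作確認
+ ```
+ $ openssl s_client -connect <ホスト>:443
+ ```
+ - 設定失敗
+ ```
+ CONNECTED(00000003)
+ 140139752064912:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:794:
+ ---
+ no peer certificate available
+ ---
+ No client certificate CA names sent
+ ---
+ SSL handshake has read 7 bytes and written 289 bytes
+ ---
+ New, (NONE), Cipher is (NONE)
+ Secure Renegotiation IS NOT supported
+ Compression: NONE
+ Expansion: NONE
+ No ALPN negotiated
+ SSL-Session:
+ Protocol : TLSv1.2
+ Cipher : 0000
+ Session-ID:
+ Session-ID-ctx:
+ Master-Key:
+ Key-Arg : None
+ Krb5 Principal: None
+ PSK identity: None
+ PSK identity hint: None
+ Start Time: 1535884386
+ Timeout : 300 (sec)
+ Verify return code: 0 (ok)
+ ---
+ ```
+ - 設定成功
+ ```
+ CONNECTED(00000003)
+ depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
+ verify return:1
+ depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
+ verify return:1
+ depth=0 CN = *.<ドメイン1>
+ verify return:1
+ ---
+ Certificate chain
+ 0 s:/CN=*.<ドメイン1>
+ i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
+ 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
+ i:/O=Digital Signature Trust Co./CN=DST Root CA X3
+ ---
+ Server certificate
+ -----BEGIN CERTIFICATE-----
+ MIIGETCCBPmgAwIBAgISA3VBvI0cSyzAQGtpIaQKQRZxMA0GCSqGSIb3DQEBCwUA
+ ...
+ ```
+
 - 証明書更新<br />
 「--manual」で取得した場合は「renew」による自動更新ができないので、既存の証明書を削除し同名で取得し直す。
 ```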