{"id":2375,"date":"2015-12-10T01:58:59","date_gmt":"2015-12-09T16:58:59","guid":{"rendered":"http:\/\/tech.akat.info\/?p=2375"},"modified":"2015-12-10T02:00:33","modified_gmt":"2015-12-09T17:00:33","slug":"lets-encrypt-debian9","status":"publish","type":"post","link":"https:\/\/tech.akat.info\/?p=2375","title":{"rendered":"Let&#8217;s Encrypt + debian9"},"content":{"rendered":"<p>\u516c\u958b\u30d9\u30fc\u30bf\u30d7\u30ed\u30b0\u30e9\u30e0(Public Beta Program)\u304c\u958b\u59cb\u3055\u308c\u305f<br \/>\ndebian9\u3067\u8a66\u3057\u3066\u307f\u308b<\/p>\n<h1>\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb<\/h1>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\nroot@debian9:\/usr\/local\/src# apt-get install git\r\n...\r\nroot@debian9:\/usr\/local\/src# git clone https:\/\/github.com\/letsencrypt\/letsencrypt\r\n...\r\nroot@debian9:\/usr\/local\/src# cd letsencrypt\r\n<\/pre>\n<h1>Let&#8217;s Encrypt \u30af\u30e9\u30a4\u30a2\u30f3\u30c8\u30bd\u30d5\u30c8\u30a6\u30a7\u30a2\u3092\u5b9f\u884c\u3067\u304d\u308b\u74b0\u5883\u304b\u78ba\u8a8d\u3059\u308b<\/h1>\n<p>\u78ba\u8a8d\u304c\u5b8c\u4e86\u3059\u308b\u3068Let&#8217;s Encrypt \u306e\u30d8\u30eb\u30d7\u304c\u8868\u793a\u3055\u308c\u308b<br \/>\n\u3069\u3046\u3082Debian\u7cfb\u304c\u30aa\u30b9\u30b9\u30e1\u306e\u6a21\u69d8(AmazonLinux\u306f\u73fe\u72b6experimental\u3089\u3057\u3044)<\/p>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\nroot@debian9:\/usr\/local\/src\/letsencrypt# .\/letsencrypt-auto --help\r\n...\r\n   apt-get install -y --no-install-recommends git python python-dev virtualenv \r\n   python-virtualenv gcc dialog libaugeas0 libssl-dev libffi-dev ca-certificates\r\n   \u3068\u3044\u3046\u30b3\u30de\u30f3\u30c9\u304c\u5b9f\u884c\u3055\u308c\u305f\r\n...\r\n  letsencrypt &#x5B;SUBCOMMAND] &#x5B;options] &#x5B;-d domain] &#x5B;-d domain] ...\r\n\r\nThe Let's Encrypt agent can obtain and install HTTPS\/TLS\/SSL certificates.  
By\r\ndefault, it will attempt to use a webserver both for obtaining and installing\r\nthe cert. Major SUBCOMMANDS are:\r\n\r\n  (default) run        Obtain &amp; install a cert in your current webserver\r\n  certonly             Obtain cert, but do not install it (aka &quot;auth&quot;)\r\n  install              Install a previously obtained cert in a server\r\n  revoke               Revoke a previously obtained certificate\r\n  rollback             Rollback server configuration changes made during install\r\n  config_changes       Show changes made to server config during installation\r\n  plugins              Display information about installed plugins\r\n...\r\n\r\n<\/pre>\n<h1>nginx\u306e\u8a3c\u660e\u66f8\u3092\u4f5c\u6210\u3059\u308b<\/h1>\n<p>\u4ee5\u4e0b\u3092nginx\u306e\u30b5\u30a4\u30c8\u8a2d\u5b9a\u306b\u8ffd\u8a18<br \/>\n※ \/tmp は全ユーザーが書き込める共有領域で、再起動時に消えることもあるため、本番環境では root 所有の専用ディレクトリを webroot にするほうが安全<\/p>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\nlocation '\/.well-known\/acme-challenge' {\r\ndefault_type &quot;text\/plain&quot;;\r\nroot \/tmp\/letsencrypt-auto;\r\n}\r\n<\/pre>\n<p>\u8a3c\u660e\u66f8\u3092\u4f5c\u6210\u3059\u308b<br \/>\n\u9014\u4e2d\u3067Email\u767b\u9332\u753b\u9762\u304c\u3067\u3066\u304f\u308b<br \/>\n<a href=\"http:\/\/tech.akat.info\/wp-content\/uploads\/2015\/12\/2015-12-09_231055.png\" rel=\"attachment wp-att-2378\"><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/tech.akat.info\/wp-content\/uploads\/2015\/12\/2015-12-09_231055.png\" alt=\"2015-12-09_231055\" width=\"300\" height=\"120\" class=\"alignnone size-medium wp-image-2378\" \/><\/a><\/p>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\nroot@debian9:\/home\/shimizu# export DOMAIN=&quot;-d tech.akat.info -d akat.info&quot;\r\nroot@debian9:\/home\/shimizu# export DIR=\/tmp\/letsencrypt-auto\r\nroot@debian9:\/home\/shimizu# mkdir -p $DIR &amp;&amp; \/usr\/local\/src\/letsencrypt\/letsencrypt-auto certonly --server https:\/\/acme-v01.api.letsencrypt.org\/directory -a webroot --webroot-path=$DIR --agree-tos 
$DOMAIN\r\nUpdating letsencrypt and virtual environment dependencies.......\r\nRunning with virtualenv: \/root\/.local\/share\/letsencrypt\/bin\/letsencrypt certonly --server https:\/\/acme-v01.api.letsencrypt.org\/directory -a webroot --webroot-path=\/tmp\/letsencrypt-auto --agree-tos -d tech.akat.info -d akat.info\r\n\r\n\r\nIMPORTANT NOTES:\r\n - Congratulations! Your certificate and chain have been saved at\r\n   \/etc\/letsencrypt\/live\/tech.akat.info\/fullchain.pem. Your cert will\r\n   expire on 2016-03-08. To obtain a new version of the certificate in\r\n   the future, simply run Let's Encrypt again.\r\n - If like Let's Encrypt, please consider supporting our work by:\r\n\r\n   Donating to ISRG \/ Let's Encrypt:   https:\/\/letsencrypt.org\/donate\r\n   Donating to EFF:                    https:\/\/eff.org\/donate-le\r\n\r\nroot@debian9:\/home\/shimizu# ls \/etc\/letsencrypt\/live\/tech.akat.info\/\r\ncert.pem  chain.pem  fullchain.pem  privkey.pem\r\n<\/pre>\n<h1>SSL\u8a3c\u660e\u66f8\u3092\u8a2d\u7f6e\u3059\u308b<\/h1>\n<p>SSL\u8a2d\u5b9a\u306b\u3064\u3044\u3066\u306f<a href=\"https:\/\/mozilla.github.io\/server-side-tls\/ssl-config-generator\/\">Mozilla SSL Configuration Generator<\/a>\u3092\u5229\u7528\u3057\u305f<br \/>\n※ ssl_certificate と ssl_certificate_key のパスは、証明書が実際に保存されたディレクトリ(上の実行結果では \/etc\/letsencrypt\/live\/tech.akat.info\/)に合わせること<br \/>\n※ 以下は2015年時点の設定。TLSv1 と TLSv1.1 は現在非推奨(RFC 8996)なので、新規に設定する場合は最新の推奨値を生成し直すこと<\/p>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\nlisten 443 ssl;\r\n# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate\r\nssl_certificate \/etc\/letsencrypt\/live\/akat.info\/fullchain.pem;\r\nssl_certificate_key \/etc\/letsencrypt\/live\/akat.info\/privkey.pem;\r\nssl_session_timeout 1d;\r\nssl_session_cache shared:SSL:50m;\r\nssl_session_tickets off;\r\n\r\n# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits\r\nssl_dhparam \/etc\/ssl\/private\/dhparam.pem;\r\n\r\n# intermediate configuration. 
tweak to your needs.\r\nssl_protocols TLSv1 TLSv1.1 TLSv1.2;\r\nssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';\r\nssl_prefer_server_ciphers on;\r\n<\/pre>\n<p>\u30a2\u30af\u30bb\u30b9\u3059\u308b\u3068<br \/>\n<a href=\"http:\/\/tech.akat.info\/wp-content\/uploads\/2015\/12\/2015-12-10_013930.png\" rel=\"attachment wp-att-2377\"><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/tech.akat.info\/wp-content\/uploads\/2015\/12\/2015-12-10_013930.png\" alt=\"2015-12-10_013930\" width=\"300\" height=\"138\" class=\"alignnone size-medium wp-image-2377\" \/><\/a><br \/>\n<a href=\"http:\/\/tech.akat.info\/wp-content\/uploads\/2015\/12\/2015-12-10_015401.png\" rel=\"attachment wp-att-2376\"><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/tech.akat.info\/wp-content\/uploads\/2015\/12\/2015-12-10_015401.png\" alt=\"2015-12-10_015401\" width=\"913\" height=\"516\" class=\"alignnone size-full wp-image-2376\" \/><\/a><\/p>\n<h1>\u56f0\u3063\u305f\u3068\u304d\u306e\u8a3c\u660e\u66f8\u78ba\u8a8d\u65b9\u6cd5<\/h1>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\nroot@debian9:\/home\/shimizu# openssl x509 -text -noout -in \/etc\/letsencrypt\/live\/tech.akat.info\/fullchain.pem\r\nCertificate:\r\n    Data:\r\n        Version: 3 
(0x2)\r\n        Serial Number:\r\n            01:10:86:c4:52:70:57:06:82:e6:bc:1a:ee:bc:ba:1b:1e:28\r\n    Signature Algorithm: sha256WithRSAEncryption\r\n        Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X1\r\n        Validity\r\n            Not Before: Dec  9 15:13:00 2015 GMT\r\n            Not After : Mar  8 15:13:00 2016 GMT\r\n        Subject: CN=tech.akat.info\r\n...\r\n\r\nroot@debian9:\/home\/shimizu# openssl s_client -connect tech.akat.info:443 -showcerts\r\n### s:\u8a3c\u660e\u66f8\u60c5\u5831\u3001i:\u8a3c\u660e\u66f8\u767a\u884c\u8005\u60c5\u5831 ###\r\n...\r\nCertificate chain\r\n 0 s:\/CN=tech.akat.info\r\n   i:\/C=US\/O=Let's Encrypt\/CN=Let's Encrypt Authority X1\r\n...\r\n\r\n<\/pre>\n<h1>\u53c2\u8003URL<\/h1>\n<p><a href=\"https:\/\/letsencrypt.jp\/usage\/\">Let&#8217;s Encrypt \u306e\u4f7f\u3044\u65b9<\/a><br \/>\n<a href=\"https:\/\/letsencrypt.org\/howitworks\/\">How It Works<\/a><br \/>\n<a href=\"https:\/\/gist.github.com\/renchap\/c093702f06df69ba5cac\">One-line certificate generation\/renews with Letsencrypt and nginx<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u516c\u958b\u30d9\u30fc\u30bf\u30d7\u30ed\u30b0\u30e9\u30e0(Public Beta Program)\u304c\u958b\u59cb\u3055\u308c\u305f debian9\u3067\u8a66\u3057\u3066\u307f\u308b \u30a4\u30f3\u30b9\u30c8\u30fc\u30eb root@debian9:\/usr\/local\/src# apt-get install git .. 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[18],"tags":[],"_links":{"self":[{"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/posts\/2375"}],"collection":[{"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/tech.akat.info\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2375"}],"version-history":[{"count":3,"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/posts\/2375\/revisions"}],"predecessor-version":[{"id":2381,"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/posts\/2375\/revisions\/2381"}],"wp:attachment":[{"href":"https:\/\/tech.akat.info\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2375"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/tech.akat.info\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2375"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/tech.akat.info\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2375"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}