月: 2017年4月

startcomから発行してもらっていたSSLの証明書が使い物にならなくなったので、letsencryptに乗り換えてみた。

# pkg install py27-certbot

# service apache24 stop

# certbot certonly --standalone --standalone-supported-challenges tls-sni-01 -d rose.everblooming.net

# vim /usr/local/etc/apache24/extra/httpd-ssl.conf

# diff -uN httpd-ssl.conf.bak httpd-ssl.conf
--- httpd-ssl.conf.bak 2017-04-24 21:40:38.569599000 +0900
+++ httpd-ssl.conf 2017-04-24 21:43:26.561690000 +0900
@@ -141,7 +141,8 @@
 # Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt)
 # require an ECC certificate which can also be configured in
 # parallel.
-SSLCertificateFile "/usr/local/etc/apache24/server.crt"
+SSLCertificateFile "/usr/local/etc/letsencrypt/live/rose.everblooming.net/cert.pem"
+#SSLCertificateFile "/usr/local/etc/apache24/server.crt"
 #SSLCertificateFile "/usr/local/etc/apache24/server-dsa.crt"
 #SSLCertificateFile "/usr/local/etc/apache24/server-ecc.crt"
 
@@ -151,7 +152,8 @@
 # you've both a RSA and a DSA private key you can configure
 # both in parallel (to also allow the use of DSA ciphers, etc.)
 # ECC keys, when in use, can also be configured in parallel
-SSLCertificateKeyFile "/usr/local/etc/apache24/server.key"
+SSLCertificateKeyFile "/usr/local/etc/letsencrypt/live/rose.everblooming.net/privkey.pem"
+#SSLCertificateKeyFile "/usr/local/etc/apache24/server.key"
 #SSLCertificateKeyFile "/usr/local/etc/apache24/server-dsa.key"
 #SSLCertificateKeyFile "/usr/local/etc/apache24/server-ecc.key"
 
@@ -162,6 +164,7 @@
 # the referenced file can be the same as SSLCertificateFile
 # when the CA certificates are directly appended to the server
 # certificate for convenience.
+SSLCertificateChainFile "/usr/local/etc/letsencrypt/live/rose.everblooming.net/chain.pem"
 #SSLCertificateChainFile "/usr/local/etc/apache24/server-ca.crt"
 
 # Certificate Authority (CA):

# service apache24 start

ついでにキーの更新スクリプトも書いて/usr/local/etc/periodic/weekly に置いてみた。来週のCharlie Rootからのweekly run output reportが出てきたら確認する。

(4/26) 追記

ReadyNASの方もやってみた。

ここにある「その他のUNIX系OS」の手順でインストールはできたが、認証がうまくいかなかった。

外向けにはIPv6しかアドレスを公開してないのだけど、ログにはそのアドレスを認識しててうまくいきそうなもんだけどダメ。

色々調べたら認証で使われてる acme/standalone.py がIPv4でしかLISTENしてないっぽいのでここのコードを参考に以下の修正をしてみたらうまくいった。

$ diff -uN standalone_org.py standalone.py
--- standalone_org.py 2017-04-25 19:56:13.820337980 +0900
+++ standalone.py 2017-04-25 19:56:13.820337980 +0900
@@ -5,6 +5,7 @@
 import logging 
 import os 
 import sys 
+import socket 
 
 from six.moves import BaseHTTPServer # type: ignore # pylint: disable=import-error 
 from six.moves import http_client  # pylint: disable=import-error 
@@ -26,6 +27,7 @@ 
     """Generic TLS Server.""" 
 
     def __init__(self, *args, **kwargs): 
+        self.address_family = socket.AF_INET6 
         self.certs = kwargs.pop("certs", {}) 
         self.method = kwargs.pop( 
             # pylint: disable=protected-access

roseに入れていたFreeBSD 10.3-Rを11.0-Rにアップグレードした．

こことかここに書いてある手順で実行．

# : > /usr/bin/bspatch
# freebsd-update upgrade -r 11.0-RELEASE
# freebsd-update install

 <reboot the system>
# shutdown -r now

# freebsd-update install

<rebuild third-party software>
# pkg-static install -fy pkg
# pkg upgrade -y

# freebsd-update install

 <reboot the system>
# shutdown -r now

これでこんな感じになった．

% uname -a
FreeBSD rose 11.0-RELEASE-p9 FreeBSD 11.0-RELEASE-p9 #0: Tue Apr 11 08:48:40 UTC 2017 root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC amd64
% freebsd-version -ku
11.0-RELEASE-p9
11.0-RELEASE-p9