startcomから発行してもらっていたSSLの証明書が使い物にならなくなったので、letsencryptに乗り換えてみた。
# pkg install py27-certbot # service apache24 stop # certbot certonly --standalone --standalone-supported-challenges tls-sni-01 -d rose.everblooming.net # vim /usr/local/etc/apache24/extra/httpd-ssl.conf # diff -uN httpd-ssl.conf.bak httpd-ssl.conf --- httpd-ssl.conf.bak 2017-04-24 21:40:38.569599000 +0900 +++ httpd-ssl.conf 2017-04-24 21:43:26.561690000 +0900 @@ -141,7 +141,8 @@ # Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt) # require an ECC certificate which can also be configured in # parallel. -SSLCertificateFile "/usr/local/etc/apache24/server.crt" +SSLCertificateFile "/usr/local/etc/letsencrypt/live/rose.everblooming.net/cert.pem" +#SSLCertificateFile "/usr/local/etc/apache24/server.crt" #SSLCertificateFile "/usr/local/etc/apache24/server-dsa.crt" #SSLCertificateFile "/usr/local/etc/apache24/server-ecc.crt" @@ -151,7 +152,8 @@ # you've both a RSA and a DSA private key you can configure # both in parallel (to also allow the use of DSA ciphers, etc.) # ECC keys, when in use, can also be configured in parallel -SSLCertificateKeyFile "/usr/local/etc/apache24/server.key" +SSLCertificateKeyFile "/usr/local/etc/letsencrypt/live/rose.everblooming.net/privkey.pem" +#SSLCertificateKeyFile "/usr/local/etc/apache24/server.key" #SSLCertificateKeyFile "/usr/local/etc/apache24/server-dsa.key" #SSLCertificateKeyFile "/usr/local/etc/apache24/server-ecc.key" @@ -162,6 +164,7 @@ # the referenced file can be the same as SSLCertificateFile # when the CA certificates are directly appended to the server # certificate for convenience. +SSLCertificateChainFile "/usr/local/etc/letsencrypt/live/rose.everblooming.net/chain.pem" #SSLCertificateChainFile "/usr/local/etc/apache24/server-ca.crt" # Certificate Authority (CA): # service apache24 start
ついでにキーの更新スクリプトも書いて/usr/local/etc/periodic/weekly に置いてみた。来週のCharlie Rootからのweekly run output reportが出てきたら確認する。
(4/26) 追記
ReadyNASの方もやってみた。
ここにある「その他のUNIX系OS」の手順でインストールはできたが、認証がうまくいかなかった。
外向けにはIPv6しかアドレスを公開してないのだけど、ログにはそのアドレスを認識しててうまくいきそうなもんだけどダメ。
色々調べたら認証で使われてる acme/standalone.py がIPv4でしかLISTENしてないっぽいのでここのコードを参考に以下の修正をしてみたらうまくいった。
$ diff -uN standalone_org.py standalone.py
--- standalone_org.py 2017-04-25 19:56:13.820337980 +0900
+++ standalone.py 2017-04-25 19:56:13.820337980 +0900
@@ -5,6 +5,7 @@
import logging
import os
import sys
+import socket
from six.moves import BaseHTTPServer # type: ignore # pylint: disable=import-error
from six.moves import http_client # pylint: disable=import-error
@@ -26,6 +27,7 @@
"""Generic TLS Server."""
def __init__(self, *args, **kwargs):
+ self.address_family = socket.AF_INET6
self.certs = kwargs.pop("certs", {})
self.method = kwargs.pop(
# pylint: disable=protected-access