Unlimited Free SSL/TLS Certificates


By Nicolas Raymond - Cosmic Rose (2014) / CC BY 2.0

* Limited to domain-validated (DV) certificates, though

  • So let's actually issue a certificate for asannou.0t0.jp
$ sudo docker run -it --rm -p 443:443 -v $(pwd)/letsencrypt:/etc/letsencrypt \
> quay.io/letsencrypt/letsencrypt certonly \
> -a standalone \
> -m asannou@example.com \
> -d asannou.0t0.jp \
> --standalone-supported-challenges tls-sni-01
  • If port 443 is not available, use port 80 instead
$ sudo docker run -it --rm -p 80:80 -v $(pwd)/letsencrypt:/etc/letsencrypt \
> quay.io/letsencrypt/letsencrypt certonly \
> -a standalone \
> -m asannou@example.com \
> -d asannou.0t0.jp \
> --standalone-supported-challenges http-01

Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf. You
must agree in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory

  • After agreeing to the Terms of Service, it has succeeded if the following message appears
IMPORTANT NOTES:
 - If you lose your account credentials, you can recover through
   e-mails sent to asannou@example.com.
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/asannou.0t0.jp/fullchain.pem. Your cert will
   expire on 2016-03-03. To obtain a new version of the certificate in
   the future, simply run Let's Encrypt again.
 - Your account credentials have been saved in your Let's Encrypt
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Let's
   Encrypt so making regular backups of this folder is ideal.
 - If you like Let's Encrypt, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
  • A set of files has been generated under letsencrypt/ in the current directory
$ sudo tree -A letsencrypt
letsencrypt
├── accounts
│     └── acme-v01.api.letsencrypt.org
│         └── directory
│           └── 5718fec7af7ec2b3783d69300cfc0789
│               ├── meta.json
│               ├── private_key.json
│               └── regr.json
├── archive
│   └── asannou.0t0.jp
│       ├── cert1.pem
│       ├── chain1.pem
│       ├── fullchain1.pem
│       └── privkey1.pem
├── csr
│   └── 0000_csr-letsencrypt.pem
├── keys
│   └── 0000_key-letsencrypt.pem
├── live
│   └── asannou.0t0.jp
│       ├── cert.pem -> ../../archive/asannou.0t0.jp/cert1.pem
│       ├── chain.pem -> ../../archive/asannou.0t0.jp/chain1.pem
│       ├── fullchain.pem -> ../../archive/asannou.0t0.jp/fullchain1.pem
│       └── privkey.pem -> ../../archive/asannou.0t0.jp/privkey1.pem
└── renewal
    └── asannou.0t0.jp.conf

11 directories, 14 files
  • The certificate is at letsencrypt/live/asannou.0t0.jp/cert.pem
$ sudo openssl x509 -text -noout -in letsencrypt/live/asannou.0t0.jp/cert.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            01:aa:6c:81:85:99:b9:f9:e9:e5:f6:f7:4d:78:df:a9:fb:d3
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X1
        Validity
            Not Before: Dec  4 05:49:00 2015 GMT
            Not After : Mar  3 05:49:00 2016 GMT
        Subject: CN=asannou.0t0.jp
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    ...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                C5:85:E4:49:C5:3F:10:DD:C7:43:C6:47:33:2A:72:50:A6:4A:8E:EC
            X509v3 Authority Key Identifier:
                keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1

            Authority Information Access:
                OCSP - URI:http://ocsp.int-x1.letsencrypt.org/
                CA Issuers - URI:http://cert.int-x1.letsencrypt.org/

            X509v3 Subject Alternative Name:
                DNS:asannou.0t0.jp
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1
                  CPS: http://cps.letsencrypt.org
                  User Notice:
                    Explicit Text: This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/repository/

    Signature Algorithm: sha256WithRSAEncryption
         ...
  • Check with OpenSSL's s_server that a browser can authenticate the server correctly
    • Because of a problem on iOS, use cert.pem rather than fullchain.pem
$ sudo openssl s_server \
> -cert letsencrypt/live/asannou.0t0.jp/cert.pem \
> -key letsencrypt/live/asannou.0t0.jp/privkey.pem \
> -CAfile letsencrypt/live/asannou.0t0.jp/chain.pem \
> -www \
> -accept 443
  • Open https://asannou.0t0.jp/ in a browser; when the list of supported cipher suites is displayed, you are done
  • Left as-is, the certificate expires after 90 days, so renew it once 60 days have elapsed
$ sudo docker run -it --rm -p 443:443 -v $(pwd)/letsencrypt:/etc/letsencrypt \
> quay.io/letsencrypt/letsencrypt certonly \
> -a standalone \
> -m asannou@example.com \
> -d asannou.0t0.jp \
> --standalone-supported-challenges tls-sni-01 \
> --renew-by-default

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/asannou.0t0.jp/fullchain.pem. Your cert will
   expire on 2016-04-03. To obtain a new version of the certificate in
   the future, simply run Let's Encrypt again.
 - If you like Let's Encrypt, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
  • This process can be automated, so by repeating it every month you can keep an SSL/TLS server running free of charge forever
  • If you would like to replace a domain-validated certificate or move your site to HTTPS, please get in touch
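To automate the renewal step just described, here is an added example (not part of the original slides, and not the Let's Encrypt client's own renewal logic): a small script that reads the expiry date of cert.pem via openssl and, when 30 or fewer days remain (the slides' "renew after 60 days" rule against a 90-day lifetime), re-runs the same docker invocation with --renew-by-default. The 30-day threshold, the relative letsencrypt/ directory, the dropped -it (no TTY under cron) and the assumption that it runs as a user allowed to run docker are all mine.

```python
"""Renewal check for a certificate issued with the standalone docker client
shown in these slides.  Added example; the threshold, paths and assumptions
are the example's own, not the project's."""
import datetime as dt
import subprocess
from pathlib import Path

DOMAIN = "asannou.0t0.jp"
EMAIL = "asannou@example.com"
LE_DIR = "letsencrypt"        # bind-mounted to /etc/letsencrypt, as in the slides
RENEW_WHEN_DAYS_LEFT = 30     # 90-day lifetime, renew after 60 days => 30 left (assumption)


def parse_not_after(openssl_line: str) -> dt.datetime:
    """Parse the 'notAfter=Mar  3 05:49:00 2016 GMT' line printed by
    `openssl x509 -noout -enddate` into a timezone-aware UTC datetime."""
    _, _, value = openssl_line.strip().partition("=")
    naive = dt.datetime.strptime(value, "%b %d %H:%M:%S %Y %Z")
    return naive.replace(tzinfo=dt.timezone.utc)


def days_left(not_after: dt.datetime, now: dt.datetime) -> int:
    """Whole days until expiry; negative once the certificate has expired."""
    return (not_after - now).days


def needs_renewal(not_after: dt.datetime, now: dt.datetime,
                  threshold: int = RENEW_WHEN_DAYS_LEFT) -> bool:
    """True when the remaining lifetime is at or below the threshold.
    An already-expired certificate (negative days) is also renewed."""
    return days_left(not_after, now) <= threshold


def renew_command(domain: str, email: str, le_dir,
                  challenge: str = "tls-sni-01", port: int = 443) -> list:
    """The docker invocation from the slides plus --renew-by-default.
    -it is omitted because cron has no TTY; sudo is assumed unnecessary."""
    host_dir = Path(le_dir).resolve()
    return [
        "docker", "run", "--rm", "-p", f"{port}:{port}",
        "-v", f"{host_dir}:/etc/letsencrypt",
        "quay.io/letsencrypt/letsencrypt", "certonly",
        "-a", "standalone", "-m", email, "-d", domain,
        "--standalone-supported-challenges", challenge,
        "--renew-by-default",
    ]


def read_not_after(cert_path) -> dt.datetime:
    """Ask the system openssl for the notAfter date of a PEM certificate."""
    out = subprocess.run(
        ["openssl", "x509", "-noout", "-enddate", "-in", str(cert_path)],
        check=True, capture_output=True, text=True,
    ).stdout
    return parse_not_after(out)


def main() -> None:
    cert = Path(LE_DIR) / "live" / DOMAIN / "cert.pem"
    not_after = read_not_after(cert)
    now = dt.datetime.now(dt.timezone.utc)
    print(f"{DOMAIN}: {days_left(not_after, now)} day(s) left")
    if needs_renewal(not_after, now):
        subprocess.run(renew_command(DOMAIN, EMAIL, LE_DIR), check=True)
    else:
        print("no renewal needed")


if __name__ == "__main__":
    main()
```

Run it daily from cron rather than once a month: the check is cheap, and a failed renewal attempt then gets retried the next day while the old certificate is still valid, instead of being noticed only after expiry.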

What follows is a digression

Error: urn:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new cert :: Too many certificates already issued for: 0t0.jp
    • The number turned out to be finite after all
    • There is a limit per domain
  • Amazon EC2 gives each instance a public DNS name of the form *.compute.amazonaws.com; can a certificate be issued for that as well?
An unexpected error occurred:
The request message was malformed :: Error creating new authz :: Name is blacklisted