Unlimited free SSL/TLS certificates
By Nicolas Raymond - Cosmic Rose (2014) / CC BY 2.0
※ Domain-validated (DV) certificates only, though
- As of yesterday, Let's Encrypt - Free SSL/TLS Certificates has entered public beta (Entering Public Beta - Let's Encrypt - Free SSL/TLS Certificates), so anyone can now have an SSL/TLS certificate issued for free
- EFF's "Let's Encrypt" project, which makes websites HTTPS for free, is now in public beta - ITmedia NEWS
- All you need is the right to listen on port 443 or 80 of the host the domain name resolves to
- So let's actually have a certificate issued for asannou.0t0.jp
- Since I don't want to touch the current environment, I'll run quay.io/letsencrypt/letsencrypt under docker
- Run it with the contact address asannou@example.com and the domain name asannou.0t0.jp
```
$ sudo docker run -it --rm -p 443:443 -v $(pwd)/letsencrypt:/etc/letsencrypt \
> quay.io/letsencrypt/letsencrypt certonly \
> -a standalone \
> -m asannou@example.com \
> -d asannou.0t0.jp \
> --standalone-supported-challenges tls-sni-01
```
- If port 443 cannot be used, use port 80 instead
```
$ sudo docker run -it --rm -p 80:80 -v $(pwd)/letsencrypt:/etc/letsencrypt \
> quay.io/letsencrypt/letsencrypt certonly \
> -a standalone \
> -m asannou@example.com \
> -d asannou.0t0.jp \
> --standalone-supported-challenges http-01
```
```
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf. You
must agree in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
```
- After agreeing to the Terms of Service, issuance has succeeded when the following message appears
```
IMPORTANT NOTES:
 - If you lose your account credentials, you can recover through
   e-mails sent to asannou@example.com.
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/asannou.0t0.jp/fullchain.pem. Your cert will
   expire on 2016-03-03. To obtain a new version of the certificate in
   the future, simply run Let's Encrypt again.
 - Your account credentials have been saved in your Let's Encrypt
   configuration directory at /etc/letsencrypt. You should make a secure
   backup of this folder now. This configuration directory will also
   contain certificates and private keys obtained by Let's Encrypt so
   making regular backups of this folder is ideal.
 - If you like Let's Encrypt, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
```
- The files have been generated under letsencrypt/ in the current directory
```
$ sudo tree -A letsencrypt
letsencrypt
├── accounts
│   └── acme-v01.api.letsencrypt.org
│       └── directory
│           └── 5718fec7af7ec2b3783d69300cfc0789
│               ├── meta.json
│               ├── private_key.json
│               └── regr.json
├── archive
│   └── asannou.0t0.jp
│       ├── cert1.pem
│       ├── chain1.pem
│       ├── fullchain1.pem
│       └── privkey1.pem
├── csr
│   └── 0000_csr-letsencrypt.pem
├── keys
│   └── 0000_key-letsencrypt.pem
├── live
│   └── asannou.0t0.jp
│       ├── cert.pem -> ../../archive/asannou.0t0.jp/cert1.pem
│       ├── chain.pem -> ../../archive/asannou.0t0.jp/chain1.pem
│       ├── fullchain.pem -> ../../archive/asannou.0t0.jp/fullchain1.pem
│       └── privkey.pem -> ../../archive/asannou.0t0.jp/privkey1.pem
└── renewal
    └── asannou.0t0.jp.conf

11 directories, 14 files
```
- The certificate is at letsencrypt/live/asannou.0t0.jp/cert.pem; privkey.pem next to it and accounts/.../private_key.json are the private keys the note above tells you to back up securely
```
$ sudo openssl x509 -text -noout -in letsencrypt/live/asannou.0t0.jp/cert.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            01:aa:6c:81:85:99:b9:f9:e9:e5:f6:f7:4d:78:df:a9:fb:d3
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X1
        Validity
            Not Before: Dec  4 05:49:00 2015 GMT
            Not After : Mar  3 05:49:00 2016 GMT
        Subject: CN=asannou.0t0.jp
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    ...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                C5:85:E4:49:C5:3F:10:DD:C7:43:C6:47:33:2A:72:50:A6:4A:8E:EC
            X509v3 Authority Key Identifier:
                keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1

            Authority Information Access:
                OCSP - URI:http://ocsp.int-x1.letsencrypt.org/
                CA Issuers - URI:http://cert.int-x1.letsencrypt.org/

            X509v3 Subject Alternative Name:
                DNS:asannou.0t0.jp
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1
                  CPS: http://cps.letsencrypt.org
                  User Notice:
                    Explicit Text: This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/repository/

    Signature Algorithm: sha256WithRSAEncryption
         ...
```
```
$ sudo openssl s_server \
> -cert letsencrypt/live/asannou.0t0.jp/cert.pem \
> -key letsencrypt/live/asannou.0t0.jp/privkey.pem \
> -CAfile letsencrypt/live/asannou.0t0.jp/chain.pem \
> -www \
> -accept 443
```
- Open https://asannou.0t0.jp/ in a browser; once the page listing the supported cipher suites is displayed, you're done
- Left as is, the certificate expires after 90 days, so renew it once 60 days have passed
```
$ sudo docker run -it --rm -p 443:443 -v $(pwd)/letsencrypt:/etc/letsencrypt \
> quay.io/letsencrypt/letsencrypt certonly \
> -a standalone \
> -m asannou@example.com \
> -d asannou.0t0.jp \
> --standalone-supported-challenges tls-sni-01 \
> --renew-by-default

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/asannou.0t0.jp/fullchain.pem. Your cert will
   expire on 2016-04-03. To obtain a new version of the certificate in
   the future, simply run Let's Encrypt again.
 - If you like Let's Encrypt, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
```
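The issuance, inspection and renewal steps above, folded into one script as an added example (this is not code from the post or from the Let's Encrypt client). It renews only when fewer than a configurable number of days remain, then checks that the certificate in live/ actually matches privkey.pem, lists every requested name in its subjectAltName, is not readable by other users, and chains to a trusted root. It assumes the same quay.io/letsencrypt/letsencrypt image, the standalone http-01 challenge on port 80 with every name in DOMAINS resolving to this host, the live/ layout shown in the tree above, and that the client accepts --agree-tos so that the Terms of Service prompt does not block an unattended run. Listing several names with repeated -d puts them all on one certificate, which is one issuance rather than one per subdomain.

```shell
#!/bin/sh
# Added example, not from the original post or the Let's Encrypt client:
# renew the certificate from the steps above only when it is close to
# expiry, then sanity-check the result before a web server is pointed at it.
# Assumptions: the quay.io/letsencrypt/letsencrypt image, the standalone
# http-01 challenge on port 80 (every name in DOMAINS resolves to this host),
# the live/ layout shown in the tree above, and --agree-tos being accepted.
set -eu

LE_DIR="${LE_DIR:-$(pwd)/letsencrypt}"       # mounted into the container as /etc/letsencrypt
EMAIL="${EMAIL:-asannou@example.com}"
DOMAINS="${DOMAINS:-asannou.0t0.jp}"         # space-separated; all names go on one certificate
RENEW_BEFORE_DAYS="${RENEW_BEFORE_DAYS:-30}" # renew once fewer than this many days remain

# True (exit 0) when no certificate exists yet or it expires within $2 days.
# openssl exits 0 from -checkend while the certificate is still valid after
# that many seconds, so the result is inverted.
needs_renewal() {
    cert=$1; days=$2
    [ -f "$cert" ] || return 0
    if openssl x509 -noout -checkend $(( days * 86400 )) -in "$cert" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# True when the public key inside the certificate is the one derived from the
# private key, i.e. cert.pem and privkey.pem in live/ really are a pair.
key_matches_cert() {
    cert=$1; key=$2
    from_cert=$(openssl x509 -noout -pubkey -in "$cert")
    from_key=$(openssl pkey -pubout -in "$key")
    [ "$from_cert" = "$from_key" ]
}

# True when every name given after the certificate path appears as a DNS
# entry in the subjectAltName extension (browsers ignore the Subject CN).
cert_covers() {
    cert=$1; shift
    san=$(openssl x509 -noout -text -in "$cert" \
          | grep -A1 'Subject Alternative Name' | tail -n 1)
    for name in "$@"; do
        case " $san " in
            *"DNS:$name,"*|*"DNS:$name "*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# True when the private key is readable by its owner only (no r bit for group
# or other). ls -L follows the symlink from live/ into archive/.
key_is_private() {
    case "$(ls -lL "$1" | cut -c5-10)" in
        *r*) return 1 ;;
    esac
    return 0
}

# Issue (or re-issue) one certificate covering all of $DOMAINS. --agree-tos
# replaces the interactive Terms of Service prompt so this can run from cron.
issue() {
    set --
    for d in $DOMAINS; do set -- "$@" -d "$d"; done
    sudo docker run --rm -p 80:80 -v "$LE_DIR:/etc/letsencrypt" \
        quay.io/letsencrypt/letsencrypt certonly \
        -a standalone \
        --agree-tos \
        -m "$EMAIL" \
        "$@" \
        --standalone-supported-challenges http-01 \
        --renew-by-default
}

main() {
    first=${DOMAINS%% *}                  # the lineage under live/ is named after the first -d
    live="$LE_DIR/live/$first"
    if needs_renewal "$live/cert.pem" "$RENEW_BEFORE_DAYS"; then
        issue
    else
        echo "$first: more than $RENEW_BEFORE_DAYS days left, not renewing"
    fi
    key_matches_cert "$live/cert.pem" "$live/privkey.pem" || { echo "privkey.pem does not match cert.pem" >&2; exit 1; }
    cert_covers "$live/cert.pem" $DOMAINS || { echo "cert.pem does not cover every name in DOMAINS" >&2; exit 1; }
    key_is_private "$live/privkey.pem" || { echo "privkey.pem is readable by group or others" >&2; exit 1; }
    # cert.pem must chain through chain.pem to a root the system already trusts
    openssl verify -untrusted "$live/chain.pem" "$live/cert.pem"
}

case ${1:-} in run) main ;; esac   # invoke as: sh le-renew.sh run
```

Run it as `sh le-renew.sh run` from a daily cron job; with the default threshold it re-issues about 60 days into the 90-day lifetime, as the step above does by hand, and aborts loudly if what came back is not usable.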
Digressions from here on
- When neither port 443 nor 80 is free
- When a web server is already running and you don't want to stop it, there is the method of placing static files, but…
- I really want to get certificates issued independently of the existing environment
- I spotted the --tls-sni-01-port and --http-01-port options and got my hopes up
- Since any user who can log in to the server would be able to use it, I think it will be limited to privileged ports
- https://www.ietf.org/proceedings/94/slides/slides-94-acme-0.pdf#22
- I got carried away and issued certificates for one subdomain after another, and hit an error
```
Error: urn:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new cert :: Too many certificates already issued for: 0t0.jp
```
- The number turned out to be finite after all
- There is a limit per domain
- Amazon EC2 gives each instance a public DNS name under *.compute.amazonaws.com; can a certificate be issued for one of those?
```
An unexpected error occurred: The request message was malformed :: Error creating new authz :: Name is blacklisted
```