Mudanças entre as edições de "SSL no Gandi"
(10 revisões intermediárias pelo mesmo usuário não estão sendo mostradas)
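--- a/SSL no Gandi
+++ b/SSL no Gandi
@@ -1,10 +1,11 @@
 # Autentique no painel
 # clique em SSL
-# selecione o
+# selecione o domínio
 # clique em get
-# copie o conteúdo e salve num arquivo com o nome nuevo
+# copie o conteúdo e salve num arquivo com o nome nuevo.crt
 <source lang="bash">
 wget https://www.gandi.net/static/CAs/GandiStandardSSLCA.pem
-cat nuevo
-mv quijaua-me.crt /etc/nginx/ssl/
+cat nuevo.crt GandiStandardSSLCA.pem > quijaua-me.crt
+mkdir /etc/nginx/ssl/
+mv quijaua-me.crt /etc/nginx/ssl/
 </source>
@@ -19,2 +20,77 @@
 * [[IRedMail com Nginx]]
 * [[Certifcado SSL]]
+
+== 2015 ==
+
+com base em
+* http://wiki.gandi.net/en/ssl/csr
+
+conforme
+* https://www.ssllabs.com/ssltest/analyze.html?d=quijaua.me
+
+<source lang="bash">
+openssl req -nodes -newkey rsa:2048 -sha256 -keyout myserver.key -out server.csr
+cd /etc/ssl/private
+openssl dhparam -out dhparam.pem 2048
+chmod 600 dhparam.pem
+</source>
+
+documentação atual
+* http://jlecour.github.io/ssl-gandi-nginx-debian/
+* https://fak3r.com/2014/08/04/howto-serve-gandi-ssl-certs-in-nginx/
+* http://charlieharvey.org.uk/page/gandi_sha2_intermediate_cert_ssl_tls
+* http://fatorbinario.com/tutorial-ssl-aprenda-a-instalar-um-certificado-de-baixo-custo-para-o-seu-site/
+* usar sha2
+* https://support.mozilla.org/pt-BR/kb/conteudo-misto-bloqueado-no-firefox?redirectlocale=en-US&as=u&redirectslug=how-does-content-isnt-secure-affect-my-safety&utm_source=inproduct
+
+
+no nginx ficou assim
+
+<source lang="nginx">*
+server {
+listen 80;
+server_name quijaua.me www.quijaua.me;
+access_log /var/log/nginx/iredmail-access.log;
+error_log /var/log/nginx/iredmail-error.log info;
+
+location / {
+rewrite ^ https://quijaua.me/mail permanent;
+}
+location ~ \.php$ {
+fastcgi_pass 127.0.0.1:9000;
+fastcgi_index index.php;
+include fastcgi_params;
+fastcgi_param SCRIPT_FILENAME /usr/share/apache2/roundcubemail$fastcgi_script_name;
+}
+
+}
+
+server {
+listen 443;
+server_name quijaua.me;
+
+location / {
+root /usr/share/apache2/;
+index index.php index.html;
+}
+location ~ \.php$ {
+root /usr/share/apache2;
+include fastcgi_params;
+fastcgi_pass 127.0.0.1:9000;
+fastcgi_index index.php;
+fastcgi_param SCRIPT_FILENAME /usr/share/apache2$fastcgi_script_name;
+fastcgi_param SERVER_NAME $http_host;
+fastcgi_ignore_client_abort on;
+}
+ssl on;
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_certificate /etc/nginx/ssl/quijaua-me.crt22;
+ssl_certificate_key /etc/nginx/ssl/priv/myserver.key;
+ssl_prefer_server_ciphers on;
+ssl_stapling on;
+ssl_stapling_verify on;
+ssl_dhparam /etc/ssl/private/dhparams.pem;
+add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
+ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'
+}
+</source>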
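Review bot: The added 443 `server` block references files that the shell steps on this page do not produce: `ssl_certificate /etc/nginx/ssl/quijaua-me.crt22;` while the first hunk writes `quijaua-me.crt`, `ssl_dhparam /etc/ssl/private/dhparams.pem;` while `openssl dhparam` writes `dhparam.pem`, and `myserver.key` is generated in the working directory with nothing moving it to `/etc/nginx/ssl/priv/`. If those are typos the lines should read `ssl_certificate /etc/nginx/ssl/quijaua-me.crt;` and `ssl_dhparam /etc/ssl/private/dhparam.pem;`. In the same new bash block only `dhparam.pem` gets `chmod 600`; the unencrypted private key from `openssl req -nodes` is left with default permissions, so a `chmod 600 myserver.key` line is missing. `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` still enables TLS 1.0 and 1.1, which the ssllabs scan linked above penalizes, and on the port-80 server the regex `location ~ \.php$` takes precedence over `location /`, so PHP requests are served over plain HTTP instead of being redirected. The stray `*` after `<source lang="nginx">` is also rendered into the page.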
Edição atual tal como às 01h15min de 12 de dezembro de 2015
- Autentique no painel
- clique em SSL
- selecione o domínio
- clique em get
- copie o conteúdo e salve num arquivo com o nome nuevo.crt
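# Build the certificate chain that nginx will serve: the Gandi-issued leaf
# certificate (saved as nuevo.crt in the steps above) followed by Gandi's
# intermediate CA, then install the bundle under /etc/nginx/ssl/.
wget https://www.gandi.net/static/CAs/GandiStandardSSLCA.pem
# Order matters for nginx's ssl_certificate: leaf first, intermediate after it.
cat nuevo.crt GandiStandardSSLCA.pem > quijaua-me.crt
# -p: do not fail when the directory already exists, so the steps can be re-run.
mkdir -p /etc/nginx/ssl/
mv quijaua-me.crt /etc/nginx/ssl/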
referências:
- https://library.linode.com/web-servers/nginx/configuration/ssl
- http://docs.nkosi.org/IRedMail_com_Nginx
- https://nicolas.perriault.net/code/2012/gandi-standard-ssl-certificate-nginx/
- http://wiki.gandi.net/en/hosting/using-linux/tutorials/ubuntu/ssl
- http://wiki.gandi.net/en/ssl/csr
- IRedMail com Nginx
- Certifcado SSL
2015
com base em
conforme
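# Generate a 2048-bit RSA private key and a SHA-256 signed CSR to submit to Gandi.
# -nodes leaves the key unencrypted so nginx can start without a passphrase,
# which is exactly why its file permissions have to be restricted.
openssl req -nodes -newkey rsa:2048 -sha256 -keyout myserver.key -out server.csr
# The original steps only protected dhparam.pem; the key needs the same treatment.
chmod 600 myserver.key
cd /etc/ssl/private
# Diffie-Hellman parameters used by the DHE cipher suites in the nginx config.
openssl dhparam -out dhparam.pem 2048
chmod 600 dhparam.pem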
documentação atual
- http://jlecour.github.io/ssl-gandi-nginx-debian/
- https://fak3r.com/2014/08/04/howto-serve-gandi-ssl-certs-in-nginx/
- http://charlieharvey.org.uk/page/gandi_sha2_intermediate_cert_ssl_tls
- http://fatorbinario.com/tutorial-ssl-aprenda-a-instalar-um-certificado-de-baixo-custo-para-o-seu-site/
- usar sha2
- https://support.mozilla.org/pt-BR/kb/conteudo-misto-bloqueado-no-firefox?redirectlocale=en-US&as=u&redirectslug=how-does-content-isnt-secure-affect-my-safety&utm_source=inproduct
no nginx ficou assim
*
# Plain-HTTP vhost: redirects the site root to the HTTPS webmail URL.
server {
listen 80;
server_name quijaua.me www.quijaua.me;
access_log /var/log/nginx/iredmail-access.log;
error_log /var/log/nginx/iredmail-error.log info;
# Permanent (301) redirect of every request matched here to HTTPS.
location / {
rewrite ^ https://quijaua.me/mail permanent;
}
# NOTE(review): a regex location wins over the "/" prefix above, so *.php
# requests on port 80 are handed to PHP-FPM over plain HTTP instead of being
# redirected — confirm that is intended.
location ~ \.php$ {
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME /usr/share/apache2/roundcubemail$fastcgi_script_name;
}
}
# HTTPS vhost serving the document root under /usr/share/apache2 via PHP-FPM.
server {
listen 443;
server_name quijaua.me;
location / {
root /usr/share/apache2/;
index index.php index.html;
}
location ~ \.php$ {
root /usr/share/apache2;
include fastcgi_params;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /usr/share/apache2$fastcgi_script_name;
# $http_host is the client-supplied Host header; the application sees it as
# SERVER_NAME, so it should not be trusted for anything security-relevant.
fastcgi_param SERVER_NAME $http_host;
fastcgi_ignore_client_abort on;
}
ssl on;
# TLS 1.0 and 1.1 are still enabled here; TLS 1.2 alone is the stronger choice.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# NOTE(review): the bash steps on this page write quijaua-me.crt (no "22"),
# generate myserver.key in the working directory, and write dhparam.pem
# (not dhparams.pem) — confirm all three paths before relying on this config.
ssl_certificate /etc/nginx/ssl/quijaua-me.crt22;
ssl_certificate_key /etc/nginx/ssl/priv/myserver.key;
ssl_prefer_server_ciphers on;
# OCSP stapling with verification; no ssl_trusted_certificate is given, so
# verification presumably relies on the intermediate bundled into the .crt.
ssl_stapling on;
ssl_stapling_verify on;
ssl_dhparam /etc/ssl/private/dhparams.pem;
# HSTS for one year, including subdomains.
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
# Cipher list: note that DES-CBC3-SHA (3DES) is still explicitly allowed
# even though !DES is listed later in the string.
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
}