Mudanças entre as edições de "SSL no Gandi"

De MochilaWiki
Ir para navegaçãoIr para pesquisar
 
(10 revisões intermediárias pelo mesmo usuário não estão sendo mostradas)
Linha 1: Linha 1:
 
# Autentique no painel
 
# Autentique no painel
 
# clique em SSL
 
# clique em SSL
# selecione o dominio
+
# selecione o domínio
 
# clique em get
 
# clique em get
# copie o conteúdo e salve num arquivo com o nome nuevo-2013-2014.crt
+
# copie o conteúdo e salve num arquivo com o nome nuevo.crt
  
 
<source lang="bash">
 
<source lang="bash">
 
wget https://www.gandi.net/static/CAs/GandiStandardSSLCA.pem
 
wget https://www.gandi.net/static/CAs/GandiStandardSSLCA.pem
cat nuevo-2013-2014.crt GandiStandardSSLCA.pem > quijaua-me.crt
+
cat nuevo.crt GandiStandardSSLCA.pem > quijaua-me.crt
mv quijaua-me.crt /etc/nginx/ssl/quijaua-me.crt
+
mkdir /etc/nginx/ssl/
 +
mv quijaua-me.crt /etc/nginx/ssl/
 
</source>
 
</source>
  
Linha 19: Linha 20:
 
* [[IRedMail com Nginx]]
 
* [[IRedMail com Nginx]]
 
* [[Certifcado SSL]]
 
* [[Certifcado SSL]]
 +
 +
== 2015 ==
 +
 +
com base em
 +
* http://wiki.gandi.net/en/ssl/csr
 +
 +
conforme
 +
* https://www.ssllabs.com/ssltest/analyze.html?d=quijaua.me
 +
 +
<source lang="bash">
 +
openssl req -nodes -newkey rsa:2048 -sha256 -keyout myserver.key -out server.csr
 +
cd /etc/ssl/private
 +
openssl dhparam -out dhparam.pem 2048
 +
chmod 600 dhparam.pem
 +
</source>
 +
 +
documentação atual
 +
* http://jlecour.github.io/ssl-gandi-nginx-debian/
 +
* https://fak3r.com/2014/08/04/howto-serve-gandi-ssl-certs-in-nginx/
 +
* http://charlieharvey.org.uk/page/gandi_sha2_intermediate_cert_ssl_tls
 +
* http://fatorbinario.com/tutorial-ssl-aprenda-a-instalar-um-certificado-de-baixo-custo-para-o-seu-site/
 +
* usar sha2
 +
* https://support.mozilla.org/pt-BR/kb/conteudo-misto-bloqueado-no-firefox?redirectlocale=en-US&as=u&redirectslug=how-does-content-isnt-secure-affect-my-safety&utm_source=inproduct
 +
 +
 +
no nginx ficou assim
 +
 +
<source lang="nginx">*
 +
    server {
 +
        listen          80;
 +
        server_name quijaua.me www.quijaua.me;
 +
        access_log  /var/log/nginx/iredmail-access.log;
 +
        error_log  /var/log/nginx/iredmail-error.log info;
 +
 +
        location / {
 +
                rewrite ^ https://quijaua.me/mail permanent;
 +
        }
 +
    location ~ \.php$ {
 +
            fastcgi_pass  127.0.0.1:9000;
 +
            fastcgi_index  index.php;
 +
            include fastcgi_params;
 +
            fastcgi_param SCRIPT_FILENAME /usr/share/apache2/roundcubemail$fastcgi_script_name;
 +
    }
 +
 +
}
 +
 +
server {
 +
    listen      443;
 +
    server_name  quijaua.me;
 +
 +
    location / {
 +
        root  /usr/share/apache2/;
 +
        index  index.php index.html;
 +
    }
 +
    location ~ \.php$ {
 +
        root            /usr/share/apache2;
 +
        include        fastcgi_params;
 +
        fastcgi_pass    127.0.0.1:9000;
 +
        fastcgi_index  index.php;
 +
        fastcgi_param  SCRIPT_FILENAME /usr/share/apache2$fastcgi_script_name;
 +
        fastcgi_param  SERVER_NAME $http_host;
 +
        fastcgi_ignore_client_abort on;
 +
    }
 +
    ssl                  on;
 +
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 +
    ssl_certificate    /etc/nginx/ssl/quijaua-me.crt22;
 +
    ssl_certificate_key  /etc/nginx/ssl/priv/myserver.key;
 +
    ssl_prefer_server_ciphers on;
 +
    ssl_stapling on;
 +
    ssl_stapling_verify on;
 +
    ssl_dhparam /etc/ssl/private/dhparams.pem;
 +
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
 +
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
 +
}
 +
</source>

Edição atual tal como às 01h15min de 12 de dezembro de 2015

  1. Autentique no painel
  2. clique em SSL
  3. selecione o domínio
  4. clique em get
  5. copie o conteúdo e salve num arquivo com o nome nuevo.crt
wget https://www.gandi.net/static/CAs/GandiStandardSSLCA.pem
cat nuevo.crt GandiStandardSSLCA.pem > quijaua-me.crt
mkdir /etc/nginx/ssl/
mv quijaua-me.crt /etc/nginx/ssl/

referencias:

2015

com base em

conforme

openssl req -nodes -newkey rsa:2048 -sha256 -keyout myserver.key -out server.csr
cd /etc/ssl/private
openssl dhparam -out dhparam.pem 2048
chmod 600 dhparam.pem

documentação atual


no nginx ficou assim

*
    server {
        listen          80;
        server_name quijaua.me www.quijaua.me;
        access_log   /var/log/nginx/iredmail-access.log;
        error_log  /var/log/nginx/iredmail-error.log info;

        location / {
                rewrite ^ https://quijaua.me/mail permanent;
        }
    location ~ \.php$ {
            fastcgi_pass   127.0.0.1:9000;
            fastcgi_index  index.php;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME /usr/share/apache2/roundcubemail$fastcgi_script_name;
    }

}

server {
    listen       443;
    server_name  quijaua.me;

    location / {
        root   /usr/share/apache2/;
        index  index.php index.html;
    }
     location ~ \.php$ {
        root            /usr/share/apache2;
        include         fastcgi_params;
        fastcgi_pass    127.0.0.1:9000;
        fastcgi_index   index.php;
        fastcgi_param   SCRIPT_FILENAME /usr/share/apache2$fastcgi_script_name;
        fastcgi_param   SERVER_NAME $http_host;
        fastcgi_ignore_client_abort on;
    }
    ssl                  on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_certificate     /etc/nginx/ssl/quijaua-me.crt22;
    ssl_certificate_key  /etc/nginx/ssl/priv/myserver.key;
    ssl_prefer_server_ciphers on;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_dhparam /etc/ssl/private/dhparams.pem;
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
}