Mudanças entre as edições de "SSL no Gandi"
De MochilaWiki
Ir para navegaçãoIr para pesquisar (→2015) |
|||
| (8 revisões intermediárias pelo mesmo usuário não estão sendo mostradas) | |||
| Linha 1: | Linha 1: | ||
# Autentique no painel | # Autentique no painel | ||
# clique em SSL | # clique em SSL | ||
| − | # selecione o | + | # selecione o domínio |
# clique em get | # clique em get | ||
# copie o conteúdo e salve num arquivo com o nome nuevo.crt | # copie o conteúdo e salve num arquivo com o nome nuevo.crt | ||
| Linha 21: | Linha 21: | ||
* [[Certifcado SSL]] | * [[Certifcado SSL]] | ||
| − | + | == 2015 == | |
| − | http://wiki.gandi.net/en/ssl/csr | + | com base em |
| + | * http://wiki.gandi.net/en/ssl/csr | ||
conforme | conforme | ||
* https://www.ssllabs.com/ssltest/analyze.html?d=quijaua.me | * https://www.ssllabs.com/ssltest/analyze.html?d=quijaua.me | ||
| − | + | <source lang="bash"> | |
| − | * | + | openssl req -nodes -newkey rsa:2048 -sha256 -keyout myserver.key -out server.csr |
| − | * | + | cd /etc/ssl/private |
| − | * https:// | + | openssl dhparam -out dhparam.pem 2048 |
| + | chmod 600 dhparam.pem | ||
| + | </source> | ||
| + | |||
| + | documentação atual | ||
| + | * http://jlecour.github.io/ssl-gandi-nginx-debian/ | ||
| + | * https://fak3r.com/2014/08/04/howto-serve-gandi-ssl-certs-in-nginx/ | ||
| + | * http://charlieharvey.org.uk/page/gandi_sha2_intermediate_cert_ssl_tls | ||
| + | * http://fatorbinario.com/tutorial-ssl-aprenda-a-instalar-um-certificado-de-baixo-custo-para-o-seu-site/ | ||
| + | * usar sha2 | ||
| + | * https://support.mozilla.org/pt-BR/kb/conteudo-misto-bloqueado-no-firefox?redirectlocale=en-US&as=u&redirectslug=how-does-content-isnt-secure-affect-my-safety&utm_source=inproduct | ||
| − | + | ||
| + | no nginx ficou assim | ||
| + | |||
| + | <source lang="nginx">* | ||
| + | server { | ||
| + | listen 80; | ||
| + | server_name quijaua.me www.quijaua.me; | ||
| + | access_log /var/log/nginx/iredmail-access.log; | ||
| + | error_log /var/log/nginx/iredmail-error.log info; | ||
| + | |||
| + | location / { | ||
| + | rewrite ^ https://quijaua.me/mail permanent; | ||
| + | } | ||
| + | location ~ \.php$ { | ||
| + | fastcgi_pass 127.0.0.1:9000; | ||
| + | fastcgi_index index.php; | ||
| + | include fastcgi_params; | ||
| + | fastcgi_param SCRIPT_FILENAME /usr/share/apache2/roundcubemail$fastcgi_script_name; | ||
| + | } | ||
| + | |||
| + | } | ||
| + | |||
| + | server { | ||
| + | listen 443; | ||
| + | server_name quijaua.me; | ||
| + | |||
| + | location / { | ||
| + | root /usr/share/apache2/; | ||
| + | index index.php index.html; | ||
| + | } | ||
| + | location ~ \.php$ { | ||
| + | root /usr/share/apache2; | ||
| + | include fastcgi_params; | ||
| + | fastcgi_pass 127.0.0.1:9000; | ||
| + | fastcgi_index index.php; | ||
| + | fastcgi_param SCRIPT_FILENAME /usr/share/apache2$fastcgi_script_name; | ||
| + | fastcgi_param SERVER_NAME $http_host; | ||
| + | fastcgi_ignore_client_abort on; | ||
| + | } | ||
| + | ssl on; | ||
| + | ssl_protocols TLSv1 TLSv1.1 TLSv1.2; | ||
| + | ssl_certificate /etc/nginx/ssl/quijaua-me.crt22; | ||
| + | ssl_certificate_key /etc/nginx/ssl/priv/myserver.key; | ||
| + | ssl_prefer_server_ciphers on; | ||
| + | ssl_stapling on; | ||
| + | ssl_stapling_verify on; | ||
| + | ssl_dhparam /etc/ssl/private/dhparams.pem; | ||
| + | add_header Strict-Transport-Security "max-age=31536000; includeSubdomains"; | ||
| + | ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; | ||
| + | } | ||
| + | </source> | ||
Edição atual tal como às 01h15min de 12 de dezembro de 2015
- Autentique no painel
- clique em SSL
- selecione o domínio
- clique em get
- copie o conteúdo e salve num arquivo com o nome nuevo.crt
wget https://www.gandi.net/static/CAs/GandiStandardSSLCA.pem
cat nuevo.crt GandiStandardSSLCA.pem > quijaua-me.crt
mkdir /etc/nginx/ssl/
mv quijaua-me.crt /etc/nginx/ssl/
referencias:
- https://library.linode.com/web-servers/nginx/configuration/ssl
- http://docs.nkosi.org/IRedMail_com_Nginx
- https://nicolas.perriault.net/code/2012/gandi-standard-ssl-certificate-nginx/
- http://wiki.gandi.net/en/hosting/using-linux/tutorials/ubuntu/ssl
- http://wiki.gandi.net/en/ssl/csr
- IRedMail com Nginx
- Certifcado SSL
2015
com base em
conforme
openssl req -nodes -newkey rsa:2048 -sha256 -keyout myserver.key -out server.csr
cd /etc/ssl/private
openssl dhparam -out dhparam.pem 2048
chmod 600 dhparam.pem
documentação atual
- http://jlecour.github.io/ssl-gandi-nginx-debian/
- https://fak3r.com/2014/08/04/howto-serve-gandi-ssl-certs-in-nginx/
- http://charlieharvey.org.uk/page/gandi_sha2_intermediate_cert_ssl_tls
- http://fatorbinario.com/tutorial-ssl-aprenda-a-instalar-um-certificado-de-baixo-custo-para-o-seu-site/
- usar sha2
- https://support.mozilla.org/pt-BR/kb/conteudo-misto-bloqueado-no-firefox?redirectlocale=en-US&as=u&redirectslug=how-does-content-isnt-secure-affect-my-safety&utm_source=inproduct
no nginx ficou assim
*
server {
listen 80;
server_name quijaua.me www.quijaua.me;
access_log /var/log/nginx/iredmail-access.log;
error_log /var/log/nginx/iredmail-error.log info;
location / {
rewrite ^ https://quijaua.me/mail permanent;
}
location ~ \.php$ {
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME /usr/share/apache2/roundcubemail$fastcgi_script_name;
}
}
server {
listen 443;
server_name quijaua.me;
location / {
root /usr/share/apache2/;
index index.php index.html;
}
location ~ \.php$ {
root /usr/share/apache2;
include fastcgi_params;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /usr/share/apache2$fastcgi_script_name;
fastcgi_param SERVER_NAME $http_host;
fastcgi_ignore_client_abort on;
}
ssl on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_certificate /etc/nginx/ssl/quijaua-me.crt22;
ssl_certificate_key /etc/nginx/ssl/priv/myserver.key;
ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_stapling_verify on;
ssl_dhparam /etc/ssl/private/dhparams.pem;
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
}
