SSL no Gandi: mudanças entre as edições
De MochilaWiki
Ir para navegaçãoIr para pesquisar
Sem resumo de edição |
|||
| (8 revisões intermediárias pelo mesmo usuário não estão sendo mostradas) | |||
| Linha 1: | Linha 1: | ||
# Autentique no painel | # Autentique no painel | ||
# clique em SSL | # clique em SSL | ||
# selecione o | # selecione o domínio | ||
# clique em get | # clique em get | ||
# copie o conteúdo e salve num arquivo com o nome nuevo.crt | # copie o conteúdo e salve num arquivo com o nome nuevo.crt | ||
| Linha 21: | Linha 21: | ||
* [[Certifcado SSL]] | * [[Certifcado SSL]] | ||
== 2015 == | |||
http://wiki.gandi.net/en/ssl/csr | com base em | ||
* http://wiki.gandi.net/en/ssl/csr | |||
conforme | conforme | ||
* https://www.ssllabs.com/ssltest/analyze.html?d=quijaua.me | * https://www.ssllabs.com/ssltest/analyze.html?d=quijaua.me | ||
<source lang="bash"> | |||
* | openssl req -nodes -newkey rsa:2048 -sha256 -keyout myserver.key -out server.csr | ||
* | cd /etc/ssl/private | ||
* https:// | openssl dhparam -out dhparam.pem 2048 | ||
chmod 600 dhparam.pem | |||
</source> | |||
documentação atual | |||
* http://jlecour.github.io/ssl-gandi-nginx-debian/ | |||
* https://fak3r.com/2014/08/04/howto-serve-gandi-ssl-certs-in-nginx/ | |||
* http://charlieharvey.org.uk/page/gandi_sha2_intermediate_cert_ssl_tls | |||
* http://fatorbinario.com/tutorial-ssl-aprenda-a-instalar-um-certificado-de-baixo-custo-para-o-seu-site/ | |||
* usar sha2 | |||
* https://support.mozilla.org/pt-BR/kb/conteudo-misto-bloqueado-no-firefox?redirectlocale=en-US&as=u&redirectslug=how-does-content-isnt-secure-affect-my-safety&utm_source=inproduct | |||
no nginx ficou assim | |||
<source lang="nginx">* | |||
server { | |||
listen 80; | |||
server_name quijaua.me www.quijaua.me; | |||
access_log /var/log/nginx/iredmail-access.log; | |||
error_log /var/log/nginx/iredmail-error.log info; | |||
location / { | |||
rewrite ^ https://quijaua.me/mail permanent; | |||
} | |||
location ~ \.php$ { | |||
fastcgi_pass 127.0.0.1:9000; | |||
fastcgi_index index.php; | |||
include fastcgi_params; | |||
fastcgi_param SCRIPT_FILENAME /usr/share/apache2/roundcubemail$fastcgi_script_name; | |||
} | |||
} | |||
server { | |||
listen 443; | |||
server_name quijaua.me; | |||
location / { | |||
root /usr/share/apache2/; | |||
index index.php index.html; | |||
} | |||
location ~ \.php$ { | |||
root /usr/share/apache2; | |||
include fastcgi_params; | |||
fastcgi_pass 127.0.0.1:9000; | |||
fastcgi_index index.php; | |||
fastcgi_param SCRIPT_FILENAME /usr/share/apache2$fastcgi_script_name; | |||
fastcgi_param SERVER_NAME $http_host; | |||
fastcgi_ignore_client_abort on; | |||
} | |||
ssl on; | |||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; | |||
ssl_certificate /etc/nginx/ssl/quijaua-me.crt22; | |||
ssl_certificate_key /etc/nginx/ssl/priv/myserver.key; | |||
ssl_prefer_server_ciphers on; | |||
ssl_stapling on; | |||
ssl_stapling_verify on; | |||
ssl_dhparam /etc/ssl/private/dhparams.pem; | |||
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains"; | |||
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; | |||
} | |||
</source> | |||
Edição atual tal como às 22h15min de 11 de dezembro de 2015
- Autentique no painel
- clique em SSL
- selecione o domínio
- clique em get
- copie o conteúdo e salve num arquivo com o nome nuevo.crt
wget https://www.gandi.net/static/CAs/GandiStandardSSLCA.pem
cat nuevo.crt GandiStandardSSLCA.pem > quijaua-me.crt
mkdir /etc/nginx/ssl/
mv quijaua-me.crt /etc/nginx/ssl/
referencias:
- https://library.linode.com/web-servers/nginx/configuration/ssl
- http://docs.nkosi.org/IRedMail_com_Nginx
- https://nicolas.perriault.net/code/2012/gandi-standard-ssl-certificate-nginx/
- http://wiki.gandi.net/en/hosting/using-linux/tutorials/ubuntu/ssl
- http://wiki.gandi.net/en/ssl/csr
- IRedMail com Nginx
- Certifcado SSL
2015
com base em
conforme
openssl req -nodes -newkey rsa:2048 -sha256 -keyout myserver.key -out server.csr
cd /etc/ssl/private
openssl dhparam -out dhparam.pem 2048
chmod 600 dhparam.pem
documentação atual
- http://jlecour.github.io/ssl-gandi-nginx-debian/
- https://fak3r.com/2014/08/04/howto-serve-gandi-ssl-certs-in-nginx/
- http://charlieharvey.org.uk/page/gandi_sha2_intermediate_cert_ssl_tls
- http://fatorbinario.com/tutorial-ssl-aprenda-a-instalar-um-certificado-de-baixo-custo-para-o-seu-site/
- usar sha2
- https://support.mozilla.org/pt-BR/kb/conteudo-misto-bloqueado-no-firefox?redirectlocale=en-US&as=u&redirectslug=how-does-content-isnt-secure-affect-my-safety&utm_source=inproduct
no nginx ficou assim
*
server {
listen 80;
server_name quijaua.me www.quijaua.me;
access_log /var/log/nginx/iredmail-access.log;
error_log /var/log/nginx/iredmail-error.log info;
location / {
rewrite ^ https://quijaua.me/mail permanent;
}
location ~ \.php$ {
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME /usr/share/apache2/roundcubemail$fastcgi_script_name;
}
}
server {
listen 443;
server_name quijaua.me;
location / {
root /usr/share/apache2/;
index index.php index.html;
}
location ~ \.php$ {
root /usr/share/apache2;
include fastcgi_params;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /usr/share/apache2$fastcgi_script_name;
fastcgi_param SERVER_NAME $http_host;
fastcgi_ignore_client_abort on;
}
ssl on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_certificate /etc/nginx/ssl/quijaua-me.crt22;
ssl_certificate_key /etc/nginx/ssl/priv/myserver.key;
ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_stapling_verify on;
ssl_dhparam /etc/ssl/private/dhparams.pem;
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
}
