This post summarizes how to enable HTTPS with OpenSSL on an Ubuntu 14.04 machine running Nginx.
OpenSSL setup procedure (Ubuntu 14.04 version)
1. Change to the working directory
$ cd /etc/ssl/
2. Create the private key
$ sudo openssl genrsa -aes256 -out private.key 2048
3. Set the password (the passphrase that protects private.key) when prompted
4. Create the certificate signing request (CSR)
$ sudo openssl req -new -key private.key -out csr.pem
5. Enter the requested information
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:Okayama
Locality Name (eg, city) []:Okayama
Organization Name (eg, company) [Internet Widgits Pty Ltd]:HOGE
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:admin@example.test
A challenge password []:
An optional company name []:
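6. Copy the contents of the generated csr.pem and paste them into the RapidSSL application form
7. When the certificate arrives by e-mail, save the contents of the SSL server certificate (X.509 format) to server.crt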
-----BEGIN CERTIFICATE-----
...
...
...
-----END CERTIFICATE-----
8. Also save the contents of the intermediate certificate (INTERMEDIATE CA) to intermediate.crt
-----BEGIN CERTIFICATE-----
...
...
...
-----END CERTIFICATE-----
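9. Remove the passphrase from the key so that the server can be restarted without entering it. The resulting private.key.nopass is unencrypted, so keep it readable by root only.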
sudo openssl rsa -in private.key -out private.key.nopass
10. Concatenate the SSL server certificate and the intermediate certificate (server certificate first)
# cat server.crt intermediate.crt > server_intermediate.crt
11. Edit the nginx conf file
Copy /etc/nginx/sites-available/default
to create /etc/nginx/sites-available/DOMAIN_NAME.conf
(DOMAIN_NAME stands for your own domain name),
then write the following in it:
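server {
    listen 80;
    server_name www.miningoo.com;
    rewrite ^(.*)$ https://miningoo.com$1 permanent;
}

server {
    listen 80;
    server_name miningoo.com;
    rewrite ^(.*)$ https://miningoo.com$1 permanent;
}

server {
    # "listen 443 ssl" enables TLS on this socket; a separate "ssl on;" is not needed.
    listen 443 ssl;
    server_name www.miningoo.com;
    # This server-level rewrite redirects every request, so the location blocks below are never reached.
    rewrite ^(.*)$ https://miningoo.com$1 permanent;

    # Combined certificate file from step 10 and passphrase-less key from step 9 (both created in /etc/ssl).
    ssl_certificate /etc/ssl/server_intermediate.crt;
    ssl_certificate_key /etc/ssl/private.key.nopass;
    ssl_session_timeout 5m;
    # SSLv3 is broken (POODLE) and TLS 1.0/1.1 are deprecated (RFC 8996), so only TLS 1.2 is offered.
    ssl_protocols TLSv1.2;
    # One cipher list only: the original value joined two alternative lists with the word "or".
    ssl_ciphers "HIGH:!aNULL:!MD5:!3DES";
    ssl_prefer_server_ciphers on;

    location / {
        index index.php index.html index.htm;
        try_files $uri $uri/ /index.php?$uri&$args;
    }

    location ~ \.php$ {
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
        fastcgi_param FUEL_ENV production;
    }
}

server {
    listen 443 ssl;
    server_name miningoo.com;
    root /var/www/miningoo.com;
    index index.html index.php;
    access_log /var/log/nginx/ssl.miningoo.com.access.log;
    error_log /var/log/nginx/ssl.miningoo.com.error.log;

    # Combined certificate file from step 10 and passphrase-less key from step 9 (both created in /etc/ssl).
    ssl_certificate /etc/ssl/server_intermediate.crt;
    ssl_certificate_key /etc/ssl/private.key.nopass;
    ssl_session_timeout 5m;
    # SSLv3 is broken (POODLE) and TLS 1.0/1.1 are deprecated (RFC 8996), so only TLS 1.2 is offered.
    ssl_protocols TLSv1.2;
    # One cipher list only: the original value joined two alternative lists with the word "or".
    ssl_ciphers "HIGH:!aNULL:!MD5:!3DES";
    ssl_prefer_server_ciphers on;

    location / {
        index index.php index.html index.htm;
        try_files $uri $uri/ /index.php?$uri&$args;
    }

    location ~ \.php$ {
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
        fastcgi_param FUEL_ENV production;
    }
}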
12. Create a symbolic link from sites-available into sites-enabled
sudo ln -s /etc/nginx/sites-available/DOMAIN_NAME.conf /etc/nginx/sites-enabled/
13. Restart nginx
sudo service nginx restart
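The files produced in steps 9 and 10 can be checked before the restart in step 13. The script below is an added example, not part of the original post; the function names are hypothetical and the file names are the ones used in the steps above.

```shell
#!/bin/sh
# Added example: pre-flight checks for the files from steps 9 and 10.
# Function names are hypothetical; file names follow the article.

# Step 10: the bundle needs at least two complete PEM certificates. If
# server.crt lacks a trailing newline, cat fuses the END and BEGIN markers
# onto one line and the file no longer parses as PEM.
check_bundle() {
    bundle=$1
    [ -r "$bundle" ] || return 1
    if grep -q -e '-----END CERTIFICATE-----.*-----BEGIN CERTIFICATE-----' "$bundle"; then
        echo "$bundle: END and BEGIN markers share a line" >&2
        return 1
    fi
    begins=$(grep -c -e '^-----BEGIN CERTIFICATE-----' "$bundle" || true)
    ends=$(grep -c -e '^-----END CERTIFICATE-----' "$bundle" || true)
    if [ "$begins" -lt 2 ] || [ "$begins" -ne "$ends" ]; then
        echo "$bundle: found $begins BEGIN and $ends END markers" >&2
        return 1
    fi
}

# Steps 9 and 10: openssl x509 reads only the first certificate in a file,
# so a public-key match shows both that key and certificate belong together
# and that the server certificate was concatenated first.
key_matches_cert() {
    key=$1
    cert=$2
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) || return 1
    # -passin pass: makes an encrypted key fail instead of prompting.
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Step 9: the passphrase-less key must not be readable by group or others.
key_is_private() {
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Usage, run from /etc/ssl before the restart in step 13:
#   check_bundle server_intermediate.crt &&
#   key_matches_cert private.key.nopass server_intermediate.crt &&
#   key_is_private private.key.nopass && sudo nginx -t
```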
References
https://www.ssl-store.jp/support/csr/ApacheOpenSSL/
https://blog.shiten.info/2014/09/rapidssl-%E3%81%AE-ssl-%E3%82%B5%E3%83%BC%E3%83%90%E8%A8%BC%E6%98%8E%E6%9B%B8%E3%82%92-apache-%E3%81%AB%E9%81%A9%E7%94%A8.html