[Web Server] Setting up SSL on Apache2

Set up SSL on Apache2 so that it accepts https connections.

  • OpenSSL configuration
    "/etc/ssl/openssl.cnf" already existed, so OpenSSL appears to be installed
    and only the configuration needs to be done.

    vi /etc/ssl/openssl.cnf
    
    # Change the following near [ usr_cert ]
    #nsCertType                      = server
    ↓
    nsCertType                      = server
    
    # Change the following near [ v3_ca ]
    #nsCertType = sslCA, emailCA
    ↓
    nsCertType = sslCA, emailCA
    
  • Creating a private (self-signed) CA

    cd /usr/local/
    mkdir certs
    cd certs
    /usr/lib/ssl/misc/CA.pl -newca
    
    # The docs say pressing Enter creates it, so press Enter without typing anything
    CA certificate filename (or enter to create)
    ...................................+++
    .............+++
    writing new private key to './demoCA/private/cakey.pem'
    # Enter the password
    Enter PEM pass phrase:
    # Re-enter the password
    Verifying - Enter PEM pass phrase:
    
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    
    # Enter JP
    Country Name (2 letter code) [AU]:
    # Enter Tokyo
    State or Province Name (full name) [Some-State]:
    # Enter Akihabara
    Locality Name (eg, city) []:
    # Enter Private_CA
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:
    # Press Enter without typing anything
    Organizational Unit Name (eg, section) []:
    # Enter z-area.net
    Common Name (e.g. server FQDN or YOUR name) []:
    # Press Enter without typing anything
    Email Address []:
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    # Press Enter without typing anything
    A challenge password []:
    # Press Enter without typing anything
    An optional company name []:
    
    Using configuration from /usr/lib/ssl/openssl.cnf
    # Enter the password a third time
    Enter pass phrase for ./demoCA/private/cakey.pem:
    Check that the request matches the signature
    Signature ok
    Certificate Details:
    ~(omitted)~
    Certificate is to be certified until Sep  3 14:39:36 2017 GMT (1095 days)
    Write out database with 1 new entries
    Data Base Updated
    

    Now that the private CA exists, create the private key next.

  • Creating the private key

    openssl genrsa -out server.key 1024
    
    Generating RSA private key, 1024 bit long modulus
    ...................................+++
    .............+++
    e is 65537 (0x10001)
    

    The private key is ready, so next create the public key.

  • Creating the public key

    openssl req -new -key server.key -out server.csr
    

    Enter the same values as when the private CA was created.

    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    # Enter JP
    Country Name (2 letter code) [AU]:
    # Enter Tokyo
    State or Province Name (full name) [Some-State]:
    # Enter Akihabara
    Locality Name (eg, city) []:
    # Enter Private_CA
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:
    # Press Enter without typing anything
    Organizational Unit Name (eg, section) []:
    # Enter z-area.net
    Common Name (e.g. server FQDN or YOUR name) []:
    # Press Enter without typing anything
    Email Address []:
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    # Press Enter without typing anything
    A challenge password []:
    # Press Enter without typing anything
    An optional company name []:
    

    The public key is ready, so finally create the self-signed certificate.

  • Creating the self-signed certificate
    Issue a serial number for the certificate.

    # Issue with serial number 01
    echo 01 > demoCA/ca-cert.srl
    # -days 3650 is the validity in days, i.e. 10 years
    openssl x509 -CA ./demoCA/cacert.pem -CAkey ./demoCA/private/cakey.pem -CAserial ./demoCA/ca-cert.srl -req -days 3650 -in server.csr -out server.crt
    
    Signature ok
    subject=/C=JP/ST=Tokyo/L=Akihabara/O=Private_CA/CN=z-area.net
    Getting CA Private Key
    # Enter the password a fourth time
    Enter pass phrase for ./demoCA/private/cakey.pem:
    
    ls
    demoCA  server.crt  server.csr  server.key
    

    demoCA:     private CA
    server.crt: self-signed certificate
    server.csr: public key (certificate signing request)
    server.key: private key
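The CA and certificate steps above can be reproduced with explicit openssl commands, which makes each artefact's role visible. The script below is an added example and not the post's own commands: it builds an encrypted CA key and a self-signed CA certificate, a server key, the CSR (what the post calls the public key, which carries the public key and the requested subject), and the CA-signed server certificate, then checks the result. It differs from the post in three places: it uses a 2048-bit server key (the post's 1024-bit key is below today's accepted minimum), it sets standard X.509v3 extensions (basicConstraints, keyUsage, subjectAltName) from its own small config instead of editing the legacy nsCertType lines in openssl.cnf, and it signs with SHA-256. It assumes openssl is on PATH; CA_PASS is a placeholder passphrase, and z-area.net is the host name reused from the post.

```shell
#!/bin/sh
# Added example, not code from the original post: a private CA and a
# CA-signed server certificate built with plain openssl commands, then
# checked. Assumes openssl on PATH; CA_PASS is a placeholder passphrase;
# z-area.net is the host name reused from the post.
set -eu

CA_PASS="${CA_PASS:-placeholder-ca-passphrase}"

# write_openssl_cnf DIR: minimal config with standard X.509v3 extension
# sections; the post instead edits the legacy nsCertType lines in openssl.cnf
write_openssl_cnf() {
    cat > "$1/pki.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no

[ req_dn ]

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:z-area.net, DNS:www.z-area.net
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
EOF
}

# make_pki DIR: encrypted CA key + self-signed CA cert (CA:TRUE), then a
# 2048-bit server key, a CSR, and the CA-signed server cert (SHA-256, SAN set)
make_pki() {
    dir=$1
    mkdir -p "$dir"
    write_openssl_cnf "$dir"

    openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -sha256 -days 3650 -config "$dir/pki.cnf" -extensions v3_ca \
        -key "$dir/ca.key" -passin "pass:$CA_PASS" \
        -subj "/C=JP/ST=Tokyo/L=Akihabara/O=Private_CA/CN=Private_CA Root" \
        -out "$dir/ca.crt"

    # the server key stays unencrypted so Apache can read it at start; protect it by file mode
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    chmod 600 "$dir/server.key"
    openssl req -new -sha256 -config "$dir/pki.cnf" -key "$dir/server.key" \
        -subj "/C=JP/ST=Tokyo/L=Akihabara/O=Private_CA/CN=z-area.net" \
        -out "$dir/server.csr"

    # the CA decides the extensions (-extfile), not the requester
    openssl x509 -req -sha256 -days 365 -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -passin "pass:$CA_PASS" -CAcreateserial \
        -extfile "$dir/pki.cnf" -extensions v3_server -out "$dir/server.crt" 2>/dev/null
}

# verify_pki DIR: the cert chains to the CA, its public key matches server.key
# (a mismatch is refused by Apache at startup), and the SAN names the host
verify_pki() {
    dir=$1
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null || return 1
    cert_mod=$(openssl x509 -noout -modulus -in "$dir/server.crt")
    key_mod=$(openssl rsa -noout -modulus -in "$dir/server.key")
    [ "$cert_mod" = "$key_mod" ] || return 1
    # browsers match the host against subjectAltName, not the CN
    openssl x509 -noout -text -in "$dir/server.crt" | grep -q 'DNS:z-area.net'
}

# Usage: PKI_DIR=/usr/local/certs sh make_pki.sh
if [ -n "${PKI_DIR:-}" ]; then
    make_pki "$PKI_DIR"
    verify_pki "$PKI_DIR" && echo "OK: $PKI_DIR/server.crt chains to $PKI_DIR/ca.crt"
fi
```

`openssl verify -CAfile` is the same check a browser performs once the CA certificate has been imported into its trust store, so running it before touching Apache separates certificate problems from web server problems. The modulus comparison catches the most common restart failure, a certificate that was signed for a different key than the one named in SSLCertificateKeyFile.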

  • Apache2 SSL settings
    Enable Apache2's SSL site configuration and the SSL module.

    /etc/apache2/a2ensite default-ssl
    
    Enabling site default-ssl.
    To activate the new configuration, you need to run:
      service apache2 reload
    
    /etc/apache2/a2enmod ssl
    
    Enabling module ssl.
    See /usr/share/doc/apache2.2-common/README.Debian.gz on how to configure SSL and create self-signed certificates.
    To activate the new configuration, you need to run:
      service apache2 restart
    
    vi /etc/apache2/sites-enabled/default-ssl
    
    # Add the following above ServerAdmin
    ServerName z-area.net
    
    # Change the following
    SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
    ↓
    SSLCertificateFile    /usr/local/certs/server.crt
    
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
    ↓
    SSLCertificateKeyFile /usr/local/certs/server.key
    
    # Change the following (inside the /var/www/ Directory block)
    Options Indexes FollowSymLinks MultiViews
    ↓
    Options -Indexes FollowSymLinks -MultiViews
    
    # .htaccess file control (whether All is really fine needs review)
    AllowOverride None
    ↓
    AllowOverride All
    
    service apache2 restart
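The vhost edits above are easy to get half right, so a check that confirms the snakeoil placeholder is gone, directory listings are off and a ServerName exists is worth keeping next to the config. The script below is an added example, not part of the post: check_ssl_vhost reports those findings (plus the AllowOverride All setting the post itself flags for review) and returns their count, and harden_ssl_vhost applies the post's edits in one awk pass. It writes the Options line in the all-prefixed form `-Indexes +FollowSymLinks -MultiViews`, because Apache's documentation states that mixing +/- options with bare ones on one line is invalid syntax. It assumes POSIX sh, grep -E and awk; the sample vhost is constructed from the directives the post shows and is not a copy of Debian's default-ssl file.

```shell
#!/bin/sh
# Added example, not code from the original post: audit an Apache SSL vhost
# file for the settings the post changes, and apply them. Assumes POSIX sh,
# grep -E and awk; the sample vhost below is constructed from the directives
# the post shows and is not a copy of Debian's default-ssl file.
set -eu

# write_sample_vhost FILE: constructed vhost in the state before the post's edits
write_sample_vhost() {
    cat > "$1" <<'EOF'
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /var/www/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
    </Directory>
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
</VirtualHost>
</IfModule>
EOF
}

# check_ssl_vhost FILE: print one finding per line; return value = number of findings
check_ssl_vhost() {
    f=$1; n=0
    if ! grep -Eq '^[[:space:]]*ServerName[[:space:]]' "$f"; then
        echo "no ServerName: the vhost cannot be matched to the certificate's host name"; n=$((n+1))
    fi
    if grep -Eq '^[[:space:]]*SSLCertificate(Key)?File[[:space:]].*snakeoil' "$f"; then
        echo "snakeoil placeholder certificate or key still configured"; n=$((n+1))
    fi
    # an Options line that enables Indexes (bare or +Indexes) exposes directory listings
    if grep -E '^[[:space:]]*Options[[:space:]]' "$f" | grep -Ev '(^|[[:space:]])-Indexes' \
            | grep -Eq '(^|[[:space:]])[+]?Indexes'; then
        echo "directory listing enabled (Options Indexes)"; n=$((n+1))
    fi
    if grep -Eq '^[[:space:]]*AllowOverride[[:space:]]+All' "$f"; then
        echo "AllowOverride All: any .htaccess may override these settings (the post marks this for review)"; n=$((n+1))
    fi
    return "$n"
}

# harden_ssl_vhost FILE CERT KEY SERVERNAME: apply the post's edits in one awk pass.
# Options is written in the all-prefixed form, because Apache does not accept a mix
# of +/- options and bare ones on one line.
harden_ssl_vhost() {
    f=$1; cert=$2; key=$3; name=$4
    if grep -Eq '^[[:space:]]*ServerName[[:space:]]' "$f"; then has_name=1; else has_name=0; fi
    awk -v cert="$cert" -v key="$key" -v name="$name" -v has_name="$has_name" '
        function ind(s) { match(s, /^[ \t]*/); return substr(s, 1, RLENGTH) }
        /^[ \t]*ServerAdmin[ \t]/ && !has_name { print ind($0) "ServerName " name; has_name = 1 }
        /^[ \t]*SSLCertificateFile[ \t]/    { $0 = ind($0) "SSLCertificateFile    " cert }
        /^[ \t]*SSLCertificateKeyFile[ \t]/ { $0 = ind($0) "SSLCertificateKeyFile " key }
        /^[ \t]*<Directory[ \t]+\/var\/www\/?>/ { in_www = 1 }   # only the /var/www block
        /^[ \t]*<\/Directory>/                  { in_www = 0 }
        in_www && /^[ \t]*Options[ \t]/ { $0 = ind($0) "Options -Indexes +FollowSymLinks -MultiViews" }
        { print }
    ' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Usage: sh vhost_check.sh /etc/apache2/sites-enabled/default-ssl
if [ $# -ge 1 ]; then
    check_ssl_vhost "$1" && echo "no findings in $1"
fi
```

Run `apache2ctl configtest` before `service apache2 restart` so a syntax problem in the edited file does not take the site down. Once Apache is back up, `openssl s_client -connect z-area.net:443 -servername z-area.net -CAfile /usr/local/certs/demoCA/cacert.pem` should end with `Verify return code: 0 (ok)` and show the server certificate's subject; that confirms the private CA, the certificate and the vhost agree before the browser test in the last step.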
    
  • Firewall settings

    ufw allow 443
    # Enter y
    Command may disrupt existing ssh connections. Proceed with operation (y|n)?
    Firewall is active and enabled on system startup
    ufw status
    

    To                         Action      From
    20                         LIMIT       Anywhere
    21                         LIMIT       Anywhere
    22                         LIMIT       Anywhere
    80                         ALLOW       Anywhere
    8080                       ALLOW       Anywhere
    443                        ALLOW       Anywhere

    If connecting to "https://z-area.net/" over HTTPS shows "It Works!", the setup succeeded.
    After also opening port 443 on the router, confirm the connection from outside.