v<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html 
	  PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
	  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="utf-8" lang="utf-8">
  <head>
        <meta http-equiv="content-type" content="text/html; charset=utf-8" />
    <link rel="stylesheet" href="/%7ehiraga/style.css" type="text/css" media="all" />

    <title>FreeBSDでLet's Encryptの証明書を使う</title>
  </head>

  <body>
    <h1>FreeBSDでLet's Encryptの証明書を使う</h1>

    <h2>前提条件</h2>
    <ul>
      <li>FreeBSD 9.3以降</li>
      <li>各種アプリケーションソフトウエアはインストール済のこと</li>
    </ul>
    
    <hr />

    <h2>Let's Encryptのインストール</h2>
    <h3>FreeBSD 9.3の場合</h3>
    <p>ベースシステムのOpenSSLのバージョンが古すぎるのでOpenSSLをportsからインストールします。</p>
<pre>
# pkg install openssl
</pre>
    <p>portsのOpenSSLを使用するようにします。</p>
    <h4>/etc/make.conf</h4>
<pre>
+ DEFAULT_VERSIONS+=ssl=openssl
</pre>
    <p>certbotをportsからインストールします。</p>
<pre>
# portinstall py-certbot
# pkg lock py27-cryptography
</pre>

    <h3>FreeBSD 10以降の場合</h3>
    <p>ベースシステムのOpenSSLをそのまま使用できるの
      pkgからcertbotをインストー ルします。</p>
<pre>
# pkg install py-certbot
</pre>

    <hr />

    <h2>証明書の取得</h2>
<pre>
# certbot certonly -m webmaster@next-hop.net --agree-tos --webroot -w /usr/local/www/apache24/data -d www.next-hop.net
</pre>
    <h3>Application DocumentRoot が / の場合</h3>
    <p>Wordpress などのように Application DocumentRoot が / の場合は
    Alias を設定しておきます。</p>
<pre>
Alias /.well-known /usr/local/www/apache24/data/.well-known
</pre>

    <h2>証明書の更新</h2>
<pre>
# certbot renew --webroot -w /usr/local/www/apache24/data
</pre>

    <hr />

    <h2><a href="apache-tomcat.shtml">Apache + Tomcat</a></h2>

    <hr />

    <h2>Sendmail</h2>
    <p>セキュリティを高めたいときはsendmail.mcに以下を追加します。
      ただし、相手の SMTP サーバも同様に対応している必要があります。</p>
<pre>
LOCAL_CONFIG
O CipherList=HIGH:MEDIUM:-SSLv3:-SSLv2
O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_CIPHER_SERVER_PREFERENCE
O ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3
</pre>
    <p>sendmail.cfを再構築します。</p>
<pre>
# cd /etc/mail
# make sendmail.cf
# make install
</pre>
    <p>rootで次のスクリプトを実行します。</p>
<pre>
#!/bin/sh

LEDIR="/usr/local/etc/letsencrypt/live"
HOSTNAME="`uname -n`"
SUFFIX=""
HOSTDIR="$HOSTNAME$SUFFIX"
CERT="$LEDIR/$HOSTDIR/cert.pem"
KEY="$LEDIR/$HOSTDIR/privkey.pem"
CHAIN="$LEDIR/$HOSTDIR/chain.pem"
SENDMAILDIR="/etc/mail/certs"

if [ ! -f $CERT ]; then
    echo "file not found: $CERT"
    exit
fi
if [ ! -f $KEY ]; then
    echo "file not found: $KEY"
    exit
fi
if [ ! -f $CHAIN ]; then
    echo "file not found: $CHAIN"
    exit
fi
if [ ! -d $SENDMAILDIR ]; then
    mkdir $SENDMAILDIR
fi
cp -p $CERT $SENDMAILDIR/host.cert
cp -p $KEY $SENDMAILDIR/host.key
chmod 600 $SENDMAILDIR/host.key
cp -p $CHAIN $SENDMAILDIR/cacert.pem
cd $SENDMAILDIR
HASHFILE="`openssl x509 -hash -noout -in cacert.pem`.0"
if [ ! -f $HASHFILE ]; then
    ln -s cacert.pem $HASHFILE
fi
# for Cyrus imapd
cp -p $KEY $SENDMAILDIR/host.key2
chown cyrus:cyrus $SENDMAILDIR/host.key2
chmod 600 $SENDMAILDIR/host.key2
</pre>    
    <p>デーモンを再起動します。</p>
<pre>
# /etc/rc.d/sendmail restart
</pre>

    <hr />

    <h2>Cyrus IMAP</h2>
    <p>Sendmail用証明書から流用します。</p>
    <h4>/usr/local/etc/imapd.conf</h4>
<pre>
tls_client_ca_file:     /etc/mail/certs/cacert.pem
tls_client_ca_dir:      /etc/mail/certs
tls_server_key:         /etc/mail/certs/host.key2
tls_server_cert:        /etc/mail/certs/host.cert
tls_ciphers:            HIGH:MEDIUM:-SSLv3:-SSLv2
</pre>
    <p>デーモンを再起動します。</p>
<pre>
# /usr/local/etc/rc.d/imapd restart
</pre>

    <hr />

    <h2>OpenLDAP</h2>
    <h4>/usr/local/etc/openldap/slapd.conf</h4>
<pre>
TLSCACertificateFile    /usr/local/etc/openldap/certs/chain.pem
TLSCACertificatePath    /usr/local/etc/openldap/certs
TLSCertificateFile      /usr/local/etc/openldap/certs/host.cert
TLSCertificateKeyFile   /usr/local/etc/openldap/certs/host.key
TLSCipherSuite          HIGH:MEDIUM:-SSLv3:-SSLv2
</pre>
    <h4>/usr/local/etc/openldap/ldap.conf</h4>
<pre>
TLS_CACERT      /usr/local/etc/openldap/certs/cacert.pem
TLS_CACERTDIR   /usr/local/etc/openldap/certs
TLS_CERT        /usr/local/etc/openldap/certs/host.cert
TLS_KEY         /usr/local/etc/openldap/certs/host.key
TLS_CIPHER_SUITE HIGH:MEDIUM:-SSLv3:-SSLv2
</pre>
    <p>rootで次のスクリプトを実行します。</p>
<pre>
#!/bin/sh

LEDIR="/usr/local/etc/letsencrypt/live"
#HOSTNAME="`uname -n`"
HOSTNAME="ldap.next-hop.net"
#SUFFIX="-0001"
SUFFIX=""
HOSTDIR="$HOSTNAME$SUFFIX"
CACERT="/etc/ssl/cert.pem"
CHAIN="$LEDIR/$HOSTDIR/chain.pem"
CERT="$LEDIR/$HOSTDIR/cert.pem"
KEY="$LEDIR/$HOSTDIR/privkey.pem"
OPENLDAPDIR="/usr/local/etc/openldap/certs"

if [ ! -f $CACERT ]; then
    echo "file not found: $CACERT"
    exit
fi
if [ ! -f $CHAIN ]; then
    echo "file not found: $CHAIN"
    exit
fi
if [ ! -f $CERT ]; then
    echo "file not found: $CERT"
    exit
fi
if [ ! -f $KEY ]; then
    echo "file not found: $KEY"
    exit
fi
if [ ! -d $OPENLDAPDIR ]; then
    mkdir $OPENLDAPDIR
fi

cd $OPENLDAPDIR

if [ -f cacert.pem ]; then
    rm cacert.pem
fi
cp -p $CACERT cacert.pem
if [ -f chain.pem ]; then
    rm chain.pem
fi
cp -p $CHAIN chain.pem

HASHCA="`openssl x509 -hash -noout -in cacert.pem`.0"
HASHCHAIN="`openssl x509 -hash -noout -in chain.pem`.0"
if [ -h $HASHCA ]; then
    rm $HASHCA
fi
ln -s cacert.pem $HASHCA
if [ -h $HASHCHAIN ]; then
    rm $HASHCHAIN
fi
ln -s chain.pem $HASHCHAIN

cp -p $CERT host.cert
cp -p $KEY host.key
chown ldap:ldap host.key
chmod 600 host.key
</pre>
    <p>slapd を再起動します。</p>
<pre>
# service slapd restart
</pre>
    
    <h2>pam_ldap</h2>
    <h4>/usr/local/etc/ldap.conf</h4>
<pre>
tls_cacertfile /usr/local/etc/openldap/certs/cacert.pem
tls_cacertdir  /usr/local/etc/openldap/certs
tls_cert /usr/local/etc/openldap/certs/host.cert
tls_key  /usr/local/etc/openldap/certs/host.key
tls_ciphers HIGH:MEDIUM:-SSLv3:-SSLv2
</pre>

    <h2>nss_ldap</h2>
    <h4>/usr/local/etc/nss_ldap.conf</h4>
<pre>
tls_cacertfile /usr/local/etc/openldap/certs/cacert.pem
tls_cacertdir  /usr/local/etc/openldap/certs
tls_cert /usr/local/etc/openldap/certs/host.cert
tls_key  /usr/local/etc/openldap/certs/host.key
tls_ciphers HIGH:MEDIUM:-SSLv3:-SSLv2
</pre>

    <hr />

    <h2>SoftEther VPN</h2>
    <p>rootで次のスクリプトを実行します。</p>
<pre>
#!/bin/sh

VPNCMD="/usr/local/sbin/vpncmd localhost:5555 /SERVER /PASSWORD:password /CMD"
LEDIR="/usr/local/etc/letsencrypt/live"
HOSTNAME="`uname -n`"
SUFFIX=""
HOSTDIR="$HOSTNAME$SUFFIX"
CERT="$LEDIR/$HOSTDIR/cert.pem"
KEY="$LEDIR/$HOSTDIR/privkey.pem"

if [ ! -f $CERT ]; then
    echo "file not found: $CERT"
    exit
fi
if [ ! -f $KEY ]; then
    echo "file not found: $KEY"
    exit
fi

$VPNCMD ServerCertSet /LOADCERT:$CERT /LOADKEY:$KEY
</pre>
    <p>デーモンを再起動します。</p>
<pre>
# /usr/local/etc/rc.d/softether_server restart
</pre>

    <hr />

    <h2>Cipher Suiteの確認</h2>
<pre>
# openssl ciphers -v HIGH:MEDIUM:-SSLv3:-SSLv2
</pre>

    <hr />

    <h2>参考</h2>
    <ul>
      <li><a href="https://wiki.openssl.org/index.php/Manual:Ciphers(1)">
	  OpenSSL - Manual:Ciphers(1)
      </a></li>
      <li><a href="http://d.hatena.ne.jp/blooper/20120910/1347285980">
	  私が愛した openssl (SSL/TLS 編)
      </a></li>
      <li><a href="http://www.openldap.org/doc/admin24/tls.html">
	  OpenLDAP - 16. Using TLS
      </a></li>
      <li><a href="https://zmap.io/sslv3/servers.html">
	  POODLE Disabling SSLv3 Support on Servers
      </a></li>
    </ul>

    <hr />
    
   <table class="footer">
    <tr>
      <td width="500pt">
	<p class="copyright">Copyright &#169;2000-2018 T.Hiraga
	  <a href="mailto:hiraga@next-hop.net">&lt;hiraga@next-hop.net&gt;</a>
	  All Rights Reserved.</p>
	<p class="copyright">Last modified: 

$Date: 2018/02/28 21:58:19 $
    </p>
    </td>
      <td width="500pt">
	<div align="right">
	  <a href="https://validator.w3.org/check?uri=referer">
	    <img class="logo" src="https://www.w3.org/Icons/valid-xhtml10"
		 alt="Valid XHTML 1.0 Transitional" height="31" width="88" />
	  </a>
	  <a href="https://www.letsencrypt.org/">
	    <img class="logo" src="/images/le-logo-standard2.png" alt="Let's Encrypto" />
	  </a>
	  <!-- a href="https://www.openssl.org/">
	    <img class="logo" src="/images/128px-OpenSSL_logo.png" alt="OpenSSL" />
	  </a -->
	  <a href="https://www.apache.org/">
	    <img class="logo" src="/images/pb-apache2.png" alt="Powered by Apache" />
	  </a>
	  <a href="https://www.freebsd.org/">
	    <img class="logo" src="/images/pbfbsd2.gif" alt="Powered by FreeBSD" />
	  </a>
	</div>
      </td>
    </tr>
    </table>

    <!-- Google Analytics -->
    <script type="text/javascript" >
      (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
      (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
      m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
      })(window,document,'script','//www.google-analytics.com/analytics.js','ga');

      ga('create', 'UA-722671-1', 'auto');
      ga('send', 'pageview');
    </script>
    <!-- End Google Analytics -->

    <!-- script src="http://www.google-analytics.com/urchin.js"
	    type="text/javascript">
    </script>
    <script type="text/javascript">
      _uacct = "UA-722671-1";
      urchinTracker();
    </script -->


  </body>
</html>