[fedora@fedoracore4 ~]$ su -
[root@fedoracore4 ~]# yum -y install mod_ssl    (install the SSL module)
Error: Bad repository file ///etc/yum.repos.d/city-fan.repo.
Setting up Install Process
Setting up repositories
updates-released 100% |=========================| 951 B 00:00
extras 100% |=========================| 1.1 kB 00:00
--> Populating transaction set with selected packages. Please wait.
---> Downloading header for mod_ssl to pack into transaction set.
mod_ssl-2.0.52-3.1.i386.r 100% |=========================| 20 kB 00:00
---> Package mod_ssl.i386 1:2.0.52-3.1 set to be installed
--> Running transaction check
--> Processing Dependency: libdistcache.so.1 for package: mod_ssl
--> Processing Dependency: libnal.so.1 for package: mod_ssl
--> Restarting Dependency Resolution with new changes.
--> Populating transaction set with selected packages. Please wait.
---> Downloading header for distcache to pack into transaction set.
distcache-1.4.5-6.i386.rp 100% |=========================| 7.2 kB 00:00
---> Package distcache.i386 0:1.4.5-6 set to be installed
--> Running transaction check
Dependencies Resolved
Transaction Listing: Install:
mod_ssl.i386 1:2.0.52-3.1
Performing the following to resolve dependencies: Install:
distcache.i386 0:1.4.5-6
Downloading Packages:
mod_ssl-2.0.52-3.1.i386.r 100% |=========================| 89 kB 00:00
distcache-1.4.5-6.i386.rp 100% |=========================| 111 kB 00:01
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Installing: distcache 100 % done 1/2
Installing: mod_ssl 100 % done 2/2
Installed: mod_ssl.i386 1:2.0.52-3.1
Dependency Installed: distcache.i386 0:1.4.5-6
Complete!
[root@fedoracore4 ~]# cd /etc/pki/tls/certs
[root@fedoracore4 ~]# make server.key    (create the private key)
umask 77 ; \
/usr/bin/openssl genrsa -des3 1024 > server.key
Generating RSA private key, 1024 bit long modulus
................................................................++++++
................................................++++++
e is 65537 (0x10001)
Enter pass phrase: (passphrase)
Verifying - Enter pass phrase: (passphrase)
[fedora@fedoracore4 ~]$ openssl rsa -in server.key -out server.key    (remove the passphrase from the private key)
Enter pass phrase for server.key: (the passphrase set when the key was created)
writing RSA key
[fedora@fedoracore4 ~]$ make server.csr    (create the certificate signing request, which carries the public key)
umask 77 ; \
/usr/bin/openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:JP
State or Province Name (full name) [Berkshire]:Osaka (prefecture name)
Locality Name (eg, city) [Newbury]:Tyuoh-ku,Osaka-city (city / municipality name)
Organization Name (eg, company) [My Company Ltd]:fedoracore4.com (domain name)
Organizational Unit Name (eg, section) []: (leave blank, press <ENTER>)
Common Name (eg, your name or your server's hostname) []:fedoracore4.com (hostname)
Email Address []:webmaster@fedoracore4.com (e-mail address)
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: (leave blank, press <ENTER>)
An optional company name []: (leave blank, press <ENTER>)
[fedora@fedoracore4 ~]$ openssl x509 -in server.csr -out server.pem -req -signkey server.key -days 365    (create the certificate)
Signature ok
subject=/C=JP/ST=Osaka/L=Tyuoh-ku,Osaka-city/O=fedoracore4.com/CN=fedoracore4.com/emailAddress=webmaster@fedoracore4.com
Getting Private key
[root@fedoracore4 ~]# chmod 400 server.*    (make the files readable by root only)
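The key, request, self-signed certificate and chmod steps above, done non-interactively as an added shell example (this is not code from the page or its author). It assumes OpenSSL is installed and uses the page's file names and DN; it uses a 2048-bit key where the page uses 1024 bits, a deliberate departure because 1024-bit RSA is no longer considered adequate. After generating the files it runs the checks a practitioner wants before pointing Apache at them: that the certificate's public key matches the private key, that the key is mode 400, and whether the certificate covers a given hostname. The last check also illustrates a caveat for the ssl.conf that follows: a certificate whose CN is fedoracore4.com does not cover blog.fedoracore4.com, so browsers will warn about the name unless the certificate carries that name as well.

```shell
#!/bin/sh
# Added example (not from the original page): the key / CSR / self-signed
# certificate steps done non-interactively, followed by the checks a
# practitioner runs before handing the files to Apache.
# Assumptions: OpenSSL is installed; file names and the subject DN are the
# ones used on the page; the 2048-bit key size is a deliberate departure
# from the page's 1024 bits.

# Generate an unencrypted RSA key.  The page creates a DES3-encrypted key and
# then strips the passphrase; the end result is the same: a key protected by
# file permissions only, which is why the umask matters.
make_server_key() {
    umask 077
    openssl genrsa -out "$1" 2048 2>/dev/null
}

# Certificate request with the DN given on the command line instead of the
# interactive prompts shown on the page.
make_csr() {
    openssl req -new -key "$1" -out "$2" \
        -subj "/C=JP/ST=Osaka/L=Tyuoh-ku,Osaka-city/O=fedoracore4.com/CN=fedoracore4.com/emailAddress=webmaster@fedoracore4.com" \
        2>/dev/null
}

# Self-sign the request with the same key, valid for 365 days as on the page.
make_self_signed() {
    openssl x509 -req -in "$2" -signkey "$1" -days 365 -out "$3" 2>/dev/null
}

# Check 1: the certificate really belongs to the key (public keys must match).
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Check 2: does the certificate cover a given host name?  Looks at the
# subject CN and at any DNS entries in a subjectAltName extension.
cert_covers_name() {
    cn=$(openssl x509 -in "$1" -noout -subject 2>/dev/null |
         sed -n 's/.*CN *= *\([^,/]*\).*/\1/p')
    [ "$cn" = "$2" ] && return 0
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -Eq "DNS:$2(,|[[:space:]]|$)"
}

# Check 3: the private key is readable by its owner only (chmod 400 on the page).
key_perms_ok() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-r--------" ]
}

# Run the whole procedure in a scratch directory; returns 0 only if every
# check passes, including that the cert does NOT cover blog.fedoracore4.com.
demo_pki() {
    d=$(mktemp -d) || return 1
    ( cd "$d" &&
      make_server_key server.key &&
      make_csr server.key server.csr &&
      make_self_signed server.key server.csr server.pem &&
      chmod 400 server.key server.csr server.pem &&
      key_matches_cert server.key server.pem &&
      key_perms_ok server.key &&
      cert_covers_name server.pem fedoracore4.com &&
      ! cert_covers_name server.pem blog.fedoracore4.com )
    rc=$?
    rm -rf "$d"
    return $rc
}

demo_pki && echo "all checks passed"
```

Running the script prints "all checks passed"; to reuse the checks against the real files, call key_matches_cert /etc/httpd/conf/server.key /etc/httpd/conf/server.pem and cert_covers_name /etc/httpd/conf/server.pem blog.fedoracore4.com after sourcing it.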
[root@fedoracore4 ~]# mv server.* /etc/httpd/conf    (move the files to the Apache conf directory)
[root@fedoracore4 ~]# vi /etc/httpd/conf.d/ssl.conf    (edit the Apache SSL configuration file)
/SSLCertificateFile /etc    (search in vi to jump to this line)
#SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateFile /etc/httpd/conf/server.pem
/SSLCertificateKeyFile /etc    (search in vi to jump to this line)
#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
SSLCertificateKeyFile /etc/httpd/conf/server.key
/#DocumentRoot    (search in vi to jump to this line)
#DocumentRoot "/var/www/html"    (remove the leading # to uncomment it)
ServerName fedoracore4.com:443
/</VirtualHost>    (search in vi to jump to the closing tag)
</VirtualHost>
##########add `date +%Y%m%d`
NameVirtualHost *:443
Specify the default virtual host (the SSL server name):
<VirtualHost *:443>
ServerName fedoracore4.com
</VirtualHost>
Here, configure the server you want to run as SSL plus virtual host:
<VirtualHost *:443>
ServerName blog.fedoracore4.com:443    (in this case https://blog.fedoracore4.com/)
DocumentRoot "/var/www/html/blog"    (directory whose index is served when https://blog.fedoracore4.com/ is requested)
ErrorLog logs/ssl_error_log    (mixed into the normal SSL log; if the domain differs as well, give it a separate file name)
TransferLog logs/ssl_access_log    (mixed into the normal SSL log; if the domain differs as well, give it a separate file name)
LogLevel warn
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
SSLCertificateFile /etc/httpd/conf/server.pem    (same setting as above, since there is no need for separate certificates for blog.fedoracore4.com and fedoracore4.com)
SSLCertificateKeyFile /etc/httpd/conf/server.key    (same as above)
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>    (the Apache manual describes these directives in detail)
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
</VirtualHost>
:wq    (save)
[root@fedoracore4 ~]# vi /var/named/chroot/var/named/fedoracore4.com.zone    (edit the BIND zone file)
$TTL 86400
@ IN SOA fedoracore4.com. root.fedoracore4.com.(
2004031901 ; Serial
28800 ; Refresh
14400 ; Retry
3600000 ; Expire
86400 ) ; Minimum
IN NS fedoracore4.com.
IN MX 10 fedoracore4.com.
@ IN A 192.168.1.1
www IN A 192.168.1.1
blog IN A 192.168.1.1    (make the host reachable as blog.fedoracore4.com)
:wq    (save)
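An added shell example (not part of the original page) that cross-checks the two configuration files edited above: it lists the ServerName of every <VirtualHost *:443> in ssl.conf, verifies that the zone file holds an A record for each one, and flags SSLCipherSuite tokens such as +LOW, +SSLv2 and +EXP from the page's cipher string, which enable weak ciphers a server should not offer. Both files are embedded as constructed copies of the page's fragments so the script runs offline; the file paths, host names and apex domain are passed as arguments and are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): sanity checks across the
# ssl.conf virtual hosts and the BIND zone.  The two sample files below are
# constructed from the page's fragments; paths and names are assumptions.

write_sample_ssl_conf() {   # constructed copy of the page's ssl.conf fragment
    cat > "$1" <<'EOF'
NameVirtualHost *:443
<VirtualHost *:443>
ServerName fedoracore4.com
</VirtualHost>
<VirtualHost *:443>
ServerName blog.fedoracore4.com:443
DocumentRoot "/var/www/html/blog"
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
SSLCertificateFile /etc/httpd/conf/server.pem
SSLCertificateKeyFile /etc/httpd/conf/server.key
</VirtualHost>
EOF
}

write_sample_zone() {       # constructed copy of the page's zone file
    cat > "$1" <<'EOF'
$TTL 86400
@ IN SOA fedoracore4.com. root.fedoracore4.com.(
2004031901 ; Serial
28800 ; Refresh
14400 ; Retry
3600000 ; Expire
86400 ) ; Minimum
IN NS fedoracore4.com.
IN MX 10 fedoracore4.com.
@ IN A 192.168.1.1
www IN A 192.168.1.1
blog IN A 192.168.1.1
EOF
}

# Print the ServerName of every <VirtualHost *:443>, one per line, with any
# trailing ":443" removed.
ssl_server_names() {
    awk '/^[[:space:]]*<VirtualHost \*:443>/ {in_vh=1}
         in_vh && $1=="ServerName" {sub(/:443$/,"",$2); print $2}
         /^[[:space:]]*<\/VirtualHost>/ {in_vh=0}' "$1"
}

# Print SSLCipherSuite tokens that switch on cipher classes a server should
# not offer (low-strength, export, SSLv2, anonymous or NULL ciphers).
# Returns 1 if any were found, 0 if the string is clean.
weak_cipher_tokens() {
    found=0
    for tok in $(awk '$1=="SSLCipherSuite" {gsub(/:/," ",$2); print $2}' "$1" |
                 tr ' ' '\n' | LC_ALL=C sort -u); do
        case "$tok" in
            +LOW|+SSLv2|+EXP|+EXPORT*|+NULL|+aNULL|ADH|+ADH) echo "$tok"; found=1 ;;
        esac
    done
    return $found
}

# Does the zone file $3 for apex domain $2 hold an A record for host $1?
# The apex itself is looked up as the "@" owner.
zone_has_a_record() {
    host=$1; apex=$2
    label=${host%".$apex"}
    [ "$host" = "$apex" ] && label="@"
    awk -v l="$label" '$1==l && $2=="IN" && $3=="A" {ok=1} END {exit !ok}' "$3"
}

# Every SSL ServerName must resolve in the zone and the cipher string must
# carry no weak tokens.  Prints a report; the return value is the number of
# problems found.
check_ssl_vs_zone() {
    conf=$1; zone=$2; apex=$3; problems=0
    for name in $(ssl_server_names "$conf"); do
        if zone_has_a_record "$name" "$apex" "$zone"; then
            echo "ok: $name has an A record"
        else
            echo "MISSING: no A record for $name"; problems=$((problems+1))
        fi
    done
    weak=$(weak_cipher_tokens "$conf" | tr '\n' ' ')
    if [ -n "$weak" ]; then
        echo "WEAK SSLCipherSuite tokens: $weak"; problems=$((problems+1))
    fi
    return $problems
}

# Run the checks over the constructed samples: both names resolve, but the
# page's cipher string is flagged, so this returns 1.
demo_check() {
    d=$(mktemp -d) || return 1
    write_sample_ssl_conf "$d/ssl.conf"
    write_sample_zone "$d/fedoracore4.com.zone"
    check_ssl_vs_zone "$d/ssl.conf" "$d/fedoracore4.com.zone" fedoracore4.com
    rc=$?
    rm -rf "$d"
    return $rc
}

demo_check
```

Against the real files, run check_ssl_vs_zone /etc/httpd/conf.d/ssl.conf /var/named/chroot/var/named/fedoracore4.com.zone fedoracore4.com after sourcing the script; a non-zero return means at least one host name has no A record or the cipher string still enables a weak class.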
[root@fedoracore4 ~]# /etc/init.d/httpd restart    (restart the web server)
httpd を停止中: [ OK ]
httpd を起動中: [ OK ]
[root@fedoracore4 ~]# /etc/init.d/named reload    (reload the name server configuration)
Reloading named: [ OK ]
[root@fedoracore4 ~]# dig blog.fedoracore4.com    (verify the name server configuration)
; <<>> DiG 9.3.1 <<>> blog.fedoracore4.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39640
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;blog.fedoracore4.com. IN A
;; ANSWER SECTION:
blog.fedoracore4.com. 86400 IN A 192.168.1.1    (the forward lookup is working)
;; AUTHORITY SECTION:
fedoracore4.com. 86400 IN NS fedoracore4.com.
;; ADDITIONAL SECTION:
fedoracore4.com. 86400 IN A 192.168.1.1
;; Query time: 28 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Fri Oct 7 00:56:11 2005
;; MSG SIZE rcvd: 84
After that, confirm that port 443 is open and access https://blog.fedoracore4.com/ to check.
If the site will also be accessed over http://blog.fedoracore4.com/, do not forget to edit httpd.conf as well.