Skip to content

Instantly share code, notes, and snippets.

@dseg

dseg/ct-submit.sh

Last active July 2, 2016 20:10
Show Gist options
  • Save dseg/90769ca9f51329027ad5 to your computer and use it in GitHub Desktop.
Save dseg/90769ca9f51329027ad5 to your computer and use it in GitHub Desktop.
Download ZIP
Let's EncryptのSSL証明書で、Qualys SSLTestでA+評価を獲得するには ref: http://qiita.com/dseg/items/bab80f6f14349fcd9c22
Raw
ct-submit.sh
#!/bin/sh
# Let's encryptから入手した fullchain.pem の場所
KEY=/etc/letsencrypt/live/shield.jp/fullchain.pem
# CT情報の保存先
SCTS_DIR=/etc/letsencrypt/live/shield.jp/scts
# ct-submitコマンド
CTSUBMIT=/usr/local/bin/ct-submit
echo 1
sudo sh -c "$CTSUBMIT ct.googleapis.com/aviator \
<$KEY \
>$SCTS_DIR/aviator.sct"
echo 2
sudo sh -c "$CTSUBMIT ct.googleapis.com/pilot \
<$KEY \
>$SCTS_DIR/pilot.sct"
echo 3
sudo sh -c "$CTSUBMIT ct.googleapis.com/rocketeer \
<$KEY \
>$SCTS_DIR/rocketeer.sct"
#echo 4
#sudo sh -c "$CTSUBMIT ct1.digicert-ct.com/log \
#<$KEY \
#>$SCTS_DIR/digicert.sct"
#echo 5
#sudo sh -c "$CTSUBMIT ct.izenpe.com \
#<$KEY \
#>$SCTS_DIR/izenpe.sct"
#echo 6
#sudo sh -c "$CTSUBMIT log.certly.io \
#<$KEY \
#>$SCTS_DIR/certly.sct"
Raw
file1.txt
# DHPARAMの生成
sudo openssl dhparam -out /etc/ssl/private/dhparams_4096.pem 4096
Raw
file11.txt
sudo ls -al /etc/letsencrypt/live/shield.jp/scts
total 20
drwxr-xr-x 2 root root 4096 Nov 12 16:54 .
drwxr-xr-x 3 root root 4096 Nov 12 17:46 ..
-rw-r--r-- 1 root root 118 Nov 12 16:54 aviator.sct
-rw-r--r-- 1 root root 119 Nov 12 16:54 pilot.sct
-rw-r--r-- 1 root root 118 Nov 12 16:54 rocketeer.sct
Raw
file5.txt
Public-Key-Pins: pin-sha256="base64=="; max-age=expireTime [; includeSubdomains][; report-uri="reportURI"]
Raw
file6.txt
# メインの鍵の情報を取り出して、Base64符号化
sudo openssl x509 -noout -in /etc/letsencrypt/live/shield.jp/chain.pem -pubkey | \
openssl pkey -pubin -outform der |\
openssl dgst -sha256 -binary |\
base64
# バックアップ鍵の生成
sudo openssl genrsa -out /etc/letsencrypt/live/shield.jp/hpkp-backup.key 4096
sudo openssl req -new -key /etc/letsencrypt/live/shield.jp/hpkp-backup.key -sha256 -out /etc/letsencrypt/live/shield.jp/hpkp-backup.csr
# バックアップ鍵の情報を取り出して、Base64符号化
sudo openssl req -pubkey < /etc/letsencrypt/live/shield.jp/hpkp-backup.csr | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64
Raw
file7.txt
listen 443 ssl;
server_name shield.jp;
ssl_certificate /etc/letsencrypt/live/shield.jp/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/shield.jp/privkey.pem;
ssl_session_cache shared:SSL:3m;
ssl_buffer_size 8k;
ssl_session_timeout 10m;
# ssl_ciphers HIGH:!aNULL:!MD5;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
ssl_prefer_server_ciphers on;
# 証明書透かし (Certificate Transparency)設定
ssl_ct on;
ssl_ct_static_scts /etc/letsencrypt/live/shield.jp/scts;
# Logjam攻撃対策
ssl_dhparam /etc/ssl/private/dhparam_4096.pem;
# Enable OCSP (Online Certificate Status Protocol) Stapling
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.4.4 8.8.8.8 valid=300s;
resolver_timeout 10s;
# Enable HSTS (HTTP Strict Transport Security)
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
# HPKP Settings
add_header Public-Key-Pins 'pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="; pin-sha256="GO8LTsdpBf/sLaUQ3/NPVCaGzZOmku+6iIBdeef9K2k="; max-age=2592000; includeSubDomains';
# 後略
Raw
file8.txt
# nginx-ctプラグインのダウンロード
cd /tmp
wget https://github.com/grahamedgecombe/nginx-ct/archive/master.zip
unzip master.zip
# nginx-ctプラグインを有効化してNginxを再ビルド (OpenSSL 1.0.2以降も必要)
cd /usr/local/src/nginx-1.9.3
./configure --add-module=/tmp/nginx-ct-master --with-http_ssl_module --with-openssl=/usr/local/src/openssl-1.0.2d
make clean
make
sudo make install
Raw
file9.txt
cd /tmp
wget https://github.com/grahamedgecombe/ct-submit/archive/master.zip
unzip master.zip
cd ct-submit-master
go build
sudo install -s -m755 ./ct-submit-master /usr/local/bin/ct-submit
Raw
nginx.conf
#
# HTTPS server
#
server {
listen 443 ssl http2; # HTTP/2パッチを当てているため。通常は http2 は不要
server_name shield.jp;
ssl_certificate /etc/letsencrypt/live/shield.jp/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/shield.jp/privkey.pem;
ssl_session_cache shared:SSL:3m;
ssl_buffer_size 8k;
ssl_session_timeout 10m;
# 1. 暗号方式の設定
# (デフォルト) ssl_ciphers HIGH:!aNULL:!MD5;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
ssl_prefer_server_ciphers on;
# 2. Logjam攻撃対策
ssl_dhparam /etc/ssl/private/dhparam_4096.pem;
# 3. Enable OCSP (Online Certificate Status Protocol) Stapling
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.4.4 8.8.8.8 valid=300s;
resolver_timeout 10s;
# 4. Enable HSTS (HTTP Strict Transport Security)
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
# 5. HPKP Settings
add_header Public-Key-Pins 'pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="; pin-sha256="GO8LTsdpBf/sLaUQ3/NPVCaGzZOmku+6iIBdeef9K2k="; max-age=2592000; includeSubDomains';
# 6.証明書透かし (Certificate Transparency)設定
ssl_ct on;
ssl_ct_static_scts /etc/letsencrypt/live/shield.jp/scts;
# 後略
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment