{"id":3318,"date":"2016-06-19T22:26:38","date_gmt":"2016-06-19T13:26:38","guid":{"rendered":"http:\/\/borg4.vdomains.jp\/~goro\/diary\/?p=3318"},"modified":"2016-06-19T22:26:38","modified_gmt":"2016-06-19T13:26:38","slug":"lets-encrypt-%e3%81%ae%e8%a8%bc%e6%98%8e%e6%9b%b8%e3%82%92-os-x-server-%e3%81%a7%e4%bd%bf%e3%81%86","status":"publish","type":"post","link":"https:\/\/borg4.vdomains.jp\/~goro\/diary\/2016\/3318","title":{"rendered":"Using Let&#8217;s Encrypt certificates with OS X Server"},"content":{"rendered":"<p>For the past few years I had been using the free certificates from <a href=\"https:\/\/www.startssl.com\">StartSSL<\/a> as the SSL certificates for OS X, but at this year&#8217;s renewal, thanks to a spec change (since when?) under which the free certificate that used to cover the domain plus 1 host now covers up to 5 hosts, I failed to get a certificate for the domain itself, so I took this as an opportunity to switch to <a href=\"https:\/\/letsencrypt.org\">Let&#8217;s Encrypt<\/a> certificates.<\/p>\n<p>It turns out that a guide for OS X Server, <a href=\"https:\/\/community.letsencrypt.org\/t\/complete-guide-to-install-ssl-certificate-on-your-os-x-server-hosted-website\/15005\">Complete guide to install SSL certificate on your OS X server hosted website<\/a>, had already been published, so there is not much to puzzle over, but I am sure to forget what I did, so here are my notes (lol).<\/p>\n<p><!--more--><\/p>\n<ol>\n<li><span class=\"label label-info\">Install let&#8217;s Encrypt client | Getting the <a href=\"https:\/\/letsencrypt.org\">Let&#8217;s Encrypt<\/a> client<\/span><br \/>\nThe guide says to install Homebrew, but let me at least choose my own package system, so as usual I am using pkgsrc. After puzzling over why I could not find <a href=\"http:\/\/pkgsrc.se\/wip\/py-letsencrypt\">py-letsencrypt<\/a>, which should have been in wip, it took me an awfully long time to notice that the package now reflects the upstream command being renamed from letsencrypt to certbot and, while at it, had been merged from wip into the main tree as <a href=\"http:\/\/pkgsrc.se\/security\/py-certbot\">security\/py-certbot<\/a>; once you notice that, a single bmake install does it, so it is easy, probably.<\/li>\n<li><span class=\"label label-info\">(test and) generate the certificate | Creating the certificate<\/span><br \/>\nHere you basically just read letsencrypt-auto as certbot, so there does not seem to be much to think about. The first time you can follow the guide as is, but the second time (that is, at renewal) I have a feeling it might be easier to comment out the domains line in cert.ini and run renew instead of certonly. I did not know how to install an OS X Server certificate from the CLI, so I was impressed that it can be done with \/usr\/bin\/security.<\/li>\n<li><span class=\"label label-info\">configure your website | Site configuration<\/span><br \/>\nSince the certificate can be installed from the CLI, I would think selecting the certificate and so on could also be done with some serveradmin option, but I do not know how, so I suppose the only way is the GUI, that is, Server.app\u2026? Note that when configuring from Server.app, the certificate is used not only by the web site but also by OpenDirectory, Dovecot, postfix and Message, so it is quite a hassle. Besides, I do not want to switch the OD certificate by hand (lol).<\/li>\n<li><span class=\"label label-info\">(test and) automate the renewal | Automating certificate renewal<\/span><br \/>\nEverything up to importing the certificate can be automated, but it is lame that the switchover is manual for now.<\/li>\n<li><span class=\"label label-info\">Enjoy&#8230; | Let&#8217;s enjoy<\/span><br \/>\nApparently you are supposed to celebrate with a beer or something, but I do not drink, so I wrote this entry instead (lol).<\/li>\n<\/ol>\n<p>So here are my cert.ini and get_cert.sh, exposed for all to see. The certificates issued seem to be valid for 3 months, so I suppose I can test whether this is correct once September comes\u2026?<\/p>\n<ul>\n<li>cert.ini<\/li>\n<\/ul>\n<pre># Use a 4096 bit RSA key instead of 2048\nrsa-key-size = 4096\n# Register with the specified e-mail address\nemail = root@example.jp\n# Generate certificates for the specified domains.\n# domains = example.jp, www.example.jp, mail.example.jp\n# Uncomment to use a text interface instead of ncurses\n# text = True\n# To use the webroot authenticator.\nauthenticator = 
webroot\nwebroot-path = \/Library\/Server\/Web\/Data\/Sites\/Default<\/pre>\n<ul>\n<li>get_cert.sh<\/li>\n<\/ul>\n<pre>#!\/bin\/sh\n\nDOMAIN_DEFAULT=example.jp\n# CERTBOT_ROOT ends with a slash, so sub-paths are appended to it directly\nCERTBOT_ROOT=\"\/Users\/goro\/Documents\/cert\/letsencrypt\/my_script\/\"\nPEM_FOLDER=\"${CERTBOT_ROOT}live\/${DOMAIN_DEFAULT}\/\"\nLOG_FOLDER=\"${CERTBOT_ROOT}logs\/\"\n# certbot writes its log as letsencrypt.log under --logs-dir\nLOG_FILE=\"${LOG_FOLDER}letsencrypt.log\"\n\n# Renew the certificate (add --dry-run for a test run)\n\/opt\/pkg\/bin\/certbot renew -c \"${CERTBOT_ROOT}cert.ini\" --config-dir \"${CERTBOT_ROOT}\" --logs-dir \"${LOG_FOLDER}\"\n\n# Check that everything went fine\nLE_STATUS=$?\n\nif [ \"${LE_STATUS}\" != 0 ]; then\n    echo \"Automated Get certificate failed:\"\n    cat \"${LOG_FILE}\"\n    exit 1\nfi\n\n# Generate a passphrase for the p12 file; it is passed as a command-line\n# argument below, so it is visible in the process list while those commands run\nPASS=$(openssl rand -base64 45 | tr -d \/=+ | cut -c -30)\n\n# Transform the pem files into an OS X valid p12 file\nopenssl pkcs12 -export -inkey \"${PEM_FOLDER}privkey.pem\" -in \"${PEM_FOLDER}cert.pem\" -certfile \"${PEM_FOLDER}fullchain.pem\" -out \"${PEM_FOLDER}letsencrypt_sslcert.p12\" -passout \"pass:${PASS}\"\n\n# Import the p12 file into the System keychain\nsudo security import \"${PEM_FOLDER}letsencrypt_sslcert.p12\" -f pkcs12 -k \/Library\/Keychains\/System.keychain -P \"${PASS}\" -T \/Applications\/Server.app\/Contents\/ServerRoot\/System\/Library\/CoreServices\/ServerManagerDaemon.bundle\/Contents\/MacOS\/servermgrd<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>For the past few years I had been using the free certificates from StartSSL as the SSL certificates for OS X, but at this year&#8217;s renewal, thanks to a spec change (since when?) under which the free certificate that used to cover the domain plus 1 host now covers up to 5 hosts, the domain&#8217;s own [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11],"tags":[77,62,30,65,23],"class_list":["post-3318","post","type-post","status-publish","format-standard","hentry","category-mac","tag-mac","tag-os-x-server","tag-pkgsrc","tag-python","tag-software"],"_links":{"self":[{"href":"https:\/\/borg4.vdomains.jp\/~goro\/diary\/wp-json\/wp\/v2\/posts\/3318","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borg4.vdomains.jp\/~goro\/diary\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borg4.vdomains.jp\/~goro\/diary\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borg4.vdomains.jp\/~goro\/diary\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/borg4.vdomains.jp\/~goro\/diary\/wp-json\/wp\/v2\/comments?post=3318"}],"version-history":[{"count":6,"href":"https:\/\/borg4.vdomains.jp\/~goro\/diary\/wp-json\/wp\/v2\/posts\/3318\/revisions"}],"predecessor-version":[{"id":3324,"href":"https:\/\/borg4.vdomains.jp\/~goro\/diary\/wp-json\/wp\/v2\/posts\/3318\/revisions\/3324"}],"wp:attachment":[{"href":"https:\/\/borg4.vdomains.jp\/~goro\/diary\/wp-json\/wp\/v2\/media?parent=3318"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borg4.vdomains.jp\/~goro\/diary\/wp-json\/wp\/v2\/categories?post=3318"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borg4.vdomains.jp\/~goro\/diary\
/wp-json\/wp\/v2\/tags?post=3318"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}