15 May 2017

Installing a Free SSL Certificate from Let's Encrypt

A while ago I wrote about setting up SSL with a self-signed certificate. This time I am trying Let's Encrypt. The process is quite simple, because everything is automated.
• Download or copy-paste acme.sh from https://github.com/Neilpang/acme.sh.
• Put it in root's home directory, and do this as root, since we need to restart the nginx webserver daemon and place the certificate in /etc/ssl/certs. Create the .acme.sh folder in root's home directory and download the acme.sh script:
# mkdir .acme.sh
# cd .acme.sh && fetch https://raw.githubusercontent.com/Neilpang/acme.sh/master/acme.sh
# chmod 700 acme.sh
Now we configure and issue the certificate. I assume you already have a valid domain and a webserver installed.
# cd .acme.sh
# ./acme.sh --issue -d domainanda.com -w /path/to/root/webserver/document
[Mon May 15 19:28:12 WIB 2017] Registering account
[Mon May 15 19:28:15 WIB 2017] Registered
[Mon May 15 19:28:16 WIB 2017] Update success.
[Mon May 15 19:28:16 WIB 2017] ACCOUNT_THUMBPRINT='MINkdh3CiCitr1h4YesQSO2azn7bs3NIFwJOLbTSpug'
[Mon May 15 19:28:16 WIB 2017] Creating domain key
[Mon May 15 19:28:17 WIB 2017] Single domain='domainanda.com'
[Mon May 15 19:28:17 WIB 2017] Getting domain auth token for each domain
[Mon May 15 19:28:17 WIB 2017] Getting webroot for domain='domainanda.com'
[Mon May 15 19:28:17 WIB 2017] Getting new-authz for domain='domainanda.com'
[Mon May 15 19:28:19 WIB 2017] The new-authz request is ok.
[Mon May 15 19:28:19 WIB 2017] Verifying:domainanda.com
[Mon May 15 19:28:24 WIB 2017] Success
[Mon May 15 19:28:24 WIB 2017] Verify finished, start to sign.
[Mon May 15 19:28:26 WIB 2017] Cert success.
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
[Mon May 15 19:28:26 WIB 2017] Your cert is in  /root/.acme.sh/domainanda.com/domainanda.com.cer
[Mon May 15 19:28:26 WIB 2017] Your cert key is in  /root/.acme.sh/domainanda.com/domainanda.com.key
[Mon May 15 19:28:26 WIB 2017] The intermediate CA cert is in  /root/.acme.sh/domainanda.com/ca.cer
[Mon May 15 19:28:26 WIB 2017] And the full chain certs is there:  /root/.acme.sh/domainanda.com/fullchain.cer
# ls -laF
drwxr-xr-x   4 root  wheel     512 May 15 19:28:39 2017 .
drwxr-xr-x  12 root  wheel    1024 May 15 19:25:13 2017 ..
-rw-r--r--   1 root  wheel     196 May 15 19:28:26 2017 account.conf
-rwxr-xr-x   1 root  wheel  142712 May  3 21:04:02 2017 acme.sh
drwxr-xr-x   3 root  wheel     512 May 15 19:28:09 2017 ca
-rw-r--r--   1 root  wheel     448 May 15 19:28:26 2017 http.header
drwxr-xr-x   2 root  wheel     512 May 15 19:28:26 2017 domainanda.com
Next, we install the certificate:
# cd .acme.sh && ./acme.sh --install-cert -d domainanda.com --key-file /etc/ssl/certs/domainanda.com.key --fullchain-file /etc/ssl/certs/domainanda.com.pem
# vim /usr/local/etc/nginx/nginx.conf
server {
    listen  domainanda.com:443 ssl default_server;
    root   /usr/local/www/data;
    add_header X-Powered-By "domainanda.com";
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Referrer-Policy no-referrer;
    add_header Strict-Transport-Security "max-age=31536000;" always;
    add_header Content-Security-Policy "default-src 'self'; script-src 'self' domainanda.com";
    ssl_certificate      /etc/ssl/certs/domainanda.com.pem;
    ssl_certificate_key  /etc/ssl/certs/domainanda.com.key;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_ecdh_curve secp384r1;
    ssl_session_tickets off;
    ssl_session_cache    shared:SSL:1m;
    ssl_session_timeout  5m;
    ssl_prefer_server_ciphers  on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
}
# /usr/local/etc/rc.d/nginx restart
Because this certificate is valid for at most 3 months, we have to renew it before it expires:
# cd /root/.acme.sh/ && ./acme.sh --renew -d domainanda.com --force
# cd /root/.acme.sh/ && ./acme.sh --install-cert -d domainanda.com --key-file /etc/ssl/certs/domainanda.com.key --fullchain-file /etc/ssl/certs/domainanda.com.pem
# /usr/local/etc/rc.d/nginx restart
Automate this with crontab(5), running it once every 2 months:
# crontab -l
0       1       1       */2     *       cd /root/.acme.sh/ && ./acme.sh --renew -d domainanda.com --force && ./acme.sh --install-cert -d domainanda.com --key-file /etc/ssl/certs/domainanda.com.key --fullchain-file /etc/ssl/certs/domainanda.com.pem --reloadcmd "/usr/local/etc/rc.d/nginx reload"
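The cron entry above renews on a fixed calendar schedule with --force. As an added example (not part of the original post or of acme.sh), the wrapper below instead checks how close the installed certificate is to its notAfter date with openssl(1) and only renews when it is within a threshold, and it reloads nginx only if both the renewal and the install step succeeded, so a failed renewal is reported by cron rather than silently serving a stale chain. The acme.sh path, domain, certificate paths and the nginx rc script are taken from the post; openssl(1) being installed, the 30-day threshold, the DRY_RUN switch and the make_test_cert helper (which builds a constructed self-signed certificate for trying the checks offline) are assumptions of this example. Put `renew_if_due` in a script and call that script from crontab instead of the one-liner.

```shell
#!/bin/sh
# Added example, not from the original post or from acme.sh.
# Renew the Let's Encrypt certificate only when it is close to expiry, and
# reload nginx only when renewal and install both succeed.
# Assumed: openssl(1) is installed. Paths below follow the post's layout and
# can be overridden from the environment.
ACME_SH=${ACME_SH:-/root/.acme.sh/acme.sh}
DOMAIN=${DOMAIN:-domainanda.com}
CERT=${CERT:-/etc/ssl/certs/domainanda.com.pem}
KEY=${KEY:-/etc/ssl/certs/domainanda.com.key}
RELOAD_CMD=${RELOAD_CMD:-/usr/local/etc/rc.d/nginx reload}
THRESHOLD_DAYS=${THRESHOLD_DAYS:-30}   # assumed threshold, not from the post
DRY_RUN=${DRY_RUN:-0}                  # 1 = print commands instead of running them

# run: execute a command, or only print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# needs_renewal CERT DAYS: returns 0 (true) if CERT is missing, unreadable,
# already expired, or expires within DAYS days; returns 1 otherwise.
# openssl -checkend exits non-zero when the certificate expires inside the window.
needs_renewal() {
    if openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# days_left CERT: prints whole days until notAfter (0 if expired or unreadable,
# capped at 3649). It binary-searches with -checkend instead of parsing the
# notAfter string, because date(1) syntax differs between FreeBSD and GNU.
days_left() {
    lo=0; hi=3650
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1 || { echo 0; return 0; }
    while [ $((hi - lo)) -gt 1 ]; do
        mid=$(( (lo + hi) / 2 ))
        if openssl x509 -in "$1" -noout -checkend $((mid * 86400)) >/dev/null 2>&1; then
            lo=$mid      # still valid mid days from now
        else
            hi=$mid      # expires before then
        fi
    done
    echo "$lo"
}

# renew_if_due: the body for the cron job. Prints the decision; returns
# non-zero if renewal or install fails, so cron mails the error and nginx is
# never reloaded with a half-installed certificate.
renew_if_due() {
    if ! needs_renewal "$CERT" "$THRESHOLD_DAYS"; then
        echo "skip: $CERT still valid for $(days_left "$CERT") days"
        return 0
    fi
    echo "renew: $CERT is missing or expires within $THRESHOLD_DAYS days"
    run "$ACME_SH" --renew -d "$DOMAIN" --force &&
        run "$ACME_SH" --install-cert -d "$DOMAIN" \
            --key-file "$KEY" --fullchain-file "$CERT" --reloadcmd "$RELOAD_CMD"
}

# make_test_cert DAYS OUT: constructed self-signed certificate (a sample for
# trying the checks offline, not a Let's Encrypt certificate).
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$1" -subj "/CN=example.test" \
        -keyout "$2.key" -out "$2" >/dev/null 2>&1
}
```

A quick offline check: `make_test_cert 5 /tmp/short.pem; CERT=/tmp/short.pem DRY_RUN=1; renew_if_due` prints the two acme.sh commands it would run, while a 90-day test certificate prints a "skip" line with 89 days left.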