Received an e-mail from WordPress

Loosely translated: "Jetpack is free to use too, so go ahead and install it."

Jetpack is a WordPress toolkit that works alongside Akismet to protect your site and content. You can keep your Akismet account and add Jetpack's basic security features at no additional cost.

It looks like it can collect statistics and the like. I'll try installing it over the weekend.

WordPress settings and so on

Apparently WordPress also needs some security configuration.

Installed and configured via plugins.

Akismet Anti-Spam

A plugin that ships with WordPress by default and removes spam comments.

Signed up, received an API key, and configured it.

iThemes Security

Protects against brute-force (dictionary) attacks coming from the network.

Enabled 404 detection and alarm notifications.

It also has features that check things such as removal of the default account and the permissions on configuration files.

Besides these, a plugin that takes regular backups is also needed for day-to-day operation, but

that's it for today.

Installing WordPress on the VPS

Had some free time in the morning, so continued with the VPS.

Auto-renewing the certificate with certbot and cron

Run certbot once a month from crontab to renew the certificate.

The sample has it running every day, but that puts needless load on the certificate issuing server, so I set it to once a month.
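An added example (not from the original post) of a monthly renewal job as described above: it logs how many days the live certificate has left, calls `certbot renew` only when the certificate is inside the renewal window, and reloads httpd only when a new chain was actually deployed. It assumes the CentOS 7 / Apache layout the post uses, `openssl` and GNU `date` on the host, the script being installed as `renew-cert.sh`, and the post's placeholder domain `DOMEIN.com`; by default `certbot renew` itself only contacts the CA for certificates within 30 days of expiry.

```shell
#!/bin/sh
# Added example (not from the original post): monthly certbot renewal job.
# crontab entry, once a month as in the post:
#   0 3 1 * * /usr/local/sbin/renew-cert.sh
# Paths follow the CentOS 7 / Apache layout used in the post; DOMEIN.com is
# the post's placeholder domain. Needs openssl and GNU date at run time.
set -eu

DOMAIN="${DOMAIN:-DOMEIN.com}"
LIVE_CERT="/etc/letsencrypt/live/${DOMAIN}/fullchain.pem"
RENEW_BEFORE_DAYS=30   # certbot's own default renewal window

# Whole days from epoch $2 (now) until epoch $1 (expiry); negative if expired.
days_between() {
    echo $(( ($1 - $2) / 86400 ))
}

# "renew" when the certificate is inside the renewal window, else "skip".
renew_decision() {
    if [ "$1" -le "$2" ]; then
        echo renew
    else
        echo skip
    fi
}

# notAfter of the live certificate as epoch seconds.
cert_expiry_epoch() {
    not_after=$(openssl x509 -noout -enddate -in "$1" | cut -d= -f2)
    date -d "$not_after" +%s
}

main() {
    if [ ! -r "$LIVE_CERT" ]; then
        echo "no certificate at $LIVE_CERT; obtain one with certbot first" >&2
        exit 1
    fi
    left=$(days_between "$(cert_expiry_epoch "$LIVE_CERT")" "$(date +%s)")
    echo "$(date -Is) ${DOMAIN}: ${left} days left"
    if [ "$(renew_decision "$left" "$RENEW_BEFORE_DAYS")" = renew ]; then
        # The deploy hook runs only when a certificate was actually renewed,
        # so httpd is reloaded (not restarted) only when there is a new chain.
        certbot renew --quiet --deploy-hook "systemctl reload httpd"
    fi
}

# Run main only when invoked as the script itself (not when sourced).
case "${0##*/}" in renew-cert.sh) main "$@" ;; esac
```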

 

Installing WordPress

Configured MariaDB, then installed and configured WordPress itself.

Confirmed it works with the default settings.

Finally have an environment for building pages that display properly on smartphones (iOS and the like).

Installing SiteGuard

Sakura VPS offers a firewall product called SiteGuard for free, so I installed it.

Apparently it blocks certain kinds of attacks against the web server.

From next time on, studying WordPress.

Finally managed to install the certificate

Following the installation steps for the CentOS 7 / Apache 2.4 combination from the certbot page.

[root@ik1-333-26935 ~]# certbot --authenticator webroot --installer apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer apache
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
No names were found in your configuration files. Please enter in your domain
name(s) (comma and/or space separated) (Enter 'c' to cancel): DOMEIN.com
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for DOMEIN.com
Input the webroot for DOMEIN.com: (Enter 'c' to cancel): /var/www/html
Waiting for verification...
Cleaning up challenges

We were unable to find a vhost with a ServerName or Address of DOMEIN.com.
Which virtual host would you like to choose?
(note: conf files with multiple vhosts are not yet supported)
-------------------------------------------------------------------------------
1: ssl.conf | | HTTPS | Enabled
-------------------------------------------------------------------------------
Press 1 [enter] to confirm the selection (press 'c' to cancel): 1
Deploying Certificate for hodobara.com to VirtualHost /etc/httpd/conf.d/ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Created redirect file: le-redirect-DOMAIN.com.conf
Rollback checkpoint is empty (no changes made?)

-------------------------------------------------------------------------------
Congratulations! You have successfully enabled https://DOMEIN.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=DOMEIN.com
-------------------------------------------------------------------------------

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/DOMEIN.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/DOMEIN.com/privkey.pem
Your cert will expire on 2018-05-01. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

[root@ik1-333-26935 ~]#

 

Success!

Restarted httpd, opened the site, and could confirm the certificate.

I wish the page 「ネコでもわかる!さくらのVPS講座 ~第六回「無料SSL証明書 Let’s Encryptを導入しよう」」 (Sakura VPS course, part 6: setting up a free Let's Encrypt SSL certificate) had carried a note about this.

Apparently Certbot is the cause

Let's Encrypt and the Certbot used for the installation seem to be handled separately, so when I opened the page there was already a thread with the same message.

Unfortunately, Let's Encrypt has stopped offering the mechanism that Certbot's Apache and Nginx plugins use to prove you control a domain due to a security issue. See https://community.letsencrypt.org/t/2018-01-11-update-regarding-acme-tls-sni-and-shared-hosting-infrastructure/50188 for more info.

Apparently there is a security issue with Certbot's Apache and Nginx plugins and Let's Encrypt has stopped it on their side.

We are planning on releasing a new version of Certbot in the next few days that works around this but if you have to obtain/renew your cert and cannot wait, you have a couple of options. If you're serving files for that domain out of a directory on that server, you can run the following command:

A fixed version will be released soon, but if you are in a hurry, use the following command.

sudo certbot --authenticator webroot --installer nginx

That one is for an nginx server.
There are many other comments attached and I can't read through them all.

That's it for today.

Trying to revoke the certificate with the certbot command.

[root@ik1-333-26935 ~]# certbot plugins    (list the plugins)
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------

*p2* apache
Description: Apache Web Server plugin - Beta
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.entrypoint:ENTRYPOINT

*p3* standalone
Description: Spin up a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = certbot.plugins.standalone:Authenticator

*p4* webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator

-------------------------------------------------------------------------------


[root@ik1-333-26935 ~]# certbot rollback    (restore the configuration)
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Certbot hasn't modified your configuration, so rollback isn't available.
(nothing was changed, so there is nothing to roll back)

[root@ik1-333-26935 ~]# certbot revoke    (revoke the certificate)
usage:
certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
certificate.
certbot: error: argument --cert-path is required
(some parameter is missing)

[root@ik1-333-26935 ~]# certbot certonly    (obtain the certificate only)
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?

-------------------------------------------------------------------------------

1: Apache Web Server plugin - Beta (apache)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)

-------------------------------------------------------------------------------

Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator apache, Installer None
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel): hodobara.com
Obtaining a new certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
(exits with the same warning as at install time)

[root@ik1-333-26935 ~]# certbot certonly
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?

-------------------------------------------------------------------------------

1: Apache Web Server plugin - Beta (apache)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)

-------------------------------------------------------------------------------

Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator apache, Installer None
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel): hodobara.com.
Obtaining a new certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.

[root@ik1-333-26935 ~]# certbot config_changes
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Certbot has not saved backups of your configuration

[root@ik1-333-26935 ~]# certbot certonly --dialog
Use of --dialog is deprecated.
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?

-------------------------------------------------------------------------------

1: Apache Web Server plugin - Beta (apache)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)

-------------------------------------------------------------------------------

Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator apache, Installer None
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel): hodobara.com
Obtaining a new certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.

[root@ik1-333-26935 ~]# certbot certonly --dialog
Use of --dialog is deprecated.
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?

-------------------------------------------------------------------------------

1: Apache Web Server plugin - Beta (apache)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)

-------------------------------------------------------------------------------

Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 2
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel): hodobara.com
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for hodobara.com
Cleaning up challenges
Problem binding to port 80: Could not bind to IPv4 or IPv6.
[root@ik1-333-26935 ~]#
[root@ik1-333-26935 ~]#
[root@ik1-333-26935 ~]# certbot config_changes
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Certbot has not saved backups of your configuration
[root@ik1-333-26935 ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: dhcpv6-client ssh http https
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

Installing the SSL certificate

Felt like it today, so continued a little.

I want to install an SSL certificate on the Sakura VPS, but it ends in an error.
After installing certbot, going to fetch the certificate produces the message below.

Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.

IMPORTANT NOTES:
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.

Is it saying something along the lines of "already registered"?

Uninstalling and reinstalling certbot gives the same message.

That's it for today.