SSL - HackMD

--- title: SSL tags: Security, Web Server --- * 修改 acme 驗證 CA 為 letsencrypt acme.sh --set-default-ca --server letsencrypt * [acme.sh 使用教學 ( Web server 80 port 須對外開放提供驗證 )](https://github.com/acmesh-official/acme.sh) * Nginx install cert ``` acme.sh --install-cert -d domain.com \ --key-file /etc/nginx/ssl/domain.com/key.pem \ --fullchain-file /etc/nginx/ssl/domain.com/cert.pem \ --reloadcmd "service nginx force-reload" ``` * Others ``` acme.sh --install-cert -d domain.com \ --key-file /ssl/domain.com/key.pem \ --fullchain-file /ssl/domain.com/fullchain.pem \ --cert-file /ssl/domain.com/cert.pem ``` * KeyCloak run with SSL ``` docker run \ --name keycloak \ -e KEYCLOAK_ADMIN=admin \ -e KEYCLOAK_ADMIN_PASSWORD=admin \ -e KC_HTTPS_CERTIFICATE_FILE=/opt/keycloak/conf/fullchain.pem \ -e KC_HTTPS_CERTIFICATE_KEY_FILE=/opt/keycloak/conf/key.pem \ -v /ssl/domain.com/docker/fullchain.pem:/opt/keycloak/conf/fullchain.pem \ -v /ssl/domain.com/docker/key.pem:/opt/keycloak/conf/key.pem \ -p 8443:8443 \ -d \ quay.io/keycloak/keycloak:18.0.2 \ start-dev ``` ### 測試 openssl s_client -connect domain.com:443 -tls1_2 openssl s_client -connect domain.com:443 -tls1_3