====== 31 OpenNebula SSL化 ====== ===== OpenNebula ===== :host: 0.0.0.0 :port: 80 ↓ :host: 127.0.0.1 :port: 9869 :vnc_proxy_port: 29876 :vnc_proxy_support_wss: no :vnc_proxy_cert: :vnc_proxy_key: :vnc_proxy_ipv6: false :vnc_request_password: false ↓ :vnc_proxy_port: 29876 :vnc_proxy_support_wss: yes :vnc_proxy_cert: /etc/letsencrypt/live/hoge.hogehoge.com/fullchain.pem :vnc_proxy_key: /etc/letsencrypt/live/hoge.hogehoge.com/privkey.pem :vnc_proxy_ipv6: false :vnc_request_password: false ===== Nginx ===== #### OpenNebula Sunstone upstream upstream sunstone { server 127.0.0.1:9869; } upstream websocketproxy { server 127.0.0.1:29876; } #### cloudserver.org HTTP virtual host server { listen 80; server_name hoge.hogehoge.com; root /usr/share/nginx/html; ### Permanent redirect to HTTPS (optional) #return 301 https://$server_name:8443; } #### cloudserver.org HTTPS virtual host server { listen 443; server_name hoge.hogehoge.com; ### SSL Parameters ssl on; ssl_session_timeout 24h; ssl_certificate /etc/letsencrypt/live/hoge.hogehoge.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/hoge.hogehoge.com/privkey.pem; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; client_max_body_size 10G; ### Proxy requests to upstream location / { proxy_pass http://sunstone; } location /websockify { proxy_pass http://websocketproxy; } ===== Lets' Encryptの場合 ===== oneadminでアクセスできないと、下記のエラーになります。 xxx.xx.xxx.xxx: SSL connection but '/etc/letsencrypt/live/hoge.hogehoge.com/fullchain.pem' not found xxx.xx.xxx.xxx: SSL connection but '/etc/letsencrypt/live/hoge.hogehoge.com/fullchain.pem' not found # chmod 755 /etc/letsencrypt/live /etc/letsencrypt/archive # chmod 644 /etc/letsencrypt/archive/hoge.hogehoge.com/privkey* ==== おまけLet's Encrypt更新 ==== certbot-auto renew --force-renew --post-hook "service opennebula-sunstone restart" {{tag>kvm opennebula}}