let’sencriptが正式サービスになったので常時SSLにしてみた

% sudo preupg

Preupg tool doesn't do the actual upgrade.
Please ensure you have backed up your system and/or data in the event of a failed upgrade
 that would require a full re-install of the system from installation media.
Do you want to continue? y/n
y
Gathering logs used by preupgrade assistant:
All installed packages : 01/11 ...running         finished (time 00:02s)
All changed files      : 02/11 ...running         finished (time 02:08s)
Changed config files   : 03/11 ...running         finished (time 00:00s)
All users              : 04/11 ...running         finished (time 00:00s)
All groups             : 05/11 ...running         finished (time 00:00s)
Service statuses       : 06/11 ...running         finished (time 00:00s)
All installed files    : 07/11 ...running         finished (time 00:03s)
All local files        : 08/11 ...running         finished (time 00:12s)
All executable files   : 09/11 ...running         finished (time 00:12s)
RedHat signed packages : 10/11 ...running         finished (time 00:00s)
CentOS signed packages : 11/11 ...running         finished (time 00:00s)
Assessment of the system, running checks / SCE scripts:
001/096 ...running (Configuration Files to Review)                                       done    (Configuration Files to Review)

長いので省略

096/096 ...running (NIS server config file back-up)                                        done    (NIS server config file back-up)
Assessment finished (time 03:06s)
I/O warning : failed to load external entity "/usr/share/openscap/xsl/security-guide.xsl"
compilation error: file /usr/share/preupgrade/xsl/preup.xsl line 40 element import
xsl:import : unable to load /usr/share/openscap/xsl/security-guide.xsl
I/O warning : failed to load external entity "/usr/share/openscap/xsl/oval-report.xsl"
compilation error: file /usr/share/preupgrade/xsl/preup.xsl line 41 element import
xsl:import : unable to load /usr/share/openscap/xsl/oval-report.xsl
I/O warning : failed to load external entity "/usr/share/openscap/xsl/sce-report.xsl"
compilation error: file /usr/share/preupgrade/xsl/preup.xsl line 42 element import
xsl:import : unable to load /usr/share/openscap/xsl/sce-report.xsl
OpenSCAP Error:: Could not parse XSLT file '/usr/share/preupgrade/xsl/preup.xsl' [oscapxml.c:416]
Unable to open file /root/preupgrade/result.html
Usage: preupg [options]

preupg: error: [Errno 2] No such file or directory: '/root/preupgrade/result.html'
%

CentOS Linux 7 (Core)
Kernel 3.10.0-327.22.2.el7.x86_64 on an x86_64

sudo yum install http://nginx.org/packages/centos/7/noarch/RPMS/nginx-release-centos-7-0.el7.ngx.noarch.rpm

sudo yum install nginx

sudo yum install php-fpm

; Unix user/group of processes
; Note: The user is mandatory. If the group is not set, the default user's group
;       will be used.
; RPM: apache Choosed to be able to access some dir as httpd
user = nginx
; RPM: Keep a group allowed to write in log dir.
group = nginx

# getenforce
Enforcing
# setenforce 0
# getenforce
Permissive

# setenforce 1
# getenforce
Enforcing
# chcon -Rt httpd_sys_content_t /var/www

# semanage fcontext -a -t httpd_sys_content_t "/var/www(/.*)?"
# semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/wordpress/wp-content(/.*)?"
# restorecon -R -vv /var/www/
# ll -Z /var/www
drwxr--r--. nginx nginx unconfined_u:object_r:httpd_sys_content_t:s0 html
drwxrwxr-x. nginx nginx unconfined_u:object_r:httpd_sys_content_t:s0 wordpress

restorecon

$ git clone https://github.com/letsencrypt/letsencrypt.git
$ ./letsencrypt-auto certonly --webroot --webroot-path ~/ak1211.com -d ak1211.com

$ systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since 木 2016-08-04 03:15:09 JST; 1 weeks 1 days ago
 Main PID: 619 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─619 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

$ sudo firewall-cmd --list-services --zone=public  --permanent
dhcpv6-client http https ssh