Sakura VPS server initial setup – installing a free SSL certificate with Let’s Encrypt

Reference URLs

Enable SSL communication in Apache

  • Install the Apache module mod_ssl.
# yum install mod_ssl
  • Restart Apache to apply the change.
# systemctl restart httpd
How to check whether mod_ssl is already installed:
# httpd -M | grep ssl
ssl_module (shared)

Allow HTTPS traffic on port 443 through the firewall

# firewall-cmd --add-service=https --zone=public --permanent
  • Restart the firewall to apply the change.
# systemctl restart firewalld
How to check which services and ports the firewall allows:
# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: dhcpv6-client ssh http https
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

Install Let’s Encrypt

Install Certbot
  • First check with yum list, just to be sure
    • It is available
# yum list certbot
Loaded plugins: fastestmirror, langpacks
Determining fastest mirrors
 * base: ftp.iij.ad.jp
 * epel: mirror.dmmlabs.jp
 * extras: ftp.iij.ad.jp
 * remi-safe: repo1.sea.innoscale.net
 * updates: ftp.iij.ad.jp
Available Packages
certbot.noarch                                      0.19.0-1.el7                                      epel
  • Install certbot
# yum install certbot
 Package                                    Arch          Version                    Repository      Size
Installing:
 certbot                                    noarch        0.19.0-1.el7               epel            20 k
Installing for dependencies:
 audit-libs-python                          x86_64        2.7.6-3.el7                base            73 k
 checkpolicy                                x86_64        2.5-4.el7                  base           290 k
 dialog                                     x86_64        1.2-4.20130523.el7         base           208 k
 libcgroup                                  x86_64        0.41-13.el7                base            65 k
 libsemanage-python                         x86_64        2.5-8.el7                  base           104 k
 policycoreutils-python                     x86_64        2.5-17.1.el7               base           446 k
 pyOpenSSL                                  x86_64        0.13.1-3.el7               base           133 k
 python-IPy                                 noarch        0.75-6.el7                 base            32 k
 python-backports                           x86_64        1.0-8.el7                  base           5.8 k
 python-backports-ssl_match_hostname        noarch        3.4.0.2-4.el7              base            12 k
 python-cffi                                x86_64        1.6.0-5.el7                base           218 k
 python-enum34                              noarch        1.0.4-1.el7                base            52 k
 python-idna                                noarch        2.4-1.el7                  base            94 k
 python-ipaddress                           noarch        1.0.16-2.el7               base            34 k
 python-ndg_httpsclient                     noarch        0.3.2-1.el7                epel            43 k
 python-parsedatetime                       noarch        1.5-3.el7                  epel            61 k
 python-ply                                 noarch        3.4-11.el7                 base           123 k
 python-pycparser                           noarch        2.14-1.el7                 base           104 k
 python-requests                            noarch        2.6.0-1.el7_1              base            94 k
 python-setuptools                          noarch        0.9.8-7.el7                base           397 k
 python-urllib3                             noarch        1.10.2-3.el7               base           101 k
 python-zope-component                      noarch        1:4.1.0-3.el7              epel           227 k
 python-zope-event                          noarch        4.0.3-2.el7                epel            79 k
 python-zope-interface                      x86_64        4.0.5-4.el7                base           138 k
 python2-acme                               noarch        0.19.0-1.el7               epel           176 k
 python2-certbot                            noarch        0.19.0-1.el7               epel           471 k
 python2-configargparse                     noarch        0.11.0-1.el7               epel            30 k
 python2-cryptography                       x86_64        1.7.2-1.el7_4.1            updates        502 k
 python2-dialog                             noarch        3.3.0-6.el7                epel            94 k
 python2-future                             noarch        0.16.0-2.el7               epel           799 k
 python2-mock                               noarch        1.0.1-9.el7                epel            92 k
 python2-psutil                             x86_64        2.2.1-2.el7                epel           116 k
 python2-pyasn1                             noarch        0.1.9-7.el7                base           100 k
 python2-pyrfc3339                          noarch        1.0-2.el7                  epel            13 k
 pytz                                       noarch        2016.10-2.el7              base            46 k
 setools-libs                               x86_64        3.3.8-1.1.el7              base           612 k

Transaction Summary
Install  1 Package (+36 Dependent packages)
  • Install certbot’s Apache plugin
# yum install certbot-apache
 Package                            Arch               Version                     Repository        Size
Installing:
 python2-certbot-apache             noarch             0.19.0-1.el7                epel             151 k

Transaction Summary
Install  1 Package
Install a certificate with certbot
# certbot --apache -d {domain name}
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): 
  • Enter your email address
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org

-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
  • Read the terms of service; if you agree, type a and press return
-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
  • If you are willing to share your email address with Let’s Encrypt’s partner developer (the EFF) and receive their announcements, type y and press return
Starting new HTTPS connection (1): supporters.eff.org
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for hi3103.net

We were unable to find a vhost with a ServerName or Address of hi3103.net.
Which virtual host would you like to choose?
(note: conf files with multiple vhosts are not yet supported)
-------------------------------------------------------------------------------
1: ssl.conf                       |                       | HTTPS | Enabled
-------------------------------------------------------------------------------
Press 1 [enter] to confirm the selection (press 'c' to cancel): 
  • Type 1 and press return (selects ssl.conf)
Deploying Certificate for hi3103.net to VirtualHost /etc/httpd/conf.d/ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 
  • Whether or not to force-redirect HTTP access to HTTPS
    • I chose 1 (no redirect)
      • I will write the redirect in the Apache configuration myself
-------------------------------------------------------------------------------
Congratulations! You have successfully enabled https://hi3103.net

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=hi3103.net
-------------------------------------------------------------------------------

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/hi3103.net/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/hi3103.net/privkey.pem
   Your cert will expire on 2018-02-16. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
  • Installation complete. Restart Apache to apply the change.
# systemctl restart httpd
  • Try accessing the site.
    • The connection is now secure.
      • Click the right arrow > Show details > View certificate to see the certificate details.

Screenshot: Firefox showing the connection as “Secure Connection”

Renewing the Let’s Encrypt SSL certificate

  • Renew only when fewer than 30 days of validity remain
# certbot renew
  • Renew the certificate immediately, regardless of how long it remains valid
# certbot renew --force-renewal

Configure a virtual host on port 80 (added 2019-04-15)

  • For some reason the SSL certificate had expired, and when I tried to renew it manually I got the following error.

Attempting to renew cert (hi3103.net) from /etc/letsencrypt/renewal/hi3103.net.conf produced an unexpected error:
Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain.
Please add a virtual host for port 80.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/hi3103.net/fullchain.pem (failure)

# vi /etc/httpd/conf/httpd.conf
# NameVirtualHost has no effect on the Apache 2.4 that CentOS 7 ships (httpd only
# logs a warning); the two port-80 <VirtualHost> blocks below are what certbot needs.
NameVirtualHost {IP address}:80

# Explicit :80 so the vhost answers the http-01 challenge on plain HTTP.
<VirtualHost {IP address}:80>
    ServerName www.hi3103.net
    DocumentRoot {document root path}
</VirtualHost>

<VirtualHost {IP address}:80>
    ServerName hi3103.net
    DocumentRoot {document root path}
</VirtualHost>
  • Restart Apache
# systemctl restart httpd.service
  • Renew the certificate manually → success!
# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-  - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/hi3103.net.conf
-  - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for hi3103.net
http-01 challenge for www.hi3103.net
Waiting for verification...
Cleaning up challenges

-  - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/hi3103.net/fullchain.pem
-  - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

-  - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/hi3103.net/fullchain.pem (success)
-  - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
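The two things that bit this setup, the 30-day renewal threshold and the missing port-80 virtual host that the http-01 challenge needs, can be checked before running certbot. The script below is an added example, not part of the original post: `days_left`, `needs_renewal`, `has_port80_vhost` and `preflight` are names chosen here, the `httpd -S` output is a constructed sample, and the paths assume certbot's standard /etc/letsencrypt layout on CentOS 7 (GNU date).

```shell
#!/bin/bash
# Added example (not from the original post): pre-flight checks for a certbot
# renewal on the CentOS 7 / Apache setup described above.

# days_left NOT_AFTER [NOW_EPOCH]: whole days until the date printed by
# `openssl x509 -noout -enddate`, e.g. "notAfter=Feb 16 12:00:00 2018 GMT".
# NOW_EPOCH is optional and exists so the function can be tested deterministically.
days_left() {
  local not_after="${1#notAfter=}" now="${2:-$(date -u +%s)}" end
  end=$(date -u -d "$not_after" +%s) || return 2
  echo $(( (end - now) / 86400 ))
}

# needs_renewal DAYS [THRESHOLD]: the same rule `certbot renew` applies, which
# only renews a certificate once fewer than 30 days of validity remain.
needs_renewal() {
  [ "$1" -lt "${2:-30}" ]
}

# has_port80_vhost HOST "$(httpd -S)": true when HOST is served on port 80,
# either as a name-based vhost ("port 80 namevhost HOST") or as the only vhost
# on an address ("ADDR:80   HOST (file:line)"). Without one, http-01 fails
# exactly as in the renewal error quoted above.
has_port80_vhost() {
  local host_re
  host_re=$(printf '%s' "$1" | sed 's/\./\\./g')
  printf '%s\n' "$2" | grep -Eq "(:80[[:space:]]+|port 80 namevhost )${host_re}[[:space:]]"
}

# Constructed sample of `httpd -S` output after the port-80 vhosts were added.
SAMPLE_HTTPD_S='VirtualHost configuration:
203.0.113.10:80        is a NameVirtualHost
         default server www.hi3103.net (/etc/httpd/conf/httpd.conf:355)
         port 80 namevhost www.hi3103.net (/etc/httpd/conf/httpd.conf:355)
         port 80 namevhost hi3103.net (/etc/httpd/conf/httpd.conf:360)
*:443                  hi3103.net (/etc/httpd/conf.d/ssl.conf:56)'

# preflight DOMAIN: run both checks against the live server, then rehearse the
# renewal with --dry-run (uses the staging CA, so no production rate limits).
preflight() {
  local domain="$1" pem="/etc/letsencrypt/live/$1/fullchain.pem" left
  left=$(days_left "$(openssl x509 -in "$pem" -noout -enddate)") || return 2
  echo "$domain: $left days of validity left"
  needs_renewal "$left" || { echo "not due yet; certbot renew would skip it"; return 0; }
  has_port80_vhost "$domain" "$(httpd -S 2>&1)" \
    || { echo "no port-80 vhost for $domain: http-01 would fail" >&2; return 1; }
  certbot renew --dry-run
}
```

Run `preflight hi3103.net` as root on the server; a clean dry run means the real `certbot renew` (or its cron/systemd timer) will not hit the port-80 error again.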
