Sakura VPS server initial setup – Installing a free SSL certificate from Let’s Encrypt
Reference URL
Enable SSL (HTTPS) in Apache
- Install the Apache module mod_ssl.
# yum install mod_ssl
- Restart Apache to apply it
# systemctl restart httpd
How to check that mod_ssl is installed and loaded
# httpd -M | grep ssl
ssl_module (shared)
Allow port 443 (HTTPS) through the firewall
# firewall-cmd --add-service=https --zone=public --permanent
- Restart firewalld to apply it (a --permanent rule is only written to disk; firewall-cmd --reload loads it into the running firewall without restarting the daemon)
# systemctl restart firewalld
How to check which services and ports the firewall allows
# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: dhcpv6-client ssh http https
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
Install Let’s Encrypt (Certbot)
Install Certbot
- Check with yum list first, just to be sure
- It is there (in the EPEL repository)
# yum list certbot
Loaded plugins: fastestmirror, langpacks
Determining fastest mirrors
* base: ftp.iij.ad.jp
* epel: mirror.dmmlabs.jp
* extras: ftp.iij.ad.jp
* remi-safe: repo1.sea.innoscale.net
* updates: ftp.iij.ad.jp
Available Packages
certbot.noarch 0.19.0-1.el7 epel
- Install certbot
# yum install certbot
Package Arch Version Repository Size
Installing:
certbot noarch 0.19.0-1.el7 epel 20 k
Installing for dependencies:
audit-libs-python x86_64 2.7.6-3.el7 base 73 k
checkpolicy x86_64 2.5-4.el7 base 290 k
dialog x86_64 1.2-4.20130523.el7 base 208 k
libcgroup x86_64 0.41-13.el7 base 65 k
libsemanage-python x86_64 2.5-8.el7 base 104 k
policycoreutils-python x86_64 2.5-17.1.el7 base 446 k
pyOpenSSL x86_64 0.13.1-3.el7 base 133 k
python-IPy noarch 0.75-6.el7 base 32 k
python-backports x86_64 1.0-8.el7 base 5.8 k
python-backports-ssl_match_hostname noarch 3.4.0.2-4.el7 base 12 k
python-cffi x86_64 1.6.0-5.el7 base 218 k
python-enum34 noarch 1.0.4-1.el7 base 52 k
python-idna noarch 2.4-1.el7 base 94 k
python-ipaddress noarch 1.0.16-2.el7 base 34 k
python-ndg_httpsclient noarch 0.3.2-1.el7 epel 43 k
python-parsedatetime noarch 1.5-3.el7 epel 61 k
python-ply noarch 3.4-11.el7 base 123 k
python-pycparser noarch 2.14-1.el7 base 104 k
python-requests noarch 2.6.0-1.el7_1 base 94 k
python-setuptools noarch 0.9.8-7.el7 base 397 k
python-urllib3 noarch 1.10.2-3.el7 base 101 k
python-zope-component noarch 1:4.1.0-3.el7 epel 227 k
python-zope-event noarch 4.0.3-2.el7 epel 79 k
python-zope-interface x86_64 4.0.5-4.el7 base 138 k
python2-acme noarch 0.19.0-1.el7 epel 176 k
python2-certbot noarch 0.19.0-1.el7 epel 471 k
python2-configargparse noarch 0.11.0-1.el7 epel 30 k
python2-cryptography x86_64 1.7.2-1.el7_4.1 updates 502 k
python2-dialog noarch 3.3.0-6.el7 epel 94 k
python2-future noarch 0.16.0-2.el7 epel 799 k
python2-mock noarch 1.0.1-9.el7 epel 92 k
python2-psutil x86_64 2.2.1-2.el7 epel 116 k
python2-pyasn1 noarch 0.1.9-7.el7 base 100 k
python2-pyrfc3339 noarch 1.0-2.el7 epel 13 k
pytz noarch 2016.10-2.el7 base 46 k
setools-libs x86_64 3.3.8-1.1.el7 base 612 k
Transaction Summary
Install 1 Package (+36 Dependent packages)
- Install certbot's Apache plugin
# yum install certbot-apache
Package Arch Version Repository Size
Installing:
python2-certbot-apache noarch 0.19.0-1.el7 epel 151 k
Transaction Summary
Install 1 Package
Obtain and install a certificate with certbot
# certbot --apache -d {domain name}
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel):
- Enter an email address (it receives expiry warnings and security notices, so use a mailbox that is actually read)
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
- Read the Terms of Service; to agree, type a and press Return
-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
- If you are happy to share your email address with the EFF (Let’s Encrypt's founding partner and Certbot's developer) and receive their mailings, type y and press Return; n declines
Starting new HTTPS connection (1): supporters.eff.org
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for hi3103.net
We were unable to find a vhost with a ServerName or Address of hi3103.net.
Which virtual host would you like to choose?
(note: conf files with multiple vhosts are not yet supported)
-------------------------------------------------------------------------------
1: ssl.conf | | HTTPS | Enabled
-------------------------------------------------------------------------------
Press 1 [enter] to confirm the selection (press 'c' to cancel):
- Type 1 and press Return (selects ssl.conf). Certbot asks because no VirtualHost in the Apache config has ServerName hi3103.net, so the certificate is deployed into the default ssl.conf. That works, but the same missing ServerName vhost is what makes the http-01 renewal fail in the 2019 addendum at the end of this page.
Deploying Certificate for hi3103.net to VirtualHost /etc/httpd/conf.d/ssl.conf
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):
- Whether or not to force-redirect HTTP access to HTTPS
- I chose 1 (no redirect); I will write the redirect in the Apache config myself
-------------------------------------------------------------------------------
Congratulations! You have successfully enabled https://hi3103.net
You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=hi3103.net
-------------------------------------------------------------------------------
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/hi3103.net/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/hi3103.net/privkey.pem
Your cert will expire on 2018-02-16. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
- Installation done. Restart Apache to apply it.
# systemctl restart httpd
- Try opening the site over https.
- The connection is now shown as secure.
- Click the arrow on the right > Show Details > Show Certificate to view the certificate details.
Renewing the Let’s Encrypt SSL certificate
- Renews only certificates with fewer than 30 days of validity left; otherwise it does nothing (add --dry-run to exercise the renewal path against the staging CA without issuing anything)
# certbot renew
- Renew immediately regardless of expiry (the flag is spelled --force-renewal; each forced renewal counts against Let’s Encrypt's duplicate-certificate rate limit of 5 per week, so never put this in cron)
# certbot renew --force-renewal
Set up a virtual host on port 80 (added 2019-04-15)
- For some reason the SSL certificate had expired, so I tried renewing it manually and got the following error.
Attempting to renew cert (hi3103.net) from /etc/letsencrypt/renewal/hi3103.net.conf produced an unexpected error:
Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain.
Please add a virtual host for port 80.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/hi3103.net/fullchain.pem (failure)
- Edit httpd.conf to add a virtual host for port 80 (on CentOS 7 a separate file under /etc/httpd/conf.d/ works just as well)
# vi /etc/httpd/conf/httpd.conf
- In my case certificates were issued for both the www and non-www names, so both get a VirtualHost.
- The Listen 80 from the example on the page linked above was already present on line 42 of httpd.conf, so it is omitted here.
- NameVirtualHost has no effect in Apache 2.4 (the version CentOS 7 ships) and only produces a startup warning, so it is dropped. Give the port explicitly: an address-only <VirtualHost IP address> matches every port on that address and would shadow the _default_:443 vhost in ssl.conf.
<VirtualHost *:80>
ServerName www.hi3103.net
DocumentRoot {document root path}
</VirtualHost>
<VirtualHost *:80>
ServerName hi3103.net
DocumentRoot {document root path}
</VirtualHost>
- Restart Apache
# systemctl restart httpd.service
- Renewed manually → success!
# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/hi3103.net.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for hi3103.net
http-01 challenge for www.hi3103.net
Waiting for verification...
Cleaning up challenges
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/hi3103.net/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/hi3103.net/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
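The renewal broke because the first issuance on this page used the tls-sni-01 challenge (see "tls-sni-01 challenge for hi3103.net" in the output above), which Let’s Encrypt retired in March 2019; certbot then falls back to http-01, which is answered over plain HTTP and therefore needs a reachable VirtualHost on port 80 whose ServerName matches the domain. The script below is an added example, not code from the original post: it generates such a vhost for both names (keeping plain HTTP only for the ACME challenge path and redirecting everything else to HTTPS, which is the redirect the interactive run above declined) and, when run with install, writes it, checks the Apache config, and issues the certificate for both names non-interactively instead of through the prompts shown earlier. It assumes Listen 80 is already configured, as the text above states; DOMAIN, DOCROOT, EMAIL and CONF are assumptions to override in the environment.

```bash
#!/bin/bash
# Added example, not code from the original post. Generates the port-80
# VirtualHost that certbot's http-01 challenge needs and, when run with
# "install", writes it, checks the Apache config, and issues the certificate
# for both names without the interactive prompts shown earlier. DOMAIN,
# DOCROOT, EMAIL and CONF are assumptions; override them in the environment.
DOMAIN="${DOMAIN:-hi3103.net}"
DOCROOT="${DOCROOT:-/var/www/html}"
EMAIL="${EMAIL:-hostmaster@hi3103.net}"     # assumed; expiry warnings go here
CONF="${CONF:-/etc/httpd/conf.d/${DOMAIN}.conf}"

# Print one port-80 vhost serving the bare and www names. The port is written
# explicitly: an address-only <VirtualHost> matches every port on that address
# and would shadow the _default_:443 vhost in ssl.conf. Plain HTTP is kept only
# for the ACME challenge path; everything else is sent to HTTPS. HTTP_HOST is
# the name the client asked for; vhost selection limits it to the
# ServerName/ServerAlias values unless this is the first vhost on *:80, which
# also receives requests with unknown Host headers.
gen_port80_vhost() {
    local domain="$1" docroot="$2"
    cat <<EOF
<VirtualHost *:80>
    ServerName ${domain}
    ServerAlias www.${domain}
    DocumentRoot ${docroot}
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\\.well-known/acme-challenge/
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>
EOF
}

# Write the vhost, refuse to reload on a broken config, then issue a certificate
# covering both names. --expand is needed because a lineage for the bare name
# already exists; --non-interactive makes certbot fail instead of prompting.
install_vhost_and_issue() {
    gen_port80_vhost "$DOMAIN" "$DOCROOT" > "$CONF"
    apachectl configtest || return 1
    systemctl reload httpd
    certbot --apache --non-interactive --agree-tos --no-eff-email -m "$EMAIL" \
        --expand -d "$DOMAIN" -d "www.$DOMAIN" || return 1
    # Prove the renewal path works now rather than in 60 days.
    certbot renew --dry-run
}

case "${1-}" in
    install) install_vhost_and_issue ;;
    *)       gen_port80_vhost "$DOMAIN" "$DOCROOT" ;;   # default: just print the vhost
esac
```

Run it without arguments to review the generated vhost, then with install on the server. The apachectl configtest gate matters more than it looks: a reload on a syntax error leaves httpd stopped, which takes both the site and the http-01 challenge down at once. The final certbot renew --dry-run is the check the original 2019 outage was missing; it exercises the same vhost and challenge that the real renewal will use, against the staging CA, without consuming rate limits.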