
Setting up Let's Encrypt on CentOS 7

Posted at 2021-01-19

Overview

Assumptions:

  • CentOS 7
  • An ordinary (non-wildcard) certificate
  • No web server required
  • HTTP (port 80) allowed through the firewall
  • Working as the root user

Install certbot

# yum install -y epel-release
:
完了しました!
# yum install certbot 
:
完了しました!

Obtaining the SSL certificate

Run certbot to obtain the SSL certificate.
This works even if no web server is installed:
certbot temporarily starts its own web server for the domain validation.

# certbot certonly
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):1

You are asked for an administrator contact, so enter an email address.
(This address has nothing to do with the certificate's domain.)

Plugins selected: Authenticator standalone, Installer None
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): hoge@example.com

You are asked to agree to the Terms of Service, so enter y.

Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y

You are asked whether, once the certificate has been issued, your email address may be shared with the EFF so they can send you news and similar mail; enter y or n.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: n
Account registered.

Enter the FQDN for which the certificate is to be issued.

Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel): www.example.com

A temporary web server is started and the domain validation runs automatically.
On success, the certificate files are created.

Requesting a certificate for www.example.com
Performing the following challenges:
http-01 challenge for www.example.com
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/www.example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/www.example.com/privkey.pem
   Your cert will expire on 2021-04-19. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
# ls -l /etc/letsencrypt/live/www.example.com/
合計 4
-rw-r--r-- 1 root root 692  1月 19 19:56 README
lrwxrwxrwx 1 root root  33  1月 19 19:56 cert.pem -> ../../archive/www.example.com/cert1.pem
lrwxrwxrwx 1 root root  34  1月 19 19:56 chain.pem -> ../../archive/www.example.com/chain1.pem
lrwxrwxrwx 1 root root  38  1月 19 19:56 fullchain.pem -> ../../archive/www.example.com/fullchain1.pem
lrwxrwxrwx 1 root root  36  1月 19 19:56 privkey.pem -> ../../archive/www.example.com/privkey1.pem

To obtain certificates for other FQDNs, repeat the same steps.
Alternatively, entering several FQDNs at once produces a single certificate usable for multiple subdomains (they are listed in the Subject Alternative Names).

# certbot certonly
:
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):1
:
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel): mail.example.com
:

Certificates are valid for three months from the date of issuance.
Once a certificate is within 30 days of expiry, running the command below renews all certificates.
(The example below was run earlier than that, so nothing is renewed.)

# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/www.example.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/mail.example.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/www.example.com/fullchain.pem expires on 2021-04-19 (skipped)
  /etc/letsencrypt/live/mail.example.com/fullchain.pem expires on 2021-04-19 (skipped)
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
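The renewal step above is easy to forget on a host with no web server, so here is an added helper script (my own example, not part of the original article or of certbot) that reports how many days each certificate under /etc/letsencrypt/live has left and calls `certbot renew` only when one is inside the 30-day window. It assumes GNU date and openssl, both present on CentOS 7, and that port 80 is free for the standalone authenticator as in the article.

```bash
#!/bin/bash
# Added example, not part of the original article: report days remaining on each
# certificate under /etc/letsencrypt/live and run "certbot renew" only when one
# is inside the 30-day window. Assumes GNU date and openssl (both on CentOS 7).

LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"
RENEW_WINDOW_DAYS=30   # certbot itself renews only when <= 30 days remain

# days_left "notAfter=<date>" -> prints whole days from now until that date.
# The input is the line printed by "openssl x509 -enddate -noout".
days_left() {
    local not_after="${1#notAfter=}"
    local exp_epoch now_epoch
    exp_epoch=$(date -d "$not_after" +%s) || return 1
    now_epoch=$(date +%s)
    echo $(( (exp_epoch - now_epoch) / 86400 ))
}

# cert_days_left PEM_FILE -> days left for the certificate in that file.
cert_days_left() {
    days_left "$(openssl x509 -enddate -noout -in "$1")"
}

# needs_renewal DAYS -> succeeds when DAYS is within the renewal window.
needs_renewal() {
    [ "$1" -le "$RENEW_WINDOW_DAYS" ]
}

main() {
    local pem days due=0
    for pem in "$LIVE_DIR"/*/fullchain.pem; do
        [ -e "$pem" ] || continue        # no certificates issued yet
        days=$(cert_days_left "$pem") || { echo "cannot read $pem" >&2; continue; }
        printf '%-55s %4d days left\n' "$pem" "$days"
        needs_renewal "$days" && due=1
    done
    if [ "$due" -eq 1 ]; then
        # Port 80 must be free for the standalone authenticator, as in the article.
        certbot renew --quiet
    else
        echo "No certificate within $RENEW_WINDOW_DAYS days of expiry; nothing to do."
    fi
}

# Only act when called explicitly, so the functions can be sourced for testing.
case "${1:-}" in --run) main ;; esac
```

Run it as `./check-renew.sh --run` from a daily cron job; a certificate that has already expired shows a negative day count and is also passed to `certbot renew`.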