
Steps to enable HTTPS

Posted at 2020-01-11

Prerequisites

  • A server is already built (on a VPS or similar).
  • CentOS 8 with Apache (httpd) already installed.
  • A domain name is already configured and its DNS points at this server.

Firewall configuration

Check the current firewall state

The listing shows that only http is allowed so far (ssh, cockpit and dhcpv6-client are the CentOS 8 defaults for the public zone).

$ sudo firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: cockpit dhcpv6-client http ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

Allow https connections (the rule is written to the permanent configuration and takes effect at the next reload)

$ sudo firewall-cmd --add-service=https --permanent
success

Reload the firewall so the permanent rule becomes active

$ sudo firewall-cmd --reload
success

Check the firewall state again

https has been added to the services of the public zone.

$ sudo firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: cockpit dhcpv6-client http https ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
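The two commands above are the whole firewall change, but on a server that gets rebuilt or reconfigured it is worth doing this as check, change, then verify. The script below is an added example written for this article, not from the original post: it reads the zone with --list-all, works out which services to add and remove against a desired set, applies the differences as permanent rules, reloads, and verifies the runtime zone afterwards. The desired set "dhcpv6-client http https ssh" is an assumption; it drops cockpit, the web console on tcp/9090 that the listing above shows exposed to the public zone, on the assumption that it is not used on this host.

```shell
#!/bin/sh
# Reconcile the firewalld "public" zone with a desired service set.
# Added example for this article, not the author's code.
# Assumption: this host should expose exactly DESIRED_SERVICES; cockpit
# (web console, tcp/9090, present in the listing above) is assumed unused.
set -eu

ZONE="public"
DESIRED_SERVICES="dhcpv6-client http https ssh"

# Pull the space-separated service list out of `firewall-cmd --list-all` output.
fw_services_from_listing() {           # $1: captured --list-all text
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*services:[[:space:]]*//p'
}

# Words of $1 that are not in $2 (set difference, order of $1 kept).
set_minus() {
    for w in $1; do
        case " $2 " in
            *" $w "*) ;;                  # present in the second set
            *) printf '%s ' "$w" ;;
        esac
    done | sed 's/ *$//'
}

# Plan the change as "add=<services>;remove=<services>" without touching firewalld.
fw_plan() {                            # $1: captured listing, $2: desired list
    current=$(fw_services_from_listing "$1")
    printf 'add=%s;remove=%s' "$(set_minus "$2" "$current")" "$(set_minus "$current" "$2")"
}

# Apply the plan as permanent rules, reload, then verify the runtime zone.
fw_reconcile() {
    plan=$(fw_plan "$(firewall-cmd --zone="$ZONE" --list-all)" "$DESIRED_SERVICES")
    add=${plan#add=}; add=${add%%;*}
    remove=${plan#*remove=}
    for s in $add;    do firewall-cmd --zone="$ZONE" --permanent --add-service="$s"; done
    for s in $remove; do firewall-cmd --zone="$ZONE" --permanent --remove-service="$s"; done
    firewall-cmd --reload
    after=$(fw_services_from_listing "$(firewall-cmd --zone="$ZONE" --list-all)")
    if [ -n "$(set_minus "$DESIRED_SERVICES" "$after")" ] || [ -n "$(set_minus "$after" "$DESIRED_SERVICES")" ]; then
        echo "verification failed: zone '$ZONE' allows: $after" >&2
        return 1
    fi
    echo "zone '$ZONE' now allows: $after"
}

# Only act when called with "run" (e.g. `sudo sh fw-reconcile.sh run`).
if [ "${1:-}" = "run" ]; then
    fw_reconcile
fi
```

Run it as root with `sudo sh fw-reconcile.sh run`. The planning functions take the captured listing as an argument, so the add/remove decision can be checked on the output pasted above before anything is changed on a live box.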

Install the SSL/TLS module for Apache httpd

Check whether the package is available in yum.

$ sudo yum search mod_ssl
Failed to set locale, defaulting to C
Last metadata expiration check: 0:14:00 ago on Fri Jan 10 18:30:39 2020.
======================== Name Exactly Matched: mod_ssl =========================
mod_ssl.x86_64 : SSL/TLS module for the Apache HTTP Server

Install the mod_ssl package

$ sudo yum -y install mod_ssl
Failed to set locale, defaulting to C
Last metadata expiration check: 0:17:54 ago on Fri Jan 10 18:30:39 2020.
Dependencies resolved.
================================================================================
 Package   Arch     Version                                   Repository   Size
================================================================================
Installing:
 mod_ssl   x86_64   1:2.4.37-12.module_el8.0.0+185+5908b0db   AppStream   130 k
Installing dependencies:
 sscg      x86_64   2.3.3-6.el8                               AppStream    43 k

Transaction Summary
================================================================================
Install  2 Packages

Total download size: 173 k
Installed size: 351 k
Downloading Packages:
(1/2): sscg-2.3.3-6.el8.x86_64.rpm              959 kB/s |  43 kB     00:00    
(2/2): mod_ssl-2.4.37-12.module_el8.0.0+185+590 1.5 MB/s | 130 kB     00:00    
--------------------------------------------------------------------------------
Total                                           127 kB/s | 173 kB     00:01     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1 
  Installing       : sscg-2.3.3-6.el8.x86_64                                1/2 
  Installing       : mod_ssl-1:2.4.37-12.module_el8.0.0+185+5908b0db.x86_   2/2 
  Running scriptlet: mod_ssl-1:2.4.37-12.module_el8.0.0+185+5908b0db.x86_   2/2 
  Verifying        : mod_ssl-1:2.4.37-12.module_el8.0.0+185+5908b0db.x86_   1/2 
  Verifying        : sscg-2.3.3-6.el8.x86_64                                2/2 

Installed:
  mod_ssl-1:2.4.37-12.module_el8.0.0+185+5908b0db.x86_64                        
  sscg-2.3.3-6.el8.x86_64                                                       

Complete!

Confirm that the mod_ssl package is installed

$ sudo yum list installed | grep mod_ssl
Failed to set locale, defaulting to C
mod_ssl.x86_64                       1:2.4.37-12.module_el8.0.0+185+5908b0db    @AppStream   

About "Failed to set locale, defaulting to C": yum/dnf prints this when the locale set in the environment (LANG or LC_ALL) is not installed on the server, and falls back to the C locale. It is a warning only and has no effect on the installation.

Check that mod_ssl is loaded as an Apache httpd module

$ sudo httpd -M | grep ssl
AH00548: NameVirtualHost has no effect and will be removed in the next release /etc/httpd/conf/httpd.conf:46
AH00526: Syntax error on line 85 of /etc/httpd/conf.d/ssl.conf:
SSLCertificateFile: file '/etc/pki/tls/certs/localhost.crt' does not exist or is empty

AH00548 says the NameVirtualHost directive no longer has any effect (name-based virtual hosting is automatic in httpd 2.4), so comment it out as shown below. The AH00526 syntax error is a separate matter: the stock /etc/httpd/conf.d/ssl.conf that mod_ssl installed points at a self-signed /etc/pki/tls/certs/localhost.crt, which CentOS 8 only generates on the next start of httpd (httpd-init.service). Because httpd -M stops at a syntax error, ssl_module is not listed yet; both messages go away after the restart.

$ sudo vi /etc/httpd/conf/httpd.conf

/etc/httpd/conf/httpd.conf, line 46, after the change:
46  #NameVirtualHost *:80

Restart httpd

Check again that mod_ssl is loaded in Apache httpd

$ sudo httpd -M | grep ssl
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using fe80::2:76ff:fe1b:26f5. Set the 'ServerName' directive globally to suppress this message
 ssl_module (shared)

AH00558 ("Could not reliably determine the server's fully qualified domain name, using fe80::2:76ff:fe1b:26f5. Set the 'ServerName' directive globally to suppress this message") appears when ServerName is not set in httpd.conf, so httpd falls back to an address of the host, here a link-local IPv6 address. The fix is the one the message itself gives: set the ServerName directive globally in httpd.conf. The ServerName inside the virtual host added later only covers that host.

Obtaining a server certificate from Let's Encrypt

Installing certbot

The steps below use certbot-auto, the EFF's self-updating wrapper script, which is what worked in January 2020. It was deprecated at the end of 2020 and can no longer be downloaded, so on a current CentOS 8 system install the certbot package (EPEL) or the snap instead. Since the script is run as root, the check worth doing was to verify the detached signature the EFF published next to it (certbot-auto.asc) before running it.

$ cd /tmp
$ sudo wget https://dl.eff.org/certbot-auto
--2020-01-10 19:27:14--  https://dl.eff.org/certbot-auto
Resolving dl.eff.org (dl.eff.org)... 2a04:4e42:36::201, 151.101.228.201
Connecting to dl.eff.org (dl.eff.org)|2a04:4e42:36::201|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 71650 (70K) [application/octet-stream]
Saving to: 'certbot-auto'

certbot-auto                       100%[=============================================================>]  69.97K  --.-KB/s    in 0.004s  

2020-01-10 19:27:15 (18.5 MB/s) - 'certbot-auto' saved [71650/71650]

Move the downloaded certbot-auto to /usr/local/bin, make it root-owned, and set the permissions (0755: executable by all, writable only by root, which matters because it will be run as root from cron).

$ sudo mv certbot-auto /usr/local/bin/certbot-auto
$ sudo chown root /usr/local/bin/certbot-auto
$ sudo chmod 0755 /usr/local/bin/certbot-auto

Creating the SSL certificate

Run certbot-auto with certonly (obtain the certificate only, do not edit the Apache configuration) and the webroot authenticator. For the http-01 challenge, certbot writes a token under <webroot>/.well-known/acme-challenge/ and Let's Encrypt fetches it over port 80, so the domain must already resolve to this server and the HTTP virtual host must serve that directory. The --server option selects the ACME v2 endpoint.

  • Domain to enable HTTPS for: jum11.com
  • DocumentRoot of jum11.com: /var/www/html/jum11.com
# /usr/local/bin/certbot-auto certonly --webroot -w /var/www/html/jum11.com -d jum11.com --email test@jum11.com --server https://acme-v02.api.letsencrypt.org/directory

Check the generated certificate files. The files under live/ are symlinks to the current versions in /etc/letsencrypt/archive/. fullchain.pem (server certificate plus intermediate) is what goes into SSLCertificateFile, and privkey.pem is the private key, so /etc/letsencrypt must stay readable by root only.

# ls -a /etc/letsencrypt/live/jum11.com
.  ..  README  cert.pem  chain.pem  fullchain.pem  privkey.pem

Apache httpd configuration for HTTPS and HTTP/2

Changing the virtual host configuration file

Back up the virtual host configuration file

# cp -p /etc/httpd/conf.d/jum11.com.conf /etc/httpd/conf.d/jum11.com.conf.org

Edit the virtual host configuration file.

# vi /etc/httpd/conf.d/jum11.com.conf

Add the following. Listen 443 is already provided by the /etc/httpd/conf.d/ssl.conf that mod_ssl installed. Note that this block enables HTTPS only; HTTP/2 additionally needs the mod_http2 module and a Protocols h2 http/1.1 line in the virtual host.

<VirtualHost *:443>
SSLEngine on
ServerName jum11.com
DocumentRoot "/var/www/html/jum11.com"
SSLCertificateFile /etc/letsencrypt/live/jum11.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/jum11.com/privkey.pem

  <Directory "/var/www/html/jum11.com">
    AllowOverride All
  </Directory>

ErrorLog logs/jum11.com-ssl-error_log
CustomLog logs/jum11.com-ssl-access_log combined
</VirtualHost>
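The block above works, but it enables HTTPS only: nothing redirects http://jum11.com to https://, browsers are not told to stay on HTTPS, and the HTTP/2 from the heading is not switched on. As an added example (not the article's configuration), the following replaces both virtual hosts for jum11.com. It assumes the mod_http2 package is installed, the default event MPM is in use (mod_http2 is not used under prefork), and the paths and host from the article; Listen 443 still comes from ssl.conf.

```apache
# /etc/httpd/conf.d/jum11.com.conf  (added example; assumed paths and host from the article)

<VirtualHost *:80>
    ServerName jum11.com
    DocumentRoot "/var/www/html/jum11.com"
    # Keep serving the ACME http-01 challenge over plain HTTP so webroot
    # renewal keeps working; redirect everything else to HTTPS.
    RewriteEngine on
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://jum11.com%{REQUEST_URI} [R=301,L]
    ErrorLog logs/jum11.com-error_log
    CustomLog logs/jum11.com-access_log combined
</VirtualHost>

<VirtualHost *:443>
    ServerName jum11.com
    DocumentRoot "/var/www/html/jum11.com"

    # HTTP/2 (needs the mod_http2 package; ignored under the prefork MPM).
    Protocols h2 http/1.1

    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/jum11.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/jum11.com/privkey.pem
    # The stock ssl.conf on CentOS 8 defers to the system crypto policy
    # (PROFILE=SYSTEM); this overrides it for the vhost so that only
    # TLS 1.2 and 1.3 are offered.
    SSLProtocol -all +TLSv1.2 +TLSv1.3

    # Tell browsers to use HTTPS only for this host (mod_headers). Start with
    # a short max-age until every page is confirmed to work over HTTPS.
    Header always set Strict-Transport-Security "max-age=300"
    Header always set X-Content-Type-Options "nosniff"

    <Directory "/var/www/html/jum11.com">
        AllowOverride All
        Require all granted
    </Directory>

    ErrorLog logs/jum11.com-ssl-error_log
    CustomLog logs/jum11.com-ssl-access_log combined
</VirtualHost>
```

The RewriteCond leaves /.well-known/acme-challenge/ on plain HTTP because the webroot renewal set up later fetches the challenge over port 80. Check with httpd -t and restart or reload httpd as in the steps that follow.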


Check the configuration syntax.

# httpd -t
Syntax OK

Restart Apache.

# systemctl restart httpd.service

Verification
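After the restart, check the deployment from a client machine rather than trusting "Syntax OK". The script below is an added example for this article, not the author's code; it assumes openssl and curl are installed on the client and uses the jum11.com host from the article. It verifies that the served chain validates against the client's trust store and matches the hostname, that plain HTTP redirects to HTTPS, and that the Strict-Transport-Security header is sent (the last two only pass if the port-80 virtual host redirects and the HTTPS host sends the header, which the configuration shown above does not do by itself). The cert_renewal_due function is meant for the server, where /etc/letsencrypt is readable.

```shell
#!/bin/sh
# Post-deployment HTTPS check. Added example for this article, not the
# author's code. Assumes: openssl and curl on the client; host jum11.com.
set -eu

# s_client prints this line when the chain validates against the local
# trust store and (with -verify_hostname) the name matches the certificate.
# It is indented inside the SSL-Session block on OpenSSL 1.1.x.
tls_verify_ok() {                      # $1: captured `openssl s_client` output
    printf '%s\n' "$1" | grep -q '^[[:space:]]*Verify return code: 0 (ok)'
}

# First status code in a captured response (curl -sI output, CRLF tolerated).
http_status() {                        # $1: captured headers
    printf '%s\n' "$1" | tr -d '\r' | sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9]*\).*/\1/p'
}

# Port 80 should answer with a redirect whose Location is https:// on the same host.
redirects_to_https() {                 # $1: captured headers, $2: expected host
    status=$(http_status "$1")
    case "$status" in 301|302|307|308) ;; *) return 1 ;; esac
    host_re=$(printf '%s' "$2" | sed 's/\./\\./g')      # escape dots for the regex
    printf '%s\n' "$1" | tr -d '\r' | grep -iEq "^location: https://${host_re}"'(/|$)'
}

# HSTS tells browsers to stop using http:// for this host.
has_hsts() {                           # $1: captured headers
    printf '%s\n' "$1" | tr -d '\r' | grep -iq '^strict-transport-security:'
}

# Server-side: true when the certificate expires within $2 days. certbot's
# renew replaces the certificate when fewer than 30 days remain, so 30 is
# the threshold to alert on if renewal has silently stopped working.
cert_renewal_due() {                   # $1: PEM certificate, $2: days
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 ))
}

# Client-side checks against a live host; prints one line per check.
check_site() {                         # $1: hostname
    host=$1; rc=0
    tls_out=$(printf 'Q\n' | openssl s_client -connect "$host:443" \
        -servername "$host" -verify_hostname "$host" 2>/dev/null) || true
    if tls_verify_ok "$tls_out"; then echo "ok   chain valid, name matches: $host"
    else echo "FAIL TLS verification for $host"; rc=1; fi

    http_hdr=$(curl -sI --max-time 10 "http://$host/" || true)
    if redirects_to_https "$http_hdr" "$host"; then echo "ok   http:// redirects to https://"
    else echo "FAIL port 80 does not redirect to HTTPS"; rc=1; fi

    https_hdr=$(curl -sI --max-time 10 "https://$host/" || true)
    if has_hsts "$https_hdr"; then echo "ok   Strict-Transport-Security set"
    else echo "FAIL no Strict-Transport-Security header"; rc=1; fi
    return $rc
}

# Usage: sh https-check.sh run jum11.com                                   (client)
#        sh https-check.sh cert /etc/letsencrypt/live/jum11.com/cert.pem   (server)
case "${1:-}" in
    run)  check_site "$2" ;;
    cert) if cert_renewal_due "$2" 30; then echo "renewal due within 30 days"; exit 1
          else echo "certificate valid for more than 30 days"; fi ;;
esac
```

The parsing functions take the captured tool output as an argument, so the decision logic can be exercised on saved responses; check_site is the only part that talks to the network. Exit status 1 on any failed check makes the script usable from cron or a monitoring job.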

Check certificate renewal (dry run)

# /usr/local/bin/certbot-auto renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/jum11.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for jum11.com
Using the webroot path /var/www/html/portfolio for all unmatched domains.
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/jum11.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)


Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/jum11.com/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.

If "Congratulations, all renewals succeeded" is displayed, renewal works. Note that the dry run reports the webroot path as /var/www/html/portfolio, the value stored in /etc/letsencrypt/renewal/jum11.com.conf, not the /var/www/html/jum11.com used when the certificate was issued; that file must point at the directory the port-80 virtual host actually serves, otherwise a real renewal fails the http-01 challenge.

Set up the renewal command

# crontab -e

Add the following lines. With them, certbot-auto renew runs daily at 03:00 and 05:00; it only replaces the certificate when fewer than 30 days of validity remain, and -q suppresses output unless something fails. The --deploy-hook runs only when a certificate was actually renewed, so httpd is not restarted needlessly; systemctl reload httpd (a graceful reload that keeps existing connections) is preferable to restart in that hook. Because these entries run as root, /usr/local/bin/certbot-auto must remain writable only by root, which the chmod 0755 above ensures.

00 3 * * * /usr/local/bin/certbot-auto renew -q --deploy-hook "systemctl restart httpd"
00 5 * * * /usr/local/bin/certbot-auto renew -q --deploy-hook "systemctl restart httpd"

Reference article is here.

Done.
