# Prerequisites
- A server has already been built on a VPS or similar.
- CentOS 8 with Apache already installed.
- The domain has already been configured.
# Firewall configuration
## Check the current firewall state
You can see that currently only http is allowed.
```console
$ sudo firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: cockpit dhcpv6-client http ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
```
## Allow https connections
```console
$ sudo firewall-cmd --add-service=https --permanent
success
```
## Reload the firewall
```console
$ sudo firewall-cmd --reload
success
```
## Check the firewall state again
https has been added.
```console
$ sudo firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: cockpit dhcpv6-client http https ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
```
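Checking the zone listing by eye works for one server, but the same check is easy to automate. The script below is an added example and is not part of the original article: it parses `firewall-cmd --list-all` output (the two listings above are embedded as constructed sample input) and reports services that are missing from, or unexpected in, the public zone. The allow-list `EXPECTED_PUBLIC` is an assumed policy for a plain web server; note that the listings above also show `cockpit` (the web console on port 9090) open in the public zone, which is worth a deliberate decision rather than a default.

```python
import re

# Constructed sample input: the two `firewall-cmd --list-all` listings shown
# above, before and after `--add-service=https`.
BEFORE = """\
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: cockpit dhcpv6-client http ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
"""
AFTER = BEFORE.replace("http ssh", "http https ssh")

# Assumed policy: what a public web server is expected to expose.
# Anything else found in the zone is reported for review.
EXPECTED_PUBLIC = {"http", "https", "ssh"}


def parse_list_all(text):
    """Parse `firewall-cmd --list-all` output into {zone, active, fields}.

    The first line is the zone header, e.g. "public (active)"; every other
    line is "key: value value ..." and is split into a list of tokens.
    """
    lines = [line for line in text.splitlines() if line.strip()]
    header = re.match(r"^(\S+)(?:\s+\((active)\))?", lines[0])
    if not header:
        raise ValueError("first line is not a zone header: %r" % lines[0])
    zone = {"zone": header.group(1),
            "active": header.group(2) == "active",
            "fields": {}}
    for line in lines[1:]:
        key, _, value = line.strip().partition(":")
        zone["fields"][key.strip()] = value.split()
    return zone


def check_web_exposure(text, expected=EXPECTED_PUBLIC):
    """Return a list of findings; an empty list means the zone matches policy."""
    zone = parse_list_all(text)
    services = set(zone["fields"].get("services", []))
    findings = []
    for svc in sorted(expected - services):
        findings.append("missing service: %s" % svc)
    for svc in sorted(services - expected):
        findings.append("unexpected service in %s zone: %s" % (zone["zone"], svc))
    # Raw port openings bypass the named-service view, so always list them.
    for port in zone["fields"].get("ports", []):
        findings.append("raw port opened: %s" % port)
    if not zone["active"]:
        findings.append("zone %s is not active" % zone["zone"])
    return findings


if __name__ == "__main__":
    for label, listing in (("before", BEFORE), ("after", AFTER)):
        print(label, check_web_exposure(listing) or ["ok"])
```

Run it against the real output with `sudo firewall-cmd --list-all | python3 check_fw.py` after replacing the sample constants with `sys.stdin.read()`; adjust `EXPECTED_PUBLIC` to the services you actually intend to expose.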
# Install the SSL module for Apache httpd
## Check whether the package is available in yum
```console
$ sudo yum search mod_ssl
Failed to set locale, defaulting to C
Last metadata expiration check: 0:14:00 ago on Fri Jan 10 18:30:39 2020.
======================== Name Exactly Matched: mod_ssl =========================
mod_ssl.x86_64 : SSL/TLS module for the Apache HTTP Server
```
## Install the mod_ssl package
```console
[jum@118-27-38-245 ~]$ sudo yum -y install mod_ssl
Failed to set locale, defaulting to C
Last metadata expiration check: 0:17:54 ago on Fri Jan 10 18:30:39 2020.
Dependencies resolved.
================================================================================
 Package   Arch     Version                                   Repository   Size
================================================================================
Installing:
 mod_ssl   x86_64   1:2.4.37-12.module_el8.0.0+185+5908b0db   AppStream   130 k
Installing dependencies:
 sscg      x86_64   2.3.3-6.el8                               AppStream    43 k

Transaction Summary
================================================================================
Install  2 Packages

Total download size: 173 k
Installed size: 351 k
Downloading Packages:
(1/2): sscg-2.3.3-6.el8.x86_64.rpm               959 kB/s |  43 kB     00:00
(2/2): mod_ssl-2.4.37-12.module_el8.0.0+185+590  1.5 MB/s | 130 kB     00:00
--------------------------------------------------------------------------------
Total                                            127 kB/s | 173 kB     00:01
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1
  Installing       : sscg-2.3.3-6.el8.x86_64                                1/2
  Installing       : mod_ssl-1:2.4.37-12.module_el8.0.0+185+5908b0db.x86_   2/2
  Running scriptlet: mod_ssl-1:2.4.37-12.module_el8.0.0+185+5908b0db.x86_   2/2
  Verifying        : mod_ssl-1:2.4.37-12.module_el8.0.0+185+5908b0db.x86_   1/2
  Verifying        : sscg-2.3.3-6.el8.x86_64                                2/2

Installed:
  mod_ssl-1:2.4.37-12.module_el8.0.0+185+5908b0db.x86_64
  sscg-2.3.3-6.el8.x86_64

Complete!
```
## Check that the mod_ssl package is installed
```console
$ sudo yum list installed | grep mod_ssl
Failed to set locale, defaulting to C
mod_ssl.x86_64 1:2.4.37-12.module_el8.0.0+185+5908b0db @AppStream
```
About the "Failed to set locale, defaulting to C" message
## Check that mod_ssl is registered as an Apache httpd module
```console
$ sudo httpd -M | grep ssl
AH00548: NameVirtualHost has no effect and will be removed in the next release /etc/httpd/conf/httpd.conf:46
AH00526: Syntax error on line 85 of /etc/httpd/conf.d/ssl.conf:
SSLCertificateFile: file '/etc/pki/tls/certs/localhost.crt' does not exist or is empty
```
The message `AH00548: NameVirtualHost has no effect and will be removed in the next release` says that the NameVirtualHost setting is no longer needed, so comment it out as follows.
```console
$ sudo vi /etc/httpd/conf/httpd.conf
```
Line 46 after editing:
```
46 #NameVirtualHost *:80
```
### Restart httpd
## Check again that mod_ssl is registered with Apache httpd
```console
$ sudo httpd -M | grep ssl
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using fe80::2:76ff:fe1b:26f5. Set the 'ServerName' directive globally to suppress this message
 ssl_module (shared)
```
The message `AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using fe80::2:76ff:fe1b:26f5. Set the 'ServerName' directive globally to suppress this message` is shown when `ServerName` is not set in the Apache configuration file httpd.conf. A fix was found at the reference linked below.
# Obtaining a server certificate with Let's Encrypt
## Install certbot
```console
$ cd /tmp
$ sudo wget https://dl.eff.org/certbot-auto
--2020-01-10 19:27:14--  https://dl.eff.org/certbot-auto
Resolving dl.eff.org (dl.eff.org)... 2a04:4e42:36::201, 151.101.228.201
Connecting to dl.eff.org (dl.eff.org)|2a04:4e42:36::201|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 71650 (70K) [application/octet-stream]
Saving to: 'certbot-auto'

certbot-auto 100%[=============================================================>]  69.97K  --.-KB/s    in 0.004s

2020-01-10 19:27:15 (18.5 MB/s) - 'certbot-auto' saved [71650/71650]
```
## Move the downloaded certbot-auto to /usr/local/bin and set its permissions.
```console
$ sudo mv certbot-auto /usr/local/bin/certbot-auto
$ sudo chown root /usr/local/bin/certbot-auto
$ sudo chmod 0755 /usr/local/bin/certbot-auto
```
# Create the SSL certificate
## Run the certbot-auto command.
- Domain to serve over https: jum11.com
- DocumentRoot of jum11.com: /var/www/html/jum11.com
```console
# /usr/local/bin/certbot-auto certonly --webroot -w /var/www/html/jum11.com -d jum11.com --email test@jum11.com --server https://acme-v02.api.letsencrypt.org/directory
```
## Check the generated SSL certificate files
```console
# ls -a /etc/letsencrypt/live/jum11.com
.  ..  README  cert.pem  chain.pem  fullchain.pem  privkey.pem
```
# Configuring Apache httpd for HTTPS and HTTP/2
## Edit the virtual host configuration file
Back up the virtual host configuration file.
```console
# cp -p /etc/httpd/conf.d/jum11.com.conf /etc/httpd/conf.d/jum11.com.conf.org
```
Edit the virtual host configuration file.
```console
# vi /etc/httpd/conf.d/jum11.com.conf
```
Add the following:
```apache
<VirtualHost *:443>
    SSLEngine on
    ServerName jum11.com
    DocumentRoot "/var/www/html/jum11.com"
    SSLCertificateFile /etc/letsencrypt/live/jum11.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/jum11.com/privkey.pem
    <Directory "/var/www/html/jum11.com">
        AllowOverride All
    </Directory>
    ErrorLog logs/jum11.com-ssl-error_log
    CustomLog logs/jum11.com-ssl-access_log combined
</VirtualHost>
```
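The details in this block are the ones that silently break later: pointing `SSLCertificateFile` at `cert.pem` instead of `fullchain.pem` serves no intermediate chain, a path outside `/etc/letsencrypt/live/` will not follow renewals, and the `-w` webroot given to certbot has to be the directory Apache actually serves for this name or the http-01 renewal fails. The script below is an added example, not the article's own code: it parses a `<VirtualHost>` file (the block above is embedded as constructed sample input) and reports those problems. The `certbot_webroot` argument is assumed to be the `-w` path you passed to certbot-auto; comparing it with the 443 vhost's `DocumentRoot` assumes, as this page does, that the same directory is served on port 80.

```python
import re

# Constructed sample input: the *:443 VirtualHost added on this page.
VHOST_CONF = """\
<VirtualHost *:443>
SSLEngine on
ServerName jum11.com
DocumentRoot "/var/www/html/jum11.com"
SSLCertificateFile /etc/letsencrypt/live/jum11.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/jum11.com/privkey.pem
<Directory "/var/www/html/jum11.com">
AllowOverride All
</Directory>
ErrorLog logs/jum11.com-ssl-error_log
CustomLog logs/jum11.com-ssl-access_log combined
</VirtualHost>
"""

LIVE_DIR = "/etc/letsencrypt/live/"  # where certbot keeps the current symlinks
VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)


def parse_vhosts(conf):
    """Return [(address, {directive: value})] for each <VirtualHost> block.

    Only top-level directives are kept; nested sections such as <Directory>
    are skipped. Quotes around values (e.g. DocumentRoot) are removed.
    """
    result = []
    for addr, body in VHOST_RE.findall(conf):
        directives, depth = {}, 0
        for line in body.splitlines():
            s = line.strip()
            if not s or s.startswith("#"):
                continue
            if s.startswith("</"):
                depth -= 1
                continue
            if s.startswith("<"):
                depth += 1
                continue
            if depth:
                continue
            name, _, value = s.partition(" ")
            directives[name] = value.strip().strip('"')
        result.append((addr.strip(), directives))
    return result


def audit_tls_vhost(conf, certbot_webroot):
    """Findings for the *:443 vhost; an empty list means no problem was found.

    certbot_webroot: the -w path given to certbot (assumed argument).
    """
    tls = [d for addr, d in parse_vhosts(conf) if addr.endswith(":443")]
    if not tls:
        return ["no *:443 VirtualHost found"]
    d = tls[0]
    findings = []
    if d.get("SSLEngine", "").lower() != "on":
        findings.append("SSLEngine is not on")
    cert = d.get("SSLCertificateFile", "")
    key = d.get("SSLCertificateKeyFile", "")
    if not cert.endswith("fullchain.pem"):
        findings.append("SSLCertificateFile should be fullchain.pem so the "
                        "intermediate chain is served: %r" % cert)
    if not key.endswith("privkey.pem"):
        findings.append("SSLCertificateKeyFile is not certbot's privkey.pem: %r" % key)
    if not (cert.startswith(LIVE_DIR) and key.startswith(LIVE_DIR)):
        findings.append("cert/key not under %s; renewals will not be picked up" % LIVE_DIR)
    if "ServerName" not in d:
        findings.append("ServerName missing; needed for name-based (SNI) selection")
    if d.get("DocumentRoot") != certbot_webroot:
        findings.append("DocumentRoot %r differs from certbot webroot %r; "
                        "http-01 renewal will not be served"
                        % (d.get("DocumentRoot"), certbot_webroot))
    return findings


if __name__ == "__main__":
    print(audit_tls_vhost(VHOST_CONF, "/var/www/html/jum11.com") or ["ok"])
```

To check the live file, read `/etc/httpd/conf.d/jum11.com.conf` into `conf` and pass the same `-w` path you used with `certbot-auto certonly`; run `httpd -t` afterwards as the page does, since this script checks intent, not Apache syntax.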
## Check the httpd syntax
Run a syntax check.
```console
# httpd -t
Syntax OK
```
Restart Apache.
```console
# systemctl restart httpd.service
```
# Verify operation
# Check certificate renewal
```console
# /usr/local/bin/certbot-auto renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/jum11.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for jum11.com
Using the webroot path /var/www/html/portfolio for all unmatched domains.
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/jum11.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/jum11.com/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
```
If "Congratulations, all renewals succeeded..." is displayed, everything is OK.
## Set up the renewal command
```console
# crontab -e
```
Add the following lines.
With these entries, certbot's renew runs every day at 03:00 and 05:00.
```crontab
00 3 * * * /usr/local/bin/certbot-auto renew -q --deploy-hook "systemctl restart httpd"
00 5 * * * /usr/local/bin/certbot-auto renew -q --deploy-hook "systemctl restart httpd"
```
# The reference article is here
That's all.