Introduction
I had been using a free SSL certificate from ZeroSSL, but ZeroSSL's free 90-day certificates can only be renewed twice, after which nothing but a paid plan is selectable, so I moved to Let's Encrypt. It is simple enough that it hardly needs explaining; the commands I actually ran should make clear what is being done.
1. Install
$ sudo yum install epel-release
Last metadata expiration check: 1:08:30 ago on Fri 20 Oct 2023 11:02:41 AM UTC.
Package epel-release-9-4.el9.noarch is already installed.
Dependencies resolved.
============================================================================================================================================================================================================================================================
Package Architecture Version Repository Size
============================================================================================================================================================================================================================================================
Upgrading:
epel-release noarch 9-7.el9 extras-common 19 k
Installing weak dependencies:
epel-next-release noarch 9-7.el9 extras-common 8.1 k
Transaction Summary
============================================================================================================================================================================================================================================================
Install 1 Package
Upgrade 1 Package
Total download size: 27 k
Is this ok [y/N]: y
Downloading Packages:
(1/2): epel-next-release-9-7.el9.noarch.rpm 783 kB/s | 8.1 kB 00:00
(2/2): epel-release-9-7.el9.noarch.rpm 1.4 MB/s | 19 kB 00:00
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total 63 kB/s | 27 kB 00:00
CentOS Stream 9 - Extras packages 2.1 MB/s | 2.1 kB 00:00
Importing GPG key 0x1D997668:
Userid : "CentOS Extras SIG (https://wiki.centos.org/SpecialInterestGroup) <security@centos.org>"
Fingerprint: 363F C097 2F64 B699 AED3 968E 1FF6 A217 1D99 7668
From : /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-Extras-SHA512
Is this ok [y/N]: y
Key imported successfully
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Upgrading : epel-release-9-7.el9.noarch 1/3
Running scriptlet: epel-release-9-7.el9.noarch 1/3
Installing : epel-next-release-9-7.el9.noarch 2/3
Cleanup : epel-release-9-4.el9.noarch 3/3
Running scriptlet: epel-release-9-4.el9.noarch 3/3
Verifying : epel-next-release-9-7.el9.noarch 1/3
Verifying : epel-release-9-7.el9.noarch 2/3
Verifying : epel-release-9-4.el9.noarch 3/3
Upgraded:
epel-release-9-7.el9.noarch
Installed:
epel-next-release-9-7.el9.noarch
Complete!
$ sudo yum install certbot
Extra Packages for Enterprise Linux 9 openh264 (From Cisco) - x86_64 702 B/s | 2.5 kB 00:03
Extra Packages for Enterprise Linux 9 - Next - x86_64 560 kB/s | 1.5 MB 00:02
Last metadata expiration check: 0:00:01 ago on Fri 20 Oct 2023 12:11:48 PM UTC.
Dependencies resolved.
============================================================================================================================================================================================================================================================
Package Architecture Version Repository Size
============================================================================================================================================================================================================================================================
Installing:
certbot noarch 2.6.0-1.el9 epel 18 k
Installing dependencies:
fontawesome-fonts noarch 1:4.7.0-13.el9 appstream 205 k
python3-acme noarch 2.6.0-1.el9 epel 160 k
python3-certbot noarch 2.6.0-1.el9 epel 644 k
python3-cffi x86_64 1.14.5-5.el9 baseos 253 k
python3-configargparse noarch 1.7-1.el9 epel 45 k
python3-configobj noarch 5.0.6-25.el9 appstream 63 k
python3-cryptography x86_64 36.0.1-4.el9 baseos 1.2 M
python3-josepy noarch 1.13.0-1.el9 epel 60 k
python3-parsedatetime noarch 2.6-5.el9 epel 79 k
python3-ply noarch 3.11-14.el9 baseos 106 k
python3-pyOpenSSL noarch 21.0.0-1.el9 epel 90 k
python3-pycparser noarch 2.20-6.el9 baseos 135 k
python3-pyrfc3339 noarch 1.1-11.el9 epel 18 k
python3-pytz noarch 2021.1-5.el9 appstream 51 k
Installing weak dependencies:
python-josepy-doc noarch 1.13.0-1.el9 epel 19 k
Transaction Summary
============================================================================================================================================================================================================================================================
Install 16 Packages
Total download size: 3.1 M
Installed size: 12 M
Is this ok [y/N]: y
Downloading Packages:
(1/16): python3-ply-3.11-14.el9.noarch.rpm 1.3 MB/s | 106 kB 00:00
(2/16): python3-cffi-1.14.5-5.el9.x86_64.rpm 2.9 MB/s | 253 kB 00:00
(3/16): python3-pycparser-2.20-6.el9.noarch.rpm 19 MB/s | 135 kB 00:00
(4/16): python3-cryptography-36.0.1-4.el9.x86_64.rpm 8.9 MB/s | 1.2 MB 00:00
(5/16): fontawesome-fonts-4.7.0-13.el9.noarch.rpm 2.7 MB/s | 205 kB 00:00
(6/16): python3-configobj-5.0.6-25.el9.noarch.rpm 916 kB/s | 63 kB 00:00
(7/16): python3-pytz-2021.1-5.el9.noarch.rpm 1.1 MB/s | 51 kB 00:00
(8/16): certbot-2.6.0-1.el9.noarch.rpm 36 kB/s | 18 kB 00:00
(9/16): python-josepy-doc-1.13.0-1.el9.noarch.rpm 37 kB/s | 19 kB 00:00
(10/16): python3-configargparse-1.7-1.el9.noarch.rpm 123 kB/s | 45 kB 00:00
(11/16): python3-acme-2.6.0-1.el9.noarch.rpm 165 kB/s | 160 kB 00:00
(12/16): python3-josepy-1.13.0-1.el9.noarch.rpm 228 kB/s | 60 kB 00:00
(13/16): python3-parsedatetime-2.6-5.el9.noarch.rpm 348 kB/s | 79 kB 00:00
(14/16): python3-pyrfc3339-1.1-11.el9.noarch.rpm 98 kB/s | 18 kB 00:00
(15/16): python3-pyOpenSSL-21.0.0-1.el9.noarch.rpm 304 kB/s | 90 kB 00:00
(16/16): python3-certbot-2.6.0-1.el9.noarch.rpm 678 kB/s | 644 kB 00:00
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total 906 kB/s | 3.1 MB 00:03
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Installing : python3-pytz-2021.1-5.el9.noarch 1/16
Installing : python3-pyrfc3339-1.1-11.el9.noarch 2/16
Installing : python3-parsedatetime-2.6-5.el9.noarch 3/16
Installing : python3-configargparse-1.7-1.el9.noarch 4/16
Installing : python-josepy-doc-1.13.0-1.el9.noarch 5/16
Installing : python3-configobj-5.0.6-25.el9.noarch 6/16
Installing : fontawesome-fonts-1:4.7.0-13.el9.noarch 7/16
Installing : python3-ply-3.11-14.el9.noarch 8/16
Installing : python3-pycparser-2.20-6.el9.noarch 9/16
Installing : python3-cffi-1.14.5-5.el9.x86_64 10/16
Installing : python3-cryptography-36.0.1-4.el9.x86_64 11/16
Installing : python3-pyOpenSSL-21.0.0-1.el9.noarch 12/16
Installing : python3-josepy-1.13.0-1.el9.noarch 13/16
Installing : python3-acme-2.6.0-1.el9.noarch 14/16
Installing : python3-certbot-2.6.0-1.el9.noarch 15/16
Installing : certbot-2.6.0-1.el9.noarch 16/16
Running scriptlet: certbot-2.6.0-1.el9.noarch 16/16
Created symlink /etc/systemd/system/timers.target.wants/certbot-renew.timer → /usr/lib/systemd/system/certbot-renew.timer.
Certbot auto renewal timer is not started by default.
Run 'systemctl start certbot-renew.timer' to enable automatic renewals.
Verifying : python3-cffi-1.14.5-5.el9.x86_64 1/16
Verifying : python3-cryptography-36.0.1-4.el9.x86_64 2/16
Verifying : python3-ply-3.11-14.el9.noarch 3/16
Verifying : python3-pycparser-2.20-6.el9.noarch 4/16
Verifying : fontawesome-fonts-1:4.7.0-13.el9.noarch 5/16
Verifying : python3-configobj-5.0.6-25.el9.noarch 6/16
Verifying : python3-pytz-2021.1-5.el9.noarch 7/16
Verifying : certbot-2.6.0-1.el9.noarch 8/16
Verifying : python-josepy-doc-1.13.0-1.el9.noarch 9/16
Verifying : python3-acme-2.6.0-1.el9.noarch 10/16
Verifying : python3-certbot-2.6.0-1.el9.noarch 11/16
Verifying : python3-configargparse-1.7-1.el9.noarch 12/16
Verifying : python3-josepy-1.13.0-1.el9.noarch 13/16
Verifying : python3-parsedatetime-2.6-5.el9.noarch 14/16
Verifying : python3-pyOpenSSL-21.0.0-1.el9.noarch 15/16
Verifying : python3-pyrfc3339-1.1-11.el9.noarch 16/16
Installed:
certbot-2.6.0-1.el9.noarch fontawesome-fonts-1:4.7.0-13.el9.noarch python-josepy-doc-1.13.0-1.el9.noarch python3-acme-2.6.0-1.el9.noarch python3-certbot-2.6.0-1.el9.noarch python3-cffi-1.14.5-5.el9.x86_64
python3-configargparse-1.7-1.el9.noarch python3-configobj-5.0.6-25.el9.noarch python3-cryptography-36.0.1-4.el9.x86_64 python3-josepy-1.13.0-1.el9.noarch python3-parsedatetime-2.6-5.el9.noarch python3-ply-3.11-14.el9.noarch
python3-pyOpenSSL-21.0.0-1.el9.noarch python3-pycparser-2.20-6.el9.noarch python3-pyrfc3339-1.1-11.el9.noarch python3-pytz-2021.1-5.el9.noarch
Complete!
2. Obtaining the SSL certificate
Stop Nginx first, then obtain the certificate. A single Let's Encrypt certificate can cover several domains and subdomains, so both the www and the non-www name are passed with -d.
$ sudo systemctl stop nginx
The command below is for the domain example.com; change it to match your own domain.
$ sudo certbot certonly --standalone -d www.example.com -d example.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): info@example.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Account registered.
Requesting a certificate for www.example.com
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/www.my-domain/fullchain.pem
Key is saved at: /etc/letsencrypt/live/www.my-domain/privkey.pem
This certificate expires on 2024-01-18.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
$ sudo vi my-domain_production
server {
    listen 443 ssl;
    # {{ cashbook.host }} is a template placeholder for the host name
    # (rendered here it would be: www.example.com example.com)
    server_name {{ cashbook.host }};
    root /var/www/www.example.com/current/web;
    # certbot names the live/ directory after the first -d name (www.example.com).
    # ssl_certificate takes the chain and ssl_certificate_key the private key,
    # not the other way round; swapped, nginx refuses to start.
    ssl_certificate /etc/letsencrypt/live/www.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.example.com/privkey.pem;
}
$ sudo systemctl start nginx
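Before starting nginx it is worth confirming that ssl_certificate really points at a certificate and ssl_certificate_key at a private key, since a swapped pair only surfaces when nginx refuses to start. The script below is an added example, not part of the original post: it reads the two directives out of a server block and checks only the PEM labels of the files they name, using constructed placeholder files in a temporary directory.

```shell
# Added check: ssl_certificate must name a certificate, ssl_certificate_key a
# private key. Only the PEM labels are inspected, no key material is parsed.
pem_label() {
    # Print the label of the first PEM block in file $1, e.g. CERTIFICATE.
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" 2>/dev/null | head -n 1
}

nginx_directive() {
    # Print the argument of the first occurrence of directive $2 in config $1.
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\([^;]*\);.*/\1/p" "$1" | head -n 1
}

check_tls_pair() {
    # Return 0 only if $1 holds a certificate and $2 a (RSA/EC/PKCS#8) private key.
    cert_label=$(pem_label "$1")
    key_label=$(pem_label "$2")
    if [ "$cert_label" != "CERTIFICATE" ]; then
        echo "ssl_certificate $1: expected CERTIFICATE, found '${cert_label:-nothing}'" >&2
        return 1
    fi
    case "$key_label" in
        *"PRIVATE KEY") return 0 ;;
        *) echo "ssl_certificate_key $2: expected a PRIVATE KEY, found '${key_label:-nothing}'" >&2
           return 1 ;;
    esac
}

check_nginx_tls() {
    # Resolve both directives from config $1 and check the pair.
    check_tls_pair "$(nginx_directive "$1" ssl_certificate)" \
                   "$(nginx_directive "$1" ssl_certificate_key)"
}

# Constructed stand-ins for certbot's live/ files (placeholder bodies, not real keys).
demo=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'placeholder' '-----END CERTIFICATE-----' > "$demo/fullchain.pem"
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'placeholder' '-----END PRIVATE KEY-----' > "$demo/privkey.pem"
# The same server block twice: with the two paths swapped, then corrected.
printf 'server {\n    listen 443 ssl;\n    ssl_certificate %s/privkey.pem;\n    ssl_certificate_key %s/fullchain.pem;\n}\n' \
    "$demo" "$demo" > "$demo/swapped.conf"
printf 'server {\n    listen 443 ssl;\n    ssl_certificate %s/fullchain.pem;\n    ssl_certificate_key %s/privkey.pem;\n}\n' \
    "$demo" "$demo" > "$demo/fixed.conf"

for conf in swapped.conf fixed.conf; do
    if check_nginx_tls "$demo/$conf"; then echo "$conf: OK"; else echo "$conf: REJECTED"; fi
done
```

Run it against the real config by calling check_nginx_tls with the path of the nginx server file; the paths it reads are those certbot printed under "Certificate is saved at" and "Key is saved at".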
3. Configuration
$ sudo vi /etc/sysconfig/certbot
## NOTE ##
# If a hook is set here then it will be used for all
# certificates and will override any per certificate
# hook configuration in place.
# Command to be run in a shell before obtaining any
# certificates. Intended primarily for renewal, where it
# can be used to temporarily shut down a webserver that
# might conflict with the standalone plugin. This will
# only be called if a certificate is actually to be
# obtained/renewed. When renewing several certificates
# that have identical pre-hooks, only the first will be
# executed.
#
# An example to stop the MTA before updating certs would be
# PRE_HOOK="--pre-hook 'systemctl stop postfix'"
# The variable must carry the --pre-hook flag itself, in the form shown in the
# example above: certbot-renew.service appends its value verbatim to the
# "certbot renew" command line, so a bare command would be passed as stray
# positional arguments.
PRE_HOOK="--pre-hook 'systemctl stop nginx'"
# Command to be run in a shell after attempting to
# obtain/renew certificates. Can be used to deploy
# renewed certificates, or to restart any servers that
# were stopped by --pre-hook. This is only run if an
# attempt was made to obtain/renew a certificate. If
# multiple renewed certificates have identical post-
# hooks, only one will be run.
#
# An example to restart httpd would be:
# POST_HOOK="--post-hook 'systemctl restart httpd'"
POST_HOOK="--post-hook 'systemctl start nginx'"
# Command to be run in a shell once for each
# successfully renewed certificate. For this command,
# the shell variable $RENEWED_LINEAGE will point to the
# config live subdirectory containing the new certs and
# keys; the shell variable $RENEWED_DOMAINS will contain
# a space-delimited list of renewed cert domains
#
# An example to run a script to alert each cert would be:
# DEPLOY_HOOK="--deploy-hook /usr/local/bin/cert-notifier.sh"
DEPLOY_HOOK=""
# Any other misc arguments for the renewal
# See certbot -h renew for full list
#
# An example to force renewal for certificates not due yet
# CERTBOT_ARGS="--force-renewal"
CERTBOT_ARGS=""
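Because the renewal service hands these variables to certbot unchanged, a value that lacks its flag breaks every scheduled renewal while looking harmless in the file. The script below is an added example, not part of the original post or of the certbot package: it reads the hook variables from a sysconfig-style file and checks that each non-empty value starts with the flag the comments in that file prescribe, using two constructed sample files.

```shell
# Added check: each hook variable in /etc/sysconfig/certbot must begin with its
# certbot flag, because certbot-renew.service expands the value verbatim.
sysconfig_value() {
    # Print the value of VAR=$2 from file $1 with the outer double quotes
    # removed; the last assignment wins, as with EnvironmentFile=.
    sed -n "s/^$2=//p" "$1" | tail -n 1 | sed 's/^"\(.*\)"$/\1/'
}

check_hook() {
    # $1 = variable name, $2 = expected flag, $3 = file. An empty value means unset.
    hook_value=$(sysconfig_value "$3" "$1")
    [ -z "$hook_value" ] && return 0
    case "$hook_value" in
        "$2 "?*) return 0 ;;
    esac
    echo "$1: expected \"$2 '<command>'\", got \"$hook_value\"" >&2
    return 1
}

check_certbot_sysconfig() {
    # Validate the three hook variables in file $1; return 1 if any is malformed.
    rc=0
    check_hook PRE_HOOK    --pre-hook    "$1" || rc=1
    check_hook POST_HOOK   --post-hook   "$1" || rc=1
    check_hook DEPLOY_HOOK --deploy-hook "$1" || rc=1
    return $rc
}

# Constructed sample files: a bare-command form, then the flagged form.
sample=$(mktemp -d)
cat > "$sample/bad" <<'EOF'
# PRE_HOOK="--pre-hook 'systemctl stop postfix'"   (comment lines are ignored)
PRE_HOOK="systemctl stop nginx"
POST_HOOK="systemctl start nginx"
DEPLOY_HOOK=""
EOF
cat > "$sample/good" <<'EOF'
PRE_HOOK="--pre-hook 'systemctl stop nginx'"
POST_HOOK="--post-hook 'systemctl start nginx'"
DEPLOY_HOOK=""
EOF

for f in bad good; do
    if check_certbot_sysconfig "$sample/$f"; then echo "$f: OK"; else echo "$f: REJECTED"; fi
done
```

To check the live file, call check_certbot_sysconfig /etc/sysconfig/certbot; a dry run with certbot renew --dry-run then exercises the hooks end to end.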
4. Timer setup for automatic certificate renewal
With older Let's Encrypt setups it seems the usual approach was to automate renewal with cron, but today's certbot package ships with a systemd timer out of the box. Very simple. As the post-install message in step 1 says, the timer is enabled but not started by default, so it only appears in the list below once it has been started (systemctl start certbot-renew.timer) or after a reboot.
$ sudo systemctl list-timers
NEXT LEFT LAST PASSED UNIT ACTIVATES
Sat 2023-10-21 10:44:34 UTC 21h left - - certbot-renew.timer certbot-renew.service
Reference article
Let’s Encryptの使い方〜SSL証明書の取得から更新の自動化まで〜 (How to use Let's Encrypt: from obtaining an SSL certificate to automating renewal)