
Installing a Let's Encrypt SSL certificate on an Amazon Linux server running ownCloud

More than 3 years have passed since last update.

Background

I hit a few snags while putting the ownCloud instance on Amazon Linux behind SSL with Let's Encrypt, so this is a memo of what happened.

Caveat

FATAL: Amazon Linux support is very experimental at present...
if you would like to work on improving it, please ensure you have backups

That is what certbot-auto itself says, so carry out this procedure at your own risk.

Environment

  • Amazon Linux AMI release 2017.03
  • Apache/2.4.27 (Amazon)

Getting started

Download certbot-auto.

$ sudo curl https://dl.eff.org/certbot-auto -o /usr/bin/certbot-auto
$ sudo chmod 700 /usr/bin/certbot-auto

Run it in test mode (--debug). An error appears here.

$ sudo certbot-auto --debug
Bootstrapping dependencies for Amazon... (you can skip this with --no-bootstrap)
yum は /usr/bin/yum です
読み込んだプラグイン:priorities, update-motd, upgrade-helper
・
・
・
Creating virtual environment...
/usr/bin/certbot-auto: 行 700: virtualenv: コマンドが見つかりません

Apparently this needs Python 2.7. Check the current Python version.

$ alternatives --display python
python - ステータスは手動です。
リンクは現在 /usr/bin/python2.6 を指しています。
・
・
・
現在の「最適」バージョンは /usr/bin/python2.7 です。

Switch Python to version 2.7.

$ sudo alternatives --set python /usr/bin/python2.7
$ python -V
Python 2.7.12

Issue the certificate.

$ sudo certbot-auto certonly --webroot -w 【ドキュメントルート】 -d 【ドメイン名】 --email 【メールアドレス】
・
・
・
IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: 【ドメイン名】
   Type:   unauthorized
   Detail: Invalid response from
   http://【ドメイン名】/.well-known/acme-challenge/j86lIDb5VkS_f2cuFXf6tICw5FzP4YH7JaAASlPk35k:
   "<!DOCTYPE html>
   <!--[if lt IE 7]><html class="ng-csp ie ie6 lte9 lte8 lte7"
   data-placeholder-focus="false" lang="en"><![endif]--"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.

Another error. Apparently the request ran into an error in ownCloud, so Let's Encrypt could not reach this server properly. Rewrite the DocumentRoot temporarily.

/etc/httpd/conf/httpd.conf
・
・
DocumentRoot "/var/www/html/"
・
・

Restart Apache.

$ sudo service httpd restart

Issue the certificate once more.

$ sudo certbot-auto certonly --webroot -w /var/www/html -d 【ドメイン名】 --email 【メールアドレス】
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for 【ドメイン名】
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/【ドメイン名】/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/【ドメイン名】/privkey.pem
   Your cert will expire on 2017-11-29. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Restore the original DocumentRoot.

Open ssl.conf and change the following lines.

/etc/httpd/conf.d/ssl.conf
・
・
#   Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate.  If
# the certificate is encrypted, then you will be prompted for a
# pass phrase.  Note that a kill -HUP will prompt again.  A new
# certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/letsencrypt/live/【ドメイン名】/fullchain.pem

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/letsencrypt/live/【ドメイン名】/privkey.pem
・
・

Add a rule that redirects any request arriving over HTTP to HTTPS.

/etc/httpd/conf.d/rewrite.conf
<IfModule mod_rewrite.c>
  RewriteEngine On
  # rewrite:trace3 is verbose debug logging for mod_rewrite; remove this line once the redirect works
  LogLevel alert rewrite:trace3
  # Any request that did not arrive over TLS is sent to the same URL on https://
  # (R without a status code means a 302 temporary redirect)
  RewriteCond %{HTTPS} off
  RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
</IfModule>
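The DocumentRoot juggling above has a catch: certbot records the webroot path given with -w in /etc/letsencrypt/renewal/【ドメイン名】.conf and reuses it for every later renew, so an unattended renewal can fail the same way the first attempt did if the challenge directory is again served by ownCloud. The Apache fragment below is an added example, not part of the original article and not ownCloud's own configuration. It serves /.well-known/acme-challenge/ from a separate directory (the path /var/www/letsencrypt and the file name letsencrypt.conf are assumptions) so that ownCloud's rewrite rules never see the challenge request, and it extends the HTTP-to-HTTPS redirect above with an exemption for that path.

```apache
# /etc/httpd/conf.d/letsencrypt.conf  (assumed file name; added example, not from the article)

# Map the ACME challenge URL to a dedicated directory outside the ownCloud tree.
# mod_alias resolves this before ownCloud's .htaccess rules can act on the request.
Alias /.well-known/acme-challenge/ /var/www/letsencrypt/.well-known/acme-challenge/

<Directory "/var/www/letsencrypt/.well-known/acme-challenge/">
    # Nothing but static token files live here: no indexes, no CGI, no .htaccess
    Options None
    AllowOverride None
    # Apache 2.4 access control: the CA must be able to fetch tokens anonymously
    Require all granted
    # Tokens are plain text; make sure no handler reinterprets them
    ForceType text/plain
</Directory>

<IfModule mod_rewrite.c>
    RewriteEngine On
    # Redirect plain HTTP to HTTPS, but leave the challenge path alone so the
    # http-01 validation does not depend on the TLS side being configured yet.
    RewriteCond %{HTTPS} off
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</IfModule>
```

Create the directory with `sudo mkdir -p /var/www/letsencrypt/.well-known/acme-challenge`, check the syntax with `sudo apachectl -t`, restart httpd, and then issue the certificate with `-w /var/www/letsencrypt` instead of the ownCloud document root. Before running certbot you can confirm the mapping by dropping a test file into that directory and fetching http://【ドメイン名】/.well-known/acme-challenge/&lt;file&gt; with curl: the response must be the file's contents, not an ownCloud HTML page. Because certbot then stores /var/www/letsencrypt as the webroot, the weekly renew job works without any manual DocumentRoot changes.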

Restart Apache.

$ sudo service httpd restart

Set up automatic renewal of the SSL certificate.

$ sudo crontab -e
# Every Sunday at 03:50: renew, then restart Apache so it loads the new files.
# "renew" by itself only renews certificates within 30 days of expiry;
# --force-renew reissues the certificate every week regardless of its age.
# Full paths are used because a user crontab's default PATH does not include /sbin.
50 3 * * 0 /usr/bin/certbot-auto renew --force-renew --post-hook "/sbin/service httpd restart"

References

Publishing a secure website with a Let's Encrypt SSL certificate
Automatically redirecting HTTP access to HTTPS with Apache

akido_
C# (Unity, XAML, WPF) and PHP (Laravel, CakePHP3) engineer. On Qiita I write up solutions to the errors I run into day to day.