
Installing Let's Encrypt on CentOS 6

This is a copy of a blog post.

Last time everything worked on CentOS 7, so this time I ran the test on CentOS 6.

The main things to verify were:


  • Whether a Let's Encrypt certificate can be issued on CentOS 6 and works

  • Whether multiple domains can be handled

To check these, I created two subdomains,


  • ssl1.example.com

  • ssl2.example.com

as virtual hosts on the server and ran the verification against them.


Version check

# cat /etc/redhat-release

CentOS release 6.7 (Final)

# python --version
Python 2.6.6


Points to note

The same procedure as for CentOS 7 reportedly cannot be used. On CentOS 6, install following the "Other Unix-like OS" instructions.

For reference, running the CentOS 7 procedure anyway gives something like this.

# sudo yum install epel-release

読み込んだプラグイン:fastestmirror
インストール処理の設定をしています

## (omitted)

パッケージ epel-release-6-8.noarch はインストール済みか最新バージョンです
何もしません

This part is fine.

# sudo yum install certbot python-certbot-apache

読み込んだプラグイン:fastestmirror
インストール処理の設定をしています

## (omitted)

パッケージ certbot は利用できません。
パッケージ python-certbot-apache は利用できません。
エラー: 何もしません

It stopped with this error.


Reference


Installation

Running the installer checks and installs the dependencies as well, and then proceeds automatically all the way to certificate issuance.

However, it errored out partway through, reporting that the name could not be resolved. The cause was a careless mistake on my side: the router at the edge of the DMZ did not have ports 80 and 443 open to this server.

# wget https://dl.eff.org/certbot-auto

--2018-08-02 09:41:52-- https://dl.eff.org/certbot-auto
dl.eff.org をDNSに問いあわせています... 151.101.72.201, 2a04:4e42:11::201
dl.eff.org|151.101.72.201|:443 に接続しています... 接続しました。
HTTP による接続要求を送信しました、応答を待っています... 200 OK

## (omitted)

完了しました!
Creating virtual environment...
Installing Python packages...
Installation succeeded.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): test@example.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: hoge.example.com
2: ssl1.example.com
3: ssl2.example.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 2
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for ssl1.example.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. ssl1.example.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://ssl1.example.com/.well-known/acme-challenge/jpXXXXXXXXXXXXXXXXXXXX-YYYYYYYYYYYYYYYYYY: Timeout during connect (likely firewall problem)

## (rest omitted)
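Before retrying, a practitioner would want to reproduce, from a host outside the DMZ, exactly what the ACME validator does for http-01: resolve the name, open a TCP connection to port 80, fetch the token under /.well-known/acme-challenge/ and compare the body. The script below is an added example, not part of the original post and not certbot's own code. It uses only the Python standard library; the token and key-authorization strings are constructed placeholders, and demo() serves that token from a temporary directory on 127.0.0.1 so the check runs offline. Running check_http01() on the web server itself only proves that outbound traffic works; the router problem in the post is only visible from outside.

```python
"""Reproduce the http-01 fetch an ACME validator performs against a name.

Added example (not part of the original post, not certbot's code). Standard
library only. Run it from a host OUTSIDE the DMZ: from the server itself it
only proves that outbound traffic works, not that the validator can get in.
"""
import functools
import http.client
import os
import socket
import tempfile
import threading
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer

CHALLENGE_PATH = "/.well-known/acme-challenge/"


def check_http01(host, token, expected_body, port=80, timeout=5.0):
    """Walk the three steps of http-01 validation and report where it stops.

    The 'error' field is prefixed with the ACME error class the same failure
    produces (dns, connection, unauthorized) so it maps onto certbot's log.
    """
    result = {"host": host, "resolved": None, "connected": False,
              "status": None, "ok": False, "error": None}
    # 1. name resolution (a failure here shows up as urn:...:error:dns)
    try:
        result["resolved"] = socket.gethostbyname(host)
    except socket.gaierror as exc:
        result["error"] = "dns: %s" % exc
        return result
    # 2. TCP connect on the challenge port; this is the step the closed
    #    router port in the post broke ("Timeout during connect")
    conn = http.client.HTTPConnection(result["resolved"], port, timeout=timeout)
    try:
        conn.connect()
        result["connected"] = True
    except OSError as exc:
        result["error"] = "connection: %s" % exc
        return result
    # 3. fetch the token with the original Host header and compare the body
    try:
        conn.request("GET", CHALLENGE_PATH + token, headers={"Host": host})
        resp = conn.getresponse()
        body = resp.read().decode("ascii", "replace").strip()
        result["status"] = resp.status
        if resp.status == 200 and body == expected_body:
            result["ok"] = True
        else:
            result["error"] = "unauthorized: status %s, body %r" % (resp.status, body[:60])
    except (OSError, http.client.HTTPException) as exc:
        result["error"] = "connection: %s" % exc
    finally:
        conn.close()
    return result


def demo():
    """Serve a constructed token on 127.0.0.1 and run the check three ways."""
    token = "jpXXXXXXXXXXXXXXXXXXXX-YYYYYYYYYYYYYYYYYY"     # placeholder, same shape as the post
    key_authz = token + ".CONSTRUCTED-ACCOUNT-THUMBPRINT"   # constructed key authorization
    tmp = tempfile.mkdtemp()
    chal_dir = os.path.join(tmp, ".well-known", "acme-challenge")
    os.makedirs(chal_dir)
    with open(os.path.join(chal_dir, token), "w") as fh:
        fh.write(key_authz)
    handler = functools.partial(SimpleHTTPRequestHandler, directory=tmp)
    srv = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    port = srv.server_address[1]
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        good = check_http01("127.0.0.1", token, key_authz, port=port)
        wrong = check_http01("127.0.0.1", token, "not-the-key-authorization", port=port)
    finally:
        srv.shutdown()
        srv.server_close()
    # a port nothing listens on reproduces the "could not connect" failure
    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()
    refused = check_http01("127.0.0.1", token, key_authz, port=closed_port)
    return good, wrong, refused


if __name__ == "__main__":
    for r in demo():
        print(r)
```

Against a real host you would call check_http01("ssl1.example.com", token, key_authz) with the token and key authorization that certbot wrote under the web root, and read the "error" prefix: "connection" points at the firewall or NAT in front of the server, "unauthorized" means port 80 answered but a different vhost served the request.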


Reference: looking at the error log

# less /var/log/letsencrypt/letsencrypt.log

2018-08-02 09:52:50,307:DEBUG:certbot.error_handler:Calling registered functions
2018-08-02 09:52:50,307:INFO:certbot.auth_handler:Cleaning up challenges
2018-08-02 09:52:50,782:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 11, in <module>
load_entry_point('letsencrypt==0.7.0', 'console_scripts', 'letsencrypt')()
File "/opt/eff.org/certbot/venv/lib64/python3.4/site-packages/certbot/main.py", line 1364, in main
return config.func(config, plugins)
File "/opt/eff.org/certbot/venv/lib64/python3.4/site-packages/certbot/main.py", line 1124, in run
certname, lineage)
File "/opt/eff.org/certbot/venv/lib64/python3.4/site-packages/certbot/main.py", line 120, in _get_and_save_cert
lineage = le_client.obtain_and_enroll_certificate(domains, certname)
File "/opt/eff.org/certbot/venv/lib64/python3.4/site-packages/certbot/client.py", line 391, in obtain_and_enroll_certificate
cert, chain, key, _ = self.obtain_certificate(domains)
File "/opt/eff.org/certbot/venv/lib64/python3.4/site-packages/certbot/client.py", line 334, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File "/opt/eff.org/certbot/venv/lib64/python3.4/site-packages/certbot/client.py", line 370, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
File "/opt/eff.org/certbot/venv/lib64/python3.4/site-packages/certbot/auth_handler.py", line 82, in handle_authorizations
self._respond(aauthzrs, resp, best_effort)
File "/opt/eff.org/certbot/venv/lib64/python3.4/site-packages/certbot/auth_handler.py", line 155, in _respond
self._poll_challenges(aauthzrs, chall_update, best_effort)
File "/opt/eff.org/certbot/venv/lib64/python3.4/site-packages/certbot/auth_handler.py", line 226, in _poll_challenges
raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. ssl1.example.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://ssl1.example.com/.well-known/acme-challenge/jpXXXXXXXXXXXXXXXXXXXX-YYYYYYYYYYYYYYYYYY: Timeout during connect (likely firewall problem)

As the error message says, you can see that the attempt to communicate on port 80 during domain validation failed.
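Reading the traceback by eye is enough for one name, but a server that holds several vhosts can have several names listed on the same "Failed authorization procedure." line, and it helps to pull out the domain, challenge type, ACME error type and the URL the validator fetched in a structured way. The parser below is an added example, not certbot's own code. SAMPLE_LOG is constructed to match the shape of the letsencrypt.log lines shown above, and HINTS is my own mapping from the ACME error type to what to check first.

```python
"""Pull structured findings out of certbot's letsencrypt.log.

Added example, not certbot's code. SAMPLE_LOG is constructed to match the
shape of the log lines shown in the post; HINTS is my own mapping from the
ACME error type to what to check first.
"""
import re

SAMPLE_LOG = """\
2018-08-02 09:52:50,307:INFO:certbot.auth_handler:Cleaning up challenges
2018-08-02 09:52:50,782:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/lib64/python3.4/site-packages/certbot/auth_handler.py", line 226, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. ssl1.example.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://ssl1.example.com/.well-known/acme-challenge/jpXXXXXXXXXXXXXXXXXXXX-YYYYYYYYYYYYYYYYYY: Timeout during connect (likely firewall problem)
"""

# One failed name inside a "Failed authorization procedure." line. certbot joins
# several failures with ", ", so the detail stops where the next entry begins.
ENTRY_RE = re.compile(
    r"(?P<domain>[\w.-]+) \((?P<challenge>[\w-]+)\): "
    r"(?P<error>urn:ietf:params:acme:error:\w+) :: "
    r"(?P<detail>.*?)"
    r"(?=, [\w.-]+ \([\w-]+\): urn:ietf:params:acme:error:|$)"
)
MARKER = "Failed authorization procedure. "

# Own mapping: ACME error type -> first thing to check (defender's view)
HINTS = {
    "connection": "validator could not open port 80 on the name: check NAT/firewall rules in front of the server",
    "dns": "the name does not resolve from the public Internet: check the DNS record",
    "unauthorized": "port 80 answered but not with the expected token: check which vhost serves this name",
    "tls": "port 443 answered but the TLS handshake failed: check the vhost's certificate and SNI",
}


def parse_failed_authorizations(log_text):
    """Return one dict per failed name found in the log text."""
    findings = []
    for line in log_text.splitlines():
        if MARKER not in line:
            continue
        for m in ENTRY_RE.finditer(line.split(MARKER, 1)[1]):
            detail = m.group("detail")
            # the URL the validator tried sits between "Fetching " and the next ": "
            fetched = re.search(r"Fetching (\S+):", detail)
            error = m.group("error").rsplit(":", 1)[1]
            findings.append({
                "domain": m.group("domain"),
                "challenge": m.group("challenge"),
                "error": error,
                "detail": detail,
                "url": fetched.group(1) if fetched else None,
                "hint": HINTS.get(error, "unmapped ACME error type; read the detail"),
            })
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for f in parse_failed_authorizations(text):
        print("%(domain)s %(challenge)s %(error)s -> %(hint)s" % f)
```

Run it as `python3 parse_le_log.py /var/log/letsencrypt/letsencrypt.log` (file name assumed) to get one line per failed name; with no argument it runs over the constructed sample.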

I reviewed the router settings and tried again.

# ./certbot-auto

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: hoge.example.com
2: ssl1.example.com
3: ssl2.example.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 2
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for ssl1.example.com
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/httpd/conf/vhosts/siteX-le-ssl.conf
Deploying Certificate to VirtualHost /etc/httpd/conf/vhosts/siteX-le-ssl.conf
Enabling site /etc/httpd/conf/vhosts/siteX-le-ssl.conf by adding Include to root configuration

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Added an HTTP->HTTPS rewrite in addition to other RewriteRules; you may wish to check for overall consistency.
Redirecting vhost in /etc/httpd/conf/vhosts/siteX to ssl vhost in /etc/httpd/conf/vhosts/siteX-le-ssl.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://ssl1.example.com

## (rest omitted)

It seems the installation worked. The redirect also succeeded. And even though I had not created a virtual host for port 443, it configured one automatically.

So, on to the second (sub)domain.

# ./certbot-auto

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: hoge.example.com
2: ssl1.example.com
3: ssl2.example.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 3
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for ssl2.example.com
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/httpd/conf/vhosts/siteY-le-ssl.conf
Deploying Certificate to VirtualHost /etc/httpd/conf/vhosts/siteY-le-ssl.conf
Enabling site /etc/httpd/conf/vhosts/siteY-le-ssl.conf by adding Include to root configuration

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Added an HTTP->HTTPS rewrite in addition to other RewriteRules; you may wish to check for overall consistency.
Redirecting vhost in /etc/httpd/conf/vhosts/siteY to ssl vhost in /etc/httpd/conf/vhosts/siteY-le-ssl.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://ssl2.example.com

## (rest omitted)

That one works too.