
Let's Encrypt on CentOS 6.7 !!


Let's Encrypt, the free SSL certificate CA, moved from beta to general availability on 2016/04/12, so I went straight ahead and tried obtaining a certificate and wiring it into Apache.

  • Preparation

To use Let's Encrypt you need a domain whose DNS A record resolves to this server (the CA validates by connecting to the name, so forward resolution is what matters; a reverse record is not required) and ports 80 and 443 reachable from the internet. The standalone authenticator used below opens its own listener on those ports, so nothing else, httpd included, may be bound to them while the certificate is being obtained.





  • Installing the client tool

Add the packages with the steps below. If httpd and mod_ssl were built and installed by hand, add only git and openssl with yum; if those two are already present as well, the first line is not needed.


※ letsencrypt-auto --help is not run to display the help text: on first run it makes letsencrypt-auto bootstrap its own dependencies and shows whether any are missing. Be sure to run it.

yum install -y httpd mod_ssl git openssl

cd /opt
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
./letsencrypt-auto --help


  letsencrypt-auto [SUBCOMMAND] [options] [-d domain] [-d domain] ...

The Let's Encrypt agent can obtain and install HTTPS/TLS/SSL certificates. By
default, it will attempt to use a webserver both for obtaining and installing
the cert. Major SUBCOMMANDS are:

(default) run Obtain & install a cert in your current webserver
certonly Obtain cert, but do not install it (aka "auth")
install Install a previously obtained cert in a server
renew Renew previously obtained certs that are near expiry
revoke Revoke a previously obtained certificate
rollback Rollback server configuration changes made during install
config_changes Show changes made to server config during installation
plugins Display information about installed plugins

Choice of server plugins for obtaining and installing cert:

--apache Use the Apache plugin for authentication & installation
--standalone Run a standalone webserver for authentication
(nginx support is experimental, buggy, and not installed by default)
--webroot Place files in a server's webroot folder for authentication

OR use different plugins to obtain (authenticate) the cert and then install it:

--authenticator standalone --installer apache

More detailed help:

-h, --help [topic] print this message, or detailed help on a topic;
the available topics are:

all, automation, paths, security, testing, or any of the subcommands or
plugins (certonly, install, nginx, apache, standalone, webroot, etc)

  • Obtaining the certificate

The standalone authenticator answers the validation from its own listener on port 80/443, so stop httpd first (service httpd stop) and start it again once the command has finished; with httpd still bound to the port the run fails.

/opt/letsencrypt/letsencrypt-auto certonly -a standalone -d domain-name


Checking for new version...

Requesting root privileges to run letsencrypt...
Version: 1.1-20080819
Version: 1.1-20080819

- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/(domain-name)/fullchain.pem. Your cert
will expire on (expiry date). To obtain a new version of the
certificate in the future, simply run Let's Encrypt again.
- If you like Let's Encrypt, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le


Certificate only        /etc/letsencrypt/live/domain-name/cert.pem

Intermediate only       /etc/letsencrypt/live/domain-name/chain.pem

Certificate + chain     /etc/letsencrypt/live/domain-name/fullchain.pem

Private key             /etc/letsencrypt/live/domain-name/privkey.pem

The entries under live/ are symlinks to the newest files in /etc/letsencrypt/archive/, so these paths stay valid across renewals. Keep privkey.pem readable by root only.
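Before wiring the files into Apache it is worth confirming that what landed under live/ is consistent: that the private key really belongs to the certificate, that chain.pem is the issuer of cert.pem, and how long the certificate is good for. The script below is an added example, not part of the original post or of the letsencrypt client; it assumes the live/ layout shown above, takes the domain name as its only argument, and needs only openssl and GNU date, both of which CentOS 6.7 ships.

```shell
#!/bin/sh
# check_le_files.sh <domain>
# Added example (not from the original post or the letsencrypt client):
# sanity-checks the files letsencrypt-auto wrote under /etc/letsencrypt/live/<domain>/.
# Needs only openssl and GNU date, both shipped with CentOS 6.7.

LIVE_ROOT=/etc/letsencrypt/live   # assumed layout, as shown in the post

# cert_matches_key <cert.pem> <privkey.pem>
# Succeeds only if the certificate's public key and the private key carry the
# same RSA modulus (this client issued RSA keys); a mismatch makes httpd refuse
# to start.  A missing or unreadable file counts as a mismatch.
cert_matches_key() {
    c=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null)
    k=$(openssl rsa  -noout -modulus -in "$2" 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# cert_days_left <cert.pem>
# Prints whole days until notAfter; negative once the certificate has expired.
cert_days_left() {
    end=$(openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//')
    end_epoch=$(date -d "$end" +%s)      # GNU date parses "Jul 11 09:00:00 2016 GMT"
    now_epoch=$(date +%s)
    echo $(( (end_epoch - now_epoch) / 86400 ))
}

# chain_issued_cert <cert.pem> <chain.pem>
# Succeeds when the certificate's issuer name equals the subject name of the
# first certificate in chain.pem, i.e. the two files belong together.
chain_issued_cert() {
    issuer=$(openssl x509 -noout -issuer  -in "$1" 2>/dev/null | sed 's/^issuer=//')
    subject=$(openssl x509 -noout -subject -in "$2" 2>/dev/null | sed 's/^subject=//')
    [ -n "$issuer" ] && [ "$issuer" = "$subject" ]
}

main() {
    d="$LIVE_ROOT/$1"
    cert_matches_key "$d/cert.pem" "$d/privkey.pem" \
        || { echo "cert.pem and privkey.pem do not match" >&2; return 1; }
    chain_issued_cert "$d/cert.pem" "$d/chain.pem" \
        || { echo "chain.pem is not the issuer of cert.pem" >&2; return 1; }
    echo "OK: key matches certificate, chain fits, $(cert_days_left "$d/cert.pem") days until expiry"
}

if [ $# -eq 1 ]; then main "$1"; fi
```

Run it as root (privkey.pem is not world-readable): sh check_le_files.sh domain-name. The modulus comparison is the same check mod_ssl performs at startup, so doing it here catches a wrong path in the Apache config before a restart takes the site down.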

  • Wiring it into Apache

Point the SSL VirtualHost (on CentOS, /etc/httpd/conf.d/ssl.conf) at the files under live/. On httpd 2.4.8 or later the two lines below are enough, because from that version SSLCertificateFile may also carry the intermediate certificate:

SSLCertificateFile    /etc/letsencrypt/live/domain-name/fullchain.pem

SSLCertificateKeyFile /etc/letsencrypt/live/domain-name/privkey.pem

CentOS 6.7 ships httpd 2.2.x, which reads only the first certificate from SSLCertificateFile and ignores the rest of fullchain.pem. The server then sends the leaf alone, and clients that do not already have the Let's Encrypt intermediate (and cannot fetch it themselves) fail the chain check. On 2.2 use cert.pem and hand the intermediate over separately:

SSLCertificateFile      /etc/letsencrypt/live/domain-name/cert.pem
SSLCertificateKeyFile   /etc/letsencrypt/live/domain-name/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/domain-name/chain.pem

Check with service httpd configtest, then service httpd restart. The live/ symlinks are repointed on every renewal, so httpd needs a restart (or reload) afterwards to pick the new certificate up.
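The client's closing message says to "simply run Let's Encrypt again", and with a 90-day lifetime that has to happen unattended. The script below is an added example, not part of the original post or of the letsencrypt client. It assumes the paths used on this page (/opt/letsencrypt/letsencrypt-auto and /etc/letsencrypt/live/<domain>/), that renew reuses the standalone authenticator recorded at issuance and therefore needs port 80/443 free, and CentOS 6's SysV service command. It stops httpd only on days when a certificate is actually close to expiry, and after a renewal checks from the outside that httpd really sends the intermediate, which is the failure mode of the 2.2 configuration discussed above.

```shell
#!/bin/sh
# renew_le.sh <domain>
# Added example (not from the original post or the letsencrypt client): a
# daily cron job for the standalone setup described on this page.
# Assumed paths, as shown above:
#   /opt/letsencrypt/letsencrypt-auto  and  /etc/letsencrypt/live/<domain>/cert.pem
# `renew` reuses the standalone authenticator recorded at issuance, which must
# bind port 80/443 itself, so httpd is stopped only when a certificate is
# actually close to expiry.  CentOS 6 manages httpd with SysV `service`.

LE=/opt/letsencrypt/letsencrypt-auto
LIVE_ROOT=/etc/letsencrypt/live
RENEW_WITHIN_DAYS=30

# days_from_enddate "<notAfter value from openssl>" [now_epoch]
# Whole days from now until the expiry; GNU date parses openssl's
# "Jul 11 09:00:00 2016 GMT" form.  now_epoch can be overridden for testing.
days_from_enddate() {
    end_epoch=$(date -d "$1" +%s)
    now_epoch=${2:-$(date +%s)}
    echo $(( (end_epoch - now_epoch) / 86400 ))
}

# any_cert_due: succeeds when at least one live certificate expires within
# RENEW_WITHIN_DAYS (Let's Encrypt certificates are valid for 90 days).
any_cert_due() {
    for c in "$LIVE_ROOT"/*/cert.pem; do
        [ -f "$c" ] || continue
        end=$(openssl x509 -noout -enddate -in "$c" | sed 's/^notAfter=//')
        if [ "$(days_from_enddate "$end")" -le "$RENEW_WITHIN_DAYS" ]; then
            return 0
        fi
    done
    return 1
}

# served_chain_length "<output of openssl s_client -showcerts>"
# Number of certificates the server actually sent.  With httpd 2.2 it must be
# at least 2 (leaf plus intermediate); a lone leaf means SSLCertificateChainFile
# is missing and clients without the intermediate will reject the connection.
served_chain_length() {
    printf '%s\n' "$1" | grep -c -- '-----BEGIN CERTIFICATE-----'
}

# renew_and_restart: free the ports, renew, bring httpd back whatever happened.
renew_and_restart() {
    service httpd stop
    "$LE" renew
    rc=$?
    service httpd start
    return $rc
}

main() {
    domain=$1
    any_cert_due || { echo "no certificate due within $RENEW_WITHIN_DAYS days"; return 0; }
    renew_and_restart || { echo "renewal failed, httpd restarted with the old certificate" >&2; return 1; }
    out=$(echo | openssl s_client -connect "$domain:443" -servername "$domain" -showcerts 2>/dev/null)
    n=$(served_chain_length "$out")
    [ "$n" -ge 2 ] || { echo "httpd serves $n certificate(s): intermediate missing" >&2; return 1; }
    echo "renewed; httpd serves a chain of $n certificates"
}

if [ $# -eq 1 ]; then main "$1"; fi
```

A crontab entry such as 0 3 * * * /root/renew_le.sh domain-name >> /var/log/renew_le.log 2>&1 runs it nightly as root. Because httpd is restarted in any case after the renewal attempt, the live/ symlinks that renew repoints are picked up immediately; if the served-chain check fails, the certificate was renewed but the 2.2 VirtualHost is still missing SSLCertificateChainFile.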