Using a Let's Encrypt SSL certificate with CentOS 7 + Nginx

Posted at 2022-07-04

1. Environment and prerequisites

The environment and prerequisites are as follows.

1.1 Environment

Server: Sakura Internet VPS
OS: CentOS Linux release 7.9.2009 (Core)

CentOS 7 reached end of life on 2024-06-30; after that date neither the base repositories nor EPEL 7 receive security updates, which includes the Python 2 based certbot 1.11.0 package installed below. The steps are recorded as they were run on this environment.

1.2 Prerequisites

・The domain has been registered and its forward (A) record has been set
・Nginx is installed and a document root is configured for the domain

2. Preliminary check

Before creating the SSL certificate, confirm that forward resolution of the domain works. Let's Encrypt validates HTTP-01 challenges by connecting to the address in the domain's A record, so that record must point at this server.

Install the host command with yum (run as root or via sudo)

[hoge@hogehoge ~]$ yum -y install bind-utils

Confirm with the host command that the name resolves to this server's IP address

[hoge@hogehoge ~]$ host www.hogehoge.com
www.hogehoge.com has address xxx.xxx.xxx.xxx

3. Obtaining a server certificate from Let's Encrypt

3.1 Installing the EPEL repository

The client used to obtain certificates from Let's Encrypt is "certbot".
certbot is not included in the CentOS base repositories, so the EPEL repository has to be enabled first (on CentOS 7 the epel-release package is in the extras repository: yum -y install epel-release).

After installing EPEL, confirm the package is present
[hoge@hogehoge ~]$ yum list installed | grep epel
Repodata is over 2 weeks old. Install yum-cron? Or run: yum makecache fast
epel-release.noarch                    7-13                             @epel
libzstd.x86_64                         1.4.7-1.el7                      @epel
nginx.x86_64                           1:1.16.1-3.el7                   @epel
nginx-all-modules.noarch               1:1.16.1-3.el7                   @epel
nginx-filesystem.noarch                1:1.16.1-3.el7                   @epel
nginx-mod-http-image-filter.x86_64     1:1.16.1-3.el7                   @epel
nginx-mod-http-perl.x86_64             1:1.16.1-3.el7                   @epel
nginx-mod-http-xslt-filter.x86_64      1:1.16.1-3.el7                   @epel
nginx-mod-mail.x86_64                  1:1.16.1-3.el7                   @epel
nginx-mod-stream.x86_64                1:1.16.1-3.el7                   @epel
openssl11-libs.x86_64                  1:1.1.1g-2.el7                   @epel
snap-confine.x86_64                    2.49-1.el7                       @epel
snapd.x86_64                           2.49-1.el7                       @epel
snapd-selinux.noarch                   2.49-1.el7                       @epel
squashfuse.x86_64                      0.1.102-1.el7                    @epel
squashfuse-libs.x86_64                 0.1.102-1.el7                    @epel
Confirm that epel appears in the repository list
[hoge@hogehoge ~]$ yum repolist
Loaded plugins: fastestmirror, langpacks
Repodata is over 2 weeks old. Install yum-cron? Or run: yum makecache fast
Loading mirror speeds from cached hostfile
 * base: ftp.iij.ad.jp
 * epel: d2lzkl7pfhq30w.cloudfront.net
 * extras: ftp.iij.ad.jp
 * updates: ftp.iij.ad.jp
repo id                                          repo name                                                                     status
!base/7/x86_64                                   CentOS-7 - Base                                                               10,072
!epel/x86_64                                     Extra Packages for Enterprise Linux 7 - x86_64                                13,545
!extras/7/x86_64                                 CentOS-7 - Extras                                                                453
!updates/7/x86_64                                CentOS-7 - Updates                                                             1,729
repolist: 25,799

3.2 Installing the certbot package

Confirm that the certbot package exists in the enabled repositories
[hoge@hogehoge ~]$  yum search certbot
Loaded plugins: fastestmirror, langpacks
Repodata is over 2 weeks old. Install yum-cron? Or run: yum makecache fast
Loading mirror speeds from cached hostfile
 * base: ftp.iij.ad.jp
 * epel: d2lzkl7pfhq30w.cloudfront.net
 * extras: ftp.iij.ad.jp
 * updates: ftp.iij.ad.jp
======================================================= N/S matched: certbot ========================================================
python2-certbot.noarch : Python 2 libraries used by certbot
python2-certbot-apache.noarch : The apache plugin for certbot
python2-certbot-dns-cloudflare.noarch : Cloudflare DNS Authenticator plugin for Certbot
python2-certbot-dns-cloudxns.noarch : CloudXNS DNS Authenticator plugin for Certbot
python2-certbot-dns-digitalocean.noarch : DigitalOcean DNS Authenticator plugin for Certbot
python2-certbot-dns-dnsimple.noarch : DNSimple DNS Authenticator plugin for Certbot
python2-certbot-dns-dnsmadeeasy.noarch : DNS Made Easy DNS Authenticator plugin for Certbot
python2-certbot-dns-gehirn.noarch : Gehirn Infrastructure Service DNS Authenticator plugin for Certbot
python2-certbot-dns-google.noarch : Google Cloud DNS Authenticator plugin for Certbot
python2-certbot-dns-linode.noarch : Linode DNS Authenticator plugin for Certbot
python2-certbot-dns-luadns.noarch : LuaDNS Authenticator plugin for Certbot
python2-certbot-dns-nsone.noarch : NS1 DNS Authenticator plugin for Certbot
python2-certbot-dns-ovh.noarch : OVH DNS Authenticator plugin for Certbot
python2-certbot-dns-rfc2136.noarch : RFC 2136 DNS Authenticator plugin for Certbot
python2-certbot-dns-route53.noarch : Route53 DNS Authenticator plugin for Certbot
python2-certbot-dns-sakuracloud.noarch : Sakura Cloud DNS Authenticator plugin for Certbot
python2-certbot-nginx.noarch : The nginx plugin for certbot
certbot.noarch : A free, automated certificate authority client

  Name and summary matches only, use "search all" for everything.
Install the certbot package (as root)
[root@hogehoge ~]# yum -y install certbot
Loaded plugins: fastestmirror, langpacks
Determining fastest mirrors
epel/x86_64/metalink                                                                                          | 9.9 kB  00:00:00
 * base: ftp.iij.ad.jp
 * epel: ftp.iij.ad.jp
 * extras: ftp.iij.ad.jp
 * updates: ftp.iij.ad.jp
base                                                                                                          | 3.6 kB  00:00:00
epel                                                                                                          | 4.7 kB  00:00:00
extras                                                                                                        | 2.9 kB  00:00:00
updates                                                                                                       | 2.9 kB  00:00:00
(1/5): epel/x86_64/group_gz                                                                                   |  96 kB  00:00:00
(2/5): epel/x86_64/updateinfo                                                                                 | 1.1 MB  00:00:00
(3/5): extras/7/x86_64/primary_db                                                                             | 247 kB  00:00:00
(4/5): epel/x86_64/primary_db                                                                                 | 7.0 MB  00:00:01
(5/5): updates/7/x86_64/primary_db                                                                            |  16 MB  00:00:02
Resolving Dependencies
--> Running transaction check
---> Package certbot.noarch 0:1.11.0-2.el7 will be installed
--> Processing Dependency: python2-certbot = 1.11.0-2.el7 for package: certbot-1.11.0-2.el7.noarch
--> Running transaction check
---> Package python2-certbot.noarch 0:1.11.0-2.el7 will be installed
--> Processing Dependency: python-parsedatetime >= 1.3 for package: python2-certbot-1.11.0-2.el7.noarch
--> Processing Dependency: python2-acme >= 1.8.0 for package: python2-certbot-1.11.0-2.el7.noarch
--> Processing Dependency: python2-configargparse >= 0.9.3 for package: python2-certbot-1.11.0-2.el7.noarch
--> Processing Dependency: python2-cryptography >= 1.2.3 for package: python2-certbot-1.11.0-2.el7.noarch
--> Processing Dependency: python2-distro >= 1.0.1 for package: python2-certbot-1.11.0-2.el7.noarch
--> Processing Dependency: python2-josepy >= 1.1.0 for package: python2-certbot-1.11.0-2.el7.noarch
--> Processing Dependency: python-setuptools for package: python2-certbot-1.11.0-2.el7.noarch
--> Processing Dependency: python-zope-component for package: python2-certbot-1.11.0-2.el7.noarch
--> Processing Dependency: python-zope-interface for package: python2-certbot-1.11.0-2.el7.noarch
--> Processing Dependency: python2-mock for package: python2-certbot-1.11.0-2.el7.noarch
--> Processing Dependency: python2-pyrfc3339 for package: python2-certbot-1.11.0-2.el7.noarch
--> Processing Dependency: pytz for package: python2-certbot-1.11.0-2.el7.noarch
--> Running transaction check
---> Package python-setuptools.noarch 0:0.9.8-7.el7 will be installed
--> Processing Dependency: python-backports-ssl_match_hostname for package: python-setuptools-0.9.8-7.el7.noarch
---> Package python-zope-component.noarch 1:4.1.0-5.el7 will be installed
--> Processing Dependency: python-zope-event for package: 1:python-zope-component-4.1.0-5.el7.noarch
---> Package python-zope-interface.x86_64 0:4.0.5-4.el7 will be installed
---> Package python2-acme.noarch 0:1.11.0-1.el7 will be installed
--> Processing Dependency: pyOpenSSL >= 0.13.1 for package: python2-acme-1.11.0-1.el7.noarch
--> Processing Dependency: python2-requests >= 2.6.0 for package: python2-acme-1.11.0-1.el7.noarch
--> Processing Dependency: python-ndg_httpsclient for package: python2-acme-1.11.0-1.el7.noarch
--> Processing Dependency: python-requests-toolbelt for package: python2-acme-1.11.0-1.el7.noarch
--> Processing Dependency: python2-pyasn1 for package: python2-acme-1.11.0-1.el7.noarch
--> Processing Dependency: python2-six for package: python2-acme-1.11.0-1.el7.noarch
---> Package python2-configargparse.noarch 0:0.11.0-2.el7 will be installed
---> Package python2-cryptography.x86_64 0:1.7.2-2.el7 will be installed
--> Processing Dependency: python-idna >= 2.0 for package: python2-cryptography-1.7.2-2.el7.x86_64
--> Processing Dependency: python-cffi >= 1.4.1 for package: python2-cryptography-1.7.2-2.el7.x86_64
--> Processing Dependency: python-ipaddress for package: python2-cryptography-1.7.2-2.el7.x86_64
--> Processing Dependency: python-enum34 for package: python2-cryptography-1.7.2-2.el7.x86_64
---> Package python2-distro.noarch 0:1.5.0-1.el7 will be installed
---> Package python2-josepy.noarch 0:1.3.0-2.el7 will be installed
---> Package python2-mock.noarch 0:1.0.1-10.el7 will be installed
---> Package python2-parsedatetime.noarch 0:2.4-6.el7 will be installed
--> Processing Dependency: python2-future for package: python2-parsedatetime-2.4-6.el7.noarch
---> Package python2-pyrfc3339.noarch 0:1.1-3.el7 will be installed
---> Package pytz.noarch 0:2016.10-2.el7 will be installed
--> Running transaction check
---> Package pyOpenSSL.x86_64 0:0.13.1-4.el7 will be installed
---> Package python-backports-ssl_match_hostname.noarch 0:3.5.0.1-1.el7 will be installed
--> Processing Dependency: python-backports for package: python-backports-ssl_match_hostname-3.5.0.1-1.el7.noarch
---> Package python-cffi.x86_64 0:1.6.0-5.el7 will be installed
--> Processing Dependency: python-pycparser for package: python-cffi-1.6.0-5.el7.x86_64
---> Package python-enum34.noarch 0:1.0.4-1.el7 will be installed
---> Package python-idna.noarch 0:2.4-1.el7 will be installed
---> Package python-ipaddress.noarch 0:1.0.16-2.el7 will be installed
---> Package python-ndg_httpsclient.noarch 0:0.3.2-1.el7 will be installed
---> Package python-requests.noarch 0:2.6.0-10.el7 will be installed
--> Processing Dependency: python-urllib3 >= 1.10.2-1 for package: python-requests-2.6.0-10.el7.noarch
---> Package python-requests-toolbelt.noarch 0:0.8.0-3.el7 will be installed
---> Package python-zope-event.noarch 0:4.0.3-2.el7 will be installed
---> Package python2-future.noarch 0:0.18.2-2.el7 will be installed
---> Package python2-pyasn1.noarch 0:0.1.9-7.el7 will be installed
---> Package python2-six.noarch 0:1.9.0-0.el7 will be installed
--> Running transaction check
---> Package python-backports.x86_64 0:1.0-8.el7 will be installed
---> Package python-pycparser.noarch 0:2.14-1.el7 will be installed
--> Processing Dependency: python-ply for package: python-pycparser-2.14-1.el7.noarch
---> Package python-urllib3.noarch 0:1.10.2-7.el7 will be installed
--> Running transaction check
---> Package python-ply.noarch 0:3.4-11.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

=====================================================================================================================================
 Package                                             Arch                   Version                       Repository            Size
=====================================================================================================================================
Installing:
 certbot                                             noarch                 1.11.0-2.el7                  epel                  47 k
Installing for dependencies:
 pyOpenSSL                                           x86_64                 0.13.1-4.el7                  base                 135 k
 python-backports                                    x86_64                 1.0-8.el7                     base                 5.8 k
 python-backports-ssl_match_hostname                 noarch                 3.5.0.1-1.el7                 base                  13 k
 python-cffi                                         x86_64                 1.6.0-5.el7                   base                 218 k
 python-enum34                                       noarch                 1.0.4-1.el7                   base                  52 k
 python-idna                                         noarch                 2.4-1.el7                     base                  94 k
 python-ipaddress                                    noarch                 1.0.16-2.el7                  base                  34 k
 python-ndg_httpsclient                              noarch                 0.3.2-1.el7                   epel                  43 k
 python-ply                                          noarch                 3.4-11.el7                    base                 123 k
 python-pycparser                                    noarch                 2.14-1.el7                    base                 104 k
 python-requests                                     noarch                 2.6.0-10.el7                  base                  95 k
 python-requests-toolbelt                            noarch                 0.8.0-3.el7                   epel                  78 k
 python-setuptools                                   noarch                 0.9.8-7.el7                   base                 397 k
 python-urllib3                                      noarch                 1.10.2-7.el7                  base                 103 k
 python-zope-component                               noarch                 1:4.1.0-5.el7                 epel                 228 k
 python-zope-event                                   noarch                 4.0.3-2.el7                   epel                  79 k
 python-zope-interface                               x86_64                 4.0.5-4.el7                   base                 138 k
 python2-acme                                        noarch                 1.11.0-1.el7                  epel                  83 k
 python2-certbot                                     noarch                 1.11.0-2.el7                  epel                 386 k
 python2-configargparse                              noarch                 0.11.0-2.el7                  epel                  31 k
 python2-cryptography                                x86_64                 1.7.2-2.el7                   base                 502 k
 python2-distro                                      noarch                 1.5.0-1.el7                   epel                  33 k
 python2-future                                      noarch                 0.18.2-2.el7                  epel                 806 k
 python2-josepy                                      noarch                 1.3.0-2.el7                   epel                  89 k
 python2-mock                                        noarch                 1.0.1-10.el7                  epel                  92 k
 python2-parsedatetime                               noarch                 2.4-6.el7                     epel                  78 k
 python2-pyasn1                                      noarch                 0.1.9-7.el7                   base                 100 k
 python2-pyrfc3339                                   noarch                 1.1-3.el7                     epel                  16 k
 python2-six                                         noarch                 1.9.0-0.el7                   epel                 2.9 k
 pytz                                                noarch                 2016.10-2.el7                 base                  46 k

Transaction Summary
=====================================================================================================================================
Install  1 Package (+30 Dependent packages)

Total download size: 4.1 M
Installed size: 19 M
Downloading packages:
(1/31): python-backports-1.0-8.el7.x86_64.rpm                                                                 | 5.8 kB  00:00:00
(2/31): python-backports-ssl_match_hostname-3.5.0.1-1.el7.noarch.rpm                                          |  13 kB  00:00:00
(3/31): certbot-1.11.0-2.el7.noarch.rpm                                                                       |  47 kB  00:00:00
(4/31): pyOpenSSL-0.13.1-4.el7.x86_64.rpm                                                                     | 135 kB  00:00:00
(5/31): python-enum34-1.0.4-1.el7.noarch.rpm                                                                  |  52 kB  00:00:00
(6/31): python-cffi-1.6.0-5.el7.x86_64.rpm                                                                    | 218 kB  00:00:00
(7/31): python-idna-2.4-1.el7.noarch.rpm                                                                      |  94 kB  00:00:00
(8/31): python-ipaddress-1.0.16-2.el7.noarch.rpm                                                              |  34 kB  00:00:00
(9/31): python-ply-3.4-11.el7.noarch.rpm                                                                      | 123 kB  00:00:00
(10/31): python-pycparser-2.14-1.el7.noarch.rpm                                                               | 104 kB  00:00:00
(11/31): python-requests-2.6.0-10.el7.noarch.rpm                                                              |  95 kB  00:00:00
(12/31): python-ndg_httpsclient-0.3.2-1.el7.noarch.rpm                                                        |  43 kB  00:00:00
(13/31): python-requests-toolbelt-0.8.0-3.el7.noarch.rpm                                                      |  78 kB  00:00:00
(14/31): python-zope-component-4.1.0-5.el7.noarch.rpm                                                         | 228 kB  00:00:00
(15/31): python-urllib3-1.10.2-7.el7.noarch.rpm                                                               | 103 kB  00:00:00
(16/31): python-zope-event-4.0.3-2.el7.noarch.rpm                                                             |  79 kB  00:00:00
(17/31): python-zope-interface-4.0.5-4.el7.x86_64.rpm                                                         | 138 kB  00:00:00
(18/31): python2-acme-1.11.0-1.el7.noarch.rpm                                                                 |  83 kB  00:00:00
(19/31): python-setuptools-0.9.8-7.el7.noarch.rpm                                                             | 397 kB  00:00:00
(20/31): python2-certbot-1.11.0-2.el7.noarch.rpm                                                              | 386 kB  00:00:00
(21/31): python2-configargparse-0.11.0-2.el7.noarch.rpm                                                       |  31 kB  00:00:00
(22/31): python2-distro-1.5.0-1.el7.noarch.rpm                                                                |  33 kB  00:00:00
(23/31): python2-future-0.18.2-2.el7.noarch.rpm                                                               | 806 kB  00:00:00
(24/31): python2-josepy-1.3.0-2.el7.noarch.rpm                                                                |  89 kB  00:00:00
(25/31): python2-cryptography-1.7.2-2.el7.x86_64.rpm                                                          | 502 kB  00:00:00
(26/31): python2-mock-1.0.1-10.el7.noarch.rpm                                                                 |  92 kB  00:00:00
(27/31): python2-parsedatetime-2.4-6.el7.noarch.rpm                                                           |  78 kB  00:00:00
(28/31): python2-pyrfc3339-1.1-3.el7.noarch.rpm                                                               |  16 kB  00:00:00
(29/31): python2-six-1.9.0-0.el7.noarch.rpm                                                                   | 2.9 kB  00:00:00
(30/31): python2-pyasn1-0.1.9-7.el7.noarch.rpm                                                                | 100 kB  00:00:00
(31/31): pytz-2016.10-2.el7.noarch.rpm                                                                        |  46 kB  00:00:00
-------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                3.4 MB/s | 4.1 MB  00:00:01
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : python2-pyasn1-0.1.9-7.el7.noarch                                                                                1/31
  Installing : pyOpenSSL-0.13.1-4.el7.x86_64                                                                                    2/31
  Installing : python-ipaddress-1.0.16-2.el7.noarch                                                                             3/31
  Installing : python2-pyrfc3339-1.1-3.el7.noarch                                                                               4/31
  Installing : python-zope-interface-4.0.5-4.el7.x86_64                                                                         5/31
  Installing : pytz-2016.10-2.el7.noarch                                                                                        6/31
  Installing : python2-six-1.9.0-0.el7.noarch                                                                                   7/31
  Installing : python2-future-0.18.2-2.el7.noarch                                                                               8/31
  Installing : python2-parsedatetime-2.4-6.el7.noarch                                                                           9/31
  Installing : python-zope-event-4.0.3-2.el7.noarch                                                                            10/31
  Installing : 1:python-zope-component-4.1.0-5.el7.noarch                                                                      11/31
  Installing : python2-mock-1.0.1-10.el7.noarch                                                                                12/31
  Installing : python-backports-1.0-8.el7.x86_64                                                                               13/31
  Installing : python-backports-ssl_match_hostname-3.5.0.1-1.el7.noarch                                                        14/31
  Installing : python-setuptools-0.9.8-7.el7.noarch                                                                            15/31
  Installing : python-ndg_httpsclient-0.3.2-1.el7.noarch                                                                       16/31
  Installing : python-urllib3-1.10.2-7.el7.noarch                                                                              17/31
  Installing : python-requests-2.6.0-10.el7.noarch                                                                             18/31
  Installing : python-requests-toolbelt-0.8.0-3.el7.noarch                                                                     19/31
  Installing : python-ply-3.4-11.el7.noarch                                                                                    20/31
  Installing : python-pycparser-2.14-1.el7.noarch                                                                              21/31
  Installing : python-cffi-1.6.0-5.el7.x86_64                                                                                  22/31
  Installing : python2-distro-1.5.0-1.el7.noarch                                                                               23/31
  Installing : python2-configargparse-0.11.0-2.el7.noarch                                                                      24/31
  Installing : python-enum34-1.0.4-1.el7.noarch                                                                                25/31
  Installing : python-idna-2.4-1.el7.noarch                                                                                    26/31
  Installing : python2-cryptography-1.7.2-2.el7.x86_64                                                                         27/31
  Installing : python2-josepy-1.3.0-2.el7.noarch                                                                               28/31
  Installing : python2-acme-1.11.0-1.el7.noarch                                                                                29/31
  Installing : python2-certbot-1.11.0-2.el7.noarch                                                                             30/31
  Installing : certbot-1.11.0-2.el7.noarch                                                                                     31/31
  Verifying  : python-idna-2.4-1.el7.noarch                                                                                     1/31
  Verifying  : python-backports-ssl_match_hostname-3.5.0.1-1.el7.noarch                                                         2/31
  Verifying  : python2-six-1.9.0-0.el7.noarch                                                                                   3/31
  Verifying  : pytz-2016.10-2.el7.noarch                                                                                        4/31
  Verifying  : python-ndg_httpsclient-0.3.2-1.el7.noarch                                                                        5/31
  Verifying  : python-enum34-1.0.4-1.el7.noarch                                                                                 6/31
  Verifying  : 1:python-zope-component-4.1.0-5.el7.noarch                                                                       7/31
  Verifying  : python-setuptools-0.9.8-7.el7.noarch                                                                             8/31
  Verifying  : python-ipaddress-1.0.16-2.el7.noarch                                                                             9/31
  Verifying  : python-requests-toolbelt-0.8.0-3.el7.noarch                                                                     10/31
  Verifying  : python2-configargparse-0.11.0-2.el7.noarch                                                                      11/31
  Verifying  : certbot-1.11.0-2.el7.noarch                                                                                     12/31
  Verifying  : python-zope-interface-4.0.5-4.el7.x86_64                                                                        13/31
  Verifying  : python2-distro-1.5.0-1.el7.noarch                                                                               14/31
  Verifying  : python2-josepy-1.3.0-2.el7.noarch                                                                               15/31
  Verifying  : python-ply-3.4-11.el7.noarch                                                                                    16/31
  Verifying  : python-urllib3-1.10.2-7.el7.noarch                                                                              17/31
  Verifying  : python-backports-1.0-8.el7.x86_64                                                                               18/31
  Verifying  : python2-acme-1.11.0-1.el7.noarch                                                                                19/31
  Verifying  : python2-certbot-1.11.0-2.el7.noarch                                                                             20/31
  Verifying  : pyOpenSSL-0.13.1-4.el7.x86_64                                                                                   21/31
  Verifying  : python-cffi-1.6.0-5.el7.x86_64                                                                                  22/31
  Verifying  : python2-mock-1.0.1-10.el7.noarch                                                                                23/31
  Verifying  : python-pycparser-2.14-1.el7.noarch                                                                              24/31
  Verifying  : python-requests-2.6.0-10.el7.noarch                                                                             25/31
  Verifying  : python-zope-event-4.0.3-2.el7.noarch                                                                            26/31
  Verifying  : python2-pyrfc3339-1.1-3.el7.noarch                                                                              27/31
  Verifying  : python2-pyasn1-0.1.9-7.el7.noarch                                                                               28/31
  Verifying  : python2-future-0.18.2-2.el7.noarch                                                                              29/31
  Verifying  : python2-parsedatetime-2.4-6.el7.noarch                                                                          30/31
  Verifying  : python2-cryptography-1.7.2-2.el7.x86_64                                                                         31/31

Installed:
  certbot.noarch 0:1.11.0-2.el7

Dependency Installed:
  pyOpenSSL.x86_64 0:0.13.1-4.el7                                         python-backports.x86_64 0:1.0-8.el7
  python-backports-ssl_match_hostname.noarch 0:3.5.0.1-1.el7              python-cffi.x86_64 0:1.6.0-5.el7
  python-enum34.noarch 0:1.0.4-1.el7                                      python-idna.noarch 0:2.4-1.el7
  python-ipaddress.noarch 0:1.0.16-2.el7                                  python-ndg_httpsclient.noarch 0:0.3.2-1.el7
  python-ply.noarch 0:3.4-11.el7                                          python-pycparser.noarch 0:2.14-1.el7
  python-requests.noarch 0:2.6.0-10.el7                                   python-requests-toolbelt.noarch 0:0.8.0-3.el7
  python-setuptools.noarch 0:0.9.8-7.el7                                  python-urllib3.noarch 0:1.10.2-7.el7
  python-zope-component.noarch 1:4.1.0-5.el7                              python-zope-event.noarch 0:4.0.3-2.el7
  python-zope-interface.x86_64 0:4.0.5-4.el7                              python2-acme.noarch 0:1.11.0-1.el7
  python2-certbot.noarch 0:1.11.0-2.el7                                   python2-configargparse.noarch 0:0.11.0-2.el7
  python2-cryptography.x86_64 0:1.7.2-2.el7                               python2-distro.noarch 0:1.5.0-1.el7
  python2-future.noarch 0:0.18.2-2.el7                                    python2-josepy.noarch 0:1.3.0-2.el7
  python2-mock.noarch 0:1.0.1-10.el7                                      python2-parsedatetime.noarch 0:2.4-6.el7
  python2-pyasn1.noarch 0:0.1.9-7.el7                                     python2-pyrfc3339.noarch 0:1.1-3.el7
  python2-six.noarch 0:1.9.0-0.el7                                        pytz.noarch 0:2016.10-2.el7

Complete!
[root@hogehoge ~]#
Confirm that certbot is installed
[root@hogehoge ~]# yum list installed  | grep certbot
certbot.noarch                           1.11.0-2.el7                   @epel
python2-certbot.noarch                   1.11.0-2.el7                   @epel
Check the path certbot was installed to
[root@hogehoge ~]# which certbot
/bin/certbot
The certbot files in /bin (on CentOS 7, /bin is a symlink to /usr/bin, so the same files appear under both paths; the letsencrypt name is kept as a compatibility alias)
[root@hogehoge ~]# ls -la /bin/ | grep certbot
lrwxrwxrwx    1 root root          18 Jun 30 14:14 certbot -> /usr/bin/certbot-2
-rwxr-xr-x    1 root root         305 Oct  8  2021 certbot-2
lrwxrwxrwx    1 root root          16 Jun 30 14:14 letsencrypt -> /usr/bin/certbot

3.3 Creating the SSL certificate

Run the certificate creation command. With the webroot authenticator (--webroot -w), certbot writes a challenge file under <webroot>/.well-known/acme-challenge/ and Let's Encrypt fetches it over plain HTTP on port 80, so Nginx must already be serving that document root for the domain.
[root@hogehoge ~]# certbot certonly --webroot -w /home/www/www.hogehoge.com/ -d /home/www/www.hogehoge.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): romio_y_jurietta@hotmail.com
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Account registered.
Requesting a certificate for /home/www/www.hogehoge.com
An unexpected error occurred:
The server will not issue certificates for the identifier :: Error creating new order :: Cannot issue for "/home/www/www.hogehoge.com": Domain name contains an invalid character
Please see the logfiles in /var/log/letsencrypt for more details.
An error occurs
Error: urn:ietf:params:acme:error:rejectedIdentifier :: The server will not issue certificates for the identifier :: Error creating n
ew order :: Cannot issue for "/home/www/www.hogehoge.com": Domain name contains an invalid character
2022-06-30 14:17:52,742:ERROR:certbot._internal.log:An unexpected error occurred:
2022-06-30 14:17:52,742:ERROR:certbot._internal.log:The server will not issue certificates for the identifier :: Error creating new o
rder :: Cannot issue for "/home/www/www.hogehoge.com": Domain name contains an invalid character
The -d argument had been given as a directory path instead of the domain name, so run the command again → success
[root@hogehoge www.hogehoge.com]# certbot certonly --webroot -w /home/www/www.hogehoge.com/ -d www.hogehoge.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Requesting a certificate for www.hogehoge.com
Performing the following challenges:
http-01 challenge for www.hogehoge.com
Using the webroot path /home/www/www.hogehoge.com for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/www.hogehoge.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/www.hogehoge.com/privkey.pem
   Your certificate will expire on 2022-09-28. To obtain a new or
   tweaked version of this certificate in the future, simply run
   certbot again. To non-interactively renew *all* of your
   certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
Check the created certificate
[root@hogehoge www.hogehoge.com]# cd /etc/letsencrypt/live/www.hogehoge.com
[root@hogehoge www.hogehoge.com]# ls -la
total 12
drwxr-xr-x 2 root root 4096 Jun 30 16:55 .
drwx------ 3 root root 4096 Jun 30 16:55 ..
lrwxrwxrwx 1 root root   45 Jun 30 16:55 cert.pem -> ../../archive/www.hogehoge.com/cert1.pem
lrwxrwxrwx 1 root root   46 Jun 30 16:55 chain.pem -> ../../archive/www.hogehoge.com/chain1.pem
lrwxrwxrwx 1 root root   50 Jun 30 16:55 fullchain.pem -> ../../archive/www.hogehoge.com/fullchain1.pem /used by nginx
lrwxrwxrwx 1 root root   48 Jun 30 16:55 privkey.pem -> ../../archive/www.hogehoge.com/privkey1.pem /used by nginx
-rw-r--r-- 1 root root  692 Jun 30 16:55 README
[root@hogehoge www.hogehoge.com]# more README
This directory contains your keys and certificates.

`privkey.pem`  : the private key for your certificate.
`fullchain.pem`: the certificate file used in most server software.
`chain.pem`    : used for OCSP stapling in Nginx >=1.3.7.
`cert.pem`     : will break many server configurations, and should not be used
                 without reading further documentation (see link below).

WARNING: DO NOT MOVE OR RENAME THESE FILES!
         Certbot expects these files to remain in this location in order
         to function properly!

We recommend not moving these files. For more information, see the Certbot
User Guide at https://certbot.eff.org/docs/using.html#where-are-my-certificates.
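The first certbot run above failed because the webroot path was passed to -d, and the ACME server rejected it as an identifier. The shell script that follows is an added example, not part of the original article or of certbot itself: it validates each -d value as a hostname, confirms the webroot directory exists, writes a probe file into the .well-known/acme-challenge directory that the http-01 validation will fetch from that webroot, and only then prints the certbot command line. The hostname pattern, the probe token and the function names are my own assumptions; the domain and webroot reuse the article's placeholders. The probe only shows that certbot can write the challenge file; whether nginx actually serves it on port 80 is a separate check.

```shell
#!/bin/bash
# Added example (not from the original article): pre-flight checks before
# "certbot certonly --webroot". Function names and the hostname pattern are assumptions.

# Return 0 if $1 looks like a hostname the ACME server will accept as an identifier.
# Lowercases first, then requires dot-separated labels of letters, digits and hyphens
# (no leading/trailing hyphen) and a 2..63 letter TLD; paths, wildcards and bare
# single labels are rejected. This is a constructed check, not certbot's own parser.
is_valid_fqdn() {
    local name
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    [ ${#name} -ge 1 ] && [ ${#name} -le 253 ] || return 1
    printf '%s\n' "$name" | grep -Eq '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$'
}

# Write a probe token into <webroot>/.well-known/acme-challenge and read it back,
# which is the path the http-01 validation fetches over HTTP. $1 = webroot.
probe_challenge_dir() {
    local dir token
    dir="$1/.well-known/acme-challenge"
    mkdir -p "$dir" || return 1
    token="preflight-$$"                       # constructed token, removed again below
    printf 'ok' > "$dir/$token" || return 1
    [ "$(cat "$dir/$token")" = "ok" ] || return 1
    rm -f "$dir/$token"
}

# Print the certbot command line only when the webroot and every identifier pass.
# $1 = webroot, remaining arguments = domain names for -d.
build_certbot_cmd() {
    local webroot="$1" d args
    shift
    for d in "$@"; do
        is_valid_fqdn "$d" || { echo "invalid identifier (not a hostname): $d" >&2; return 1; }
    done
    [ -d "$webroot" ] || { echo "webroot not found: $webroot" >&2; return 1; }
    args="certbot certonly --webroot -w $webroot"
    for d in "$@"; do args="$args -d $d"; done
    echo "$args"
}

# Stand-alone demo with a temporary webroot (constructed; a real run would use
# -w /home/www/www.hogehoge.com/ as in the article). The first identifier is the
# mistaken directory path from the failed run, the second is the correct one.
demo_root=$(mktemp -d)
for ident in /home/www/www.hogehoge.com www.hogehoge.com; do
    if cmd=$(build_certbot_cmd "$demo_root" "$ident"); then
        echo "would run: $cmd"
    fi
done
probe_challenge_dir "$demo_root" && echo "challenge directory is writable"
rm -rf "$demo_root"
```

Run it as root on the server with the real webroot in place of the temporary one; the printed command line is the one to execute, and a rejected identifier is reported before any ACME order is created.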

4 nginx configuration

4.1 Creating the dhparam file required when configuring SSL in nginx

Create the directory
[root@hogehoge nginx]# mkdir /etc/nginx/ssl
[root@hogehoge nginx]# ls
conf.d     fastcgi.conf          fastcgi_params          koi-utf  mime.types          nginx.conf          nginx.conf.org  scgi_params.default  sites-enabled  uwsgi_params          win-utf
default.d  fastcgi.conf.default  fastcgi_params.default  koi-win  mime.types.default  nginx.conf.default  scgi_params     sites-available      ssl            uwsgi_params.default
Create the file with the openssl command
[root@hogehoge nginx]# openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
.....................................+...................................................................................................................................................................................+...........................................................+....................+.........................................+.............................................................................................................................................................................................................+................................................................................................................................................................+...........................+....................................................................+.....................................................................................+.....................................................................+........................................................................................................................................................................................................................+.......................................................................................................................................................................................................................................................................+...................................................................................................................................................................................................+.....+......................+.....+.......................................................................................................................................................................................................................................................................................................................................
.......................................................................................+...................................+........................................................................+...........................................................................................................+.....................................................................................................................................................++*++*

4.2 nginx conf file configuration

conf file settings
[root@hogehoge sites-enabled]# pwd
/etc/nginx
[root@hogehoge nginx]# ls -la
total 100
-rw-r--r--   1 root root 2925 Feb 13  2021 nginx.conf
[root@hogehoge nginx]# vi nginx.conf
# Settings for a TLS enabled server.
#
    server {
        listen       443 ssl;
#        listen       [::]:443 ssl http2 default_server;
        server_name  hogehoge.com www.hogehoge.com;
#        root         /usr/share/nginx/html;
#
#        ssl_certificate "/etc/pki/nginx/server.crt";
#        ssl_certificate_key "/etc/pki/nginx/server.key";
        ssl_certificate /etc/letsencrypt/live/www.hogehoge.com/fullchain.pem;  /specifies the server certificate
        ssl_certificate_key /etc/letsencrypt/live/www.hogehoge.com/privkey.pem;  /specifies the key
        ssl_session_cache shared:SSL:50m;
        ssl_session_timeout  1d;
        ssl_session_tickets on;
        ssl_dhparam /etc/nginx/ssl/dhparam.pem;   /specifies the dhparam file
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
#
#        # Load configuration files for the default server block.
#        include /etc/nginx/default.d/*.conf;
#
location = /vmess/  {
            proxy_redirect off;
            proxy_pass http://127.0.0.1:16823;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $http_host;
        }
#        location / {
#        }
#
#        error_page 404 /404.html;
#        location = /404.html {
#        }
#
#        error_page 500 502 503 504 /50x.html;
#        location = /50x.html {
#        }
    }

}
Check the nginx status before the restart
[root@hogehoge nginx]# systemctl status nginx.service
 nginx.service - The nginx HTTP and reverse proxy server
   Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2021-03-22 17:25:28 CST; 1 years 3 months ago
 Main PID: 18626 (nginx)
   CGroup: /system.slice/nginx.service
           ├─18626 nginx: master process /usr/sbin/nginx
           └─18627 nginx: worker process

Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.
Restart nginx
[root@hogehoge nginx]# systemctl restart nginx.service
Check the nginx status after the restart
[root@hogehoge nginx]# systemctl status nginx.service
 nginx.service - The nginx HTTP and reverse proxy server
   Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2022-06-30 17:36:50 CST; 3s ago
  Process: 4828 ExecStart=/usr/sbin/nginx (code=exited, status=0/SUCCESS)
  Process: 4826 ExecStartPre=/usr/sbin/nginx -t (code=exited, status=0/SUCCESS)
  Process: 4825 ExecStartPre=/usr/bin/rm -f /run/nginx.pid (code=exited, status=0/SUCCESS)
 Main PID: 4831 (nginx)
   CGroup: /system.slice/nginx.service
           ├─4831 nginx: master process /usr/sbin/nginx
           └─4832 nginx: worker process

Jun 30 17:36:50 hogehoge systemd[1]: Starting The nginx HTTP and reverse proxy server...
Jun 30 17:36:50 hogehoge nginx[4826]: nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
Jun 30 17:36:50 hogehoge nginx[4826]: nginx: configuration file /etc/nginx/nginx.conf test is successful
Jun 30 17:36:50 hogehoge systemd[1]: Failed to parse PID from file /run/nginx.pid: Invalid argument
Jun 30 17:36:50 hogehoge systemd[1]: Started The nginx HTTP and reverse proxy server.
Check the listening ports
[root@hogehoge nginx]# netstat -antp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      4831/nginx: master
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      799/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1036/master
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      4831/nginx: master
tcp        0      0 133.125.50.166:22       119.252.143.6:42784     ESTABLISHED 4913/sshd: [accepte
tcp        0      0 133.125.50.166:22       103.85.179.82:62800     ESTABLISHED 32390/sshd: hiroshi
tcp        0      0 133.125.50.166:22       43.226.239.162:47380    ESTABLISHED 32456/sshd: hiroshi
tcp        0     36 133.125.50.166:22       103.85.179.82:55504     ESTABLISHED 1732/sshd: hoge
tcp6       0      0 :::80                   :::*                    LISTEN      4831/nginx: master
tcp6       0      0 :::16823                :::*                    LISTEN      5126/v2ray
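The server block in section 4.2 enables TLSv1 and TLSv1.1, which RFC 8996 deprecated, and leaves ssl_session_tickets on, which with nginx's default static ticket key weakens forward secrecy across restarts. The script below is an added example, not from the article or from nginx: it writes the article's TLS directives and a hardened replacement to temporary files and lints both for those two settings plus missing OCSP stapling and a missing Strict-Transport-Security header, so the same check can be pointed at /etc/nginx/nginx.conf before running systemctl restart. The hardened directive values are my assumptions (TLSv1.3 requires nginx built against OpenSSL 1.1.1, which the epel openssl11 package listed earlier suggests but does not guarantee); ssl_trusted_certificate uses the chain.pem that the certbot README above reserves for stapling.

```shell
#!/bin/bash
# Added example (not from the original article): lint nginx TLS directives for
# weak settings and show a hardened replacement. Hardened values are assumptions.

# The article's TLS directives, reproduced as the "before" case (constructed file).
write_weak_tls_conf() {
    cat > "$1" <<'EOF'
        ssl_certificate /etc/letsencrypt/live/www.hogehoge.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/www.hogehoge.com/privkey.pem;
        ssl_session_cache shared:SSL:50m;
        ssl_session_timeout  1d;
        ssl_session_tickets on;
        ssl_dhparam /etc/nginx/ssl/dhparam.pem;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
EOF
}

# Hardened replacement (assumed values): TLS 1.2/1.3 only, AEAD cipher suites,
# no static session tickets, OCSP stapling verified against chain.pem, and HSTS.
write_hardened_tls_conf() {
    cat > "$1" <<'EOF'
        ssl_certificate /etc/letsencrypt/live/www.hogehoge.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/www.hogehoge.com/privkey.pem;
        ssl_trusted_certificate /etc/letsencrypt/live/www.hogehoge.com/chain.pem;
        ssl_dhparam /etc/nginx/ssl/dhparam.pem;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
        ssl_prefer_server_ciphers off;
        ssl_session_cache shared:SSL:50m;
        ssl_session_timeout 1d;
        ssl_session_tickets off;
        ssl_stapling on;
        ssl_stapling_verify on;
        add_header Strict-Transport-Security "max-age=63072000" always;
EOF
}

# Report weak or missing TLS settings in the nginx config file $1.
# Each finding is written to stderr; the number of findings is echoed to stdout.
lint_tls_conf() {
    local active n
    active=$(grep -Ev '^[[:space:]]*#' "$1" || true)   # ignore commented-out lines
    n=0
    has() { printf '%s\n' "$active" | grep -Eq "$1"; }
    if has '^[[:space:]]*ssl_protocols[[:space:]]+([^;]*[[:space:]])?TLSv1(\.1)?[[:space:];]'; then
        echo "ssl_protocols: TLSv1/TLSv1.1 enabled (deprecated by RFC 8996)" >&2; n=$((n + 1))
    fi
    if has '^[[:space:]]*ssl_session_tickets[[:space:]]+on[[:space:]]*;'; then
        echo "ssl_session_tickets on: static ticket key undermines forward secrecy" >&2; n=$((n + 1))
    fi
    if ! has '^[[:space:]]*ssl_stapling[[:space:]]+on[[:space:]]*;'; then
        echo "ssl_stapling not enabled" >&2; n=$((n + 1))
    fi
    if ! has '^[[:space:]]*add_header[[:space:]]+Strict-Transport-Security[[:space:]]'; then
        echo "no Strict-Transport-Security header" >&2; n=$((n + 1))
    fi
    echo "$n"
}

# Stand-alone demo on the two constructed files.
tmpdir=$(mktemp -d)
write_weak_tls_conf "$tmpdir/weak.conf"
write_hardened_tls_conf "$tmpdir/hardened.conf"
echo "weak.conf findings: $(lint_tls_conf "$tmpdir/weak.conf")"
echo "hardened.conf findings: $(lint_tls_conf "$tmpdir/hardened.conf")"
rm -rf "$tmpdir"
```

To check the live configuration, call lint_tls_conf /etc/nginx/nginx.conf; a non-zero count lists what to change before nginx -t and the restart. The article's HIGH:!aNULL:!MD5 cipher string is not flagged because on this nginx/OpenSSL combination it still resolves to acceptable suites, but the explicit ECDHE list above makes the choice visible in the file.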

5. Automatic SSL certificate renewal

Let's Encrypt certificates have a fixed validity period of 90 days. Once those 90 days pass, the certificate expires and browsers display a warning that the server certificate is invalid. That defeats the purpose, so we add a setting that renews the certificate automatically.

5.1 Confirm that the certificate is in a renewable state

Check command
[root@hogehoge nginx]# certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/www.hogehoge.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Account registered.
Simulating renewal of an existing certificate for www.hogehoge.com
Performing the following challenges:
http-01 challenge for www.hogehoge.com
Using the webroot path /home/www/www.hogehoge.com for all unmatched domains.
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/www.hogehoge.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all simulated renewals succeeded:
  /etc/letsencrypt/live/www.hogehoge.com/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

5.2 Automatic renewal with crontab

This entry runs the renewal command every day at 1:00 and 3:00. (It is scheduled twice so that a second attempt is made if the first one fails.)
※ The "--deploy-hook" option specifies a command that is executed only when the server certificate was actually renewed.

crontab settings
[root@hogehoge nginx]# crontab -e
00 1 * * * certbot renew -q --deploy-hook "systemctl restart nginx"
00 3 * * * certbot renew -q --deploy-hook "systemctl restart nginx"
Check the crontab settings
[root@hogehoge nginx]# crontab -l
00 1 * * * certbot renew -q --deploy-hook "systemctl restart nginx"
00 3 * * * certbot renew -q --deploy-hook "systemctl restart nginx"
Check the cron activity log
[root@hogehoge log]# pwd
/var/log
[root@hogehoge log]# more cron
Jul  3 05:27:01 hogehoge run-parts(/etc/cron.daily)[12278]: finished man-db.cron
Jul  3 05:27:01 hogehoge run-parts(/etc/cron.daily)[12254]: starting mlocate
Jul  3 05:27:02 hogehoge run-parts(/etc/cron.daily)[12289]: finished mlocate
Jul  3 05:27:02 hogehoge anacron[2160]: Job `cron.daily' terminated
Jul  3 05:30:01 hogehoge CROND[12454]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Jul  3 05:40:01 hogehoge CROND[13005]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Jul  3 05:47:01 hogehoge anacron[2160]: Job `cron.weekly' started
Jul  3 05:47:01 hogehoge anacron[2160]: Job `cron.weekly' terminated
Jul  3 05:47:01 hogehoge anacron[2160]: Normal exit (2 jobs run)
Jul  3 05:50:01 hogehoge CROND[13568]: (root) CMD (/usr/lib64/sa/sa1 1 1)
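A cron job run with -q fails as quietly as it succeeds: if the http-01 challenge stops working (webroot moved, port 80 no longer reachable), nothing in the setup above notices until the browser warning appears. The script below is an added example, not from the article or from certbot: it reads the notAfter date from the deployed fullchain.pem with openssl, computes the days left with GNU date, and classifies the result against certbot's own 30-day renewal threshold (the dry run above reported "Cert not due for renewal" for the same reason), so it can run from cron next to the renewal job and exit non-zero when renewal has stalled. The certificate path reuses the article's placeholder domain; the 20-day "stalled" threshold and the function names are my own assumptions. The date arithmetic relies on GNU date -d, which CentOS has but BSD date does not.

```shell
#!/bin/bash
# Added example (not from the original article): detect a stalled Let's Encrypt
# renewal from cron. Path, thresholds and function names are assumptions.

CERT_FILE=/etc/letsencrypt/live/www.hogehoge.com/fullchain.pem   # article's placeholder domain

# Whole days from $2 (any GNU "date -d" expression, e.g. "now") to the expiry in $1,
# where $1 is the "notAfter=<date>" line printed by openssl. Negative once expired.
days_until() {
    local end now
    end=$(date -u -d "${1#notAfter=}" +%s) || return 1
    now=$(date -u -d "$2" +%s) || return 1
    echo $(( (end - now) / 86400 ))
}

# Map days left to a status. certbot renew only acts below 30 days, so a value
# well under that threshold means the cron job has been failing for some time.
renewal_status() {
    local days=$1
    if [ "$days" -lt 0 ]; then echo expired
    elif [ "$days" -lt 20 ]; then echo stalled     # assumed threshold: renewal overdue
    elif [ "$days" -lt 30 ]; then echo due         # inside certbot's renewal window
    else echo ok
    fi
}

# Read the expiry of the PEM certificate in $1 and print "<status> <days>".
check_cert() {
    local enddate days
    enddate=$(openssl x509 -noout -enddate -in "$1") || return 1
    days=$(days_until "$enddate" now) || return 1
    echo "$(renewal_status "$days") $days"
}

# Cron entry point: exit non-zero so cron's MAILTO or a monitoring wrapper is alerted.
main() {
    local result
    result=$(check_cert "$CERT_FILE") || { echo "cannot read $CERT_FILE" >&2; exit 2; }
    echo "$CERT_FILE: $result"
    case $result in
        ok*|due*) exit 0 ;;
        *)        exit 1 ;;
    esac
}

# Only run the check when the certificate exists, so the file can also be sourced
# for its functions on a machine without certbot.
if [ -r "$CERT_FILE" ]; then
    main
fi
```

Schedule it after the renewal jobs, for example at 4:00, so a failure of both 1:00 and 3:00 runs is reported the same morning. Separately, the --deploy-hook above can use systemctl reload nginx instead of restart: nginx picks up the new certificate on reload without dropping in-flight connections.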