
How to use Let's Encrypt on a Fedora 30 SELinux machine on AWS EC2

Posted at 2019-10-14

Install the client (certbot and its Apache plugin).

# dnf list certbot python3-certbot-apache
Last metadata expiration check: 0:01:54 ago on Mon 14 Oct 2019 12:59:22 PM JST.
Available Packages
certbot.noarch                                                0.39.0-1.fc30                                  updates
python3-certbot-apache.noarch                                 0.39.0-1.fc30                                  updates
# dnf install certbot python3-certbot-apache
(omitted)

Installation is done.
Now let's go ahead and create a certificate.

# certbot certonly --webroot -w /var/www/html/ -d <url>

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): <your_email>

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for <url>
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
(omitted)

The certificate files were created at the location below.
However, at this path the SELinux label is not right (the files carry the generic etc_t type, as the ls -Z output shows).

# ls -lZ /etc/letsencrypt/live/<url>/
total 4
lrwxrwxrwx. 1 root root unconfined_u:object_r:etc_t:s0  53 Oct 14 13:07 cert.pem -> ../../archive/<url>/cert1.pem
lrwxrwxrwx. 1 root root unconfined_u:object_r:etc_t:s0  54 Oct 14 13:07 chain.pem -> ../../archive/<url>/chain1.pem
lrwxrwxrwx. 1 root root unconfined_u:object_r:etc_t:s0  58 Oct 14 13:07 fullchain.pem -> ../../archive/<url>/fullchain1.pem
lrwxrwxrwx. 1 root root unconfined_u:object_r:etc_t:s0  56 Oct 14 13:07 privkey.pem -> ../../archive/<url>/privkey1.pem
-rw-r--r--. 1 root root unconfined_u:object_r:etc_t:s0 692 Oct 14 13:07 README

Copy each of them to the correct location under /etc/pki/tls.

# cp /etc/letsencrypt/archive/<url>/cert1.pem /etc/pki/tls/certs
# cp /etc/letsencrypt/archive/<url>/privkey1.pem /etc/pki/tls/private/
# cp /etc/letsencrypt/archive/<url>/chain1.pem /etc/pki/tls/certs/

Next, the Apache configuration.

# vim /etc/httpd/conf/httpd.conf
Listen 80 443

# vim /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/pki/tls/certs/cert1.pem
SSLCertificateKeyFile /etc/pki/tls/private/privkey1.pem
SSLCertificateChainFile /etc/pki/tls/certs/chain1.pem

# systemctl restart httpd.service

Accessing the site shows that the Let's Encrypt certificate is now being served.
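One caveat with the copy step above: the archive file names (cert1.pem, privkey1.pem, ...) are versioned, and certbot writes cert2.pem on the next renewal, so the hand-copied files under /etc/pki/tls will expire unnoticed. The deploy hook below, an added example that is not part of the original post, copies the renewed files from the stable live/<domain>/ links instead, restores the SELinux context and reloads httpd; it assumes ssl.conf points at the stable names cert.pem, chain.pem and privkey.pem, and the hook path /usr/local/sbin/le-deploy.sh is also an assumption.

```shell
#!/bin/bash
# Added example (not from the original post): a certbot --deploy-hook that re-copies
# the renewed certificate from live/<domain>/ into /etc/pki/tls, restores the SELinux
# context, and reloads httpd. Assumed: Apache's ssl.conf references the stable names
# cert.pem / chain.pem / privkey.pem rather than the versioned cert1.pem etc.
set -eu

# deploy_le_certs <live-dir> <certs-dir> <private-dir>
# Copies the current cert, chain and key out of certbot's live/ directory.
deploy_le_certs() {
    local live="$1" certs="$2" private="$3" f
    for f in cert chain fullchain privkey; do
        [ -r "$live/$f.pem" ] || { echo "missing $live/$f.pem" >&2; return 1; }
    done
    # -L dereferences the live/ symlinks: we want real files under /etc/pki/tls,
    # not links pointing back into /etc/letsencrypt with its etc_t label.
    cp -L "$live/cert.pem"      "$certs/cert.pem"
    cp -L "$live/chain.pem"     "$certs/chain.pem"
    cp -L "$live/fullchain.pem" "$certs/fullchain.pem"
    cp -L "$live/privkey.pem"   "$private/privkey.pem"
    chmod 0644 "$certs/cert.pem" "$certs/chain.pem" "$certs/fullchain.pem"
    chmod 0600 "$private/privkey.pem"   # the private key must not be world-readable
    # Re-apply the policy's default label (cert_t under /etc/pki) to the copies;
    # skipped where SELinux is not present or not enabled.
    if command -v restorecon >/dev/null 2>&1 && selinuxenabled 2>/dev/null; then
        restorecon -v "$certs/cert.pem" "$certs/chain.pem" \
                      "$certs/fullchain.pem" "$private/privkey.pem"
    fi
}

# certbot exports RENEWED_LINEAGE (= /etc/letsencrypt/live/<domain>) to deploy hooks.
# Assumed install: certbot renew --deploy-hook /usr/local/sbin/le-deploy.sh
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_le_certs "$RENEWED_LINEAGE" /etc/pki/tls/certs /etc/pki/tls/private
    systemctl reload httpd.service
fi
```

Run it once by hand after the initial certonly so the stable names exist before you edit ssl.conf.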

(Reference)
https://weblabo.oscasierra.net/letsencrypt-2/
