
Trying letsencrypt on Ubuntu 16.04 + Nginx


Overview

With letsencrypt you can obtain SSL certificates free of charge.
This article summarizes how to use letsencrypt on Ubuntu 16.04 + Nginx, together with an example nginx configuration.

Environment

  • Ubuntu16.04
  • Nginx

Installing letsencrypt

$ sudo apt-get install letsencrypt

Obtaining an SSL/TLS server certificate

# letsencrypt needs port 80, so stop nginx for the moment
$ sudo systemctl stop nginx

# Obtain the certificate (pass your own domain name with the -d option)
$ sudo letsencrypt certonly --standalone -d hoge.example.com
...
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/hoge.example.com/fullchain.pem. Your
   cert will expire on 2016-08-24. To obtain a new version of the
   certificate in the future, simply run Certbot again.
...

Example nginx configuration

/etc/nginx/conf.d/hoge.conf
server {
  listen 80;
  server_name hoge.example.com;
  return 301 https://$host$request_uri;
}

server {
  listen 443;
  server_name hoge.example.com;

  ssl on;
  ssl_certificate /etc/letsencrypt/live/hoge.example.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/hoge.example.com/privkey.pem;
  ...omitted...
}
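Because the port-80 vhost above redirects every request to 443, a certificate or key path that nginx cannot load turns into a full-site outage rather than a TLS-only one. The following preflight script is an added example and is not part of the original article: it checks that the private key actually belongs to the certificate, lets `nginx -t` open both files exactly as the running server would, and only then reloads. It assumes the article's certificate paths (overridable through `CERT` and `KEY`) and the `openssl` and `nginx` binaries that Ubuntu 16.04 installs; the script name `nginx-tls-preflight.sh` is hypothetical.

```shell
#!/bin/sh
# Added example, not from the article: preflight checks for the nginx TLS vhost.
# Assumes the article's certificate paths (override via CERT/KEY) plus the
# openssl and nginx binaries shipped with Ubuntu 16.04.
# Hypothetical script name: nginx-tls-preflight.sh
CERT="${CERT:-/etc/letsencrypt/live/hoge.example.com/fullchain.pem}"
KEY="${KEY:-/etc/letsencrypt/live/hoge.example.com/privkey.pem}"

# Returns 0 when the private key ($2) belongs to the certificate ($1), i.e.
# both carry the same SubjectPublicKeyInfo; 1 otherwise or if a file is
# unreadable. nginx refuses to start on a mismatched pair.
cert_key_match() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
    key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Runs the checks and only then asks nginx to re-read its configuration.
# Exit codes: 0 reloaded, 1 key/cert mismatch, 2 nginx rejected the config.
preflight_reload() {
    if ! cert_key_match "$CERT" "$KEY"; then
        echo "refusing to reload: $KEY does not match $CERT" >&2
        return 1
    fi
    # nginx -t parses the config and opens the cert/key files as nginx would.
    nginx -t || return 2
    systemctl reload nginx
}

# Run only when executed under the expected name, so the functions can be sourced.
case "${0##*/}" in nginx-tls-preflight.sh) preflight_reload ;; esac
```

Run it as root after every change to the `ssl_certificate` lines or after a renewal; a non-zero exit leaves the currently running nginx untouched.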

Renewing the certificate automatically

Addendum 2018/6/8: automatic renewal is generally done with certbot-auto.
Reference: Best practices for operating Let's Encrypt


The certificate expires after 90 days, so it has to be renewed periodically.
To renew the certificate, run the following commands:

$ sudo service nginx stop
$ sudo letsencrypt renew
$ sudo service nginx start

To automate this with cron, add the following entry to the crontab (the commands need root privileges, so put it in the superuser's crontab):

$ sudo crontab -e
# Renew the SSL certificate automatically at 05:00 on the 1st of every month (note that nginx is stopped and started)
00 05 01 * * sudo systemctl stop nginx; sudo letsencrypt renew; sudo systemctl start nginx
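The one-line crontab entry above stops nginx on every run and, if `letsencrypt renew` aborts halfway, the `;` chain still starts nginx but hides the failure. The wrapper below is an added example, not code from the article: it reads the expiry date out of the certificate itself, only takes nginx down when the certificate is within a threshold of expiring, records the exit status of the renewal, and uses a trap so nginx is started again even if `letsencrypt renew` fails. It assumes GNU `date`, `openssl`, `systemctl` and `letsencrypt` as found on Ubuntu 16.04; the script name `renew-cert.sh` and the 30-day threshold are assumptions.

```shell
#!/bin/sh
# Added example, not from the article: renew only when the certificate is close
# to expiry, and make sure nginx comes back up whatever letsencrypt does.
# Assumes GNU date, openssl, systemctl and letsencrypt as on Ubuntu 16.04.
# Hypothetical script name: renew-cert.sh; the 30-day threshold is an assumption.
set -u

CERT_FILE="${CERT_FILE:-/etc/letsencrypt/live/hoge.example.com/fullchain.pem}"
RENEW_WITHIN_DAYS="${RENEW_WITHIN_DAYS:-30}"

# Whole days from $1 to $2, both YYYY-MM-DD (UTC); negative once $2 is past.
days_between() {
    from=$(date -u -d "$1" +%s) || return 1
    to=$(date -u -d "$2" +%s) || return 1
    echo $(( (to - from) / 86400 ))
}

# Expiry date (YYYY-MM-DD) read from the certificate's notAfter field.
cert_expiry_date() {
    end=$(openssl x509 -noout -enddate -in "$1") || return 1
    # openssl prints e.g. "notAfter=Aug 24 12:00:00 2016 GMT"; strip the label.
    date -u -d "${end#notAfter=}" +%Y-%m-%d
}

# Prints "due" when a certificate expiring on $1 has at most $2 days left
# as of $3 (today, YYYY-MM-DD), otherwise "ok".
renewal_status() {
    left=$(days_between "$3" "$1") || return 1
    if [ "$left" -le "$2" ]; then echo due; else echo ok; fi
}

# The stop/renew/start cycle from the article, with a trap so nginx is started
# again even when letsencrypt renew fails; the renewal's exit status is kept.
renew_now() {
    systemctl stop nginx || return 1
    trap 'systemctl start nginx' EXIT
    letsencrypt renew
    rc=$?
    systemctl start nginx
    trap - EXIT
    return $rc
}

main() {
    expiry=$(cert_expiry_date "$CERT_FILE") || { echo "cannot read $CERT_FILE" >&2; return 2; }
    today=$(date -u +%Y-%m-%d)
    case $(renewal_status "$expiry" "$RENEW_WITHIN_DAYS" "$today") in
        due) echo "certificate expires $expiry, renewing"; renew_now ;;
        *)   echo "certificate valid until $expiry, nothing to do" ;;
    esac
}

# Run main only when executed under the expected script name, so the functions
# above can also be sourced and tested on their own.
case "${0##*/}" in renew-cert.sh) main ;; esac
```

Install it as `/usr/local/sbin/renew-cert.sh` and call that path from root's crontab in place of the inline command (no `sudo` is needed there). Scheduling it daily instead of monthly costs nothing while the certificate is far from expiry, and gives a failed run several chances to be retried before the certificate lapses.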

References
