さくら VPS SSL証明書 Let’s Encrypt 導入

##さくら VPS （CentOS8 x86_64） で運用中のサイトに　Let’s Encryptの無料SSLを導入したときのメモ

mod_ssl がインストールされているか確認

# httpd -M | grep ssl
ssl_module (shared)

FireWall にSSLを許可

# firewall-cmd --zone=public --add-service=https --permanent
# firewall-cmd --reload
# firewall-cmd --list-all   確認
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: cockpit dhcpv6-client http https ssh

Let’s Encryptのインストール

# dnf install certbot python2-certbot-apache -y

または

# dnf install certbot python3-certbot-apache -y

証明書のインストール　　
メールアドレスの入力以外は全部「Y」でOK

# certbot --apache -d  ドメイン

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): メールアドレスを入力

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Account registered.
Requesting a certificate for ドメイン
Performing the following challenges:
http-01 challenge for ドメイン
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/httpd/conf.d/ドメイン-le-ssl.conf
Deploying Certificate to VirtualHost /etc/httpd/conf.d/ドメイン-le-ssl.conf
Redirecting vhost in /etc/httpd/conf.d/ドメイン.conf to ssl vhost in /etc/httpd/conf.d/ドメイン-le-ssl.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://ドメイン
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Subscribe to the EFF mailing list (email: メールアドレス).

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/ドメイン/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/ドメイン/privkey.pem
   Your certificate will expire on 2021-11-06. To obtain a new or
   tweaked version of this certificate in the future, simply run
   certbot again with the "certonly" option. To non-interactively
   renew *all* of your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

終わったらApacheを再起動
＊いったんApacheを止めて上記で作成されたファイルに誤りがないかを確認した後で起動

# systemctl stop httpd.service
# apachectl configtest
Syntax OK
# systemctl start httpd.service

https://ドメイン でアクセスできることを確認する

証明書を削除する場合

# certbot delete -d ドメイン

証明書の更新

# certbot renew