More than 3 years have passed since last update.

Issuing Let's Encrypt certificates on an IBM Cloud server

## Purpose
Try issuing a certificate, and automating its renewal, on an IBM Cloud virtual server (CentOS).
Admittedly, not much of this is specific to IBM Cloud...
Still, the resulting certificate can be loaded into IBM Cloud SSL, Certificate Manager, ICLB, CIS and so on, so it counts.
If all you need is to issue a certificate from a browser, the browser-based method linked here is simpler.
Either way, the certificate can be used with the various IBM Cloud services.

## Environment

  • Local machine: macOS Catalina 10.15.6
  • Platform: IBM Cloud
    • Web server: CentOS 7.7.1908 (Virtual Server for Classic)
      • Apache/2.4.6
  • Certificate authority: Let's Encrypt

## Installing the certbot package

Work on the web server.

### It cannot be installed in the default state
On a fresh system, yum reports that the certbot package is not available, because it is not in the default CentOS repositories.

#sudo yum -y install certbot
No package certbot available.

### Install the EPEL repository
Install epel-release. certbot is packaged in EPEL (Extra Packages for Enterprise Linux); see the linked page for details about EPEL.

#sudo yum -y install epel-release
=======================================================================================================================================
 Package                              Arch                           Version                      Repository                      Size
=======================================================================================================================================
Installing:
 epel-release                         noarch                         7-11                         extras                          15 k

Transaction Summary
===================================================================================================================================
Complete!

### Install certbot
Try the installation again; it now resolves from the epel repository.

#sudo yum -y install certbot
=======================================================================================================================================
 Package                                     Arch                      Version                           Repository               Size
=======================================================================================================================================
Installing:
 certbot                                     noarch                    1.7.0-1.el7                       epel                     45 k
(other packages omitted)
Transaction Summary
===================================================================================================================================
Complete!

## Creating the certificate

Work on the web server.

Options used:

  • certonly: obtain the certificate only; do not modify the Apache configuration
  • --webroot: validate by placing a challenge file under the document root, so Apache does not need to be stopped
  • -w: the DocumentRoot that serves that file. certbot writes to <webroot>/.well-known/acme-challenge/, and Let's Encrypt fetches it over plain HTTP on port 80 from the Internet, so port 80 must be open in the firewall/security group and not redirected somewhere the file is not served
  • -d: the domain name to issue for
  • --email: address for expiry warnings and other notices
  • --agree-tos: accept the Terms of Service without being prompted (not passed below, which is why the prompt appears)
# sudo certbot certonly --webroot -w /var/www/html -d www.xcloudyx.com --email example@gmail.com

Agree to the Terms of Service by entering A.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A

Enter Y to receive the EFF newsletter. This is optional and unrelated to the certificate; N works just as well.


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.xcloudyx.com
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Subscribe to the EFF mailing list (email: example@gmail.com).
Starting new HTTPS connection (1): supporters.eff.org

The output states where the certificate was placed, so check that the files were actually created.

  • Server certificate (with public key) followed by the intermediate certificate, the file Apache's SSLCertificateFile should point at:
    /etc/letsencrypt/live/www.xcloudyx.com/fullchain.pem
  • Private key; certbot creates it readable by root only, so keep it that way and never copy it somewhere world-readable:
    /etc/letsencrypt/live/www.xcloudyx.com/privkey.pem
  • Server certificate (with public key) only:
    /etc/letsencrypt/live/www.xcloudyx.com/cert.pem
  • Intermediate certificate only:
    /etc/letsencrypt/live/www.xcloudyx.com/chain.pem

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/www.xcloudyx.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/www.xcloudyx.com/privkey.pem
   Your cert will expire on 2020-12-04. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

# ls /etc/letsencrypt/live/www.xcloudyx.com/
README  cert.pem  chain.pem  fullchain.pem  privkey.pem
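Listing the directory only shows that the files exist. As an added example that is not part of the original article, the script below performs the checks worth running right after issuance: the private key is not group- or world-readable, the key actually belongs to cert.pem, fullchain.pem starts with the leaf certificate, the leaf verifies against chain.pem, and the requested name is in subjectAltName. It assumes the openssl CLI and GNU stat; the make_sample_live_dir helper fabricates a self-signed stand-in for the live directory (its own chain) so the checks can be exercised on a machine without a real certificate.

```shell
#!/bin/sh
# Added example, not code from the original article.
# verify_issued_cert DIR DOMAIN checks what certbot left in
# /etc/letsencrypt/live/<domain>/. Assumes the openssl CLI and GNU stat.
#   verify_issued_cert /etc/letsencrypt/live/www.xcloudyx.com www.xcloudyx.com

fail() { echo "FAIL: $*" >&2; return 1; }

verify_issued_cert() {
  dir="$1"; domain="$2"
  for f in cert.pem chain.pem fullchain.pem privkey.pem; do
    [ -f "$dir/$f" ] || { fail "$dir/$f is missing"; return 1; }
  done

  # 1. The private key must stay unreadable to everyone but root. certbot
  #    creates it that way; a careless chmod or cp is how that changes.
  mode=$(stat -c %a "$dir/privkey.pem")
  case "$mode" in
    600|400) ;;
    *) fail "privkey.pem mode is $mode, expected 600 or 400"; return 1 ;;
  esac

  # 2. The key must belong to the certificate: the public key embedded in
  #    cert.pem has to equal the one derived from privkey.pem.
  cert_pub=$(openssl x509 -noout -pubkey -in "$dir/cert.pem")
  key_pub=$(openssl pkey -pubout -in "$dir/privkey.pem")
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] \
    || { fail "privkey.pem does not match cert.pem"; return 1; }

  # 3. fullchain.pem must begin with the leaf, since that is the file Apache
  #    is pointed at; "openssl x509" reads only the first PEM block.
  leaf=$(openssl x509 -noout -fingerprint -sha256 -in "$dir/cert.pem")
  first=$(openssl x509 -noout -fingerprint -sha256 -in "$dir/fullchain.pem")
  [ "$leaf" = "$first" ] || { fail "fullchain.pem does not start with cert.pem"; return 1; }

  # 4. The leaf must verify against the intermediate in chain.pem; openssl
  #    still consults the system trust store alongside -CAfile for the root.
  openssl verify -CAfile "$dir/chain.pem" "$dir/cert.pem" >/dev/null 2>&1 \
    || { fail "cert.pem does not verify against chain.pem"; return 1; }

  # 5. The name must be in subjectAltName; browsers ignore the CN.
  openssl x509 -noout -text -in "$dir/cert.pem" | grep -qE "DNS:${domain}(,|$)" \
    || { fail "$domain is not in subjectAltName"; return 1; }
  return 0
}

# Constructed stand-in for a live directory: a self-signed certificate with a
# SAN that serves as its own chain. Only for exercising the checks offline.
make_sample_live_dir() {
  dir="$1"; cn="$2"; days="$3"
  mkdir -p "$dir"
  cat > "$dir/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = $cn
[v3]
subjectAltName = DNS:$cn
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
    -config "$dir/san.cnf" -keyout "$dir/privkey.pem" -out "$dir/cert.pem" 2>/dev/null
  chmod 600 "$dir/privkey.pem"
  cp "$dir/cert.pem" "$dir/chain.pem"
  cat "$dir/cert.pem" "$dir/chain.pem" > "$dir/fullchain.pem"
}
```

On the real server, run verify_issued_cert against /etc/letsencrypt/live/www.xcloudyx.com as root (the key is not readable otherwise). Check 2 is the one that catches a certificate copied over from another host or an older lineage; check 5 catches issuing for the bare domain while the vhost serves www.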

## Renewing the certificate

Work on the web server.

Check the expiry of the current certificate (run from /etc/letsencrypt/live/www.xcloudyx.com/, since the path below is relative).

# openssl x509 -noout -dates -in cert.pem
notBefore=Sep  5 12:07:28 2020 GMT
notAfter=Dec  4 12:07:28 2020 GMT

Renewal test (nothing is actually renewed)

  • --force-renew: renew even though the certificate is not yet within 30 days of expiry (abbreviation of --force-renewal)
  • --dry-run: run the renewal against Let's Encrypt's staging environment and discard the result; this is why the log below connects to acme-staging-v02 instead of acme-v02
  • --webroot-path: the DocumentRoot, as with -w above
  • --post-hook: command to run after certbot finishes; here it reloads Apache
# certbot renew --force-renew --dry-run --webroot-path /var/www/html/ --post-hook "systemctl reload httpd"
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/www.xcloudyx.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.xcloudyx.com
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/www.xcloudyx.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/www.xcloudyx.com/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Running post-hook command: systemctl reload httpd

The post-hook in the command above reloaded httpd as well. Note the `disabled` in the Loaded line: httpd is not enabled at boot on this server, so run `systemctl enable httpd` if it must come back on its own after a reboot.

# systemctl status httpd
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
   Active: active (running) since Thu 2020-08-27 20:13:17 CDT; 1 weeks 1 days ago
 Sep 05 08:36:40 www.xcloudyx.com systemd[1]: Reloading The Apache HTTP Server.
 Sep 05 08:36:45 www.xcloudyx.com systemd[1]: Reloaded The Apache HTTP Server.

Now renew for real. --force-renew issues a new certificate regardless of the remaining lifetime, and Let's Encrypt limits duplicate certificates (same set of names) to 5 per week, so use it for a one-off test like this and never in the scheduled job.

# certbot renew --force-renew --webroot-path /var/www/html/ --post-hook "systemctl reload httpd"
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/www.xcloudyx.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/www.xcloudyx.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/www.xcloudyx.com/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Running post-hook command: systemctl reload httpd

Check Apache.

# systemctl status httpd
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
   Active: active (running) since Thu 2020-08-27 20:13:17 CDT; 1 weeks 1 days ago
 Sep 05 08:43:56 www.xcloudyx.com systemd[1]: Reloading The Apache HTTP Server.
 Sep 05 08:43:56 www.xcloudyx.com systemd[1]: Reloaded The Apache HTTP Server.

Check the certificate. notBefore and notAfter have moved to the time of the renewal, so the new certificate is in place.

# openssl x509 -noout -dates -in cert.pem
notBefore=Sep  5 12:44:09 2020 GMT
notAfter=Dec  4 12:44:09 2020 GMT

## Automatic certificate renewal

Work on the web server.

Set up cron to run the renewal automatically.
This example runs at 02:00 on the 1st of every month. The line includes a user field (root), so it belongs in /etc/crontab or a file under /etc/cron.d/, not in a user crontab edited with crontab -e, where that field would be read as the start of the command.

00 02 01 * * root /bin/certbot renew --webroot-path /var/www/html/ --post-hook "systemctl reload httpd"

Two caveats on the schedule and the hook:

  • Monthly is too sparse. certbot renew only acts when fewer than 30 days remain, so with the certificate above (issued Sep 5, expiring Dec 4) the Oct 1 run skips it (64 days left), the Nov 1 run skips it (33 days left), and only the Dec 1 run renews it, three days before expiry; a single transient failure then means an expired certificate. Let's Encrypt recommends running certbot renew twice a day; a run with nothing due costs nothing and makes no request to the CA. Also check with systemctl list-timers whether the EPEL package already installed a renewal timer before adding a cron entry.
  • --post-hook runs after every invocation, even when nothing was renewed, so Apache is reloaded on every run. --deploy-hook, or an executable placed in /etc/letsencrypt/renewal-hooks/deploy/, runs only when a certificate was actually renewed.
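As an added example that is not part of the original article, here are two helpers for the renewal setup: needs_renewal makes the decision certbot takes on every run (is the certificate within 30 days of expiry?) visible to a monitoring job, and reload_if_valid is a deploy hook that checks the Apache configuration before reloading, using the RENEWED_LINEAGE variable certbot exports to its hooks. The openssl CLI is assumed; APACHECTL and RELOAD_CMD are overridable environment variables I introduced so the hook can be exercised on a machine without httpd.

```shell
#!/bin/sh
# Added example, not code from the original article. Assumes the openssl CLI.
# APACHECTL and RELOAD_CMD default to the real commands and exist only so the
# hook can be tested without a real httpd.

# needs_renewal CERT [DAYS]: exit 0 if CERT expires within DAYS (default 30,
# the window in which "certbot renew" acts), 1 if it is still fine, 2 if the
# file is unreadable. "openssl x509 -checkend N" exits 0 when the certificate
# is still valid N seconds from now, so its result is inverted here.
needs_renewal() {
  cert="$1"; days="${2:-30}"
  [ -r "$cert" ] || return 2
  if openssl x509 -noout -in "$cert" -checkend $((days * 86400)) >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# Deploy hook body. certbot runs --deploy-hook, and every executable in
# /etc/letsencrypt/renewal-hooks/deploy/, only when a certificate was really
# renewed, with RENEWED_LINEAGE set to the live directory. The config test
# comes first so that a configuration error discovered at renewal time does
# not turn into an outage: a certificate with weeks left is the lesser problem.
reload_if_valid() {
  lineage="${RENEWED_LINEAGE:?RENEWED_LINEAGE not set; run from a certbot deploy hook}"
  [ -r "$lineage/fullchain.pem" ] \
    || { echo "no fullchain.pem in $lineage, not reloading" >&2; return 1; }
  ${APACHECTL:-apachectl} configtest >/dev/null 2>&1 \
    || { echo "apache config test failed, not reloading" >&2; return 1; }
  ${RELOAD_CMD:-systemctl reload httpd}
}
```

To use the hook, save the file with a final line that calls reload_if_valid, make it executable under /etc/letsencrypt/renewal-hooks/deploy/, and drop the --post-hook argument from the cron line; certbot renew runs it only after a real renewal. needs_renewal is meant for monitoring: if it still returns 0 a day after the renewal job should have run, the job is failing and someone should look before the certificate expires.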