紆余曲折あったが最終的に公式に従うことにする
Amazon Linux
【AWS公式】Certificate Automation: Amazon Linux での Let's Encrypt と Certbot の使用
$ cd /etc/nginx/
$ sudo yum-config-manager --enable epel
$ wget https://dl.eff.org/certbot-auto
$ chmod a+x /etc/nginx/certbot-auto
$ sudo /etc/nginx/certbot-auto --nginx --debug
Amazon Linux 2
Certificate Automation: Amazon Linux 2 での Let's Encrypt と Certbot の使用
$ cd /home/ec2-user
$ sudo wget -r --no-parent -A 'epel-release-*.rpm' https://dl.fedoraproject.org/pub/epel/7/x86_64/Packages/e/
$ sudo rpm -Uvh dl.fedoraproject.org/pub/epel/7/x86_64/Packages/e/epel-release-*.rpm
$ sudo yum-config-manager --enable epel*
$ sudo yum repolist all
$ sudo yum install certbot-nginx
# sudo certbot --nginx
問答(選択肢がYes/Noだったりするけどそれに応じて)
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel):
$ info@example.com
#通知宛先メールアドレス
-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf. You must agree
in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel:
$ A
-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o:
$ N
Which names would you like to activate HTTPS for?
-------------------------------------------------------------------------------
1: example.com
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):
$ 2
#httpsへのリダイレクト
Congratulations! 言われたらおk
証明書の更新を自動化設定するには
$ crontab -e
39 1,13 * * * root certbot renew --no-self-upgrade
#毎日、01:39 と 13:39 にコマンドが実行
詳細は上記リンク先のAWS公式ドキュメントを参照。
※Amazon Linuxが動かなかったけどAmazon Linux2やったら効くかもしらん
エラーになる場合
Lets Encryptで証明書更新時にcryptographyのエラーが出た時の対処法
Let’s Encryptでvirtualenv: error: unrecognized arguments: –no-site-packages
上記2つの解説で大体いける
備考
2021年にLet’s Encryptのルート証明書が変更!影響や備えておくべきこととは?
Firefoxでエラーが出るとか嫌な予感がしたが出なかったので良しとした。
SSL有効確認
$ openssl s_client -connect [ドメイン]:443 -showcerts