
Let’s Encrypt for Amazon Linux (Nginx)

Posted at 2019-09-19

There were a few detours along the way, but in the end I decided to follow the official documentation.

#### Amazon Linux

[AWS official] Certificate Automation: Using Let's Encrypt with Certbot on Amazon Linux

```sh
$ cd /etc/nginx/
$ sudo yum-config-manager --enable epel
# /etc/nginx is owned by root, so the download and chmod need sudo as well
$ sudo wget https://dl.eff.org/certbot-auto
$ sudo chmod a+x /etc/nginx/certbot-auto
$ sudo /etc/nginx/certbot-auto --nginx --debug
```

#### Amazon Linux 2

Certificate Automation: Using Let's Encrypt with Certbot on Amazon Linux 2

```sh
$ cd /home/ec2-user
$ sudo wget -r --no-parent -A 'epel-release-*.rpm' https://dl.fedoraproject.org/pub/epel/7/x86_64/Packages/e/
$ sudo rpm -Uvh dl.fedoraproject.org/pub/epel/7/x86_64/Packages/e/epel-release-*.rpm
$ sudo yum-config-manager --enable epel*
$ sudo yum repolist all
$ sudo yum install certbot-nginx
$ sudo certbot --nginx
```

#### Interactive prompts (some are Yes/No choices; answer each accordingly)

```text
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel):
$ info@example.com
# email address that receives the notices
-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf. You must agree
in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel:
$ A

-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o:
$ N
Which names would you like to activate HTTPS for?
-------------------------------------------------------------------------------
1: example.com
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):
$ 2
# redirect HTTP to HTTPS
```

Once it reports "Congratulations!", you're done.

To set up automatic certificate renewal:

```sh
# The user field ("root") is only valid in the system crontab (/etc/crontab or
# /etc/cron.d), not in a per-user crontab opened with "crontab -e".
$ sudo vi /etc/crontab
39 1,13 * * * root certbot renew --no-self-upgrade
# runs the command every day at 01:39 and 13:39
```

See the AWS official documentation linked above for details.
Note: this didn't work for me on Amazon Linux, but it may well work on Amazon Linux 2.

If you run into errors

How to fix the cryptography error when renewing a Let's Encrypt certificate
Let's Encrypt: virtualenv: error: unrecognized arguments: --no-site-packages

Those two write-ups cover most cases.

### Notes

[Let's Encrypt's root certificate changes in 2021: what is the impact and what should you prepare for?](https://ssl.sakura.ad.jp/column/letsencrypt-root-certificate/)
I had a bad feeling that Firefox would throw an error, but it didn't, so I left it at that.

Checking that SSL is working

```sh
$ openssl s_client -connect [domain]:443 -showcerts
```
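As an added example (not part of the original post), here is a small shell script that builds on the openssl s_client check above and on the renewal cron job: it fetches the certificate a host is actually serving and fails when fewer than a threshold of days remain, so a silently failing `certbot renew` is noticed before the certificate expires. It assumes openssl is installed; the host name and the 14-day threshold are illustrative.

```sh
#!/bin/sh
# Added example, not from the original post: alert on a served certificate that
# is close to expiry. Assumes openssl is available; thresholds are illustrative.

# Succeeds (exit 0) when the PEM certificate in $1 is still valid for at least
# $2 days; "openssl x509 -checkend" exits 1 if it expires within that window.
cert_valid_for_days() {
  pem=$1
  days=$2
  openssl x509 -in "$pem" -noout -checkend "$((days * 86400))" >/dev/null
}

# Fetches the leaf certificate that $1 serves on port 443 and writes it as PEM
# to $2. -servername sends SNI, which matters when nginx hosts several names.
fetch_server_cert() {
  host=$1
  out=$2
  openssl s_client -connect "$host:443" -servername "$host" -showcerts \
    </dev/null 2>/dev/null | openssl x509 -outform PEM >"$out"
}

# Prints a one-line status for a host; returns 1 when renewal needs attention.
# Let's Encrypt certificates last 90 days and certbot renews at 30 days left,
# so anything under 14 days means the cron job has been failing for a while.
check_host() {
  host=$1
  threshold=${2:-14}
  tmp=$(mktemp)
  if ! fetch_server_cert "$host" "$tmp"; then
    echo "$host: could not fetch certificate"
    rm -f "$tmp"
    return 1
  fi
  if cert_valid_for_days "$tmp" "$threshold"; then
    echo "$host: OK, valid for at least $threshold more days"
    rm -f "$tmp"
    return 0
  fi
  echo "$host: WARNING, expires within $threshold days, check 'certbot renew'"
  rm -f "$tmp"
  return 1
}

# Usage: ./check_cert.sh example.com [days]
if [ $# -ge 1 ]; then
  check_host "$@"
fi
```

Run it from the same crontab after the `certbot renew` entry and route its output to the renewal notice address, so a non-zero exit shows up as mail rather than as an expired site.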

Configuration change

/etc/letsencrypt/options-ssl-nginx.conf
```nginx
# Certbot manages this file and warns that manual edits may be overwritten and
# prevent it from applying future security updates to these parameters.
#ssl_session_timeout 1440m;
ssl_session_timeout 10m;
```