
Notes on setting up Let's Encrypt for nginx and Apache

Posted at 2017-10-18

Installing certbot

$ sudo yum install epel-release
$ sudo yum install certbot

Generating the certificate

$ certbot certonly --webroot -w /var/www/html/ -d yourdomain.com -m yourmail@gmail.com --agree-tos

nginx configuration

Free SSL/TLS certificates: serving nginx over HTTPS with Let's Encrypt

Configuring a Let's Encrypt certificate in nginx and switching to HTTPS | tsuchikazu blog
https://tsuchikazu.net/lets-encrypt-nginx/

Publishing a secure website with a Let's Encrypt SSL certificate - Sakura Knowledge
http://knowledge.sakura.ad.jp/knowledge/5573/

Enabling HTTPS access with Let's Encrypt + Nginx! - A certain pro darts player's casual diary
http://yamadagenki.hatenablog.com/entry/2016/01/27/162714

Enabling HTTPS access with Let's Encrypt + Nginx! - Qiita
http://qiita.com/yamadagenki/items/111185931ef9a59eb054

/etc/nginx/conf.d/sample_ssl.conf
server {
  listen  4433 ssl;
  server_name  localhost;
  root  /root/nginx/sample/;

  # Files written by certbot under /etc/letsencrypt/live/<domain>/
  ssl_certificate  /etc/letsencrypt/live/data.sample.co.jp/fullchain.pem;
  ssl_certificate_key  /etc/letsencrypt/live/data.sample.co.jp/privkey.pem;

  location / {
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;
    proxy_pass http://unix:/root/nginx/sample/tmp/app.sock; # proxy to Unicorn's Unix domain socket
  }
}

Apache configuration

Free SSL certificate: enabling SSL on Apache with Let's Encrypt - ex1-lab
https://ex1.m-yabe.com/archives/2086

Notes on obtaining a Let's Encrypt server certificate and configuring automatic renewal | Apar blog
https://blog.apar.jp/linux/3619/

$ sudo vim /etc/httpd/conf.d/httpd-ssl-vhosts.conf

# address:port form; the original note had "*.443", which httpd tries to resolve as a host name
<VirtualHost *:443>
  DocumentRoot /var/www/html
  ServerName herofit.club

  SetEnvIf Request_URI "\.(gif|jpg|png|css|js)$" nolog
  ErrorLog /var/www/log/ssl_error.log
  CustomLog /var/www/log/ssl_access.log combined env=!nolog

  SSLEngine on
  SSLHonorCipherOrder on
  # Header requires mod_headers
  Header set Strict-Transport-Security "max-age=31536000; includeSubDomains"
  # Kept as in the original note; TLSv1 and TLSv1.1 are deprecated today and are usually left disabled
  SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
  SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5

  SSLCertificateFile /etc/letsencrypt/live/herofit.club/cert.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/herofit.club/privkey.pem
  SSLCertificateChainFile /etc/letsencrypt/live/herofit.club/chain.pem

  <Directory /var/www/html/>
    Options +FollowSymlinks
    AllowOverride All
  </Directory>
</VirtualHost>


When reloading Apache, an error like the following may appear.

$ systemctl reload httpd
Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service"
and "journalctl -xe" for details.

$ journalctl -xe
12月 14 14:12:15 web01 httpd[63857]: [Wed Dec 14 14:12:15.527519 2016] [core:error] [pid 63857] (EAI 2)Name or service
12月 14 14:12:15 web01 httpd[63857]: AH00526: Syntax error on line 9 of /etc/httpd/conf.d/httpd-ssl-vhosts.conf:
12月 14 14:12:15 web01 httpd[63857]: Invalid command 'SSLEngine', perhaps misspelled or defined by a module not includ
12月 14 14:12:15 web01 systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
12月 14 14:12:15 web01 kill[63858]: kill: cannot find process ""
12月 14 14:12:15 web01 systemd[1]: httpd.service: control process exited, code=exited status=1
12月 14 14:12:15 web01 systemd[1]: Failed to start The Apache HTTP Server.

The cause is that mod_ssl is not installed, so set up the following.

$ sudo yum install mod_ssl
$ vim /etc/httpd/conf.modules.d/00-base.conf

# Append the following (the AH01574 "already loaded" warning in the next journal means the mod_ssl package also loads it from its own 00-ssl.conf)
LoadModule ssl_module modules/mod_ssl.so

Another error. This time the cause seems to be that the log output directory does not exist, so create the directory.

$ journalctl -xe
-- Unit httpd.service has begun starting up.
12月 14 14:26:55 web01 httpd[64312]: [Wed Dec 14 14:26:55.583165 2016] [so:warn] [pid 64312] AH01574: module ssl_modul
12月 14 14:26:55 web01 httpd[64312]: [Wed Dec 14 14:26:55.594711 2016] [core:error] [pid 64312] (EAI 2)Name or service
12月 14 14:26:55 web01 httpd[64312]: (2)No such file or directory: AH02291: Cannot access directory '/var/www/log/' fo
12月 14 14:26:55 web01 httpd[64312]: AH00014: Configuration check failed
12月 14 14:26:55 web01 systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
12月 14 14:26:55 web01 kill[64313]: kill: cannot find process ""
12月 14 14:26:55 web01 systemd[1]: httpd.service: control process exited, code=exited status=1
12月 14 14:26:55 web01 systemd[1]: Failed to start The Apache HTTP Server.

$ ll /var/www/
合計 0
drwxr-xr-x 2 root root  6 11月 15 03:05 cgi-bin
drwxr-xr-x 4 root root 67 11月 15 03:05 html
$ sudo mkdir /var/www/log
$ ll /var/www/
合計 0
drwxr-xr-x 2 root root  6 11月 15 03:05 cgi-bin
drwxr-xr-x 4 root root 67 11月 15 03:05 html
drwxr-xr-x 2 root root  6 12月 14 14:30 log
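The three failures above (the host-name lookup error that the `*.443` form causes, `SSLEngine` rejected because mod_ssl is not loaded, and the missing `/var/www/log/` directory) can all be caught before `systemctl reload httpd` takes the site down. The script below is an added example written for this note, not code from the original article or from the Apache project; it lints a vhost file for exactly those problems and also flags the deprecated TLSv1/TLSv1.1 entries. The `lint_vhost` function, the `dir_exists` parameter and the `SAMPLE_VHOST` text are constructed for the example, with a placeholder domain in place of the note's.

```python
"""Pre-flight lint for an Apache SSL vhost file (added example for this note)."""
import os
import re

# Constructed sample: the vhost from the note, typo included, with a placeholder domain.
SAMPLE_VHOST = """\
<VirtualHost *.443>
  DocumentRoot /var/www/html
  ServerName example.com
  ErrorLog /var/www/log/ssl_error.log
  CustomLog /var/www/log/ssl_access.log combined env=!nolog
  SSLEngine on
  SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
  SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
</VirtualHost>
"""

DEPRECATED_TLS = {"TLSv1", "TLSv1.1"}  # deprecated by RFC 8996


def loaded_modules(conf_modules_dir="/etc/httpd/conf.modules.d"):
    """Collect module names from LoadModule lines, e.g. {'ssl_module', ...}.
    Reads the real filesystem; the offline demo passes a set directly."""
    names = set()
    if not os.path.isdir(conf_modules_dir):
        return names
    for fname in os.listdir(conf_modules_dir):
        with open(os.path.join(conf_modules_dir, fname)) as fh:
            for line in fh:
                parts = line.split()
                if len(parts) >= 2 and parts[0] == "LoadModule":
                    names.add(parts[1])
    return names


def lint_vhost(config, modules, dir_exists=os.path.isdir):
    """Return a list of findings (strings) for one vhost file.

    modules: set of loaded Apache module names.
    dir_exists: predicate for log directories; defaults to the real filesystem
        and is injectable so a config copied from another host can be checked.
    """
    findings = []
    ssl_on = False
    for lineno, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"<VirtualHost\s+([^>]+)>", line, re.IGNORECASE)
        if m:
            for addr in m.group(1).split():
                # Without a colon httpd treats the whole token as a host name and
                # the DNS lookup fails: "(EAI 2) Name or service not known".
                if ":" not in addr:
                    findings.append(
                        f"line {lineno}: VirtualHost address '{addr}' lacks a port; "
                        "use the address:port form, e.g. *:443")
            continue
        parts = line.split()
        directive, args = parts[0], parts[1:]
        if directive == "SSLEngine" and args and args[0].lower() == "on":
            ssl_on = True
        elif directive in ("ErrorLog", "CustomLog") and args:
            target = args[0]
            if target.startswith(("|", "syslog")):
                continue  # piped logger or syslog, no directory to check
            log_dir = os.path.dirname(target)
            if not dir_exists(log_dir):
                findings.append(
                    f"line {lineno}: {directive} directory '{log_dir}' does not exist "
                    "(httpd reports AH02291 and refuses to start)")
        elif directive == "SSLProtocol":
            enabled = {a[1:] for a in args if a.startswith("+")}
            old = sorted(enabled & DEPRECATED_TLS)
            if old:
                findings.append(
                    f"line {lineno}: SSLProtocol enables deprecated {', '.join(old)}")
    if ssl_on and "ssl_module" not in modules:
        findings.append("SSLEngine on but ssl_module is not loaded: install mod_ssl "
                        "(AH00526 'Invalid command SSLEngine')")
    return findings


if __name__ == "__main__":
    # Offline demo: pretend only the DocumentRoot exists and no modules are loaded.
    for finding in lint_vhost(SAMPLE_VHOST, set(), dir_exists=lambda d: d == "/var/www/html"):
        print(finding)
```

On a real host, call `lint_vhost(open(path).read(), loaded_modules())` before the reload; running it from the same shell session that edits the file is enough to avoid the journalctl round trip shown above.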

Automatic renewal settings

crontab
# Renew at 02:07 early every Sunday morning
07 02 * * 0 certbot renew | mail -s 'lets encrypt renew log' your@email.com; /usr/sbin/nginx -s reload
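The cron line above mails the certbot output every week and reloads nginx whether or not anything was renewed, so a renewal that quietly stops working (expired credentials, a changed webroot, a broken mail setup) is easy to miss until the 90-day certificate lapses. As an added example for this note, not certbot's or Let's Encrypt's code, the script below checks the remaining lifetime of each certificate independently of the cron job by parsing the `notAfter=` line that `openssl x509 -noout -enddate` prints. The 30-day renewal window is certbot's default; the 14-day alert threshold, the function names and the sample dates are assumptions made for the example.

```python
"""Certificate expiry monitor to back up the weekly `certbot renew` cron job
(added example for this note)."""
import subprocess
import sys
from datetime import datetime, timedelta, timezone

CERTBOT_RENEW_WINDOW_DAYS = 30  # certbot renew only acts when fewer than 30 days remain
ALERT_DAYS = 14                 # assumption: two missed weekly cron runs means something is broken


def parse_not_after(line):
    """Parse the 'notAfter=Dec 14 14:12:15 2017 GMT' line printed by
    `openssl x509 -noout -enddate`. openssl pads single-digit days with a
    space ('Jan  5 ...'), so tokenize on whitespace rather than fixed columns."""
    value = line.strip().split("=", 1)[1]
    month, day, hms, year, tz = value.split()
    if tz != "GMT":
        raise ValueError(f"unexpected time zone in {line!r}")
    naive = datetime.strptime(f"{month} {int(day):02d} {hms} {year}", "%b %d %H:%M:%S %Y")
    return naive.replace(tzinfo=timezone.utc)


def days_remaining(not_after, now=None):
    """Fractional days until expiry (negative once expired)."""
    now = now or datetime.now(timezone.utc)
    return (not_after - now) / timedelta(days=1)


def classify(not_after, now=None):
    """'ok' (outside certbot's window), 'renewing' (certbot should act on its
    next run), 'alert' (renewal has evidently not happened) or 'expired'."""
    left = days_remaining(not_after, now)
    if left <= 0:
        return "expired"
    if left < ALERT_DAYS:
        return "alert"
    if left < CERTBOT_RENEW_WINDOW_DAYS:
        return "renewing"
    return "ok"


def read_not_after(cert_path):
    """Ask openssl for the end date of a real certificate file, e.g.
    /etc/letsencrypt/live/<domain>/fullchain.pem. Not used by the offline demo."""
    out = subprocess.run(
        ["openssl", "x509", "-noout", "-enddate", "-in", cert_path],
        check=True, capture_output=True, text=True).stdout
    return parse_not_after(out)


if __name__ == "__main__":
    # Usage: python check_expiry.py /etc/letsencrypt/live/example.com/fullchain.pem ...
    # Exits 1 when any certificate is in 'alert' or 'expired' state, so cron
    # mail is only generated when something is actually wrong.
    if len(sys.argv) == 1:
        # Constructed sample line, evaluated against a fixed "now" for the demo.
        sample = parse_not_after("notAfter=Dec 14 14:12:15 2017 GMT")
        print(classify(sample, datetime(2017, 11, 20, tzinfo=timezone.utc)))
        sys.exit(0)
    worst = 0
    for path in sys.argv[1:]:
        not_after = read_not_after(path)
        status = classify(not_after)
        print(f"{path}: {days_remaining(not_after):.1f} days left ({status})")
        if status in ("alert", "expired"):
            worst = 1
    sys.exit(worst)
```

If the monitor is scheduled alongside the renewal job, the reload in the cron line can be tied to an actual renewal instead of running unconditionally: `certbot renew --deploy-hook 'systemctl reload nginx'` runs the hook only for certificates that were just issued (the `--deploy-hook` option exists in certbot from version 0.17 onward).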