nginx
Apache
SSL
letsencrypt

Notes on setting up Let's Encrypt for nginx and Apache


Installing certbot

$ sudo yum install epel-release
$ sudo yum install certbot

Generating the certificate

$ certbot certonly --webroot -w /var/www/html/ -d yourdomain.com -m yourmail@gmail.com --agree-tos
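Once certbot has finished, it is worth checking what it actually wrote under /etc/letsencrypt/live/yourdomain.com/ before pointing nginx or Apache at it, and the same check is useful after every certbot renew run. The script below is an added example; it is not part of the original post and not part of certbot. verify_lineage confirms that cert.pem, privkey.pem, chain.pem and fullchain.pem all exist, that privkey.pem belongs to cert.pem, that cert.pem validates against chain.pem, that fullchain.pem begins with the same leaf certificate, and that the certificate is not within 30 days of expiry (the window in which certbot renew acts; RENEW_WITHIN_DAYS is this example's own setting). make_test_lineage is also the example's own helper: it builds a constructed self-signed lineage in a temporary directory so everything runs offline without touching /etc/letsencrypt. Only the openssl command line is required.

```shell
#!/bin/sh
# Added example (not from the original post or from certbot): sanity-check a certbot
# "live" lineage directory. Assumes the openssl CLI and certbot's file layout
# (cert.pem, privkey.pem, chain.pem, fullchain.pem). RENEW_WITHIN_DAYS is an assumed
# threshold matching certbot's default renewal window.

RENEW_WITHIN_DAYS=30

# verify_lineage DIR -> exit status 0 when every check passes, 1 otherwise; reasons on stdout
verify_lineage() {
    dir="$1"
    ok=0
    for f in cert.pem privkey.pem chain.pem fullchain.pem; do
        if [ ! -f "$dir/$f" ]; then
            echo "missing: $dir/$f"
            ok=1
        fi
    done
    [ "$ok" -eq 0 ] || return 1

    # the key must belong to the certificate: compare the public key derived from each
    cert_pub=$(openssl x509 -in "$dir/cert.pem" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$dir/privkey.pem" -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "privkey.pem does not match cert.pem"
        ok=1
    fi

    # the leaf must validate against chain.pem (what Apache serves via SSLCertificateChainFile)
    if ! openssl verify -CAfile "$dir/chain.pem" "$dir/cert.pem" >/dev/null 2>&1; then
        echo "cert.pem does not validate against chain.pem"
        ok=1
    fi

    # fullchain.pem (what nginx needs for ssl_certificate) must start with the same leaf
    leaf_fp=$(openssl x509 -in "$dir/cert.pem" -noout -fingerprint 2>/dev/null)
    if ! openssl x509 -in "$dir/fullchain.pem" -noout -fingerprint 2>/dev/null | grep -qxF "$leaf_fp"; then
        echo "fullchain.pem does not begin with cert.pem"
        ok=1
    fi

    # -checkend exits non-zero when the certificate expires within the given number of seconds
    if ! openssl x509 -in "$dir/cert.pem" -noout -checkend $((RENEW_WITHIN_DAYS * 86400)) >/dev/null 2>&1; then
        echo "cert.pem expires within $RENEW_WITHIN_DAYS days: renew now"
        ok=1
    fi
    return "$ok"
}

# make_test_lineage DIR DAYS -> constructed self-signed lineage for offline testing only
make_test_lineage() {
    dir="$1"; days="$2"
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days "$days" -subj "/CN=example.test" \
        -keyout "$dir/privkey.pem" -out "$dir/cert.pem" >/dev/null 2>&1
    # a self-signed certificate is its own chain
    cp "$dir/cert.pem" "$dir/chain.pem"
    cat "$dir/cert.pem" "$dir/chain.pem" > "$dir/fullchain.pem"
}

tmp=$(mktemp -d)
make_test_lineage "$tmp/good" 90
if verify_lineage "$tmp/good"; then echo "good lineage: OK"; fi
make_test_lineage "$tmp/short" 10
verify_lineage "$tmp/short" || echo "short lineage: needs renewal"
rm -rf "$tmp"
```

To check a real lineage, call verify_lineage /etc/letsencrypt/live/yourdomain.com as root (privkey.pem is not world-readable); any failed check prints its reason and the function returns non-zero, which makes it usable from a cron job or monitoring script.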

nginx configuration

Enabling HTTPS on nginx with a free SSL/TLS certificate from Let's Encrypt

Setting up a Let's Encrypt certificate on nginx to enable HTTPS | tsuchikazu blog
https://tsuchikazu.net/lets-encrypt-nginx/

Publishing a secure website with a Let's Encrypt SSL certificate - さくらのナレッジ
http://knowledge.sakura.ad.jp/knowledge/5573/

Let's Encrypt + Nginx: switching to HTTPS access! - とあるプロダーツプレイヤーの徒然日記
http://yamadagenki.hatenablog.com/entry/2016/01/27/162714

Let's Encrypt + Nginx: switching to HTTPS access! - Qiita
http://qiita.com/yamadagenki/items/111185931ef9a59eb054

/etc/nginx/conf.d/sample_ssl.conf
server {
  listen  4433 ssl;
  server_name  localhost;
  root  /root/nginx/sample/;

  # nginx has no separate chain directive, so ssl_certificate must point at fullchain.pem;
  # cert.pem alone serves the leaf without the intermediate and fails validation in many clients
  ssl_certificate  /etc/letsencrypt/live/data.sample.co.jp/fullchain.pem;
  ssl_certificate_key  /etc/letsencrypt/live/data.sample.co.jp/privkey.pem;

  location / {
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;
    proxy_pass http://unix:/root/nginx/sample/tmp/app.sock; # proxy to Unicorn's UNIX domain socket
  }
}

Apache configuration

Free SSL certificates: enabling SSL on Apache with Let's Encrypt - ex1-lab
https://ex1.m-yabe.com/archives/2086

Notes on obtaining a Let's Encrypt server certificate and configuring automatic renewal | あぱーブログ
https://blog.apar.jp/linux/3619/

$ sudo vim /etc/httpd/conf.d/httpd-ssl-vhosts.conf

<VirtualHost *:443>
  DocumentRoot /var/www/html
  ServerName herofit.club

  SetEnvIf Request_URI "\.(gif|jpg|png|css|js)$" nolog
  ErrorLog /var/www/log/ssl_error.log
  CustomLog /var/www/log/ssl_access.log combined env=!nolog

  SSLEngine on
  SSLHonorCipherOrder on
  Header set Strict-Transport-Security "max-age=31536000; includeSubDomains"
  SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
  SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
  # Notes: the VirtualHost address must be written *:443; a typo such as *.443 is treated as a
  # hostname to resolve and fails with "(EAI 2)Name or service not known" at startup.
  # TLSv1/TLSv1.1 and the MEDIUM cipher group are deprecated; for a new deployment prefer
  # "SSLProtocol -All +TLSv1.2" and a HIGH-only cipher suite.

  SSLCertificateFile /etc/letsencrypt/live/herofit.club/cert.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/herofit.club/privkey.pem
  SSLCertificateChainFile /etc/letsencrypt/live/herofit.club/chain.pem
  # Apache 2.4.8 and later deprecate SSLCertificateChainFile; there you can instead point
  # SSLCertificateFile at fullchain.pem.

  <Directory /var/www/html/>
    Options +FollowSymlinks
    AllowOverride All
  </Directory>
</VirtualHost>


The following error may appear when restarting Apache.

$ systemctl reload httpd
Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details.

$ journalctl -xe
12月 14 14:12:15 web01 httpd[63857]: [Wed Dec 14 14:12:15.527519 2016] [core:error] [pid 63857] (EAI 2)Name or service
12月 14 14:12:15 web01 httpd[63857]: AH00526: Syntax error on line 9 of /etc/httpd/conf.d/httpd-ssl-vhosts.conf:
12月 14 14:12:15 web01 httpd[63857]: Invalid command 'SSLEngine', perhaps misspelled or defined by a module not includ
12月 14 14:12:15 web01 systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
12月 14 14:12:15 web01 kill[63858]: kill: cannot find process ""
12月 14 14:12:15 web01 systemd[1]: httpd.service: control process exited, code=exited status=1
12月 14 14:12:15 web01 systemd[1]: Failed to start The Apache HTTP Server.

The cause is reported to be that mod_ssl is not present, so set it up as follows.

$ sudo yum install mod_ssl
$ vim /etc/httpd/conf.modules.d/00-base.conf

# append the following line
# (on CentOS/RHEL 7 the mod_ssl package already installs
#  /etc/httpd/conf.modules.d/00-ssl.conf containing this line, so a second copy in 00-base.conf
#  only produces the AH01574 "module ssl_module is already loaded" warning seen in the next log)
LoadModule ssl_module modules/mod_ssl.so

Another error; this one appears to be caused by the log output directory not existing, so create the directory.

$ journalctl -xe
-- Unit httpd.service has begun starting up.
12月 14 14:26:55 web01 httpd[64312]: [Wed Dec 14 14:26:55.583165 2016] [so:warn] [pid 64312] AH01574: module ssl_modul
12月 14 14:26:55 web01 httpd[64312]: [Wed Dec 14 14:26:55.594711 2016] [core:error] [pid 64312] (EAI 2)Name or service
12月 14 14:26:55 web01 httpd[64312]: (2)No such file or directory: AH02291: Cannot access directory '/var/www/log/' fo
12月 14 14:26:55 web01 httpd[64312]: AH00014: Configuration check failed
12月 14 14:26:55 web01 systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
12月 14 14:26:55 web01 kill[64313]: kill: cannot find process ""
12月 14 14:26:55 web01 systemd[1]: httpd.service: control process exited, code=exited status=1
12月 14 14:26:55 web01 systemd[1]: Failed to start The Apache HTTP Server.

$ ll /var/www/
合計 0
drwxr-xr-x 2 root root  6 11月 15 03:05 cgi-bin
drwxr-xr-x 4 root root 67 11月 15 03:05 html
$ sudo mkdir /var/www/log
$ ll /var/www/
合計 0
drwxr-xr-x 2 root root  6 11月 15 03:05 cgi-bin
drwxr-xr-x 4 root root 67 11月 15 03:05 html
drwxr-xr-x 2 root root  6 12月 14 14:30 log
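All three failures above (the *.443 address, SSLEngine with no ssl_module loaded, and the missing /var/www/log directory) are visible in the configuration files before httpd is ever reloaded, and so is the cert.pem-instead-of-fullchain.pem mistake on the nginx side. The script below is an added example, not from the original post and not from either project: lint_apache_vhost and lint_nginx_ssl grep for those four conditions, write_samples writes constructed copies of the configs into a temporary directory with the mistakes reproduced, and fix_samples applies the fixes this page arrives at. The "(EAI 2)Name or service not known" line in the journal output above is consistent with httpd trying to resolve the address part of the VirtualHost as a hostname, which is what a port-less *.443 becomes. Function and file names are the example's own; the checks are purely textual and complement, rather than replace, apachectl configtest and nginx -t.

```shell
#!/bin/sh
# Added example (not from the original post): textual pre-flight lint for the mistakes shown
# on this page. Assumes POSIX sh with grep/awk/sed/sort, Apache httpd and nginx config syntax
# as above, and plain file paths (not "|program") in ErrorLog/CustomLog.
# Every sample config below is constructed to reproduce the page's failures.

# lint_apache_vhost VHOST_CONF MODULES_DIR -> findings on stdout, number of findings as status
lint_apache_vhost() {
    conf="$1"; moddir="$2"; n=0

    # 1. <VirtualHost addr> needs a port: "*.443" is neither "*" nor an IP, so httpd tries
    #    to resolve it as a hostname ("(EAI 2)Name or service not known").
    addrs=$(sed -n 's/^[[:space:]]*<VirtualHost[[:space:]]\{1,\}\([^>]*\)>.*/\1/p' "$conf")
    set -f   # do not let the shell glob-expand tokens such as *.443
    for addr in $addrs; do
        case "$addr" in
            *:*) ;;
            *) echo "$conf: <VirtualHost $addr> has no port; use *:443"; n=$((n + 1)) ;;
        esac
    done
    set +f

    # 2. "SSLEngine on" is only a valid directive once mod_ssl is loaded (AH00526 above)
    if grep -Eq '^[[:space:]]*SSLEngine[[:space:]]+on' "$conf" &&
       ! grep -Eqs '^[[:space:]]*LoadModule[[:space:]]+ssl_module' "$moddir"/*.conf; then
        echo "$conf: SSLEngine on but no 'LoadModule ssl_module' under $moddir (yum install mod_ssl)"
        n=$((n + 1))
    fi

    # 3. every ErrorLog/CustomLog directory must exist or the config check fails (AH02291 above)
    for logdir in $(awk '/^[ \t]*(ErrorLog|CustomLog)[ \t]/ {print $2}' "$conf" \
                    | sed 's#/[^/]*$##' | sort -u); do
        if [ ! -d "$logdir" ]; then
            echo "$conf: log directory $logdir does not exist (mkdir it before reloading)"
            n=$((n + 1))
        fi
    done
    return "$n"
}

# lint_nginx_ssl CONF -> flags ssl_certificate entries that are not fullchain.pem
lint_nginx_ssl() {
    conf="$1"; n=0
    for cert in $(awk '/^[ \t]*ssl_certificate[ \t]/ {sub(/;.*/, "", $2); print $2}' "$conf"); do
        case "$cert" in
            */fullchain.pem) ;;
            *) echo "$conf: ssl_certificate $cert: use fullchain.pem (nginx has no chain directive)"
               n=$((n + 1)) ;;
        esac
    done
    return "$n"
}

# write_samples BASE -> constructed configs reproducing the page's errors
write_samples() {
    base="$1"
    mkdir -p "$base/conf.modules.d" "$base/nginx"
    cat > "$base/httpd-ssl-vhosts.conf" <<EOF
<VirtualHost *.443>
  DocumentRoot /var/www/html
  ErrorLog $base/log/ssl_error.log
  CustomLog $base/log/ssl_access.log combined
  SSLEngine on
</VirtualHost>
EOF
    cat > "$base/nginx/sample_ssl.conf" <<EOF
server {
  listen 4433 ssl;
  ssl_certificate /etc/letsencrypt/live/example.test/cert.pem;
  ssl_certificate_key /etc/letsencrypt/live/example.test/privkey.pem;
}
EOF
}

# fix_samples BASE -> apply the page's fixes (address, mod_ssl, log dir) plus fullchain.pem
fix_samples() {
    base="$1"; f="$base/httpd-ssl-vhosts.conf"; g="$base/nginx/sample_ssl.conf"
    sed 's/<VirtualHost \*\.443>/<VirtualHost *:443>/' "$f" > "$f.new" && mv "$f.new" "$f"
    echo 'LoadModule ssl_module modules/mod_ssl.so' > "$base/conf.modules.d/00-ssl.conf"
    mkdir -p "$base/log"
    sed 's#/cert\.pem;#/fullchain.pem;#' "$g" > "$g.new" && mv "$g.new" "$g"
}

# run_lint BASE -> prints the total number of findings (the findings themselves go to stderr)
run_lint() {
    base="$1"; a=0; b=0
    lint_apache_vhost "$base/httpd-ssl-vhosts.conf" "$base/conf.modules.d" >&2 || a=$?
    lint_nginx_ssl "$base/nginx/sample_ssl.conf" >&2 || b=$?
    echo "$((a + b))"
}

tmp=$(mktemp -d)
write_samples "$tmp"
echo "before fixes: $(run_lint "$tmp") finding(s)"   # 4
fix_samples "$tmp"
echo "after fixes:  $(run_lint "$tmp") finding(s)"   # 0
rm -rf "$tmp"
```

Against a real host, call lint_apache_vhost /etc/httpd/conf.d/httpd-ssl-vhosts.conf /etc/httpd/conf.modules.d and lint_nginx_ssl /etc/nginx/conf.d/sample_ssl.conf before systemctl reload httpd or nginx -s reload; a non-zero status means at least one of the conditions from this page is present.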

Automatic renewal setup

crontab
# renew every Sunday at 02:07. certbot renew only replaces certificates that are within 30 days of
# expiry, and --deploy-hook (certbot 0.17 or later; older releases only have --post-hook) runs the
# nginx reload only when a certificate was actually renewed. 2>&1 puts certbot's error output
# into the mailed log as well.
07 02 * * 0 certbot renew --deploy-hook "/usr/sbin/nginx -s reload" 2>&1 | mail -s 'lets encrypt renew log' your@email.com