CentOS7 + H2O + Let's Encrypt

# cat /etc/redhat-release
CentOS Linux release 7.3.1611 (Core)

H2O

tatsushid/h2o-rpm

# cat << 'EOF' >> /etc/yum.repos.d/h2o.repo
[bintray-tatsushid-h2o-rpm]
name=bintray-tatsushid-h2o-rpm
baseurl=https://dl.bintray.com/tatsushid/h2o-rpm/centos/$releasever/$basearch/
gpgcheck=0
repo_gpgcheck=0
enabled=1
EOF

# yum -y install h2o
# systemctl enable h2o

lotatelogs を使いたいので httpd もインストールしとく

# yum -y install httpd

Let's Encrypt とやりとりするする必要があるので、とりあえず http で動かす

/etc/h2o/h2o.conf

user: nobody
server-name: h2o
pid-file: /var/run/h2o/h2o.pid
error-log: "| rotatelogs /var/log/h2o/error.%Y%m%d 86400"
access-log: "| rotatelogs /var/log/h2o/access.%Y%m%d 86400"
hosts:
  "*.oppara.tv:80":
    listen:
      port: 80
    paths:
      "/":
        file.dir: /srv/oppara.tv/htdocs

設定をチェックして起動

# h2o -t -c h2o.conf
# systemctl start h2o

Let's Encrypt

# yum -y install certbot
# certbot certonly --webroot -w /srv/oppara.tv/htdocs -d oppara.tv -d www.oppara.tv --agree-tos
# ls -l /etc/letsencrypt/live

削除する場合は以下

# certbot delete --cert-name oppara.tv

H2O 設定

/etc/h2o/h2o.conf

user: nobody
server-name: h2o
pid-file: /var/run/h2o/h2o.pid
error-log: "| rotatelogs /var/log/h2o/error.%Y%m%d 86400"
access-log: "| rotatelogs /var/log/h2o/access.%Y%m%d 86400"
hosts:
  "*.oppara.tv:443":
    listen:
      port: 443
      ssl:
        certificate-file: /etc/letsencrypt/live/oppara.tv/fullchain.pem
        key-file: /etc/letsencrypt/live/oppara.tv/privkey.pem
        cipher-suite: "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"
        cipher-preference: server
    paths:
      "/":
        file.dir: /srv/oppara.tv/htdocs
  "*.oppara.tv:80":
    listen:
      port: 80
    paths:
      "/":
        redirect: "https://oppara.tv/"

# systemctl restart h2o

自動更新設定

dry-run

# certbot renew --post-hook "systemctl restart h2o" --dry-run

# crontab -l
03 05 01 * * /bin/certbot renew --post-hook "systemctl restart h2o"