# Enabling HTTPS with a Let's Encrypt certificate

Posted at 2018-05-30

I figured it was about time to have a server of my own for study, so I set up a web server.
To serve it over HTTPS I needed a certificate, and as a learning exercise I decided to try Let's Encrypt.
Also, I have no money :grinning::grinning:

So here are my notes from that work.

Let's Encrypt general portal (Japanese):
https://letsencrypt.jp/

## Environment

  • [OS] CentOS 7 64bit
  • [Web server] Apache 2.4

## Install Certbot

Certbot is the ACME client used to obtain certificates from Let's Encrypt, so install it first. (certbot-auto has since been deprecated by the Certbot project and is no longer maintained; on a current system install Certbot from the distribution package or by the method the Certbot site recommends. Note also that this clones the development branch and runs it as root; checking out a release tag is the safer choice.)

  • Log in to the server as root and git clone:
# git clone https://github.com/certbot/certbot /usr/local/certbot

## Have a certificate issued

Run the certbot just installed as follows.

  • On the first run it installs the missing dependencies automatically.
# cd /usr/local/certbot
# ./certbot-auto certonly
Bootstrapping dependencies for RedHat-based OSes... (you can skip this with --no-bootstrap)
yum is /bin/yum
yum is hashed (/bin/yum)
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
・・・
(中略)
・・・
Dependencies Resolved

================================================================================
 Package                 Arch       Version                   Repository   Size
================================================================================
Installing:
・・・
(中略)
・・・
Installing for dependencies:
・・・
(中略)
・・・

Transaction Summary
================================================================================
Install  7 Packages (+13 Dependent packages)

Total download size: 11 M
Installed size: 29 M
Is this ok [y/d/N]: y            # <- type 'y'
Downloading packages:
・・・
(中略)
・・・
--------------------------------------------------------------------------------
Total                                              5.4 MB/s |  11 MB  00:02
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
・・・
(中略)
・・・
Complete!
Creating virtual environment...
Installing Python packages...
Installation succeeded.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
  • Answer the prompts in order. First, choose how the domain is to be validated.
How would you like to authenticate with the ACME CA?
-------------------------------------------------------------------------------
1: Apache Web Server plugin - Beta (apache)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)
-------------------------------------------------------------------------------
Select the appropriate number [1-3] then [enter] (press 'c' to cancel):3  # <- type '3'
Plugins selected: Authenticator webroot, Installer None
  • Next, enter an email address at which the domain owner can be reached (this is where expiry and security notices go).
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): xxxx@hogehoge.com       # <- type my e-mail
  • Agree to the Terms of Service.
-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: A              # <- type 'A'

  • Decide whether to share the email address with the EFF.
-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: Y                    # <- type 'Y'
  • At this point I accidentally pressed Ctrl + C, so I had to start over... :sweat::sweat:
  • Re-ran, specifying /var/www/html as the web server's document root and webroot as the validation method. (The webroot authenticator writes the challenge token under /var/www/html/.well-known/acme-challenge/, which Let's Encrypt fetches over plain HTTP on port 80, so that path must be reachable from the internet for the http-01 challenge to pass.)
# ./certbot-auto certonly --webroot -w /var/www/html
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
  • Enter the domain name.
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel): hogehoge.hoge             # <- type domain name
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for hogehoge.hoge
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/hogehoge.hoge/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/hogehoge.hoge/privkey.pem
   Your cert will expire on 2018-08-28. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
  • The server certificate (with its chain) was created at :bangbang:
    • /etc/letsencrypt/live/hogehoge.hoge/fullchain.pem
  • The server private key was created at :bangbang:
    • /etc/letsencrypt/live/hogehoge.hoge/privkey.pem
  • The files under live/ are symlinks that certbot repoints to the newest files in /etc/letsencrypt/archive/ on each renewal, so Apache should reference the live/ paths. Note the expiry date in the output: Let's Encrypt certificates are valid for 90 days, so "certbot-auto renew" has to be scheduled (cron or a systemd timer) rather than run once.

## Edit the Apache configuration file

  • In Apache's ssl.conf, set the paths to the server certificate, the private key and the intermediate CA certificate.
  • /etc/httpd/conf.d/ssl.conf (on the httpd 2.4.6 that CentOS 7 ships, SSLCertificateChainFile is still needed for the intermediate; from Apache 2.4.8 the directive is deprecated because SSLCertificateFile pointed at fullchain.pem already supplies the chain)
#
# When we also provide SSL we have to listen to the
# the HTTPS port in addition.
#
Listen 443 https

・・・
(中略)
・・・

#   Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate.  If
# the certificate is encrypted, then you will be prompted for a
# pass phrase.  Note that a kill -HUP will prompt again.  A new
# certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/letsencrypt/live/hogehoge.hoge/fullchain.pem

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/letsencrypt/live/hogehoge.hoge/privkey.pem

#   Server Certificate Chain:
#   Point SSLCertificateChainFile at a file containing the
#   concatenation of PEM encoded CA certificates which form the
#   certificate chain for the server certificate. Alternatively
#   the referenced file can be the same as SSLCertificateFile
#   when the CA certificates are directly appended to the server
#   certificate for convenience.
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
SSLCertificateChainFile /etc/letsencrypt/live/hogehoge.hoge/chain.pem
・・・
(後略)
・・・

## Restart Apache

  • Restart Apache:
# service httpd restart
  • If no errors are printed, the restart is complete. Running the configuration test (apachectl configtest) before restarting avoids taking the site down on a typo in ssl.conf; a reload is also enough to pick up new certificate files after a renewal.
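The two results above, the key and certificate certbot wrote under /etc/letsencrypt/live/ and the Apache restart, are worth checking rather than assuming. The script below is an added example written for this page, not code from the article or from the Certbot project. It verifies that privkey.pem really belongs to fullchain.pem, that the key is not readable by other users and how long the certificate is still valid, and it reloads Apache only after the configuration test passes. The domain hogehoge.hoge, the script name check-le.sh and the default Apache commands are assumptions; RENEWED_LINEAGE is the variable certbot exports to a --deploy-hook, which lets the same script run after each renewal.

```shell
#!/bin/bash
# Added example, not part of the original article: sanity checks on the files
# certbot wrote under /etc/letsencrypt/live/<domain>/ and an Apache reload that
# refuses to run when the configuration fails its syntax check. check_and_reload
# can also serve as a certbot --deploy-hook: certbot exports RENEWED_LINEAGE
# (the live/<domain> directory) to deploy hooks. The default domain
# "hogehoge.hoge" and the default Apache commands are assumptions.

# 0 if the certificate is still valid for at least $1 more days.
# openssl's -checkend does the date arithmetic, so no date(1) parsing.
cert_valid_for_days() {
    days=$1
    cert=$2
    openssl x509 -noout -checkend "$((days * 86400))" -in "$cert" >/dev/null 2>&1
}

# 0 if the private key belongs to the certificate, by comparing the
# SubjectPublicKeyInfo taken from each. A mismatch is what httpd reports
# as "key values mismatch" at startup.
key_matches_cert() {
    key=$1
    cert=$2
    cert_pub=$(openssl x509 -noout -pubkey -in "$cert" 2>/dev/null) || return 2
    key_pub=$(openssl pkey -pubout -in "$key" 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# 0 if the key file is readable only by its owner (mode ?00). -L follows
# the live/ symlink to the real file in archive/. GNU/busybox stat syntax.
key_is_private() {
    key=$1
    mode=$(stat -L -c %a "$key" 2>/dev/null) || return 2
    case $mode in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Run the config test; reload only if it passes. A blind "service httpd
# restart" on a broken ssl.conf takes the site down. Both commands are
# parameters so the function can be exercised without Apache installed.
safe_reload() {
    configtest=${1:-"apachectl configtest"}
    reload=${2:-"systemctl reload httpd"}
    if $configtest >/dev/null 2>&1; then
        $reload
    else
        echo "apache config test failed; not reloading" >&2
        return 1
    fi
}

# Check the lineage, then reload Apache. Extra arguments are passed on to
# safe_reload (configtest command, reload command).
check_and_reload() {
    lineage=${RENEWED_LINEAGE:-/etc/letsencrypt/live/hogehoge.hoge}
    key_matches_cert "$lineage/privkey.pem" "$lineage/fullchain.pem" || {
        echo "privkey.pem does not match fullchain.pem in $lineage" >&2
        return 1
    }
    key_is_private "$lineage/privkey.pem" || {
        echo "privkey.pem in $lineage is readable by group/others" >&2
        return 1
    }
    # Informational only: a freshly renewed certificate always passes this.
    cert_valid_for_days 30 "$lineage/fullchain.pem" ||
        echo "warning: certificate in $lineage expires within 30 days" >&2
    safe_reload "$@"
}

# Run the checks by hand with: bash check-le.sh --run
if [ "${1:-}" = "--run" ]; then
    check_and_reload
fi
```

Installed as, say, /usr/local/sbin/check-le.sh, the same file can be registered with `certbot-auto renew --deploy-hook "/usr/local/sbin/check-le.sh --run"` so that every renewal is verified and Apache reloaded only after the configuration test passes; the functions take the Apache commands as parameters only so they can be tested on a machine without httpd.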

## Access over HTTPS!

[Screenshot: Apachetop.jpg]

  • HTTPS connection successful :raised_hands::raised_hands:

## Closing

Getting a certificate turned out to be far easier than I expected!
All hail certbot :woman_tone1::woman_tone1:

Next I plan to install Tomcat, turn this into a Java application server and play around with it :dancer_tone1::dancer_tone1:
