Setting up HTTPS with a Let's Encrypt certificate


I needed a certificate to move the site to HTTPS, and decided to try Let's Encrypt as a learning exercise.



Let's Encrypt General Portal (Japanese)



  • [OS] CentOS 7 64bit
  • [Web server] Apache 2.4


Certbot is the client needed to obtain certificates from Let's Encrypt, so install it first.

  • Log in to the server as root and clone the repository with git.

# git clone https://github.com/certbot/certbot /usr/local/certbot



  • On the first run it automatically installs the missing dependencies.

# cd /usr/local/certbot

# ./certbot-auto certonly
Bootstrapping dependencies for RedHat-based OSes... (you can skip this with --no-bootstrap)
yum is /bin/yum
yum is hashed (/bin/yum)
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
Dependencies Resolved

Package Arch Version Repository Size
Installing for dependencies:

Transaction Summary
Install 7 Packages (+13 Dependent packages)

Total download size: 11 M
Installed size: 29 M
Is this ok [y/d/N]: y # <- type 'y'
Downloading packages:
Total 5.4 MB/s | 11 MB 00:02
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Creating virtual environment...
Installing Python packages...
Installation succeeded.
Saving debug log to /var/log/letsencrypt/letsencrypt.log

  • Answer the prompts in order. First, choose the domain validation method.

How would you like to authenticate with the ACME CA?

1: Apache Web Server plugin - Beta (apache)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)
Select the appropriate number [1-3] then [enter] (press 'c' to cancel):3 # <- type '3'
Plugins selected: Authenticator webroot, Installer None

  • Next, enter a contact e-mail address for the domain owner.

Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): xxxx@hogehoge.com # <- type my e-mail

  • Agree to the Terms of Service.


Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
(A)gree/(C)ancel: A # <- type 'A'

  • Consent (or not) to sharing the e-mail address.


Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
(Y)es/(N)o: Y # <- type 'Y'

  • At this point I accidentally hit Ctrl + C, so I had to start over... :sweat::sweat:

  • Ran it again, specifying the web server's document root /var/www/html and webroot as the validation method.

# ./certbot-auto certonly --webroot -w /var/www/html

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None

  • Enter the domain name.

Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel): hogehoge.hoge # <- type domain name
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for hogehoge.hoge
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges

- Congratulations! Your certificate and chain have been saved at:
Your key file has been saved at:
Your cert will expire on 2018-08-28. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

  • The server certificate was created at :bangbang:

    • /etc/letsencrypt/live/hogehoge.hoge/fullchain.pem

  • The server private key was created at :bangbang:

    • /etc/letsencrypt/live/hogehoge.hoge/privkey.pem


  • Edit Apache's ssl.conf so that the server certificate path, private key path and intermediate CA certificate path point at these files.

  • /etc/httpd/conf.d/ssl.conf


# When we also provide SSL we have to listen to the
# the HTTPS port in addition.
Listen 443 https


# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A new
# certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/letsencrypt/live/hogehoge.hoge/fullchain.pem

# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/letsencrypt/live/hogehoge.hoge/privkey.pem

# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convenience.
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
SSLCertificateChainFile /etc/letsencrypt/live/hogehoge.hoge/chain.pem


  • Restart Apache.

# service httpd restart

  • If no error is printed, the restart is complete.



  • HTTPS works :raised_hands::raised_hands:
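After the restart, a quick sanity check of the three files ssl.conf now points at is worth running: that privkey.pem really belongs to fullchain.pem, that fullchain.pem carries the intermediate, and how close the 90-day expiry is. This is an added example script, not part of the original article or of Certbot; it assumes only the openssl CLI and the article's live directory for hogehoge.hoge.

```shell
#!/bin/sh
# Post-install checks for the Let's Encrypt files referenced in ssl.conf.
# Added example, not part of the original article; needs only openssl.
# The live directory uses the article's placeholder domain.
LIVE_DIR="/etc/letsencrypt/live/hogehoge.hoge"

# Returns 0 if the certificate in $1 expires within $2 days (or already has),
# 1 if it stays valid longer, 2 if the file cannot be read.
# `openssl x509 -checkend` does the date arithmetic, so no `date -d` parsing.
cert_expires_within_days() {
    [ -r "$1" ] || return 2
    if openssl x509 -noout -in "$1" -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1; then
        return 1   # still valid beyond the window
    fi
    return 0
}

# Returns 0 if the private key in $2 belongs to the certificate in $1 (same
# public key). fullchain.pem lists the leaf first, which is what x509 reads.
cert_matches_key() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
    key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Number of PEM certificates in a file; fullchain.pem should hold at least 2
# (leaf + intermediate), so SSLCertificateFile alone serves the whole chain.
cert_count() {
    n=$(grep -c "BEGIN CERTIFICATE" "$1" 2>/dev/null)
    echo "${n:-0}"
}

# Runs every check against a live directory (default: the article's).
# Returns 0 only when all is fine, so it can drive a cron alert.
check_live_dir() {
    dir="${1:-$LIVE_DIR}" status=0
    if cert_matches_key "$dir/fullchain.pem" "$dir/privkey.pem"; then
        echo "OK: privkey.pem matches fullchain.pem"
    else
        echo "FAIL: privkey.pem does not match fullchain.pem"; status=1
    fi
    if [ "$(cert_count "$dir/fullchain.pem")" -lt 2 ]; then
        echo "WARN: fullchain.pem carries no intermediate certificate"; status=1
    fi
    if cert_expires_within_days "$dir/fullchain.pem" 30; then
        echo "WARN: certificate expires within 30 days; run certbot-auto renew"; status=1
    else
        echo "OK: certificate valid for more than 30 days"
    fi
    return $status
}
```

Because fullchain.pem already contains the intermediate, the SSLCertificateChainFile line in the article's ssl.conf is redundant on Apache 2.4.8 and later, where that directive is deprecated.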