Enabling HTTPS with a Let's Encrypt certificate



Enabling HTTPS with a certificate from Let's Encrypt

I figured it was about time I had at least one server of my own to study on, so I set up a web server.

To serve it over HTTPS I needed a certificate, and as a learning exercise I decided to try Let's Encrypt.

Also, I'm broke :grinning::grinning:

So here are my notes from that work.


Let's Encrypt general portal

https://letsencrypt.jp/



Environment


  • [OS] CentOS 7 64-bit

  • [Web server] Apache 2.4


Install Certbot

Certbot is the client needed to obtain certificates from Let's Encrypt, so install it first.


  • Log in to the server as root and git clone the repository.

# git clone https://github.com/certbot/certbot /usr/local/certbot


Have a certificate issued

Use the certbot you just installed to obtain the certificate as follows.


  • On the first run it automatically installs whatever dependencies are missing.

# cd /usr/local/certbot

# ./certbot-auto certonly
Bootstrapping dependencies for RedHat-based OSes... (you can skip this with --no-bootstrap)
yum is /bin/yum
yum is hashed (/bin/yum)
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
...
(omitted)
...
Dependencies Resolved

================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
...
(omitted)
...
Installing for dependencies:
...
(omitted)
...

Transaction Summary
================================================================================
Install 7 Packages (+13 Dependent packages)

Total download size: 11 M
Installed size: 29 M
Is this ok [y/d/N]: y # <- type 'y'
Downloading packages:
...
(omitted)
...
--------------------------------------------------------------------------------
Total 5.4 MB/s | 11 MB 00:02
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
...
(omitted)
...
Complete!
Creating virtual environment...
Installing Python packages...
Installation succeeded.
Saving debug log to /var/log/letsencrypt/letsencrypt.log


  • Answer the prompts in order. First, choose how to authenticate ownership of the domain.

How would you like to authenticate with the ACME CA?

-------------------------------------------------------------------------------
1: Apache Web Server plugin - Beta (apache)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)
-------------------------------------------------------------------------------
Select the appropriate number [1-3] then [enter] (press 'c' to cancel):3 # <- type '3'
Plugins selected: Authenticator webroot, Installer None


  • Next, enter an email address at which the domain owner can be reached.

Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): xxxx@hogehoge.com # <- type my e-mail


  • Agree to the Terms of Service.

-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: A # <- type 'A'


  • Consent to sharing your email address.

-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: Y # <- type 'Y'


  • At this point I accidentally pressed Ctrl + C, so I had to start over... :sweat::sweat:

  • Ran it again, this time passing the web server's document root /var/www/html and specifying webroot as the domain authentication method.

# ./certbot-auto certonly --webroot -w /var/www/html

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None-webroot -w /usr/share/htt


  • Enter the domain name.

Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel): hogehoge.hoge # <- type domain name
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for hogehoge.hoge
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/hogehoge.hoge/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/hogehoge.hoge/privkey.pem
Your cert will expire on 2018-08-28. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le


  • The server certificate was created at :bangbang:


    • /etc/letsencrypt/live/hogehoge.hoge/fullchain.pem



  • The server's private key was created at :bangbang:


    • /etc/letsencrypt/live/hogehoge.hoge/privkey.pem




Edit the Apache configuration file


  • In Apache's ssl.conf, update the paths to the server certificate, the private key, and the intermediate CA certificate.

  • /etc/httpd/conf.d/ssl.conf

#

# When we also provide SSL we have to listen to the
# the HTTPS port in addition.
#
Listen 443 https

...
(omitted)
...

# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A new
# certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/letsencrypt/live/hogehoge.hoge/fullchain.pem

# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/letsencrypt/live/hogehoge.hoge/privkey.pem

# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convinience.
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
SSLCertificateChainFile /etc/letsencrypt/live/hogehoge.hoge/chain.pem
...
(rest omitted)
...


Restart Apache


  • Restart Apache.

# service httpd restart


  • If no errors are printed, the restart is complete.
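A few checks a practitioner would slip in between the ssl.conf edit and the restart above, as an added example that is not from the original post: confirm that privkey.pem really belongs to the fullchain.pem certbot reported, see how many days the certificate has left (the output above puts its expiry at 2018-08-28), and run apachectl configtest before service httpd restart so a wrong path in ssl.conf cannot take the site down. LIVE_DIR and the --run argument are this script's own conventions.

```shell
#!/bin/sh
# Added example, not part of the original post: pre-flight checks for the files
# certbot wrote under /etc/letsencrypt/live/<domain>/ before Apache is restarted.
# LIVE_DIR (defaulting to the post's example domain) and the --run flag are this
# script's own conventions; override LIVE_DIR for your domain.
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/hogehoge.hoge}"

# Return 0 only when the private key belongs to the leaf certificate (the first
# certificate in fullchain.pem). Both commands emit the public key as SPKI PEM,
# so the two strings are identical exactly when the pair matches. A mismatched
# pair is the usual reason httpd refuses to start after editing ssl.conf.
cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Print whole days until the certificate's notAfter. Let's Encrypt issues
# 90-day certificates, so certbot renews once fewer than 30 days remain.
days_until_expiry() {
    end=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
    end_epoch=$(date -d "$end" +%s)   # GNU date, as shipped with CentOS 7
    now_epoch=$(date +%s)
    echo $(( (end_epoch - now_epoch) / 86400 ))
}

main() {
    cert="$LIVE_DIR/fullchain.pem"
    key="$LIVE_DIR/privkey.pem"
    if ! cert_key_match "$cert" "$key"; then
        echo "privkey.pem does not match fullchain.pem; fix the ssl.conf paths before restarting" >&2
        return 1
    fi
    days=$(days_until_expiry "$cert")
    echo "certificate expires in $days days"
    if [ "$days" -lt 30 ]; then
        echo "inside the renewal window: run 'certbot-auto renew' and reload httpd"
    fi
    # Syntax-check the edited config first so a typo cannot take the site down.
    apachectl configtest && service httpd restart
}

# Only act when invoked explicitly, e.g. ./check_le.sh --run
if [ "${1:-}" = "--run" ]; then
    main
fi
```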


Access over HTTPS!

(Screenshot: Apachetop.jpg)


  • HTTPS connection successful :raised_hands::raised_hands:


Closing

Getting a certificate was far easier than I expected!

Thank you, certbot :woman_tone1::woman_tone1:

Next I plan to install Tomcat, turn this into a Java application server, and play around with all sorts of things :dancer_tone1::dancer_tone1: