Generate and Install a Let's Encrypt SSL Certificate for a Bitnami Application
The Redmine instance's underlying OS is Debian 9 (Stretch)
sudo su
update
apt -y update
Step 1: Install The Lego Client
cd /tmp
curl -Ls https://api.github.com/repos/xenolf/lego/releases/latest | grep browser_download_url | grep linux_amd64 | cut -d '"' -f 4 | wget -i -
Check the name of the downloaded file and extract it
tar xf lego_vX.Y.Z_linux_amd64.tar.gz
Move lego into place
sudo mkdir -p /opt/bitnami/letsencrypt
sudo mv lego /opt/bitnami/letsencrypt/lego
Step 2: Generate A Let’s Encrypt Certificate For Your Domain
Stop the services
sudo /opt/bitnami/ctlscript.sh stop
Run lego (replace EMAIL-ADDRESS and ドメイン名 with your e-mail address and domain name)
sudo /opt/bitnami/letsencrypt/lego --tls --email="EMAIL-ADDRESS" --domains="ドメイン名" --domains="www.ドメイン名" --path="/opt/bitnami/letsencrypt" run
Output
!!!! HEADS UP !!!!
Your account credentials have been saved in your Let's Encrypt
configuration directory at "/opt/bantam/letsencrypt/accounts".
You should make a secure backup of this folder now. This
configuration directory will also contain certificates and
private keys obtained from Let's Encrypt so making regular
backups of this folder is ideal.
2020/02/13 12:58:33 [INFO] [sugasaki.net] acme: Obtaining bundled SAN certificate
2020/02/13 12:58:33 [INFO] [ドメイン名] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/2789761459
2020/02/13 12:58:33 [INFO] [ドメイン名] acme: use tls-alpn-01 solver
2020/02/13 12:58:33 [INFO] [ドメイン名] acme: Trying to solve TLS-ALPN-01
2020/02/13 12:58:40 [INFO] [ドメイン名] The server validated our request
2020/02/13 12:58:40 [INFO] [ドメイン名] acme: Validations succeeded; requesting certificates
2020/02/13 12:58:40 [INFO] [ドメイン名] Server responded with a certificate.
Check that the files were created
ls -ll /opt/bitnami/letsencrypt/certificates/
Link the certificate into Apache
backup
sudo mv /opt/bitnami/apache2/conf/server.crt /opt/bitnami/apache2/conf/server.crt.old
sudo mv /opt/bitnami/apache2/conf/server.key /opt/bitnami/apache2/conf/server.key.old
sudo mv /opt/bitnami/apache2/conf/server.csr /opt/bitnami/apache2/conf/server.csr.old
Create the symbolic links
sudo ln -sf /opt/bitnami/letsencrypt/certificates/ドメイン名.key /opt/bitnami/apache2/conf/server.key
sudo ln -sf /opt/bitnami/letsencrypt/certificates/ドメイン名.crt /opt/bitnami/apache2/conf/server.crt
Verify
ls -ll /opt/bitnami/apache2/conf/server*
Change ownership and permissions
sudo chown root:root /opt/bitnami/apache2/conf/server*
sudo chmod 600 /opt/bitnami/apache2/conf/server*
Start the services
sudo /opt/bitnami/ctlscript.sh start
Step 3: Automatic Renewal
vi /opt/bitnami/letsencrypt/scripts/renew-certificate.sh
renew-certificate.sh
#!/bin/bash
sudo /opt/bitnami/ctlscript.sh stop apache
sudo /opt/bitnami/letsencrypt/lego --tls --email="EMAIL-ADDRESS" --domains="ドメイン名" --path="/opt/bitnami/letsencrypt" renew --days 90
sudo /opt/bitnami/ctlscript.sh start apache
- Make the script executable:
sudo chmod +x /opt/bitnami/letsencrypt/scripts/renew-certificate.sh
- Execute the following command to open the crontab editor:
sudo crontab -e
Add the following (runs the script at 4:00 on the 1st of every month)
crontab
0 4 1 * * /opt/bitnami/letsencrypt/scripts/renew-certificate.sh 2> /dev/null
Log output
cron logging is off in the default configuration
vi /etc/rsyslog.conf
Find the cron line and remove the leading #
#/etc/rsyslog.conf
↓
/etc/rsyslog.conf
Check the log with the following
vi /var/log/cron.log
Check the cron status
Confirm that cron is running with the following
/etc/init.d/cron status
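Added example (not part of the original page, and not Bitnami's or lego's own tooling): the crontab entry in Step 3 sends stderr to /dev/null, so a failed renewal is silent. This shell check verifies that the files linked in Step 2 exist, that the private key is owner-only, that certificate and key belong together, and that the certificate has enough days left. It assumes GNU stat and the openssl CLI; the function names and the 30-day threshold are assumptions.

```shell
#!/bin/sh
# Added example: post-install / post-renewal check for the files linked in Step 2.
# Function names and thresholds are assumptions, not part of lego or Bitnami.

# Mode of the file a path finally points at (follows symlinks). Needs GNU stat.
target_mode() { stat -L -c '%a' "$1"; }

# The private key must be accessible by its owner only (600 or 400).
key_is_private() {
    case "$(target_mode "$1")" in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

# Certificate and key belong together if their public keys are identical.
# Works for RSA and EC keys; openssl reads the first certificate of a bundle.
cert_matches_key() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$crt_pub" = "$key_pub" ]
}

# True if the certificate is still valid $2 days from now.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Run all checks on DIR/server.crt and DIR/server.key.
# Prints one line per problem and returns the number of problems.
check_tls_files() {
    dir=$1 min_days=$2 problems=0
    crt=$dir/server.crt key=$dir/server.key
    for f in "$crt" "$key"; do   # a dangling symlink also counts as missing
        [ -r "$f" ] || { echo "MISSING $f"; problems=$((problems + 1)); }
    done
    [ "$problems" -eq 0 ] || return "$problems"
    key_is_private "$key" || { echo "PERMS $key is $(target_mode "$key")"; problems=$((problems + 1)); }
    cert_matches_key "$crt" "$key" || { echo "MISMATCH $crt vs $key"; problems=$((problems + 1)); }
    cert_valid_for "$crt" "$min_days" || { echo "EXPIRING $crt (< $min_days days)"; problems=$((problems + 1)); }
    return "$problems"
}

# Usage as root: ./check-tls.sh /opt/bitnami/apache2/conf 30
if [ "$#" -eq 2 ]; then check_tls_files "$1" "$2"; fi
```

Run it from a separate cron entry whose output is not discarded, so a missed renewal shows up before the certificate expires.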
Manual renewal
If you want to run the renewal by hand each time instead of automatically, use the following
/opt/bitnami/ctlscript.sh stop
/opt/bitnami/letsencrypt/lego --tls --email="EMAIL-ADDRESS" --domains="ドメイン名" --path="/opt/bitnami/letsencrypt" renew
/opt/bitnami/ctlscript.sh start