
<Successful procedure> Installing the new version (1.7.9) of Personium with Ansible

The "might be usable as a platform for an information bank... series" has been carried through to <Trying ExtRole via the API>, and I am basking in the satisfaction, so... I thought I would change direction for a moment. If you follow the older entry <Installing with Ansible> as written, the build will most likely no longer work. So here, partly as a refresher, I will redo the build with the new version.


This procedure is the improved version of the one in another entry, where a server certificate obtained with a wildcard did not match the new URL layout and HTTPS access failed; this version builds cleanly.

Those curious about what mistake cost me a full day may find the following entry amusing...

<Failed procedure> Installing the new version (1.7.9) of Personium with Ansible


Right. Readers of this entry either do not need the preamble or just want the steps, so... I will move straight through the steps.

Points that changed since 1.7.5:

Old layout)
 https:// {{unit FQDN}} / {{Cell name in the unit}} / {{command or Box name}} / …

New layout)
 https:// {{Cell name in the unit}} . {{unit FQDN}} / {{command or Box name}} / …

So... in the previous entry I planned to handle this with a wildcard like {{CELL}}.personium.takky.info, and then, surprise! Because of how Let's Encrypt works I could not obtain a wildcard certificate for "*.personium.takky.info", so I obtained one for "*.takky.info"; but then "*.*.takky.info" was not covered by that certificate.
So I decided to register yet another new domain (takky.work) and use that.
 * takky.info may have other uses, and it would have been tied up by this test alone, so I decided to keep it in reserve.
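The single-label rule behind that failure is easy to check in code. The following is an added example (my own, not from this post or from Personium): an RFC 6125-style matcher that shows `*.takky.info` covers `personium.takky.info` but not `admin.personium.takky.info`, and also that `*.takky.work` on its own does not cover the bare unit FQDN `takky.work` (the certbot command later in this post requests only `*.takky.work`; add a second `-d takky.work` if the unit root itself must be served over HTTPS).

```python
def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Match a certificate name against a host name the way browsers and
    OpenSSL do (RFC 6125 section 6.4.3): '*' may only be the entire
    left-most label, and it stands for exactly one label, never for 'a.b'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the whole left-most label, no other label may
    # contain one, and at least two fixed labels must follow it (no "*.com").
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in lab for lab in p_labels[1:]):
        return False
    # Same label count: "*.takky.info" is 3 labels, so it can never match
    # "admin.personium.takky.info" (4 labels) or the apex "takky.info" (2).
    if len(h_labels) != len(p_labels) or not h_labels[0]:
        return False
    return h_labels[1:] == p_labels[1:]


def coverage_report(san_names, cell_fqdns):
    """For every FQDN a Personium unit must answer on, report whether any
    name in the certificate's SAN list covers it."""
    return {fqdn: any(wildcard_matches(n, fqdn) for n in san_names) for fqdn in cell_fqdns}


def uncovered(san_names, cell_fqdns):
    """FQDNs that would fail TLS host name validation with this certificate."""
    return [fqdn for fqdn, ok in coverage_report(san_names, cell_fqdns).items() if not ok]


if __name__ == "__main__":
    # The situation from the failed attempt: cert for *.takky.info,
    # cells living one level deeper under personium.takky.info.
    print(uncovered(["*.takky.info"], ["personium.takky.info", "admin.personium.takky.info"]))
    # The new layout: cert for *.takky.work, cells directly under takky.work.
    print(uncovered(["*.takky.work"], ["unitadmin.takky.work", "admin.takky.work", "takky.work"]))
```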


Overview

First, let's sort out what needs to be done.

  • Prepare the instance ... create an Azure instance as usual.
  • Host name ... same as the previous environment... I chose takky.work.
  • Per-cell FQDN ... a wildcard A record for *.takky.work in DNS.
  • Server certificate ... obtained from Let's Encrypt as a wildcard certificate.
  • Get Ansible ... proceed with Ver 1.5.1.
  • Run and verify Ansible ... follow the steps of the previous entry.

Setup

Now! Setup!!
Let's run the commands from <Failed procedure> Installing the new version (1.7.9) of Personium with Ansible one after another!

1. Preparing the environment

Setting            Value
Host name          takky.work
Cell name 1        unitadmin.takky.work
Cell name 2        admin.takky.work
TXT                _acme-challenge.takky.work="TEST"
Private IP         10.0.14.4
OS                 CentOS 7.5
Instance size      Azure Standard D2sv3 (2 vCPU, 8 GB memory) <minimum memory: 4 GB>
Open ports         ssh(22), https(443), http(80)  * restrict the source range as needed

This time, besides name resolution for the FQDNs that include the cell, the TXT record for "_acme-challenge.takky.work" matters: the TXT record has to be updated after the Let's Encrypt certificate request has started, so I want the request to begin while that record has a short TTL, and therefore I register it with a dummy value first.
 

_acme-challenge.takky.work
$ dig _acme-challenge.takky.work TXT +noedns

; <<>> DiG 9.10.6 <<>> _acme-challenge.takky.work TXT +noedns
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51498
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;_acme-challenge.takky.work.    IN  TXT

;; ANSWER SECTION:
_acme-challenge.takky.work. 591 IN  TXT "gMTNZ8vbUJhtAa4KQjpXhC4COeQzbnk1-RgUyh3A1LM"

;; Query time: 4 msec
;; SERVER: 172.16.15.254#53(172.16.15.254)
;; WHEN: Mon Apr 22 15:19:33 JST 2019
;; MSG SIZE  rcvd: 100

 

takky.work
$ dig takky.work +noedns
; <<>> DiG 9.10.6 <<>> takky.work +noedns
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38162
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;takky.work.            IN  A

;; ANSWER SECTION:
takky.work.     445 IN  A   13.73.20.18

;; Query time: 2 msec
;; SERVER: 172.16.15.254#53(172.16.15.254)
;; WHEN: Mon Apr 22 15:21:04 JST 2019
;; MSG SIZE  rcvd: 44

 

unitadmin.takky.work
$ dig unitadmin.takky.work +noedns
; <<>> DiG 9.10.6 <<>> unitadmin.takky.work +noedns
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63191
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;unitadmin.takky.work.      IN  A

;; ANSWER SECTION:
unitadmin.takky.work.   600 IN  A   13.73.20.18

;; Query time: 47 msec
;; SERVER: 172.16.15.254#53(172.16.15.254)
;; WHEN: Mon Apr 22 15:21:37 JST 2019
;; MSG SIZE  rcvd: 54

 

admin.takky.work
$ dig admin.takky.work +noedns
; <<>> DiG 9.10.6 <<>> admin.takky.work +noedns
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52206
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;admin.takky.work.      IN  A

;; ANSWER SECTION:
admin.takky.work.   600 IN  A   13.73.20.18

;; Query time: 35 msec
;; SERVER: 172.16.15.254#53(172.16.15.254)
;; WHEN: Mon Apr 22 15:22:05 JST 2019
;; MSG SIZE  rcvd: 50

OK.

2. Deploying Ansible

First, log in to the server.

$ ssh {user}@takky.work
The authenticity of host 'takky.work (13.73.20.18)' can't be established.
ECDSA key fingerprint is SHA256:MusNSZeF7g6gY3XRRZv26TiJbujnT76GdWCZSSSi4wI.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'takky.work,13.73.20.18' (ECDSA) to the list of known hosts.
Password: 
[{user}@personium ~]$

 
Fetch the latest Ansible and unpack the archive

$ wget https://github.com/personium/ansible/archive/master.zip
--2019-04-22 02:56:19--  https://github.com/personium/ansible/archive/master.zip
github.com (github.com) をDNSに問いあわせています... 192.30.255.113, 192.30.255.112
github.com (github.com)|192.30.255.113|:443 に接続しています... 接続しました。
HTTP による接続要求を送信しました、応答を待っています... 302 Found
場所: https://codeload.github.com/personium/ansible/zip/master [続く]
--2019-04-22 02:56:20--  https://codeload.github.com/personium/ansible/zip/master
codeload.github.com (codeload.github.com) をDNSに問いあわせています... 192.30.255.120, 192.30.255.121
codeload.github.com (codeload.github.com)|192.30.255.120|:443 に接続しています... 接続しました。
HTTP による接続要求を送信しました、応答を待っています... 200 OK
長さ: 特定できません [application/zip]
`master.zip' に保存中

    [   <=>                                                                                 ] 555,837     1.02MB/s 時間 0.5s   

2019-04-22 02:56:21 (1.02 MB/s) - `master.zip' へ保存終了 [555837]

$ ls
master.zip

$ unzip master.zip
Archive:  master.zip
8f2978c80345e4ddac773f4ecd31ad3a1fa102fc
   creating: ansible-master/
   creating: ansible-master/1-server_unit/
  inflating: ansible-master/1-server_unit/1-server_unit.jpg  
  inflating: ansible-master/1-server_unit/Ansible_Settings_Instruction.md  
  inflating: ansible-master/1-server_unit/README.md  
  inflating: ansible-master/1-server_unit/ansible.cfg  
   :
  inflating: ansible-master/Create_Server_Certificate_for_Letsencript.md  
  inflating: ansible-master/How_to_generate_Self-signed_Unit_Certificate.md  
  inflating: ansible-master/LICENSE  
  inflating: ansible-master/README.md  

$ ls
ansible-master  master.zip

Place it for Ansible execution (1-server)

$ sudo ln -s /home/pds/ansible-master/1-server_unit/ /root/ansible

$ sudo ls -l /root | grep ^l
lrwxrwxrwx. 1 root root   39  4月 22 02:58 ansible -> /home/pds/ansible-master/1-server_unit/

3. Edit the Ansible configuration file (static_inventory/hosts) to match the environment

$ vim ~/ansible-master/1-server_unit/static_inventory/hosts

############ Private IP Address of Bastion server ############
[tag_ServerType_bastion]
#Fill in the Private IP Address of Bastion server
#{Bastion_Private_IP}
# Replace the line above with the private IP, as below ↓ ↓ ↓
10.0.14.4

############ Private IP Address of Personium server ############
[tag_ServerType_personium]
#Fill in the Private IP Address of Personium server
#{Personium_Private_IP}
# Replace the line above with the private IP, as below ↓ ↓ ↓
10.0.14.4

############ Setting items of bastion server ############
[tag_ServerType_bastion:vars]

# Hostname
#tag_Name={Bastion_Tag_Name}
# Replace the line above as below ↓ ↓ ↓
tag_Name=bastion-web

## User who runs ansible
#ansible_ssh_user={Ansible_Execution_User}
# Replace the line above with the user name, as below ↓ ↓ ↓
ansible_ssh_user=root

## Secret key for executing ansible(Absolute path)
#ansible_ssh_private_key_file={SSH_PrivateKey}
# Replace the line above with the path of the private key, as below ↓ ↓ ↓
ansible_ssh_private_key_file=/root/.ssh/id_rsa

# Master Token of Personium
#master_token={Master_Token}
# Replace the line above with the password, as below ↓ ↓ ↓
# This is the password of an extremely powerful user: choose one that is not easily guessed
# and make sure it never reaches a third party.
master_token= TOKEN

## Web server FQDN
#base_url={Personium_FQDN}
# Replace the line above with the FQDN, as below ↓ ↓ ↓
base_url=takky.work

## URL format to access cell
## true:path based cell url
## false:per cell fqdn url
#path_based_cell_url_enabled={Path_Based_Cell_Url_Enabled}
# Replace the line above with false, as below ↓ ↓ ↓
path_based_cell_url_enabled=false

############ Setting items of Personium server ############
[tag_ServerType_personium:vars]

# Hostname
#tag_Name={Personium_Tag_Name}
# Replace the line above as below ↓ ↓ ↓
tag_Name=test-ap

## User who runs ansible
#ansible_ssh_user={Ansible_Execution_User}
# Replace the line above with the user name, as below ↓ ↓ ↓
ansible_ssh_user=root

## Secret key for executing ansible(Absolute path)
#ansible_ssh_private_key_file={SSH_PrivateKey}
# Replace the line above with the path of the private key, as below ↓ ↓ ↓
ansible_ssh_private_key_file=/root/.ssh/id_rsa

# Master Token of Personium
#master_token={Master_Token}
# Replace the line above with the password (the same one set for bastion), as below ↓ ↓ ↓
# This is the password of an extremely powerful user: choose one that is not easily guessed
# and make sure it never reaches a third party.
master_token= TOKEN

## Web server FQDN
#base_url={Personium_FQDN}
# Replace the line above with the FQDN, as below ↓ ↓ ↓
base_url=takky.work

## URL format to access cell
## true:path based cell url
## false:per cell fqdn url
#path_based_cell_url_enabled={Path_Based_Cell_Url_Enabled}
# Replace the line above with false, as below ↓ ↓ ↓
path_based_cell_url_enabled=false
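As an added example (my own check, not part of the Personium Ansible repository), the following script lints a hosts file of this shape before ansible-playbook is run: it flags {...} template placeholders left on active lines, a weak or placeholder master_token (the inventory above still shows TOKEN), a token that differs between the two :vars sections, a relative private-key path, and path_based_cell_url_enabled not set to false for the per-cell FQDN layout. The two inventories embedded in it are constructed samples, and the 16-character minimum is an assumption.

```python
import configparser
import re

PLACEHOLDER_RE = re.compile(r"\{[A-Za-z_]+\}")          # e.g. {Master_Token}
WEAK_TOKENS = {"", "token", "password", "passw0rd", "changeme", "secret", "master_token"}


def lint_inventory(text: str, expected_base_url: str, min_token_len: int = 16):
    """Return a list of findings for a Personium static_inventory/hosts file.
    An empty list means the file is safe to hand to ansible-playbook."""
    findings = []

    # 1. Template placeholders left on active (non-comment) lines.
    for n, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if s and not s.startswith("#") and PLACEHOLDER_RE.search(s):
            findings.append(f"line {n}: template placeholder still present: {s}")

    # The file is INI-like; host sections contain bare IPs with no '=' value.
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None, delimiters=("=",))
    cp.read_string(text)

    tokens = {}
    for section in cp.sections():
        if not section.endswith(":vars"):
            continue                      # host lists carry no settings
        v = cp[section]
        token = (v.get("master_token") or "").strip()
        tokens[section] = token
        # 2. master_token is the unit-wide super-user credential.
        if token.lower() in WEAK_TOKENS or len(token) < min_token_len:
            findings.append(f"{section}: master_token missing or too weak (need >= {min_token_len} chars)")
        # 3. Ansible is pointed at a key file; it must be an absolute path.
        if not (v.get("ansible_ssh_private_key_file") or "").startswith("/"):
            findings.append(f"{section}: ansible_ssh_private_key_file must be an absolute path")
        # 4. base_url must be the unit FQDN the wildcard certificate sits under.
        if (v.get("base_url") or "") != expected_base_url:
            findings.append(f"{section}: base_url should be {expected_base_url}")
        # 5. 1.7.9 cell URLs are <cell>.<unit FQDN>, i.e. not path based.
        if (v.get("path_based_cell_url_enabled") or "").lower() != "false":
            findings.append(f"{section}: path_based_cell_url_enabled must be false for per-cell FQDN URLs")

    # 6. Both :vars sections must carry the same master token.
    if len(set(tokens.values())) > 1:
        findings.append("master_token differs between the bastion and personium sections")
    return findings


# Constructed sample: the shape of the file above, with the mistakes left in.
BAD_INVENTORY = """
[tag_ServerType_bastion]
10.0.14.4

[tag_ServerType_personium]
10.0.14.4

[tag_ServerType_bastion:vars]
tag_Name=bastion-web
ansible_ssh_user=root
ansible_ssh_private_key_file=/root/.ssh/id_rsa
#master_token={Master_Token}
master_token= TOKEN
base_url=takky.work
path_based_cell_url_enabled=false

[tag_ServerType_personium:vars]
tag_Name=test-ap
ansible_ssh_user=root
ansible_ssh_private_key_file=id_rsa
master_token={Master_Token}
base_url=takky.work
#path_based_cell_url_enabled={Path_Based_Cell_Url_Enabled}
"""

# Constructed sample: the same file after the fixes (token value is made up).
GOOD_INVENTORY = """
[tag_ServerType_bastion]
10.0.14.4

[tag_ServerType_personium]
10.0.14.4

[tag_ServerType_bastion:vars]
tag_Name=bastion-web
ansible_ssh_user=root
ansible_ssh_private_key_file=/root/.ssh/id_rsa
master_token=k7Qd2vP9xL4mR8sT1wB6
base_url=takky.work
path_based_cell_url_enabled=false

[tag_ServerType_personium:vars]
tag_Name=test-ap
ansible_ssh_user=root
ansible_ssh_private_key_file=/root/.ssh/id_rsa
master_token=k7Qd2vP9xL4mR8sT1wB6
base_url=takky.work
path_based_cell_url_enabled=false
"""

if __name__ == "__main__":
    for f in lint_inventory(BAD_INVENTORY, "takky.work"):
        print("BAD :", f)
    print("GOOD:", lint_inventory(GOOD_INVENTORY, "takky.work"))
```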

 

4. Generate the server certificate used as the unit certificate

$ sudo su -

# cd /root/ansible/resource/ap/opt/x509/
# ls
empty

# openssl genrsa -out unit.key 2048 -outform DER
Generating RSA private key, 2048 bit long modulus
................................+++
.....................+++
e is 65537 (0x10001)


# ls
empty  unit.key

# openssl req -new -key unit.key -out unit.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:        takky.work
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

# ls
empty  unit.csr  unit.key

# openssl x509 -req -days 3650 -signkey unit.key -out unit-self-sign.crt < unit.csr
Signature ok
subject=/C=XX/L=Default City/O=Default Company Ltd/CN=takky.work
Getting Private key

# ls
empty  unit.csr  unit.key  unit-self-sign.crt

 

5. Obtain the server certificate for nginx from Let's Encrypt

 

Installing Git
$ sudo su -
[sudo] {user} のパスワード:
最終ログイン: 2019/04/22 (月) 03:12:37 UTC日時 pts/0

# yum install git-all
Loaded plugins: fastestmirror, langpacks
Determining fastest mirrors
base                                                        | 3.6 kB  00:00:00     
extras                                                      | 3.4 kB  00:00:00     
  :
Install  1 Package  (+118 Dependent packages)
Upgrade             (   2 Dependent packages)

Total download size: 73 M
Is this ok [y/d/N]:                 enter y
  :

Dependency Updated:
  freetype.x86_64 0:2.8-12.el7_6.1                                                        glib2.x86_64 0:2.56.1-2.el7                                                       

Complete!

 

Installing the Let's Encrypt certificate

First, fetch certbot from Git.

# cd /usr/local

# git clone https://github.com/certbot/certbot
Cloning into 'certbot'...
remote: Enumerating objects: 20, done.
remote: Counting objects: 100% (20/20), done.
remote: Compressing objects: 100% (20/20), done.
remote: Total 64348 (delta 7), reused 4 (delta 0), pack-reused 64328
Receiving objects: 100% (64348/64348), 21.24 MiB | 9.22 MiB/s, done.
Resolving deltas: 100% (47036/47036), done.

 
Run it with a command like the following.

./certbot-auto certonly --manual \
 --server https://acme-v02.api.letsencrypt.org/directory \
 --preferred-challenges dns \
 -d *.takky.work \
 -m {email address} \
 --agree-tos \
 --manual-public-ip-logging-ok

# cd /usr/local/certbot/

# ./certbot-auto certonly --manual \
--server https://acme-v02.api.letsencrypt.org/directory \
--preferred-challenges dns \
-d *.takky.work \
-m {email address} \
--agree-tos \
--manual-public-ip-logging-ok
Bootstrapping dependencies for RedHat-based OSes... (you can skip this with --no-bootstrap)
yum is /bin/yum
yum is hashed (/bin/yum)
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
epel/x86_64/metalink                                      | 6.5 kB  00:00:00     
 * epel: www.ftp.ne.jp
base                                                      | 3.6 kB  00:00:00     
extras                                                    | 3.4 kB  00:00:00     
openlogic                                                 | 2.9 kB  00:00:00     
updates                                                   | 3.4 kB  00:00:00     
Package ca-certificates-2018.2.22-70.0.el7_5.noarch already installed and latest version
Package 1:mod_ssl-2.4.6-88.el7.centos.x86_64 already installed and latest version
  :
  :
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o:                                                    ← enter y

Starting new HTTPS connection (1): supporters.eff.org
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for takky.info

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.takky.work with the following value:     ←← in _acme-challenge.takky.work

gMTNZ8vbUJhtAa4KQjpXhC4COeQzbnk1-RgUyh3A1LM              ←← set this value

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue             ←←← at this point register the DNS TXT value "gMTNZ … 3A1LM" shown above in DNS
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/takky.work/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/takky.work/privkey.pem
   Your cert will expire on 2019-07-21. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

 
At the "Press Enter to Continue" prompt, register the DNS TXT value "gMTNZ … 3A1LM" in DNS, confirm that the specified TXT record can be resolved as shown below, and only then press Enter.

$ dig _acme-challenge.takky.work TXT +noedns

; <<>> DiG 9.10.6 <<>> _acme-challenge.takky.work TXT +noedns
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51498
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;_acme-challenge.takky.work.    IN  TXT

;; ANSWER SECTION:
_acme-challenge.takky.work. 591 IN  TXT "gMTNZ8vbUJhtAa4KQjpXhC4COeQzbnk1-RgUyh3A1LM"

;; Query time: 4 msec
;; SERVER: 172.16.15.254#53(172.16.15.254)
;; WHEN: Mon Apr 22 15:19:33 JST 2019
;; MSG SIZE  rcvd: 100
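As an added example (not from this post), here is a small script that performs that check mechanically: it parses dig's ANSWER SECTION, confirms the expected challenge value is present, and also flags a TTL longer than an assumed 300 s, since a long TTL is exactly what lets the earlier dummy value linger in resolver caches. The embedded dig output is a constructed sample modelled on the one above; wait_for_challenge shells out to dig and needs network access.

```python
import re
import subprocess
import time

# Constructed sample modelled on the dig output shown in this post.
SAMPLE_DIG_OUTPUT = """
; <<>> DiG 9.10.6 <<>> _acme-challenge.takky.work TXT +noedns
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51498
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;_acme-challenge.takky.work.    IN  TXT

;; ANSWER SECTION:
_acme-challenge.takky.work. 591 IN  TXT "gMTNZ8vbUJhtAa4KQjpXhC4COeQzbnk1-RgUyh3A1LM"

;; Query time: 4 msec
"""

ANSWER_RE = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+TXT\s+(?P<data>.+)$")


def parse_txt_answers(dig_output):
    """Return [(owner, ttl, value)] for every TXT record in the ANSWER SECTION.
    dig prints long TXT data as several quoted chunks; they are joined here."""
    records, in_answer = [], False
    for raw in dig_output.splitlines():
        line = raw.strip()
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if not in_answer:
            continue
        if not line or line.startswith(";"):
            break                                   # end of the answer section
        m = ANSWER_RE.match(line)
        if m:
            chunks = re.findall(r'"((?:[^"\\]|\\.)*)"', m.group("data"))
            records.append((m.group("name").rstrip(".").lower(), int(m.group("ttl")), "".join(chunks)))
    return records


def check_acme_txt(dig_output, name, expected, max_ttl=300):
    """Decide whether it is safe to press Enter in certbot: the expected
    challenge value must be visible under `name`, and the TTL should be short
    enough (max_ttl is an assumed threshold) that a stale or dummy value does
    not sit in resolver caches while Let's Encrypt validates."""
    want = name.rstrip(".").lower()
    recs = [r for r in parse_txt_answers(dig_output) if r[0] == want]
    values = [v for _, _, v in recs]
    return {
        "found": expected in values,
        "values": values,
        "ttl_ok": bool(recs) and max(ttl for _, ttl, _ in recs) <= max_ttl,
    }


def wait_for_challenge(name, expected, timeout=600, interval=15, max_ttl=300):
    """Poll dig (must be installed, needs network) until the challenge is visible."""
    deadline = time.time() + timeout
    while True:
        out = subprocess.run(["dig", name, "TXT", "+noedns"], capture_output=True, text=True).stdout
        status = check_acme_txt(out, name, expected, max_ttl)
        if status["found"] or time.time() >= deadline:
            return status
        time.sleep(interval)


if __name__ == "__main__":
    import sys
    # usage: python this.py _acme-challenge.takky.work <value printed by certbot>
    print(wait_for_challenge(sys.argv[1], sys.argv[2]))
```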

 
(The domain is takky.work...) There they are. There they are...

# ls -alh /etc/letsencrypt/live/takky.work/
total 4.0K
drwxr-xr-x. 2 root root  93 Apr 22 04:28 .
drwx------. 3 root root  38 Apr 22 04:28 ..
lrwxrwxrwx. 1 root root  34 Apr 22 04:28 cert.pem -> ../../archive/takky.work/cert1.pem
lrwxrwxrwx. 1 root root  35 Apr 22 04:28 chain.pem -> ../../archive/takky.work/chain1.pem
lrwxrwxrwx. 1 root root  39 Apr 22 04:28 fullchain.pem -> ../../archive/takky.work/fullchain1.pem
lrwxrwxrwx. 1 root root  37 Apr 22 04:28 privkey.pem -> ../../archive/takky.work/privkey1.pem
-rw-r--r--. 1 root root 692 Apr 22 04:28 README

 
Next, place the obtained Let's Encrypt certificate where the Ansible run expects it.

# cd /root/ansible/resource/web/opt/nginx/conf

# ls
backend.conf.j2  host-acl.conf  nginx.conf  personium_version.d  server_name.conf

# ln -s /etc/letsencrypt/live/takky.work/fullchain.pem server.crt
# ln -s /etc/letsencrypt/live/takky.work/privkey.pem server.key

# ls -l | grep ^l
lrwxrwxrwx. 1 root root   46 Apr 22 07:07 server.crt -> /etc/letsencrypt/live/takky.work/fullchain.pem
lrwxrwxrwx. 1 root root   44 Apr 22 07:07 server.key -> /etc/letsencrypt/live/takky.work/privkey.pem

 

6. Generate the public key

# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):  <Enter>
Created directory '/root/.ssh'. 
Enter passphrase (empty for no passphrase):               <enter a passphrase of your choice>
Enter same passphrase again:                              <re-enter the passphrase>
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:jdz79bA5gBY/Lp11lXHkuW1nus5Rv9aqwSVrb8pB+2o root@personium
The key's randomart image is:
+---[RSA 2048]----+
|               ..|
|               oo|
|               .=|
|       . +.    .+|
|        S o+o ..B|
|          o++=.=+|
|         ..oB==.o|
|          .+EBoOo|
|           o**@+.|
+----[SHA256]-----+

# cp /root/.ssh/id_rsa.pub /root/.ssh/authorized_keys

# chmod 600 /root/.ssh/authorized_keys

# ls -alh /root/.ssh/
total 12K
drwx------. 2 root root   61 Apr 22 06:26 .
dr-xr-x---. 6 root root  238 Apr 22 06:26 ..
-rw-------. 1 root root  396 Apr 22 06:26 authorized_keys
-rw-------. 1 root root 1.8K Apr 22 06:26 id_rsa
-rw-r--r--. 1 root root  396 Apr 22 06:26 id_rsa.pub

 

7. Running Ansible

 
First, add the EPEL (7-11) repository.
(Azure's default image has changed from 7.5 to 7.7...) On CentOS 7.7 this "repository addition" appears to be unnecessary.

$ sudo su -

# yum localinstall http://dl.fedoraproject.org/pub/epel/7/x86_64/Packages/e/epel-release-7-11.noarch.rpm
Loaded plugins: fastestmirror, langpacks
epel-release-7-11.noarch.rpm                                                                             |  15 kB  00:00:00     
Examining /var/tmp/yum-root-ZK6YtV/epel-release-7-11.noarch.rpm: epel-release-7-11.noarch
Marking /var/tmp/yum-root-ZK6YtV/epel-release-7-11.noarch.rpm to be installed
Resolving Dependencies
--> Running transaction check
---> Package epel-release.noarch 0:7-11 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================================================================
 Package                       Arch                    Version                 Repository                                  Size
================================================================================================================================
Installing:
 epel-release                  noarch                  7-11                    /epel-release-7-11.noarch                   24 k

Transaction Summary
================================================================================================================================
Install  1 Package

Total size: 24 k
Installed size: 24 k
Is this ok [y/d/N]:                       ←← y
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : epel-release-7-11.noarch                                    1/1 
  Verifying  : epel-release-7-11.noarch                                    1/1 

Installed:
  epel-release.noarch 0:7-11                                                                                                    

Complete!

Next, install ansible

# yum install ansible
Loading mirror speeds from cached hostfile
epel/x86_64/metalink                                     | 4.7 kB  00:00:00     
 * epel: ftp.jaist.ac.jp
epel                                                     | 4.7 kB  00:00:00     
(1/3): epel/x86_64/group_gz                              |  88 kB  00:00:00     
(2/3): epel/x86_64/updateinfo                            | 988 kB  00:00:00     
(3/3): epel/x86_64/primary_db                            | 6.7 MB  00:00:00     
Resolving Dependencies
--> Running transaction check
---> Package ansible.noarch 0:2.7.10-1.el7 will be installed
  :
  :
Transaction Summary
================================================================================================================================
Install  1 Package (+17 Dependent packages)

Total download size: 16 M
Installed size: 79 M
Is this ok [y/d/N]:                                       ←← enter y
Downloading packages:
(1/18): libtomcrypt-1.17-26.el7.x86_64.rpm                                                               | 224 kB  00:00:00     
(2/18): libtommath-0.42.0-6.el7.x86_64.rpm                                                               |  36 kB  00:00:00
  :
  :
Importing GPG key 0x352C64E5:
 Userid     : "Fedora EPEL (7) <epel@fedoraproject.org>"
 Fingerprint: 91e9 7d7c 4a5e 96f1 7f3e 888f 6a2f aea2 352c 64e5
 Package    : epel-release-7-11.noarch (installed)
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
Is this ok [y/N]:                                         ←← enter y
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : python-enum34-1.0.4-1.el7.noarch                                                                            1/18 
  Installing : python-httplib2-0.9.2-1.el7.noarch                                                                          2/18 
  Installing : sshpass-1.06-2.el7.x86_64                                                                                   3/18
  :
  :
Dependency Installed:
  libtomcrypt.x86_64 0:1.17-26.el7          libtommath.x86_64 0:0.42.0-6.el7        python-babel.noarch 0:0.9.6-8.el7           
  python-cffi.x86_64 0:1.6.0-5.el7          python-enum34.noarch 0:1.0.4-1.el7      python-httplib2.noarch 0:0.9.2-1.el7        
  python-idna.noarch 0:2.4-1.el7            python-jinja2.noarch 0:2.7.2-2.el7      python-keyczar.noarch 0:0.71c-2.el7         
  python-markupsafe.x86_64 0:0.11-10.el7    python-paramiko.noarch 0:2.1.1-9.el7    python-ply.noarch 0:3.4-11.el7              
  python-pycparser.noarch 0:2.14-1.el7      python2-crypto.x86_64 0:2.6.1-16.el7    python2-cryptography.x86_64 0:1.7.2-2.el7   
  python2-jmespath.noarch 0:0.9.0-3.el7     sshpass.x86_64 0:1.06-2.el7            

Complete!

 
Download Oracle JDK (1.8.0_131)

$ sudo su -

# wget -q -O /usr/src/jdk1.8.0_131.tar.gz --no-cookies --no-check-certificate --header "Cookie: oraclelicense=accept-securebackup-cookie" http://download.oracle.com/otn-pub/java/jdk/8u131-b11/d54c1d3a095b4ff2b6607d096fa80163/jdk-8u131-linux-x64.tar.gz

 
Run Ansible

# cd /root/ansible/

# date; ansible-playbook init_personium.yml ; date
[DEPRECATION WARNING]: Instead of sudo/sudo_user, use become/become_user and make sure become_method is 'sudo' (default). This 
feature will be removed in version 2.9. Deprecation warnings can be disabled by setting deprecation_warnings=False in 
ansible.cfg.

PLAY [tag_ServerType_bastion] **************************************************************************************************

TASK [Change base_url] *********************************************************************************************************
skipping: [10.0.14.4]

TASK [install unzip] ***********************************************************************************************************
ok: [10.0.14.4]

TASK [install wget] ************************************************************************************************************
ok: [10.0.14.4]
  :
  :
PLAY [tag_ServerType_personium] ************************************

TASK [Deploy /etc/cron.d/log-delete-cron] **************************
Enter passphrase for key '/root/.ssh/id_rsa':        <enter the passphrase chosen when generating the key>
changed: [10.0.14.4]

TASK [install unzip] ***********************************************************************************************************
ok: [10.0.14.4]

TASK [install wget] ************************************************************************************************************
ok: [10.0.14.4]
  :
  :
TASK [Delete /tmp/personium-init-svcmgr.sh] ************************************************************************************
changed: [10.0.14.4]

TASK [Delete personium-init-svcmgr.log] ****************************************************************************************
changed: [10.0.14.4]

PLAY RECAP *********************************************************************************************************************
10.0.14.4                  : ok=271  changed=48   unreachable=0    failed=0   

Mon Apr 22 07:14:21 UTC 2019

OK!!

Now let's verify it the correct way.

# curl -L -i https://unitadmin.takky.work/
HTTP/1.1 412 
Date: Mon, 22 Apr 2019 07:17:02 GMT
Content-Type: application/json
Content-Length: 98
Connection: keep-alive
X-Personium-Version: 1.7.10
Server: Personium

{
  "code":"PR412-UI-0001","message":{
    "lang":"en",
    "value":"Property [relayhtmlurl] not configured."
  }
}

Naturally OK!!

8. Installing personium-plugins

Installing maven

$ sudo su -

# mkdir ~/maven
# cd ~/maven

# wget http://ftp.jaist.ac.jp/pub/apache/maven/maven-3/3.6.0/binaries/apache-maven-3.6.0-bin.tar.gz
--2019-04-22 07:18:25--  http://ftp.jaist.ac.jp/pub/apache/maven/maven-3/3.6.0/binaries/apache-maven-3.6.0-bin.tar.gz
Resolving ftp.jaist.ac.jp (ftp.jaist.ac.jp)... 150.65.7.130, 2001:df0:2ed:feed::feed
Connecting to ftp.jaist.ac.jp (ftp.jaist.ac.jp)|150.65.7.130|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 9063587 (8.6M) [application/x-gzip]
Saving to: ‘apache-maven-3.6.0-bin.tar.gz’

100%[======================================================================================>] 9,063,587   10.6MB/s   in 0.8s   

2019-04-22 07:18:26 (10.6 MB/s) - ‘apache-maven-3.6.0-bin.tar.gz’ saved [9063587/9063587]

# tar xzvf apache-maven-3.6.0-bin.tar.gz
# ls
apache-maven-3.6.0  apache-maven-3.6.0-bin.tar.gz

# ln -s ~/maven/apache-maven-3.6.0/bin/mvn /opt/jdk/bin/
# ls -l /opt/jdk/bin | grep ^l
lrwxrwxrwx. 1 root root     38 Apr 22 07:19 mvn -> /root/maven/apache-maven-3.6.0/bin/mvn

# exit

$ sudo su -
[sudo] pds のパスワード:

# cd ~/maven
# mvn -v
Apache Maven 3.6.0 (97c98ec64a1fdfee7767ce5ffb20918da4f719f3; 2018-10-24T18:41:47Z)
Maven home: /root/maven/apache-maven-3.6.0
Java version: 1.8.0_192, vendor: Oracle Corporation, runtime: /opt/jdk8u192-b12/jre
Default locale: en_US, platform encoding: UTF-8
OS name: "linux", version: "3.10.0-862.11.6.el7.x86_64", arch: "amd64", family: "unix"

 

9. Installing the personium-plugins (4 of them)

 
personium-ex-httpclient

# mkdir /personium/personium-ex-xxxxx
# cd /personium/personium-ex-xxxxx

# wget https://github.com/personium/personium-ex-httpclient/archive/master.zip
--2019-04-22 07:21:45--  https://github.com/personium/personium-ex-httpclient/archive/master.zip
Resolving github.com (github.com)... 192.30.255.112, 192.30.255.113
Connecting to github.com (github.com)|192.30.255.112|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://codeload.github.com/personium/personium-ex-httpclient/zip/master [following]
--2019-04-22 07:21:45--  https://codeload.github.com/personium/personium-ex-httpclient/zip/master
Resolving codeload.github.com (codeload.github.com)... 192.30.255.120, 192.30.255.121
Connecting to codeload.github.com (codeload.github.com)|192.30.255.120|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [application/zip]
Saving to: ‘master.zip’

    [ <=>                                     ] 23,059      --.-K/s   in 0.1s    

2019-04-22 07:21:46 (214 KB/s) - ‘master.zip’ saved [23059]

# unzip master.zip
  :
   creating: personium-ex-httpclient-master/src/test/java/io/personium/engine/extension/
   creating: personium-ex-httpclient-master/src/test/java/io/personium/engine/extension/httpclient/
  inflating: personium-ex-httpclient-master/src/test/java/io/personium/engine/extension/httpclient/Ext_HttpClientTest.java 

# cd personium-ex-httpclient-master/
# mvn clean package -DskipTests
  :
[INFO] Replacing /personium/personium-ex-xxxxx/personium-ex-httpclient-master/target/personium-ex-httpclient.jar with /personium/personium-ex-xxxxx/personium-ex-httpclient-master/target/personium-ex-httpclient-1.1.3-shaded.jar
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  15.193 s
[INFO] Finished at: 2019-04-22T07:23:00Z
[INFO] ------------------------------------------------------------------------

# ln -s /personium/personium-ex-xxxxx/personium-ex-httpclient-master/target/personium-ex-httpclient.jar  /personium/personium-engine/extensions

# ls -l /personium/personium-engine/extensions | grep ^l
lrwxrwxrwx. 1 root root 95 Apr 22 07:23 personium-ex-httpclient.jar -> /personium/personium-ex-xxxxx/personium-ex-httpclient-master/target/personium-ex-httpclient.jar

# mv ../master.zip ../personium-ex-httpclient.zip

 
personium-ex-mailsender

# cd /personium/personium-ex-xxxxx

# wget https://github.com/personium/personium-ex-mailsender/archive/master.zip
--2019-04-22 07:24:02--  https://github.com/personium/personium-ex-mailsender/archive/master.zip
Resolving github.com (github.com)... 192.30.255.112, 192.30.255.113
Connecting to github.com (github.com)|192.30.255.112|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://codeload.github.com/personium/personium-ex-mailsender/zip/master [following]
--2019-04-22 07:24:02--  https://codeload.github.com/personium/personium-ex-mailsender/zip/master
Resolving codeload.github.com (codeload.github.com)... 192.30.255.121, 192.30.255.120
Connecting to codeload.github.com (codeload.github.com)|192.30.255.121|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [application/zip]
Saving to: ‘master.zip’

    [ <=>                                     ] 23,715      --.-K/s   in 0.1s    

2019-04-22 07:24:03 (192 KB/s) - ‘master.zip’ saved [23715]

# unzip master.zip
   :
   creating: personium-ex-mailsender-master/src/test/java/io/personium/engine/
   creating: personium-ex-mailsender-master/src/test/java/io/personium/engine/extension/
   creating: personium-ex-mailsender-master/src/test/java/io/personium/engine/extension/mailsender/
  inflating: personium-ex-mailsender-master/src/test/java/io/personium/engine/extension/mailsender/Ext_MailSenderTest.java  

# cd personium-ex-mailsender-master/
# mvn clean package -DskipTests
  :
[INFO] Replacing /personium/personium-ex-xxxxx/personium-ex-mailsender-master/target/personium-ex-mailsender.jar with /personium/personium-ex-xxxxx/personium-ex-mailsender-master/target/personium-ex-mailsender-1.5.2-shaded.jar
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  5.657 s
[INFO] Finished at: 2019-04-22T07:25:02Z
[INFO] ------------------------------------------------------------------------

# ln -s /personium/personium-ex-xxxxx/personium-ex-mailsender-master/target/personium-ex-mailsender.jar  /personium/personium-engine/extensions

# ls -l /personium/personium-engine/extensions | grep ^l
lrwxrwxrwx. 1 root root 95 Apr 22 07:23 personium-ex-httpclient.jar -> /personium/personium-ex-xxxxx/personium-ex-httpclient-master/target/personium-ex-httpclient.jar
lrwxrwxrwx. 1 root root 95 Apr 22 07:25 personium-ex-mailsender.jar -> /personium/personium-ex-xxxxx/personium-ex-mailsender-master/target/personium-ex-mailsender.jar

# mv ../master.zip ../personium-ex-mailsender.zip

 
personium-ex-slack-messenger

# cd /personium/personium-ex-xxxxx

# wget https://github.com/personium/personium-ex-slack-messenger/archive/master.zip 
--2019-04-22 07:26:04--  https://github.com/personium/personium-ex-slack-messenger/archive/master.zip
Resolving github.com (github.com)... 192.30.255.113, 192.30.255.112
Connecting to github.com (github.com)|192.30.255.113|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://codeload.github.com/personium/personium-ex-slack-messenger/zip/master [following]
--2019-04-22 07:26:05--  https://codeload.github.com/personium/personium-ex-slack-messenger/zip/master
Resolving codeload.github.com (codeload.github.com)... 192.30.255.120, 192.30.255.121
Connecting to codeload.github.com (codeload.github.com)|192.30.255.120|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [application/zip]
Saving to: ‘master.zip’

    [ <=>                                     ] 18,144      --.-K/s   in 0.1s    

2019-04-22 07:26:05 (166 KB/s) - ‘master.zip’ saved [18144]

# unzip master.zip
   :
   creating: personium-ex-slack-messenger-master/src/test/java/io/personium/engine/
   creating: personium-ex-slack-messenger-master/src/test/java/io/personium/engine/extension/
   creating: personium-ex-slack-messenger-master/src/test/java/io/personium/engine/extension/slack/
  inflating: personium-ex-slack-messenger-master/src/test/java/io/personium/engine/extension/slack/Ext_SlackTest.java  

# cd personium-ex-slack-messenger-master/
# mvn clean package -DskipTests
   :
[INFO] Replacing /personium/personium-ex-xxxxx/personium-ex-slack-messenger-master/target/personium-ex-slack.jar with /personium/personium-ex-xxxxx/personium-ex-slack-messenger-master/target/personium-ex-slack-1.0.1-shaded.jar
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  25.024 s
[INFO] Finished at: 2019-04-22T07:27:27Z
[INFO] ------------------------------------------------------------------------

# ln -s /personium/personium-ex-xxxxx/personium-ex-slack-messenger-master/target/personium-ex-slack.jar  /personium/personium-engine/extensions

# ls -l /personium/personium-engine/extensions | grep ^l
lrwxrwxrwx. 1 root root 95 Apr 22 07:23 personium-ex-httpclient.jar -> /personium/personium-ex-xxxxx/personium-ex-httpclient-master/target/personium-ex-httpclient.jar
lrwxrwxrwx. 1 root root 95 Apr 22 07:25 personium-ex-mailsender.jar -> /personium/personium-ex-xxxxx/personium-ex-mailsender-master/target/personium-ex-mailsender.jar
lrwxrwxrwx. 1 root root 95 Apr 22 07:27 personium-ex-slack.jar -> /personium/personium-ex-xxxxx/personium-ex-slack-messenger-master/target/personium-ex-slack.jar

# mv ../master.zip ../personium-ex-slack-messenger.zip

 
personium-ex-ew-services

# cd /personium/personium-ex-xxxxx

# wget https://github.com/personium/personium-ex-ew-services/archive/master.zip 
--2019-04-22 07:28:26--  https://github.com/personium/personium-ex-ew-services/archive/master.zip
Resolving github.com (github.com)... 192.30.255.113, 192.30.255.112
Connecting to github.com (github.com)|192.30.255.113|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://codeload.github.com/personium/personium-ex-ew-services/zip/master [following]
--2019-04-22 07:28:26--  https://codeload.github.com/personium/personium-ex-ew-services/zip/master
Resolving codeload.github.com (codeload.github.com)... 192.30.255.120, 192.30.255.121
Connecting to codeload.github.com (codeload.github.com)|192.30.255.120|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [application/zip]
Saving to: ‘master.zip’

    [ <=>                                     ] 14,024      --.-K/s   in 0.1s    

2019-04-22 07:28:27 (132 KB/s) - ‘master.zip’ saved [14024]

# unzip master.zip
   :
   creating: personium-ex-ew-services-master/src/main/java/io/personium/engine/
   creating: personium-ex-ew-services-master/src/main/java/io/personium/engine/extension/
   creating: personium-ex-ew-services-master/src/main/java/io/personium/engine/extension/ews/
  inflating: personium-ex-ew-services-master/src/main/java/io/personium/engine/extension/ews/Ext_Ews.java  

# cd personium-ex-ew-services-master/
# mvn clean package -DskipTests
   :
[INFO] Replacing /personium/personium-ex-xxxxx/personium-ex-ew-services-master/target/personium-ex-ew-services.jar with /personium/personium-ex-xxxxx/personium-ex-ew-services-master/target/personium-ex-ew-services-1.0.1-shaded.jar
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  10.999 s
[INFO] Finished at: 2019-04-22T07:29:25Z
[INFO] ------------------------------------------------------------------------

# ln -s /personium/personium-ex-xxxxx/personium-ex-ew-services-master/target/personium-ex-ew-services.jar  /personium/personium-engine/extensions

# ls -l /personium/personium-engine/extensions | grep ^l
lrwxrwxrwx. 1 root root 97 Apr 22 07:29 personium-ex-ew-services.jar -> /personium/personium-ex-xxxxx/personium-ex-ew-services-master/target/personium-ex-ew-services.jar
lrwxrwxrwx. 1 root root 95 Apr 22 07:23 personium-ex-httpclient.jar -> /personium/personium-ex-xxxxx/personium-ex-httpclient-master/target/personium-ex-httpclient.jar
lrwxrwxrwx. 1 root root 95 Apr 22 07:25 personium-ex-mailsender.jar -> /personium/personium-ex-xxxxx/personium-ex-mailsender-master/target/personium-ex-mailsender.jar
lrwxrwxrwx. 1 root root 95 Apr 22 07:27 personium-ex-slack.jar -> /personium/personium-ex-xxxxx/personium-ex-slack-messenger-master/target/personium-ex-slack.jar


# mv ../master.zip ../personium-ex-ew-services.zip

 
Restarting Tomcat

# systemctl restart tomcat
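Before restarting Tomcat it is worth confirming that every jar symlink in the extensions directory actually resolves: the engine loads these jars at start-up, and a link whose build directory has since been removed or renamed only shows up as a failure at that point. The script below is an added example, not code from the article or from the Personium project. It wraps the `ln -s` and `ls -l | grep ^l` steps above into two functions, `link_extension` and `check_extension_links` (both names are my own), defaults to the article's `/personium/personium-engine/extensions` path, and takes `EXT_DIR` from the environment so it can be tried on a scratch directory first.

```shell
#!/bin/sh
# Added example (not from the article or the Personium project): link built
# extension jars into the Personium engine's extensions directory and verify
# that every symlink there resolves before Tomcat is restarted.
# EXT_DIR defaults to the path used in the article; override it to test on a
# scratch directory. The function names link_extension / check_extension_links
# are my own.

EXT_DIR="${EXT_DIR:-/personium/personium-engine/extensions}"

# link_extension <path-to-built-jar>
# Creates (or replaces) the symlink $EXT_DIR/<jar name> pointing at the jar.
# Refuses to link a path that does not exist, so a failed "mvn package" is
# caught here instead of at engine start-up. Relative paths are made absolute
# so the link does not depend on the directory it was created from.
link_extension() {
    jar="$1"
    case "$jar" in
        /*) ;;
        *) jar="$(pwd)/$jar" ;;
    esac
    if [ ! -f "$jar" ]; then
        echo "link_extension: no such jar: $jar" >&2
        return 1
    fi
    ln -sf "$jar" "$EXT_DIR/$(basename "$jar")"
}

# check_extension_links
# Lists every symlink in $EXT_DIR with its target (the automated form of
# "ls -l | grep ^l" in the article) and returns 1 if any of them is dangling.
check_extension_links() {
    status=0
    for link in "$EXT_DIR"/*.jar; do
        [ -L "$link" ] || continue          # skips regular files and a no-match glob
        if [ -e "$link" ]; then
            echo "ok       $(basename "$link") -> $(readlink "$link")"
        else
            echo "DANGLING $(basename "$link") -> $(readlink "$link")" >&2
            status=1
        fi
    done
    return $status
}

# When run as a script: link each jar given on the command line, then check.
# Example (paths as used in the article, script file name assumed):
#   EXT_DIR=/personium/personium-engine/extensions sh link-extensions.sh \
#       /personium/personium-ex-xxxxx/personium-ex-mailsender-master/target/personium-ex-mailsender.jar
main() {
    for jar in "$@"; do
        link_extension "$jar" || return 1
    done
    check_extension_links
}

if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run `systemctl restart tomcat` only when the script exits 0; a non-zero status means either a jar that was never built or a link pointing at a path that no longer exists, and either would leave the engine without that extension after the restart.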

 
There... it's done.
This should be fine now!

Let's actually access https://unitadmin.takky.work/ and check.

This time it can be accessed properly.


10. Accessing the unit from the Unit Manager

Retrieving the unit admin password

$ sudo grep unitudmin /root/ansible/unitadmin_account
unitudmin_password=******************

 
Accessing the Unit Manager
 URL: https://app-uc-unit-manager.demo.personium.io/__/html/login.html

And now... the moment has come: Sign In!

Whoa!! Done.
 


In closing

All in all, this took about 2 days...
After all, unless you know the work at the level of detail in this entry ("what to do, how, and what to check..."), it really does take this much time!

And this time there was also the recently released Let's Encrypt wildcard certificate, which is another element that takes a while until you get the hang of it...
I don't yet understand the automatic renewal procedure, but I'll have to try it within 3 months...

Still, with things organized to this extent, you can build it in about 3 hours if you don't make any silly mistakes, and even if you do, you can tell how far things went correctly, so there is no need to try things blindly or Google the documentation endlessly.
When you build Personium, I'd be glad if you find this entry and use it as a reference.

From here there are still things to check, such as API access in the new version, but I'll stop around here for now and look into them when I have some spare time.

 
