Purpose
Build a web server whose server certificate is renewed automatically.
Environment
- OS: Rocky Linux release 9.5 (Blue Onyx)
- IP address: 192.168.56.15
- FQDN: camel.example.local
- DNS: 192.168.56.18 cheetah.example.local
- CA: 192.168.56.16 serval.example.local
Install Apache and mod_ssl
console
# dnf install httpd mod_ssl
# systemctl enable httpd
Created symlink /etc/systemd/system/multi-user.target.wants/httpd.service → /usr/lib/systemd/system/httpd.service.
Virtual host configuration
NameVirtualHost is obsolete in httpd 2.4 (the version Rocky Linux 9 ships): name-based virtual hosting is always on and the directive only produces an AH00548 warning at startup, so it is left out here.
console
# vi /etc/httpd/conf.d/vhost.conf
<VirtualHost *:80>
    ServerAdmin root@example.local
    DocumentRoot /var/www/html
    ServerName camel.example.local
</VirtualHost>
(ZZ)
# systemctl start httpd // start the server
# systemctl status httpd
OK if the output shows Active: active (running)
// open the ports
# firewall-cmd --add-service=http --zone=public --permanent
success
# firewall-cmd --add-service=https --zone=public --permanent
success
# firewall-cmd --reload
success
# firewall-cmd --list-services
http https ssh
Check in a browser
Open http://192.168.56.15; the Apache test page should appear.
Open https://192.168.56.15; after a certificate warning (mod_ssl installs a self-signed localhost certificate at this point) the Apache test page should appear.
Obtain and install the CA's certificate
console
# vi /etc/resolv.conf // switch the name server to cheetah (192.168.56.18)
# Generated by NetworkManager
#nameserver 10.0.2.1
nameserver 192.168.56.18
(ZZ)
// NetworkManager owns this file (see its header line) and may rewrite it on the next
// connection change; for a persistent setting change ipv4.dns on the connection profile with nmcli.
// check TLS connectivity to the CA
# openssl s_client -connect serval.example.local:443 </dev/null 2>/dev/null |openssl x509 -noout -subject -issuer -dates
subject=CN=Step Online CA
issuer=O=EXAMPLE.LOCAL, CN=EXAMPLE.LOCAL Intermediate CA
notBefore=Oct 16 01:45:42 2025 GMT
notAfter=Oct 17 01:46:42 2025 GMT
// fetch the CA's certificate (acme.crt) from the CA host
# scp root@serval.example.local:/root/acme.crt .
The authenticity of host 'serval.example.local (192.168.56.16)' can't be established.
ED25519 key fingerprint is SHA256:HeK+r57Gw7BSTUutv1AfGdEhQ+W2vRyPmRznHAXbv5c.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'serval.example.local' (ED25519) to the list of known hosts.
root@serval.example.local's password:
acme.crt 100% 652 396.3KB/s 00:00
// check TLS connectivity again, this time trusting acme.crt explicitly
# curl --cacert acme.crt -I https://serval.example.local:443/
HTTP/2 404
content-type: text/plain; charset=utf-8
x-content-type-options: nosniff
x-request-id: eed43ebc-9cbe-4761-a626-47df453f239f
content-length: 19
date: Thu, 16 Oct 2025 04:40:53 GMT
// install the CA certificate as a system trust anchor
# cp acme.crt /usr/share/pki/ca-trust-source/anchors/
# update-ca-trust extract
Anything placed in anchors/ is trusted by every TLS client on this host that uses the system store, so confirm before copying that acme.crt is the certificate you expect. The scp above accepted serval's SSH host key without checking it, so the file's origin is not yet verified: compare its SHA-256 fingerprint with a value obtained from the CA operator through another channel before running update-ca-trust.
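Before the copy, a practitioner pins the fetched file to a fingerprint obtained out of band. The following Python is an added example, not part of the page's procedure or of any step-ca or certbot code; it performs that check on the PEM text with the standard library only. Because acme.crt's real content is not on the page, the certificate bytes and the expected fingerprint below are constructed placeholders.

```python
"""Check a fetched CA certificate against an out-of-band SHA-256 fingerprint
before it goes into /usr/share/pki/ca-trust-source/anchors/.

Added example, not code from the page. It works on the PEM text alone: the
value openssl prints for -fingerprint -sha256 is SHA-256 over the DER bytes
between the BEGIN/END CERTIFICATE lines, so no TLS library is needed.
"""
import base64
import hashlib
import hmac
import re

_PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S
)


def pem_blocks(pem_text: str) -> list[tuple[str, bytes]]:
    """Return (label, DER bytes) for every PEM block in the text."""
    blocks = []
    for label, body in _PEM_BLOCK.findall(pem_text):
        der = base64.b64decode("".join(body.split()), validate=True)
        blocks.append((label, der))
    return blocks


def sha256_fingerprint(der: bytes) -> str:
    """openssl-style fingerprint: uppercase hex octets separated by colons."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())


def anchor_fingerprints(pem_text: str) -> list[str]:
    """Fingerprints of the CERTIFICATE blocks in a file destined for anchors/.

    Refuses files that carry anything but certificates (a private key has no
    business in a trust store) and files with no PEM block at all (the scp did
    not fetch what was expected).
    """
    blocks = pem_blocks(pem_text)
    if not blocks:
        raise ValueError("no PEM blocks found")
    bad = [label for label, _ in blocks if label != "CERTIFICATE"]
    if bad:
        raise ValueError(f"non-certificate PEM block(s) present: {bad}")
    return [sha256_fingerprint(der) for _, der in blocks]


def _normalize(fingerprint: str) -> bytes:
    """Accept 'AB:CD:..' or 'abcd..' so a pin copied from any tool compares equal."""
    return fingerprint.replace(":", "").lower().encode("ascii")


def pinned_ok(pem_text: str, expected_fingerprint: str) -> bool:
    """True only if the file holds exactly one certificate and it matches the pin."""
    fingerprints = anchor_fingerprints(pem_text)
    if len(fingerprints) != 1:
        return False
    return hmac.compare_digest(_normalize(fingerprints[0]), _normalize(expected_fingerprint))


def to_pem(label: str, der: bytes) -> str:
    """Wrap DER bytes in a PEM block (64-character lines, as openssl writes them)."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


# Constructed stand-in for acme.crt: these bytes are not a real certificate,
# the fingerprint arithmetic only ever sees the DER octets.
SAMPLE_DER = bytes(range(96))
SAMPLE_PEM = to_pem("CERTIFICATE", SAMPLE_DER)
# Constructed stand-in for the value the CA operator hands over out of band.
SAMPLE_PIN = sha256_fingerprint(SAMPLE_DER)

if __name__ == "__main__":
    for fp in anchor_fingerprints(SAMPLE_PEM):
        print("sha256 Fingerprint=" + fp)
    print("pin matches:", pinned_ok(SAMPLE_PEM, SAMPLE_PIN))
```

Run it against the real file with `pinned_ok(open("acme.crt").read(), pin)` and only copy the file into anchors/ when it returns True; a bundle with more than one certificate is rejected on purpose, because a single anchor is what this procedure intends to trust.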
List the CA's ACME directory (the endpoints the protocol uses)
Now that the anchor is installed, curl verifies serval's certificate without --cacert.
console
# curl -s https://serval.example.local/acme/acme/directory | jq
{
"newNonce": "https://serval.example.local/acme/acme/new-nonce",
"newAccount": "https://serval.example.local/acme/acme/new-account",
"newOrder": "https://serval.example.local/acme/acme/new-order",
"revokeCert": "https://serval.example.local/acme/acme/revoke-cert",
"keyChange": "https://serval.example.local/acme/acme/key-change"
}
Install certbot
Both packages come from the EPEL repository, so epel-release must be enabled before this step.
console
// switch the name server back to the external one so dnf can reach the repositories
# vi /etc/resolv.conf
# Generated by NetworkManager
nameserver 10.0.2.1
#nameserver 192.168.56.18
(ZZ)
// install
# dnf install certbot python3-certbot-apache
Request the CA to sign the server's certificate and obtain the server certificate
The name server is switched back first so that this host can resolve serval.example.local. REQUESTS_CA_BUNDLE points certbot's HTTP client (python-requests) at the private CA certificate explicitly, independent of the system trust store. The --apache plugin answers the http-01 challenge, so the CA in turn must resolve camel.example.local (through cheetah) and reach port 80 on 192.168.56.15.
console
// switch the name server back to the internal one
# vi /etc/resolv.conf
# Generated by NetworkManager
#nameserver 10.0.2.1
nameserver 192.168.56.18
(ZZ)
// request a signed server certificate
# REQUESTS_CA_BUNDLE=/usr/share/pki/ca-trust-source/anchors/acme.crt \
> certbot --apache -d camel.example.local -m test@example.local \
> --server https://serval.example.local/acme/acme/directory
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Account registered.
Requesting a certificate for camel.example.local
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/camel.example.local/fullchain.pem
Key is saved at: /etc/letsencrypt/live/camel.example.local/privkey.pem
This certificate expires on 2025-10-17.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
Deploying certificate
Successfully deployed certificate for camel.example.local to /etc/httpd/conf.d/vhost-le-ssl.conf
Congratulations! You have successfully enabled HTTPS on https://camel.example.local
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Notes on the output
The certificate serval issued is valid for one day (issued 2025-10-16, expires 2025-10-17), far shorter than the 90 days public CAs give. Certbot's scheduled task renews any certificate that is within 30 days of expiry, so with this lifetime every run renews; confirm with systemctl list-timers that the certbot-renew timer is active and that its interval, including any randomized delay, stays well inside the certificate lifetime, and exercise the renewal path with certbot renew --dry-run before relying on it. The deployed configuration lives in /etc/httpd/conf.d/vhost-le-ssl.conf and references the fullchain.pem and privkey.pem paths above, which certbot replaces on every renewal.
dns-01 challenge
The --apache run above used the http-01 challenge, which needs port 80 reachable from the CA. dns-01 proves control of the name with a TXT record instead, which also works for hosts the CA cannot reach over HTTP and is the only option for wildcard names. With --manual the TXT record is created by hand on the DNS server (cheetah); --dry-run exercises the validation without saving a certificate. Note that a certificate obtained with --manual cannot be renewed unattended unless --manual-auth-hook (and normally --manual-cleanup-hook) is supplied, which matters for the goal of automatic renewal.
console
# REQUESTS_CA_BUNDLE=/usr/share/pki/ca-trust-source/anchors/acme.crt \
> certbot certonly --manual --dry-run \
> --server https://serval.example.local/acme/acme/directory \
> --preferred-challenges dns \
> -d camel.example.local \
> -m test@example.local
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Simulating renewal of an existing certificate for camel.example.local
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name:
_acme-challenge.camel.example.local.
with the following value:
OLXcT9sdhaE_bOHJV89V0_Zj5B9AJ9-RjJzbbWbKkv8
Before continuing, verify the TXT record has been deployed. Depending on the DNS
provider, this may take some time, from a few seconds to multiple minutes. You can
check if it has finished deploying with aid of online tools, such as the Google
Admin Toolbox: https://toolbox.googleapps.com/apps/dig/#TXT/_acme-challenge.camel.example.local.
Look for one or more bolded line(s) below the line ';ANSWER'. It should show the
value(s) you've just added.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
The dry run was successful.
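The TXT value certbot prints above, and the key-authorization string the --apache plugin served for http-01 earlier, are both derived from the challenge token and the ACME account key. The following Python is an added example, not code from the page, certbot or step-ca; it computes both responses the way RFC 8555 specifies and performs the comparison the CA does after looking up the record. The account key, the token and the account URL in `kid` are constructed placeholders, not values from the page.

```python
"""ACME challenge responses derived from the account key
(RFC 8555 sections 8.1, 8.3 and 8.4; RFC 7638 for the thumbprint).

Added example, not code from the page, certbot or step-ca. The account key is
a constructed P-256 public JWK with placeholder coordinates and the token is
a constructed value in the format ACME servers issue.
"""
import base64
import hashlib
import hmac
import json

# RFC 7638 section 3.2: only the required public members take part in the thumbprint.
_THUMBPRINT_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
    "OKP": ("crv", "kty", "x"),
}


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required members.

    Members are sorted lexicographically and serialised without whitespace, so
    'kid', 'alg' or the member order of the input never change the result.
    """
    try:
        members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    except KeyError as exc:
        raise ValueError(f"unsupported key type: {jwk.get('kty')!r}") from exc
    canonical = json.dumps({m: jwk[m] for m in members}, separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: token '.' thumbprint(account key)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_response(token: str, jwk: dict) -> tuple[str, str]:
    """Path and body the web server must serve for http-01 (section 8.3)."""
    return f"/.well-known/acme-challenge/{token}", key_authorization(token, jwk)


def dns01_txt_record(domain: str, token: str, jwk: dict) -> tuple[str, str]:
    """Name and value of the TXT record for dns-01 (section 8.4).

    The value is base64url(SHA-256(key authorization)), which is why the string
    certbot prints bears no visible relation to the token. For a wildcard
    request the leading '*.' is dropped and the record sits on the base name.
    """
    base = domain[2:] if domain.startswith("*.") else domain
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return f"_acme-challenge.{base.rstrip('.')}.", b64url(digest)


def verify_dns01(observed_txt: str, domain: str, token: str, jwk: dict) -> bool:
    """What the CA does after querying the TXT record: recompute and compare."""
    _, expected = dns01_txt_record(domain, token, jwk)
    return hmac.compare_digest(observed_txt.encode("ascii"), expected.encode("ascii"))


# Constructed account key: a P-256 public JWK with placeholder coordinates
# (32 sequential bytes each); 'kid' is a hypothetical account URL and is
# ignored by the thumbprint.
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": b64url(bytes(range(32))),
    "y": b64url(bytes(range(32, 64))),
    "kid": "https://serval.example.local/acme/acme/account/1",
}
# Constructed token (base64url, 32 random-looking bytes), not one from the page.
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

if __name__ == "__main__":
    name, value = dns01_txt_record("camel.example.local", TOKEN, ACCOUNT_JWK)
    print(f'{name} IN TXT "{value}"')
    path, body = http01_response(TOKEN, ACCOUNT_JWK)
    print(f"GET {path} -> {body}")
```

Two practical consequences follow from the construction: the dns-01 value changes whenever the account key changes, so an account re-registration on a fresh host invalidates any TXT record left behind, and a stale record from an earlier run is harmless but useless, which is why a --manual-cleanup-hook that removes it is worth adding alongside the auth hook.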