2020 - orangebox

2020年9月22日 0

CentOS7.3 Let’s Encrypt ワイルドカード証明書の手動更新

次のコマンドを実行
# certbot certonly --manual -d *.ドメイン名

Saving debug log to /var/log/letsencrypt/letsencrypt.log Plugins selected: Authenticator manual, Installer None Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org Cert is due for renewal, auto-renewing... Renewing an existing certificate Performing the following challenges: dns-01 challenge for ドメイン名

– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you’re running certbot in manual mode on a machine that is not
your server, please ensure you’re okay with that.

Are you OK with your IP being logged?
– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
(Y)es/(N)o: Y

IPアドレスを公にしていいか？と聞かれるので、Yを入力する。

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Please deploy a DNS TXT record under the name _acme-challenge.ドメイン名 with the following value:

認証コード

Before continuing, verify the record is deployed.
– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
Press Enter to Continue

DNSレコードに上記の認証コードを追加する。

スタードメインの場合は、

Waiting for verification... Cleaning up challenges

IMPORTANT NOTES:
– Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/ドメイン名/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/ドメイン名/privkey.pem
Your cert will expire on 2020-12-21. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
“certbot renew”
– If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

これで証明書が更新された。

Apache等のWEBサーバを再起動して、証明書が更新されたことを確認する。

管理者

CentOS7.3

2020年3月11日 0

CentOS7.3 ApacheにSSL証明書を導入

必要なパッケージのインストール

# yum -y install httpd openssl mod_ssl # yum -y install git

Let’s Encrypt Client のインストール

# git clone https://github.com/letsencrypt/letsencrypt # cd letsencrypt # ./letsencrypt-auto --help
これで必要なパッケージが自動でインストールされる。

SSL証明書の作成

Apacheを停止する。
# systemctl stop httpd.service

対象のドメイン名を「www.example.com」の場合は以下のようにコマンドを実行する。
# ./letsencrypt-auto certonly --standalone -d www.example.com

./letsencrypt-auto has insecure permissions! To learn how to fix them, visit https://community.letsencrypt.org/t/certbot-auto-deployment-best-practices/91979/ Saving debug log to /var/log/letsencrypt/letsencrypt.log Plugins selected: Authenticator standalone, Installer None Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel):owner@example.com
上記のようにメールアドレスを求められるので、
メールアドレスを入力する。

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Please read the Terms of Service at https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must agree in order to register with the ACME server at https://acme-v02.api.letsencrypt.org/directory - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (A)gree/(C)ancel: A
利用規約の同意が求められるので、「A」を入力する。

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Would you be willing to share your email address with the Electronic Frontier Foundation, a founding partner of the Let's Encrypt project and the non-profit organization that develops Certbot? We'd like to send you email about our work encrypting the web, EFF news, campaigns, and ways to support digital freedom. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (Y)es/(N)o: Y
「Y」を入力する。

Obtaining a new certificate Performing the following challenges: http-01 challenge for www.example.com Waiting for verification... Cleaning up challenges


IMPORTANT NOTES:

 - Congratulations! Your certificate and chain have been saved at:

   /etc/letsencrypt/live/www.example.com/fullchain.pem

   Your key file has been saved at:

   /etc/letsencrypt/live/www.example.com/privkey.pem

   Your cert will expire on 2020-06-09. To obtain a new or tweaked

   version of this certificate in the future, simply run

   letsencrypt-auto again. To non-interactively renew *all* of your

   certificates, run "letsencrypt-auto renew"

 - Your account credentials have been saved in your Certbot

   configuration directory at /etc/letsencrypt. You should make a

   secure backup of this folder now. This configuration directory will

   also contain certificates and private keys obtained by Certbot so

   making regular backups of this folder is ideal.

 - If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le

以上で、SSL証明書が作成された。

作成されたファイルを確認する。
# cd /etc/letsencrypt/live/www.example.com # ls cert.pem ←サーバ証明書 chain.pem ←中間証明書 fullchain.pem ←サーバ証明書+中間証明書 privkey.pem ←サーバ秘密鍵

ssl.confを以下のように変更する。
#/etc/httpd/conf.d/ssl.conf SSLCertificateFile /etc/letsencrypt/live/www.example.com/cert.pem SSLCertificateKeyFile /etc/letsencrypt/live/www.example.com/privkey.pem SSLCertificateChainFile /etc/letsencrypt/live/www.example.com/chain.pem

httpd.confを以下のように変更する。
#/etc/httpd/conf/httpd.conf NameVirtualHost *:80 NameVirtualHost *:443




    ServerAdmin root@www.example.com

    DocumentRoot /var/www/html

    ServerName www.example.com





    SSLEngine on

    SSLCertificateFile /etc/letsencrypt/live/www.example.com/cert.pem

    SSLCertificateKeyFile /etc/letsencrypt/live/www.example.com/privkey.pem

    SSLCertificateChainFile /etc/letsencrypt/live/www.example.com/chain.pem

ServerAdmin root@www.example.com DocumentRoot /var/www/html ServerName www.example.com

Apacheを起動する。

# systemctl start httpd.service

Apacheがうまく起動しない場合は、記述が間違っていることが考えられる。
その場合は、
# service httpd configtest
でエラーが無いか、確認する。

ブラウザでサイトにアクセスした時に、自動でhttpsにリダイレクトする設定

httpd.conf（VirtualHostの場合はconf.d/*.conf）に以下を追記する。
RewriteEngine On RewriteCond %{HTTPS} off RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

管理者

CentOS7.3