info†
- Let's Encrypt でお手軽に入れる方法。真面目にやる場合は後述
centos7†
# CentOS 7: certbot and its Apache plugin are EPEL packages, so enable that repo first.
sudo yum install epel-release
sudo yum install certbot python-certbot-apache
centos8†
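# CentOS 8: retire the old certbot-auto script and install certbot from snap instead.
# -f keeps this step idempotent when the script was never installed.
rm -f -- /usr/local/bin/certbot-auto
dnf install epel-release
dnf upgrade
dnf install snapd
systemctl enable --now snapd.socket
# classic snaps are looked up under /snap; on CentOS snapd keeps them under /var/lib/snapd/snap
ln -s /var/lib/snapd/snap /snap
snap install core
snap refresh core
snap install --classic certbot
# expose certbot on PATH for cron and non-login shells
ln -s /snap/bin/certbot /usr/bin/certbot
# either let the Apache plugin obtain the certificate and edit the vhost ...
certbot --apache
# ... or only obtain it via the webroot challenge and reference it from ssl.conf by hand.
# certbot-auto was removed above, so this must call the snap-installed certbot.
certbot certonly --webroot -w /var/www/html/ -d 【example.com】 --agree-tos -n --email=xxx@xxx.xxx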
次に ssl モジュール†
# mod_ssl installs the default /etc/httpd/conf.d/ssl.conf edited below
dnf install mod_ssl
cd /etc/httpd/conf.d
# NOTE: this keeps only the non-comment lines, so ssl.conf.bak is a stripped
# copy for reading, not a faithful backup of the original file
grep -v '^#' ssl.conf > ssl.conf.bak
とりあえずここだけ変えて確認
ssl.conf
# Point the SSL vhost at the files certbot wrote for this domain.
SSLCertificateFile /etc/letsencrypt/live/【example.com】/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/【example.com】/privkey.pem
# SSLCertificateChainFile is deprecated from Apache 2.4.8 on; there, pointing
# SSLCertificateFile at fullchain.pem (which already contains the chain) is the
# documented replacement.
SSLCertificateChainFile /etc/letsencrypt/live/【example.com】/chain.pem
httpd.conf
# Plain-HTTP vhost: send every request to the HTTPS vhost (requires mod_rewrite).
<VirtualHost *:80>
RewriteEngine on
RewriteCond %{HTTPS} off
# [R] is a temporary (302) redirect; switch to [R=301,L] once HTTPS is confirmed working.
# %{HTTP_HOST} echoes the client-supplied Host header, which is acceptable for a
# redirect; a fixed hostname is stricter when this vhost serves a single site.
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
</VirtualHost>
# apply the ssl.conf / httpd.conf changes
service httpd restart
apache†
# CentOS 7: TLS support for httpd (non-interactive install)
yum -y install mod_ssl
ubuntu18†
# Ubuntu 18.04
sudo apt install apache2
# NOTE: the certbot PPA is no longer maintained upstream; the snap install
# (see the ubuntu20 section below) is the currently recommended route — verify
# the PPA still resolves before relying on it
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install certbot python-certbot-apache
SSL 設定†
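cd /etc/httpd/conf
# private key directory readable by root only
mkdir -m 700 ssl.key
cd ssl.key
# Create the key with restrictive permissions from the start: with a plain shell
# redirection the file is created under the current umask and stays readable until
# the chmod below runs. The subshell keeps the umask change local to this command.
(umask 077; openssl genrsa -out server.key 2048)
chmod 400 server.key
cd /etc/httpd/conf
# CSR for the CA (or for self-signing below); answer the prompts with the values listed next
openssl req -new -key ssl.key/server.key -out server.csr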
JP
Tokyo
Shinagawa-Ku
Example Company.
R&D
hostname.net
mailaddress
cd /etc/httpd/conf
# certificates (public material) live separately from the key directory
mkdir ssl.crt
cd ssl.crt
本物の場合はここで、認証局に csr を送って crt を返してもらう
オレオレ証明の場合は自分で署名する
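# absolute path so this step works whether or not the earlier "cd ssl.crt" already ran
cd /etc/httpd/conf/ssl.crt
# Self-signed certificate valid for one year, signed with the server key itself.
# NOTE: by default "x509 -req" copies no extensions from the CSR, so the result has
# no SAN and modern browsers will not match the hostname — fine for local testing only.
openssl x509 -in ../server.csr -days 365 -req -signkey ../ssl.key/server.key > server.crt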
/etc/httpd/conf.d/ssl.conf
# self-signed (or CA-issued) certificate and its key from the steps above
SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
# apply the certificate paths
service httpd restart
ssl の設定†
/etc/httpd/conf.d/ssl.conf
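<VirtualHost *:443>
ServerName ssl.example.com:443
# TLS 1.0 and 1.1 are deprecated (RFC 8996). Enable everything the build supports
# except SSLv3/TLS 1.0/1.1: this form also picks up TLS 1.3 on Apache 2.4.37+ with
# OpenSSL 1.1.1+, and does not error on older builds that lack it.
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder on
# SSLCipherSuite EECDH+HIGH:EDH+HIGH:HIGH:MEDIUM:+3DES:!ADH:!RC4:!MD5:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!PSK:!SRP:!DSS:!KRB5
# AES-GCM suites only; "-AES128" drops the 128-bit variants
SSLCipherSuite !DSS:EDH+AESGCM:ECDSA+AESGCM:EECDH+AESGCM:-AES128
SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
# download the CA's intermediate certificate and reference it here
SSLCertificateChainFile /etc/httpd/conf/ssl.crt/【取得した中間証明書】.cer
:
</VirtualHost>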
http => https にリダイレクトする†
/etc/httpd/conf/httpd.conf
# Same redirect vhost as in the centos8 section: everything on :80 goes to HTTPS.
<VirtualHost *:80>
RewriteEngine on
RewriteCond %{HTTPS} off
# [R] is a temporary (302) redirect; use [R=301,L] once HTTPS is confirmed working
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
</VirtualHost>
Let's encrypt†
aws cli と相性が悪いので注意
install†
# CentOS 7 via EPEL (the pip lines below predate the snap packaging)
yum --enablerepo=epel install certbot python-certbot-apache
# NOTE: upgrading pip / requests / cryptography in the system Python as root can
# break yum and other RPM-managed Python tools; these look like workarounds for a
# past dependency conflict — confirm they are still needed before running them
pip install --upgrade pip
# pip install requests --ignore-installed
# pip install --upgrade --force-reinstall 'requests==2.6.0'
pip install -U pip
pip install cryptography --upgrade
pip install --upgrade pip
pip install requests --ignore-installed
# pins a 2015-era requests release; later releases carry security fixes, so keep
# this pin only if certbot actually fails without it
pip install --upgrade --force-reinstall 'requests==2.6.0'
# webroot challenge: certbot writes a token under the document root's .well-known/
# and Let's Encrypt fetches it over plain HTTP (see the note below)
certbot certonly --webroot -w /var/www/【documentroot】/ -d 【example.com】 --agree-tos -n --email=xxx@xxx.xxx
上記を実行すると
/var/www/html/.well-known/ が作成され、
http://example.com/.well-known/xxxxx
にアクセスがあり、そのドメイン(正確にはURL)を確かに所有していることが証明される。
そのため、上記 URL を HTTP で外部からアクセス可能にしておく必要がある。
※ 例えば、apache から他のシステムに丸ごと reverse proxy 等している場合は virtual host 内に下記を追加する必要がある
# Exempt the ACME challenge path from the reverse proxy. ProxyPass rules are
# matched in order, so this "!" exclusion must stay above the catch-all below.
ProxyPass /.well-known/ !
ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/
/etc/httpd/conf.d/ssl.conf
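SSLCertificateFile /etc/letsencrypt/live/【example.com】/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/【example.com】/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/【example.com】/chain.pem
# On a site behind Basic auth, automatic renewal fails unless the challenge path is
# exempted. The previous pattern "/.well-known*" was an unanchored regex whose "*"
# only repeated the final "n" and whose "." matched any character; anchor and escape
# it so it matches exactly the /.well-known/ prefix.
<LocationMatch "^/\.well-known/">
# Apache 2.2-style access control (needs mod_access_compat on 2.4); on a pure 2.4
# configuration "Require all granted" is the equivalent of the three lines below.
Satisfy any
order allow,deny
allow from all
</LocationMatch>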
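# apply the changes ("server" was a typo for "service", matching the other sections)
service httpd restart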
ubuntu18†
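# Ubuntu 18.04: enable the Apache modules used above. mod_ssl is part of the apache2
# package, so there is nothing separate to install ("sudo apt ssl" was not a valid
# apt invocation and has been dropped).
sudo a2enmod ssl
sudo a2enmod rewrite
sudo a2enmod proxy
sudo a2enmod proxy_http
sudo a2enmod headers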
/etc/apache2/sites-available/000-default.conf
cron update†
10日に一回更新チェックを行う
/etc/crontab
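# Renewal check at 04:00 on the 2nd, 12th and 22nd (roughly every 10 days).
# Log under /var/log instead of /var/tmp: /var/tmp is world-writable and periodically
# cleaned, and root appending to a predictable file name there is a symlink risk.
# stderr is captured too so failed renewals show up in the log.
# NOTE: /bin/certbot only resolves where /bin is merged into /usr/bin (the centos8
# section symlinks certbot to /usr/bin); verify the path on the target host.
# --deploy-hook "systemctl reload httpd" would restart only after a successful
# renewal and avoid a full restart, if that suits the site better.
0 4 2 * * root /bin/certbot renew --post-hook "systemctl restart httpd" >> /var/log/certbot-renew.log 2>&1
0 4 12 * * root /bin/certbot renew --post-hook "systemctl restart httpd" >> /var/log/certbot-renew.log 2>&1
0 4 22 * * root /bin/certbot renew --post-hook "systemctl restart httpd" >> /var/log/certbot-renew.log 2>&1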
ubuntu†
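# Ubuntu variant of the renewal cron: same schedule, restarts apache2 instead of httpd.
# Log under /var/log instead of /var/tmp (world-writable, periodically cleaned, and a
# predictable root-written file name there is a symlink risk); capture stderr as well.
# NOTE: on Ubuntu 18.04 /bin is not merged into /usr/bin, so /bin/certbot is unlikely
# to exist; the apt package installs /usr/bin/certbot — verify the path on the host.
0 4 2 * * root /bin/certbot renew --post-hook "systemctl restart apache2" >> /var/log/certbot-renew.log 2>&1
0 4 12 * * root /bin/certbot renew --post-hook "systemctl restart apache2" >> /var/log/certbot-renew.log 2>&1
0 4 22 * * root /bin/certbot renew --post-hook "systemctl restart apache2" >> /var/log/certbot-renew.log 2>&1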
ubuntu20†
# Ubuntu 20.04: certbot from snap, Apache and friends from apt
snap install core
snap refresh core
snap install --classic certbot
# NOTE: unlike the centos8 section, no /usr/bin/certbot symlink is created here;
# the cron lines above call certbot by absolute path, so confirm where the snap
# binary is reachable on this host
apt-get install apache2
# on Debian/Ubuntu default-ssl.conf is wrapped in <IfModule mod_ssl.c>, so without
# "a2enmod ssl" (see the ubuntu18 section) the enabled site is effectively empty
a2ensite default-ssl
# OpenID Connect authentication for Apache
apt-get install libapache2-mod-auth-openidc
a2enmod auth_openidc
a2enmod include
apt install php libapache2-mod-php