Something That Wants to Be an Engineer

Memo-like notes from something that wants to be an engineer.

SSL with Let's Encrypt (CentOS6 + Nginx)

It's a rather dated environment by now, but I tried enabling SSL with Let's Encrypt on a certain site running on CentOS 6 and Nginx on a VPS.

■Target environment

# cat /etc/redhat-release
CentOS release 6.8 (Final)
# nginx -v
nginx version: nginx/1.10.1

■Preparation

Install the epel repository (it was already installed)

# yum install epel-release

Fetch certbot-auto with wget

# wget https://dl.eff.org/certbot-auto
--2020-08-12 09:32:48-- https://dl.eff.org/certbot-auto
dl.eff.org をDNSに問いあわせています... 2a04:4e42:36::201, 151.101.108.20
dl.eff.org|2a04:4e42:36::201|:443 に接続しています... 接続しました。
HTTP による接続要求を送信しました、応答を待っています... 200 OK
長さ: 79656 (78K) [application/octet-stream]
`certbot-auto' に保存中

100%[============================================================================================================>] 79,656 --.-K/s 時間 0.006s

2020-08-12 09:32:48 (11.8 MB/s) - `certbot-auto' へ保存完了 [79656/79656]

■Run certbot to install the SSL certificate and configure Nginx

## Add execute permission → run

# chmod a+x certbot-auto
#
# ./certbot-auto

## The first run installs the required packages

Requesting to rerun ./certbot-auto with root privileges...
Bootstrapping dependencies for Legacy RedHat-based OSes that will use Python3... (you can skip this with --no-bootstrap)
yum is hashed (/usr/bin/yum)
To use Certbot on this operating system, packages from the SCL repository need to be installed.
読み込んだプラグイン:fastestmirror, security
インストール処理の設定をしています
Loading mirror speeds from cached hostfile
* base: ftp.iij.ad.jp
* epel: nrt.edge.kernel.org
* extras: ftp.iij.ad.jp
* updates: ftp.iij.ad.jp
パッケージ は利用できません。
パッケージ は利用できません。
依存性の解決をしています
--> トランザクションの確認を実行しています。
---> Package centos-release-scl.noarch 10:7-4.el6.centos will be インストール
--> 依存性の処理をしています: centos-release-scl-rh のパッケージ: 10:centos-release-scl-7-4.el6.centos.noarch
--> トランザクションの確認を実行しています。
---> Package centos-release-scl-rh.noarch 0:2-4.el6.centos will be インストール
--> 依存性解決を終了しました。

(snip)

インストール:
libffi-devel.x86_64 0:3.0.5-3.2.el6 mod_ssl.x86_64 1:2.2.15-69.el6.centos rh-python36-python.x86_64 0:3.6.9-2.el6
rh-python36-python-devel.x86_64 0:3.6.9-2.el6 rh-python36-python-virtualenv.noarch 0:15.1.0-2.el6

依存性関連をインストールしました:
iso-codes.noarch 0:3.16-2.el6 rh-python36-python-libs.x86_64 0:3.6.9-2.el6 rh-python36-python-pip.noarch 0:9.0.1-2.el6
rh-python36-python-setuptools.noarch 0:36.5.0-1.el6 rh-python36-runtime.x86_64 0:2.0-1.el6 scl-utils-build.x86_64 0:20120927-29.el6_9
xml-common.noarch 0:0.6.3-33.el6

更新:
ca-certificates.noarch 0:2019.2.32-65.1.el6_10

依存性を更新しました:
httpd.x86_64 0:2.2.15-69.el6.centos httpd-tools.x86_64 0:2.2.15-69.el6.centos

完了しました!

Creating virtual environment...
Installing Python packages...
Installation succeeded.
Saving debug log to /var/log/letsencrypt/letsencrypt.log

 

## Choose Apache or Nginx

How would you like to authenticate and install certificates?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Apache Web Server plugin (apache)
2: Nginx Web Server plugin (nginx)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Plugins selected: Authenticator nginx, Installer nginx

## Email address

Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): hogehoge@gmail.com

## Agree to the Terms of Service

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: a

## Roughly "may we send news and such to the registered address?"

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y

## Domain list. Choose which one to apply it to.

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: AAAAA.com
2: BBBBB.com
3: CCCCC.com
4: DDDDD.com
5: EEEEE.com
6: FFFFF.com
7: GGGGG.com
8: HHHHH.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 7
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for obata-tatami.co#
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/XXXXXX
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/XXXXXXX

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://XXXXX.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Subscribe to the EFF mailing list (email: hogehoge@gmail.com).

 

## If you see Congratulations!, you're all set

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/XXXXXX.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/XXXXXX.com/privkey.pem
Your cert will expire on 2020-11-09. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again with the "certonly" option. To non-interactively renew *all*
of your certificates, run "certbot-auto renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

 

■Check the created files

## /etc/letsencrypt

# ls -lR /etc/letsencrypt/
/etc/letsencrypt/:
合計 40
drwx------ 3 root root 4096 8月 12 09:34 2020 accounts
drwx------ 3 root root 4096 8月 12 09:35 2020 archive
drwxr-xr-x 2 root root 4096 8月 12 09:35 2020 csr
drwx------ 2 root root 4096 8月 12 09:35 2020 keys
drwx------ 3 root root 4096 8月 12 09:35 2020 live
-rw-r--r-- 1 root root 924 8月 12 09:34 2020 options-ssl-apache.conf
-rw-r--r-- 1 root root 688 8月 12 09:34 2020 options-ssl-nginx.conf
drwxr-xr-x 2 root root 4096 8月 12 09:35 2020 renewal
drwxr-xr-x 5 root root 4096 8月 12 09:34 2020 renewal-hooks
-rw-r--r-- 1 root root 424 8月 12 09:34 2020 ssl-dhparams.pem

/etc/letsencrypt/accounts:
合計 4
drwx------ 3 root root 4096 8月 12 09:34 2020 acme-v02.api.letsencrypt.org

/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org:
合計 4
drwx------ 3 root root 4096 8月 12 09:35 2020 directory

/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory:
合計 4
drwx------ 2 root root 4096 8月 12 09:35 2020 6fd0c2802a41ad01d7f61cbaa6062af0

/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory/6fd0c2802a41ad01d7f61cbaa6062af0:
合計 12
-rw-r--r-- 1 root root 89 8月 12 09:35 2020 meta.json
-r-------- 1 root root 1632 8月 12 09:35 2020 private_key.json
-rw-r--r-- 1 root root 78 8月 12 09:35 2020 regr.json

/etc/letsencrypt/archive:
合計 4
drwxr-xr-x 2 root root 4096 8月 12 09:35 2020 XXXXXX.com

/etc/letsencrypt/archive/XXXXXX.com:
合計 16
-rw-r--r-- 1 root root 1915 8月 12 09:35 2020 cert1.pem
-rw-r--r-- 1 root root 1647 8月 12 09:35 2020 chain1.pem
-rw-r--r-- 1 root root 3562 8月 12 09:35 2020 fullchain1.pem
-rw------- 1 root root 1704 8月 12 09:35 2020 privkey1.pem

/etc/letsencrypt/csr:
合計 4
-rw-r--r-- 1 root root 928 8月 12 09:35 2020 0000_csr-certbot.pem

/etc/letsencrypt/keys:
合計 4
-rw------- 1 root root 1704 8月 12 09:35 2020 0000_key-certbot.pem

/etc/letsencrypt/live:
合計 8
-rw-r--r-- 1 root root 740 8月 12 09:35 2020 README
drwxr-xr-x 2 root root 4096 8月 12 09:35 2020 XXXXXX.com

/etc/letsencrypt/live/XXXXXX.com:
合計 4
-rw-r--r-- 1 root root 692 8月 12 09:35 2020 README
lrwxrwxrwx 1 root root 40 8月 12 09:35 2020 cert.pem -> ../../archive/XXXXXX.com/cert1.pem
lrwxrwxrwx 1 root root 41 8月 12 09:35 2020 chain.pem -> ../../archive/XXXXXX.com/chain1.pem
lrwxrwxrwx 1 root root 45 8月 12 09:35 2020 fullchain.pem -> ../../archive/XXXXXX.com/fullchain1.pem
lrwxrwxrwx 1 root root 43 8月 12 09:35 2020 privkey.pem -> ../../archive/XXXXXX.com/privkey1.pem

/etc/letsencrypt/renewal:
合計 4
-rw-r--r-- 1 root root 536 8月 12 09:35 2020 XXXXXX.com.conf

/etc/letsencrypt/renewal-hooks:
合計 12
drwxr-xr-x 2 root root 4096 8月 12 09:34 2020 deploy
drwxr-xr-x 2 root root 4096 8月 12 09:34 2020 post
drwxr-xr-x 2 root root 4096 8月 12 09:34 2020 pre

/etc/letsencrypt/renewal-hooks/deploy:
合計 0

/etc/letsencrypt/renewal-hooks/post:
合計 0

/etc/letsencrypt/renewal-hooks/pre:
合計 0

## Nginx configuration file

The lines commented with "# managed by Certbot" are the ones certbot added automatically.

server {
    server_name XXXXXX.com;

    access_log /var/log/nginx/XXXXXX.com/access.log;
    error_log /var/log/nginx/XXXXXX.com/error.log;

    root /var/www/XXXXXX.com;
    index index.php index.html index.htm;

    error_page 404 = /error/404.php;
    error_page 403 = /error/403.php;
    error_page 500 = /error/500.php;
    error_page 503 = /error/503.html;

    location ~\.php$ {
        try_files $uri =404;
        fastcgi_pass 127.0.0.1:9001;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /var/www/XXXXXX.com$fastcgi_script_name;
        include fastcgi_params;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/XXXXXX.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/XXXXXX.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}
server {
    if ($host = XXXXXX.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    listen 80;
    server_name XXXXXX.com obata-tatami.production.piyoria.com;
    return 404; # managed by Certbot


}

 

■Nginx reload

# service nginx reload
Reloading nginx: [ OK ]

Once you see OK, actually access the site over https and confirm that it works.

 

■Automatic renewal

Let's Encrypt certificates expire after 90 days, so to avoid forgetting to renew, it's best to set up automatic renewal.

## Test run

Adding --dry-run makes it a test run

# ./certbot-auto certonly --webroot -w /var/www/XXXXXX.com/ -d XXXXXX.com --dry-run

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Cert not due for renewal, but simulating renewal for dry run
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for XXXXXX.com
Using the webroot path /var/www/XXXXXX.com for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Running post-hook command: /sbin/service nginx reload
Output from post-hook command service:
Reloading nginx: [ OK ]


IMPORTANT NOTES:
- The dry run was successful.

If you see "The dry run was successful." you're OK, so run it once a month from cron.

# crontab -l
no crontab for root
#
# crontab -e
no crontab for root - using an empty one
crontab: installing new crontab
#
# crontab -l
30 5 1 * * /home/tmin/certbot-auto certonly --webroot -w /var/www/XXXXXX.com/ -d XXXXXX.com --force-renew --post-hook "/sbin/service nginx reload"

 

In the case above, renewal runs at 5:30 on the 1st of every month and then reloads Nginx.
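The crontab above forces a new certificate every month with --force-renew, whereas the note certbot printed earlier points at "certbot-auto renew", which only renews once a certificate is within 30 days of expiry. The wrapper below is an added example, not from the original post, that gets the same effect for this one lineage by checking the live certificate with openssl x509 -checkend before running the same certonly command with the same webroot and post-hook. It assumes the paths used in the post (/home/tmin/certbot-auto, /var/www/XXXXXX.com/, /etc/letsencrypt/live/XXXXXX.com/fullchain.pem) and that openssl is on the PATH.

```sh
#!/bin/sh
# Renewal wrapper for cron (added example, not from the original post).
# Renews only when the live certificate is inside the renewal window instead of
# forcing a renewal every month; forced renewals are unnecessary and count
# against Let's Encrypt's rate limits.
set -eu

CERTBOT=/home/tmin/certbot-auto              # path from the post's crontab
WEBROOT=/var/www/XXXXXX.com/                 # webroot used for the http-01 challenge
DOMAIN=XXXXXX.com
LIVE_CERT=/etc/letsencrypt/live/$DOMAIN/fullchain.pem   # symlink certbot keeps current
RENEW_DAYS=30                                # renew when 30 days or less remain

# cert_expires_within FILE DAYS
# Returns 0 (true) when the certificate in FILE expires within DAYS days.
# "openssl x509 -checkend N" exits 0 if the cert is still valid N seconds from
# now and non-zero if it will have expired (or cannot be read), so the result
# is inverted here; an unreadable file therefore also reads as "expires".
cert_expires_within() {
    if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null; then
        return 1
    fi
    return 0
}

# renew_if_needed CERTFILE
# Runs the same certonly command as the crontab, but only when renewal is due.
# Echoes its decision so it shows up in the cron mail.
renew_if_needed() {
    if cert_expires_within "$1" "$RENEW_DAYS"; then
        echo "certificate expires within $RENEW_DAYS days, renewing"
        "$CERTBOT" certonly --non-interactive --webroot -w "$WEBROOT" -d "$DOMAIN" \
            --post-hook "/sbin/service nginx reload"
    else
        echo "certificate valid for more than $RENEW_DAYS days, nothing to do"
    fi
}

# Act only when invoked with "run", so the functions can also be sourced.
if [ "${1:-}" = "run" ]; then
    renew_if_needed "$LIVE_CERT"
fi
```

Point the crontab entry at this script with the argument "run" (the file name is up to you); because a missing or unreadable certificate file also counts as "expires", the script falls back to renewing rather than silently skipping.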

Special Thanks

qiita.com
