本blogもSSL化することにした。個人blogだしVPSなのでお高い証明書を購入するまでもなく、近年活躍目覚ましい Let’s Encrypt で。
Let’s Encrypt って何よ?という向きは「Let’s Encrypt 総合ポータル」とか Wikipediaページ をご参照。

本blogが稼動しているVPSのOSとWebサーバーのバージョンは以下。

[root@www ~]# cat /etc/redhat-release
CentOS Linux release 7.4.1708 (Core)
[root@www ~]# httpd -v
Server version: Apache/2.4.6 (CentOS)
Server built:   Oct 19 2017 20:39:16

証明書を自動発行したり自動更新したりするツールは、現時点での最新情報では certbot というツールを使うとのこと。
早速、gitを使ってインストール。

[root@www ~]# git clone https://github.com/certbot/certbot
Cloning into 'certbot'...
remote: Counting objects: 51720, done.
remote: Compressing objects: 100% (94/94), done.
remote: Total 51720 (delta 81), reused 72 (delta 40), pack-reused 51586
Receiving objects: 100% (51720/51720), 16.15 MiB | 3.96 MiB/s, done.
Resolving deltas: 100% (37090/37090), done.

インストールしたcertbotをおもむろに実行する。必要なパッケージが自動で追加インストールされ、対話形式で証明書発行やApache設定ファイルの追加までやってくれる。良く出来てる親切仕様だね。

[root@www ~]# cd certbot
[root@www certbot]# ./certbot-auto
Bootstrapping dependencies for RedHat-based OSes... (you can skip this with --no-bootstrap)
yum is /usr/bin/yum
・・・(省略)・・・
Installed:
  augeas-libs.x86_64 0:1.4.0-2.el7_4.2                    gcc.x86_64 0:4.8.5-16.el7_4.1                    libffi-devel.x86_64 0:3.0.13-18.el7         
  mod_ssl.x86_64 1:2.4.6-67.el7.centos.6                  openssl-devel.x86_64 1:1.0.2k-8.el7              python-devel.x86_64 0:2.7.5-58.el7          
  python-tools.x86_64 0:2.7.5-58.el7                      python-virtualenv.noarch 0:1.10.1-4.el7          python2-pip.noarch 0:8.1.2-5.el7            
  redhat-rpm-config.noarch 0:9.1.0-76.el7.centos         

Dependency Installed:
  cpp.x86_64 0:4.8.5-16.el7_4.1               dwz.x86_64 0:0.11-3.el7                                        glibc-devel.x86_64 0:2.17-196.el7_4.2       
  glibc-headers.x86_64 0:2.17-196.el7_4.2     kernel-headers.x86_64 0:3.10.0-693.11.1.el7                    keyutils-libs-devel.x86_64 0:1.5.8-3.el7    
  krb5-devel.x86_64 0:1.15.1-8.el7            libXft.x86_64 0:2.3.2-2.el7                                    libXrender.x86_64 0:0.9.10-1.el7            
  libcom_err-devel.x86_64 0:1.42.9-10.el7     libkadm5.x86_64 0:1.15.1-8.el7                                 libmpc.x86_64 0:1.0.1-3.el7                 
  libselinux-devel.x86_64 0:2.5-11.el7        libsepol-devel.x86_64 0:2.5-6.el7                              libverto-devel.x86_64 0:0.2.5-4.el7         
  mpfr.x86_64 0:3.1.1-4.el7                   pcre-devel.x86_64 0:8.32-17.el7                                perl-srpm-macros.noarch 0:1-8.el7           
  python-backports.x86_64 0:1.0-8.el7         python-backports-ssl_match_hostname.noarch 0:3.4.0.2-4.el7     python-setuptools.noarch 0:0.9.8-7.el7      
  tcl.x86_64 1:8.5.13-8.el7                   tix.x86_64 1:8.4.3-12.el7                                      tk.x86_64 1:8.5.13-6.el7                    
  tkinter.x86_64 0:2.7.5-58.el7               zip.x86_64 0:3.0-11.el7                                        zlib-devel.x86_64 0:1.2.7-17.el7            

Complete!
Creating virtual environment...
Installing Python packages...
Installation succeeded.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): foo@bar.com ※通知を受け取りたいメールアドレスを入力

-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: A

-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: Y

Which names would you like to activate HTTPS for?
-------------------------------------------------------------------------------
1: www.ookawara.com
2: www.ookawara.net
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for www.ookawara.com
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/httpd/conf.d/www.ookawara.com-le-ssl.conf
Deploying Certificate for www.ookawara.com to VirtualHost /etc/httpd/conf.d/www.ookawara.com-le-ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting vhost in /etc/httpd/conf.d/www.ookawara.com.conf to ssl vhost in /etc/httpd/conf.d/www.ookawara.com-le-ssl.conf

-------------------------------------------------------------------------------
Congratulations! You have successfully enabled https://www.ookawara.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=www.ookawara.com
-------------------------------------------------------------------------------

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/www.ookawara.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/www.ookawara.com/privkey.pem
   Your cert will expire on 2018-04-03. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again with the "certonly" option. To non-interactively renew *all*
   of your certificates, run "certbot-auto renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Let’s Encrypt で発行する証明書の有効期限は3ヶ月。なので定期的に更新が必要となるのだが、これも certbot コマンドを cron で自動実行しておけばメンテフリーとなる。

[root@www certbot]# crontab -e
0 1 1 * * /root/certbot/certbot-auto renew --post-hook "systemctl reload httpd" >/tmp/certbot-update.log 2>&1

便利だねー。