本blogもSSL化することにした。個人blogだしVPSなのでお高い証明書を購入するまでもなく、近年活躍目覚ましい Let’s Encrypt で。
Let’s Encrypt って何よ?という向きは「Let’s Encrypt 総合ポータル」とか Wikipediaページ をご参照。
本blogが稼動しているVPSのOSとWebサーバーのバージョンは以下。
[root@www ~]# cat /etc/redhat-release CentOS Linux release 7.4.1708 (Core) [root@www ~]# httpd -v Server version: Apache/2.4.6 (CentOS) Server built: Oct 19 2017 20:39:16
証明書を自動発行したり自動更新したりするツールは、現時点での最新情報では certbot というツールを使うとのこと。
早速、gitを使ってインストール。
[root@www ~]# git clone https://github.com/certbot/certbot Cloning into 'certbot'... remote: Counting objects: 51720, done. remote: Compressing objects: 100% (94/94), done. remote: Total 51720 (delta 81), reused 72 (delta 40), pack-reused 51586 Receiving objects: 100% (51720/51720), 16.15 MiB | 3.96 MiB/s, done. Resolving deltas: 100% (37090/37090), done.
インストールしたcertbotをおもむろに実行する。必要なパッケージが自動で追加インストールされ、対話形式で証明書発行やApache設定ファイルの追加までやってくれる。良く出来てる親切仕様だね。
[root@www ~]# cd certbot [root@www certbot]# ./certbot-auto Bootstrapping dependencies for RedHat-based OSes... (you can skip this with --no-bootstrap) yum is /usr/bin/yum ・・・(省略)・・・ Installed: augeas-libs.x86_64 0:1.4.0-2.el7_4.2 gcc.x86_64 0:4.8.5-16.el7_4.1 libffi-devel.x86_64 0:3.0.13-18.el7 mod_ssl.x86_64 1:2.4.6-67.el7.centos.6 openssl-devel.x86_64 1:1.0.2k-8.el7 python-devel.x86_64 0:2.7.5-58.el7 python-tools.x86_64 0:2.7.5-58.el7 python-virtualenv.noarch 0:1.10.1-4.el7 python2-pip.noarch 0:8.1.2-5.el7 redhat-rpm-config.noarch 0:9.1.0-76.el7.centos Dependency Installed: cpp.x86_64 0:4.8.5-16.el7_4.1 dwz.x86_64 0:0.11-3.el7 glibc-devel.x86_64 0:2.17-196.el7_4.2 glibc-headers.x86_64 0:2.17-196.el7_4.2 kernel-headers.x86_64 0:3.10.0-693.11.1.el7 keyutils-libs-devel.x86_64 0:1.5.8-3.el7 krb5-devel.x86_64 0:1.15.1-8.el7 libXft.x86_64 0:2.3.2-2.el7 libXrender.x86_64 0:0.9.10-1.el7 libcom_err-devel.x86_64 0:1.42.9-10.el7 libkadm5.x86_64 0:1.15.1-8.el7 libmpc.x86_64 0:1.0.1-3.el7 libselinux-devel.x86_64 0:2.5-11.el7 libsepol-devel.x86_64 0:2.5-6.el7 libverto-devel.x86_64 0:0.2.5-4.el7 mpfr.x86_64 0:3.1.1-4.el7 pcre-devel.x86_64 0:8.32-17.el7 perl-srpm-macros.noarch 0:1-8.el7 python-backports.x86_64 0:1.0-8.el7 python-backports-ssl_match_hostname.noarch 0:3.4.0.2-4.el7 python-setuptools.noarch 0:0.9.8-7.el7 tcl.x86_64 1:8.5.13-8.el7 tix.x86_64 1:8.4.3-12.el7 tk.x86_64 1:8.5.13-6.el7 tkinter.x86_64 0:2.7.5-58.el7 zip.x86_64 0:3.0-11.el7 zlib-devel.x86_64 0:1.2.7-17.el7 Complete! Creating virtual environment... Installing Python packages... Installation succeeded. Saving debug log to /var/log/letsencrypt/letsencrypt.log Plugins selected: Authenticator apache, Installer apache Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): foo@bar.com ※通知を受け取りたいメールアドレスを入力 ------------------------------------------------------------------------------- Please read the Terms of Service at https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must agree in order to register with the ACME server at https://acme-v01.api.letsencrypt.org/directory ------------------------------------------------------------------------------- (A)gree/(C)ancel: A ------------------------------------------------------------------------------- Would you be willing to share your email address with the Electronic Frontier Foundation, a founding partner of the Let's Encrypt project and the non-profit organization that develops Certbot? We'd like to send you email about EFF and our work to encrypt the web, protect its users and defend digital rights. ------------------------------------------------------------------------------- (Y)es/(N)o: Y Which names would you like to activate HTTPS for? ------------------------------------------------------------------------------- 1: www.ookawara.com 2: www.ookawara.net ------------------------------------------------------------------------------- Select the appropriate numbers separated by commas and/or spaces, or leave input blank to select all options shown (Enter 'c' to cancel): 1 Obtaining a new certificate Performing the following challenges: tls-sni-01 challenge for www.ookawara.com Waiting for verification... Cleaning up challenges Created an SSL vhost at /etc/httpd/conf.d/www.ookawara.com-le-ssl.conf Deploying Certificate for www.ookawara.com to VirtualHost /etc/httpd/conf.d/www.ookawara.com-le-ssl.conf Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access. ------------------------------------------------------------------------------- 1: No redirect - Make no further changes to the webserver configuration. 2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for new sites, or if you're confident your site works on HTTPS. You can undo this change by editing your web server's configuration. ------------------------------------------------------------------------------- Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2 Redirecting vhost in /etc/httpd/conf.d/www.ookawara.com.conf to ssl vhost in /etc/httpd/conf.d/www.ookawara.com-le-ssl.conf ------------------------------------------------------------------------------- Congratulations! You have successfully enabled https://www.ookawara.com You should test your configuration at: https://www.ssllabs.com/ssltest/analyze.html?d=www.ookawara.com ------------------------------------------------------------------------------- IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/www.ookawara.com/fullchain.pem Your key file has been saved at: /etc/letsencrypt/live/www.ookawara.com/privkey.pem Your cert will expire on 2018-04-03. To obtain a new or tweaked version of this certificate in the future, simply run certbot-auto again with the "certonly" option. To non-interactively renew *all* of your certificates, run "certbot-auto renew" - Your account credentials have been saved in your Certbot configuration directory at /etc/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Certbot so making regular backups of this folder is ideal. - If you like Certbot, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le
Let’s Encrypt で発行する証明書の有効期限は3ヶ月。なので定期的に更新が必要となるのだが、これも certbot コマンドを cron で自動実行しておけばメンテフリーとなる。
[root@www certbot]# crontab -e 0 1 1 * * /root/certbot/certbot-auto renew --post-hook "systemctl reload httpd" >/tmp/certbot-update.log 2>&1
便利だねー。