Installing Let's Encrypt (free SSL certificates) on Ubuntu 18.04 LTS
Last updated 2020-09-08 (Tue) 09:21:04
Obtain a Let's Encrypt (free SSL) certificate on Ubuntu 18.04 LTS and install it.

Install the client tool (certbot)

  # apt -y install certbot
  (omitted)
  Created symlink /etc/systemd/system/timers.target.wants/certbot.timer → /lib/systemd/system/certbot.timer.
  Processing triggers for man-db (2.8.3-2ubuntu0.1) ...
  Processing triggers for mime-support (3.60ubuntu1) ...

After installation, /etc/letsencrypt is created.

Obtain the certificate

With --webroot, a temporary area under the public directory of the running web server is used for the validation challenge.
If you need certificates for more than one FQDN, give -d [FQDN] more than once, e.g. -d meeting.hoge-c.com -d aaa.hoge-c.com

Obtain the certificate:

  # certbot certonly --webroot -w /var/www/html -d meeting.hoge-c.com
  Saving debug log to /var/log/letsencrypt/letsencrypt.log
  Plugins selected: Authenticator webroot, Installer None
  Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): okada@hoge-c.com
  - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  Please read the Terms of Service at
  https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
  agree in order to register with the ACME server at
  https://acme-v02.api.letsencrypt.org/directory
  - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  (A)gree/(C)ancel: A
  - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  Would you be willing to share your email address with the Electronic Frontier
  Foundation, a founding partner of the Let's Encrypt project and the non-profit
  organization that develops Certbot? We'd like to send you email about our work
  encrypting the web, EFF news, campaigns, and ways to support digital freedom.
  - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  (Y)es/(N)o: N
  Obtaining a new certificate
  Performing the following challenges:
  http-01 challenge for meeting.hoge-c.com
  Using the webroot path /var/www/html for all unmatched domains.
  Waiting for verification...
  Cleaning up challenges

  IMPORTANT NOTES:
   - Congratulations! Your certificate and chain have been saved at:
     /etc/letsencrypt/live/meeting.hoge-c.com/fullchain.pem
     Your key file has been saved at:
     /etc/letsencrypt/live/meeting.hoge-c.com/privkey.pem
     Your cert will expire on 2020-07-12. To obtain a new or tweaked
     version of this certificate in the future, simply run certbot
     again. To non-interactively renew *all* of your certificates, run
     "certbot renew"
   - Your account credentials have been saved in your Certbot
     configuration directory at /etc/letsencrypt. You should make a
     secure backup of this folder now. This configuration directory will
     also contain certificates and private keys obtained by Certbot so
     making regular backups of this folder is ideal.
   - If you like Certbot, please consider supporting our work by:

     Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
     Donating to EFF:                    https://eff.org/donate-le

The live directory holds symlinks to the current versions in archive:

  /etc/letsencrypt/live/meeting.hoge-c.com/ # ls -l
  total 4
  lrwxrwxrwx 1 root root 47 Apr 13 13:48 cert.pem -> ../../archive/meeting.hoge-c.com/cert1.pem
  lrwxrwxrwx 1 root root 48 Apr 13 13:48 chain.pem -> ../../archive/meeting.hoge-c.com/chain1.pem
  lrwxrwxrwx 1 root root 52 Apr 13 13:48 fullchain.pem -> ../../archive/meeting.hoge-c.com/fullchain1.pem
  lrwxrwxrwx 1 root root 50 Apr 13 13:48 privkey.pem -> ../../archive/meeting.hoge-c.com/privkey1.pem
  -rw-r--r-- 1 root root 682 Apr 13 13:48 README

Reference: checking the Apache version

  $ dpkg-query -l
  (omitted)
  ii apache2 2.4.29-1ubun amd64 Apache HTTP Server
  (omitted)

Apache 2.4.8 and later: starting with Apache 2.4.8, the SSLCertificateChainFile directive used to specify the intermediate CA certificate is deprecated. The intermediate CA certificate (and, optionally, the cross-root certificate) are concatenated with the server certificate into a single certificate file, which is given to the SSLCertificateFile directive.

Since the installed Apache is 2.4.29, i.e. 2.4.8 or later, use the file that combines the server certificate and the intermediate CA certificate. Of the files certbot produces, cert.pem holds only the server certificate; fullchain.pem is the combined file (certbot's output above says "certificate and chain have been saved at ... fullchain.pem"), so that is the one to link as server.crt:

  /etc/ssl/private # ln -s /etc/letsencrypt/live/meeting.hoge-c.com/privkey.pem server.key
  /etc/ssl/certs # ln -s /etc/letsencrypt/live/meeting.hoge-c.com/fullchain.pem server.crt

Restart Apache (a plain start does nothing if Apache is already running, so the new certificate would not be loaded):

  # systemctl restart apache2

Renewal configuration

Renewal script /etc/letsencrypt/letsencrypt-renew.sh (on Ubuntu the unit is apache2, not httpd, and the hook command is restart):

  #!/bin/sh
  certbot renew -q --no-self-upgrade --post-hook "systemctl restart apache2"

  # chmod 0700 /etc/letsencrypt/letsencrypt-renew.sh
  # crontab -e
  0 3 * * * /etc/letsencrypt/letsencrypt-renew.sh

Does it renew on its own? Is the above setting unnecessary?

It appears that when the certificate's expiry approaches, certbot decides on its own and renews it. There is a shell script /etc/cron.weekly/letsencrypt-renew. The log seems to be at /var/log/le-renew.log. On 2020-09-04 a certificate expiring in October was renewed automatically about 28 days before expiry, with no cron entry configured. The details of this behaviour have not been confirmed.

Reference

About certificate file extensions
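As an added example (not code from the original page), a renewal script that first checks that the file Apache serves resolves to the full chain (server certificate plus intermediate, as the Apache 2.4.8+ note above requires) and holds at least two certificates, and only then runs certbot renew with a reload hook. The paths are assumptions built from the page's sample domain.

```shell
#!/bin/sh
# Renewal script with a chain sanity check. Assumed paths follow the page's
# layout: /etc/ssl/certs/server.crt -> /etc/letsencrypt/live/<fqdn>/fullchain.pem
APACHE_CRT="${APACHE_CRT:-/etc/ssl/certs/server.crt}"

# Number of PEM certificate blocks in a file: leaf only = 1, leaf + intermediate >= 2.
# A missing file counts as 0.
pem_cert_count() {
    n=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$1" 2>/dev/null)
    echo "${n:-0}"
}

# Succeeds only if the path Apache points at resolves to a fullchain*.pem file
# (symlinks followed, so live/ -> archive/ is handled) containing >= 2 certificates.
chain_is_complete() {
    target=$(readlink -f "$1") || return 1
    case "$(basename "$target")" in
        fullchain*.pem) ;;
        *) return 1 ;;
    esac
    [ "$(pem_cert_count "$target")" -ge 2 ]
}

renew_certs() {
    if ! chain_is_complete "$APACHE_CRT"; then
        echo "$APACHE_CRT does not resolve to a complete fullchain.pem" >&2
        return 1
    fi
    # --deploy-hook runs only when a certificate was actually renewed,
    # so Apache is reloaded only on real renewals. Ubuntu's unit is apache2.
    certbot renew -q --deploy-hook "systemctl reload apache2"
}

# Run the renewal only when invoked with "run", e.g. from cron:
#   0 3 * * * /etc/letsencrypt/letsencrypt-renew.sh run
[ "${1:-}" = "run" ] && renew_certs
```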