![[PukiWiki]](image/../localimages/Atom.gif "[PukiWiki]")
Let's Encrypt(無料のSSL証明書)のインストール(Ubuntsu18.04LTS) †更新日 2020-04-27 (月) 11:51:15
Ubuntsu18.04LTSにLet's Encrypt(無料のSSL証明書)の証明書を取得してインストールする。 クライアントツール(certbot)をインストール †# apt -y install certbot (略) Created symlink /etc/systemd/system/timers.target.wants/certbot.timer → /lib/systemd/system/certbot.timer. Processing triggers for man-db (2.8.3-2ubuntu0.1) ... Processing triggers for mime-support (3.60ubuntu1) ... インストール後/etc/letsencryptが作成される 証明書を取得 †[--webroot] 指定で稼働中 Web サーバーの公開ディレクトリ配下を認証用の一時領域に使用 証明書を取得したいFQDNが複数ある場合は、-d [証明書を取得したいFQDN] を複数指定 -d meeting.hoge-c.com -d aaa.hoge-c.com 証明書を取得 # certbot certonly --webroot -w /var/www/html -d meeting.hoge-c.com Saving debug log to /var/log/letsencrypt/letsencrypt.log Plugins selected: Authenticator webroot, Installer None Enter email address (used for urgent renewal and security notices) (Enter 'c' tocancel): okada@hoge-c.com - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Please read the Terms of Service at https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must agree in order to register with the ACME server at https://acme-v02.api.letsencrypt.org/directory - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (A)gree/(C)ancel: A - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Would you be willing to share your email address with the Electronic Frontier Foundation, a founding partner of the Let's Encrypt project and the non-profit organization that develops Certbot? We'd like to send you email about our work encrypting the web, EFF news, campaigns, and ways to support digital freedom. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (Y)es/(N)o: N Obtaining a new certificate Performing the following challenges: http-01 challenge for meeting.hoge-c.com Using the webroot path /var/www/html for all unmatched domains. Waiting for verification... Cleaning up challenges IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/meeting.hoge-c.com/fullchain.pem Your key file has been saved at: /etc/letsencrypt/live/meeting.hoge-c.com/privkey.pem Your cert will expire on 2020-07-12. To obtain a new or tweaked version of this certificate in the future, simply run certbot again. To non-interactively renew *all* of your certificates, run "certbot renew" - Your account credentials have been saved in your Certbot configuration directory at /etc/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Certbot so making regular backups of this folder is ideal. - If you like Certbot, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le /etc/letsencrypt/live/meeting.hoge-c.com/ # ls -l total 4 lrwxrwxrwx 1 root root 47 Apr 13 13:48 cert.pem -> ../../archive/meeting.hoge-c.com/cert1.pem lrwxrwxrwx 1 root root 48 Apr 13 13:48 chain.pem -> ../../archive/meeting.hoge-c.com/chain1.pem lrwxrwxrwx 1 root root 52 Apr 13 13:48 fullchain.pem -> ../../archive/meeting.hoge-c.com/fullchain1.pem lrwxrwxrwx 1 root root 50 Apr 13 13:48 privkey.pem -> ../../archive/meeting.hoge-c.com/privkey1.pem -rw-r--r-- 1 root root 682 Apr 13 13:48 README
参考 Apacheのバージョン確認 $ dpkg-query -l (略) ii apache2 2.4.29-1ubun amd64 Apache HTTP Server (略) Apache 2.4.8以降 Apache 2.4.8 から中間CA証明書を指定するSSLCertificateChainFile ディレクティブが廃止。中間CA証明書、およびクロスルート証明書(オプション)はサーバ証明書と一つの証明書ファイルとしてまとめて、SSLCertificateFileディレクティブに指定する。 Apacheのバージョンが2.4.29で2.4.8以降なのでサーバ証明書+中間CA証明書を結合したものを使用する /etc/ssl/private # ln -s /etc/letsencrypt/live/meeting.hoge-c.com/privkey.pem server.key /etc/ssl/certs # ln -s /etc/letsencrypt/live/meeting.hoge-c.com/cert.pem server.crt 'Apache再起動'' # systemctl start apache2 証明書の更新設定 †更新シェル /etc/letsencrypt/letsencrypt-renew.sh #!/bin/sh certbot renew -q --no-self-upgrade --post-hook "systemctl restat httpd.service" # chmod 0700 /etc/letsencrypt/letsencrypt-renew.sh # crontab -e 0 3 * * * /etc/letsencrypt/letsencrypt-renew.sh 参考 †証明書の拡張子について †
|
