Linux server build notes: enabling SSL for the site
Enable SSL on the web server built on Ubuntu 20.04 LTS, using a server certificate from Let's Encrypt.
Ubuntu 20.04 LTS server install image, the "live installer" edition
Module name: ubuntu-20.04.2-live-server-amd64.iso
$ sudo apt update
  :
$ sudo apt install certbot
Reading package lists... Done
  :
Setting up certbot (0.40.0-1ubuntu0.1) ...
Created symlink /etc/systemd/system/timers.target.wants/certbot.timer → /lib/systemd/system/certbot.timer.
Processing triggers for man-db (2.9.1-1) ...
$ sudo certbot certonly --webroot -w /var/www/html -d izutsu.aa0.netvolante.jp
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): izutsum@venus.dti.ne.jp

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: a

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for izutsu.aa0.netvolante.jp
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/izutsu.aa0.netvolante.jp/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/izutsu.aa0.netvolante.jp/privkey.pem
   Your cert will expire on 2021-09-04. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

・ Along the way, enter a usable e-mail address and agree to the terms of service.
・cert.pem … the SSL server certificate, which contains the public key
・chain.pem … the intermediate certificate
・fullchain.pem … cert.pem and chain.pem concatenated into one file
・privkey.pem … the private key that corresponds to the public key
$ sudo ls -l -s /etc/letsencrypt/live/izutsu.aa0.netvolante.jp
total 4
0 lrwxrwxrwx 1 root root  48 Jun  6 05:00 cert.pem -> ../../archive/izutsu.aa0.netvolante.jp/cert1.pem
0 lrwxrwxrwx 1 root root  49 Jun  6 05:00 chain.pem -> ../../archive/izutsu.aa0.netvolante.jp/chain1.pem
0 lrwxrwxrwx 1 root root  53 Jun  6 05:00 fullchain.pem -> ../../archive/izutsu.aa0.netvolante.jp/fullchain1.pem
0 lrwxrwxrwx 1 root root  51 Jun  6 05:00 privkey.pem -> ../../archive/izutsu.aa0.netvolante.jp/privkey1.pem
4 -rw-r--r-- 1 root root 692 Jun  6 05:00 README
$ sudo cp -r /etc/letsencrypt/ /etc/letsencrypt_cp/
$ sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/izutsu.aa0.netvolante.jp.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for izutsu.aa0.netvolante.jp
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/izutsu.aa0.netvolante.jp/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/izutsu.aa0.netvolante.jp/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
$ sudo crontab -e
no crontab for root - using an empty one

Select an editor.  To change later, run 'select-editor'.
  1. /bin/nano        <---- easiest
  2. /usr/bin/vim.basic
  3. /usr/bin/vim.tiny
  4. /bin/ed

Choose 1-4 [1]: 2

Choose an editor and add the following single line at the bottom:
0 0 * * * certbot renew

Write and quit with :wq.
crontab: installing new crontab

$ sudo service cron restart
$ sudo ls -l /var/spool/cron/crontabs
total 4
-rw------- 1 root crontab 1114 Jun  6 06:00 root
$ sudo ls -ltr /var/log/letsencrypt
total 92
-rw-r--r-- 1 root root 88423 Jun  6 05:56 letsencrypt.log

$ sudo cat /var/log/letsencrypt/letsencrypt.log
  :
  :
-----END CERTIFICATE-----
2021-06-06 05:56:28,589:DEBUG:acme.client:Storing nonce: 00032l2Sk6PPE37AKxLX5LgNs2Cil9rOm2m5frrWUxBoAOY
2021-06-06 05:56:28,591:DEBUG:certbot.renewal:Dry run: skipping updating lineage at /etc/letsencrypt/live/izutsu.aa0.netvolante.jp
2021-06-06 05:56:28,595:DEBUG:certbot.updater:Skipping updaters in dry-run mode.
2021-06-06 05:56:28,596:DEBUG:certbot.renewal:no renewal failures
2021-06-06 13:38:00,597:DEBUG:certbot.main:certbot version: 0.40.0
2021-06-06 13:38:00,598:DEBUG:certbot.main:Arguments: ['-q']
2021-06-06 13:38:00,598:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2021-06-06 13:38:00,614:DEBUG:certbot.log:Root logging level set at 30
2021-06-06 13:38:00,614:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2021-06-06 13:38:00,628:DEBUG:certbot.plugins.selection:Requested authenticator <certbot.cli._Default object at 0x7fcc04921d00> and installer <certbot.cli._Default object at 0x7fcc04921d00>
2021-06-06 13:38:00,642:INFO:certbot.renewal:Cert not yet due for renewal
2021-06-06 13:38:00,643:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2021-06-06 13:38:00,643:DEBUG:certbot.renewal:no renewal failures
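The certificate files and the renewal described above, as an added example that is not part of this memo: a POSIX shell script that checks a lineage directory against the description of the four files (fullchain.pem must be cert.pem followed by chain.pem, and the private key must not be world-readable) and runs the renewal with a deploy hook that reloads Apache, because the dry run reports that the new certificate is deployed without a reload. The lineage path and apache2 are assumptions taken from this page; the sample lineage the script builds for trying the check is constructed.

```shell
# Added example, not from the memo: check a certbot lineage directory against
# the four files described above, then renew with a deploy hook. Assumptions:
# the lineage path is the one on this page and the web server is apache2.
set -u
# Number of "BEGIN CERTIFICATE" blocks in a PEM file (cert.pem: exactly 1).
cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Return 0 when DIR holds the four files, fullchain.pem is byte-for-byte
# cert.pem followed by chain.pem, and privkey.pem is not world-readable;
# otherwise print the problem and return 1.
check_lineage() {
    dir=$1
    for f in cert.pem chain.pem fullchain.pem privkey.pem; do
        [ -f "$dir/$f" ] || { echo "missing: $dir/$f"; return 1; }
    done
    if [ "$(cert_count "$dir/cert.pem")" -ne 1 ]; then
        echo "cert.pem should contain exactly one certificate"; return 1
    fi
    if ! cat "$dir/cert.pem" "$dir/chain.pem" | cmp -s - "$dir/fullchain.pem"; then
        echo "fullchain.pem is not cert.pem followed by chain.pem"; return 1
    fi
    # -L follows the live/ -> archive/ symlink; -perm -004 means "other" can read
    if [ -n "$(find -L "$dir/privkey.pem" -perm -004)" ]; then
        echo "privkey.pem is world-readable"; return 1
    fi
    echo "ok: $dir"
}

# The memo's cron job plus a deploy hook: webroot renewal does not reload Apache
# ("new certificate deployed without reload" in the dry run above), so the old
# certificate stays in use until a reload; the hook runs only after a real renewal.
renew_with_reload() {
    certbot renew --quiet --deploy-hook "apachectl configtest && systemctl reload apache2"
}

# Constructed sample lineage (fake PEM bodies) for trying the check without a
# real certificate; prints the temporary directory it created.
make_sample_lineage() {
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' CONSTRUCTED-LEAF '-----END CERTIFICATE-----' > "$d/cert.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' CONSTRUCTED-CA '-----END CERTIFICATE-----' > "$d/chain.pem"
    cat "$d/cert.pem" "$d/chain.pem" > "$d/fullchain.pem"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' CONSTRUCTED-KEY '-----END PRIVATE KEY-----' > "$d/privkey.pem"
    chmod 600 "$d/privkey.pem"
    echo "$d"
}
# Usage: sh le-check.sh /etc/letsencrypt/live/izutsu.aa0.netvolante.jp
if [ $# -gt 0 ]; then check_lineage "$1" && renew_with_reload; fi
```

The apt output above also shows that the package enabled certbot.timer, so the cron line duplicates a renewal that systemd already schedules.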
$ sudo a2enmod ssl
$ sudo vi /etc/apache2/sites-available/default-ssl.conf
(change to the administrator's e-mail address)
ServerAdmin izutsum@venus.dti.ne.jp
(change to the path of the directory published as the document root)
DocumentRoot /var/www/html
(change to the path of the obtained server certificate, which holds the public key)
SSLCertificateFile /etc/letsencrypt/live/izutsu.aa0.netvolante.jp/cert.pem
(change to the path of the obtained private key)
SSLCertificateKeyFile /etc/letsencrypt/live/izutsu.aa0.netvolante.jp/privkey.pem
(uncomment and change to the path of the obtained intermediate certificate)
SSLCertificateChainFile /etc/letsencrypt/live/izutsu.aa0.netvolante.jp/chain.pem
$ sudo a2ensite default-ssl
$ sudo systemctl restart apache2
$ sudo ls /etc/apache2/mods-enabled
access_compat.load  authn_file.load  autoindex.load  env.load          mpm_prefork.load  reqtimeout.conf     ssl.conf
alias.conf          authz_core.load  deflate.conf    filter.load       negotiation.conf  reqtimeout.load     ssl.load
alias.load          authz_host.load  deflate.load    mime.conf         negotiation.load  setenvif.conf       status.conf
auth_basic.load     authz_user.load  dir.conf        mime.load         php7.4.conf       setenvif.load       status.load
authn_core.load     autoindex.conf   dir.load        mpm_prefork.conf  php7.4.load       socache_shmcb.load

● Enable mod_rewrite
$ sudo a2enmod rewrite
Enabling module rewrite.
To activate the new configuration, you need to run:
  systemctl restart apache2

● Restart Apache2
$ sudo systemctl restart apache2

● Confirm that the module is enabled
$ sudo ls /etc/apache2/mods-enabled
access_compat.load  authn_file.load  autoindex.load  env.load          mpm_prefork.load  reqtimeout.conf  socache_shmcb.load
alias.conf          authz_core.load  deflate.conf    filter.load       negotiation.conf  reqtimeout.load  ssl.conf
alias.load          authz_host.load  deflate.load    mime.conf         negotiation.load  rewrite.load     ssl.load
auth_basic.load     authz_user.load  dir.conf        mime.load         php7.4.conf       setenvif.conf    status.conf
authn_core.load     autoindex.conf   dir.load        mpm_prefork.conf  php7.4.load       setenvif.load    status.load
$ sudo vi /etc/apache2/sites-available/000-default.conf
<VirtualHost *:80>
  :
  :
  RewriteEngine On
  RewriteCond %{HTTPS} off
  RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>
$ sudo systemctl restart apache2