An easy guide to issuing an SSL certificate with Let's Encrypt
Overview
- For this test, I obtain a free SSL certificate from Let's Encrypt and deploy it on Apache running on EC2. This post summarizes the steps.
- On AWS, certificates are usually issued with ACM (AWS Certificate Manager), but development setups and the like may not use a Load Balancer, or may use one and still terminate SSL on the backend. Some services also cannot be used with a self-signed certificate, so for testing purposes there are many situations where you want to use Let's Encrypt.
Steps for issuing a certificate with Let's Encrypt
Overview of Let's Encrypt and points to note
- Let's Encrypt is a certificate authority that provides SSL/TLS certificates. It issues Domain Validation (DV) certificates only; Organization Validation (OV) and Extended Validation (EV) certificates are not offered, because their issuance cannot be automated.
- Let's Encrypt is run by a non-profit organization, so certificates are issued free of charge.
- Certificates issued by Let's Encrypt are trusted by most browsers. For certificate compatibility, see this list.
- Certificates issued by Let's Encrypt are valid for 90 days. For the reasoning behind the short validity period, see this document.
- Ports 80 and 443 must be reachable for Let's Encrypt to issue and renew certificates.
- For further details, see the Let's Encrypt documentation.
Before issuing a certificate
- The domain name for the FQDN to be used in the SSL/TLS certificate has been registered.
- Inbound ports 80 and 443 are allowed on the EC2 instance that will issue the certificate.
- An email address to enter when issuing the certificate has been prepared.
Installing the Let's Encrypt Certbot client
- Install the epel-release repository.
[ec2-user@ip-XX-XX-XX-XX ~]$ sudo amazon-linux-extras install epel
Installing epel-release
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
Cleaning repos: amzn2-core amzn2extra-docker amzn2extra-epel
12 metadata files removed
4 sqlite files removed
0 metadata files removed
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
amzn2-core | 3.7 kB 00:00
amzn2extra-docker | 3.0 kB 00:00
amzn2extra-epel | 3.0 kB 00:00
(1/7): amzn2-core/2/x86_64/group_gz | 2.5 kB 00:00
(2/7): amzn2-core/2/x86_64/updateinfo | 257 kB 00:00
(3/7): amzn2extra-epel/2/x86_64/primary_db | 1.8 kB 00:00
(4/7): amzn2extra-docker/2/x86_64/updateinfo | 76 B 00:00
(5/7): amzn2extra-epel/2/x86_64/updateinfo | 76 B 00:00
(6/7): amzn2extra-docker/2/x86_64/primary_db | 68 kB 00:00
(7/7): amzn2-core/2/x86_64/primary_db | 44 MB 00:00
Resolving Dependencies
--> Running transaction check
---> Package epel-release.noarch 0:7-11 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
epel-release noarch 7-11 amzn2extra-epel 15 k
Transaction Summary
================================================================================
Install 1 Package
Total download size: 15 k
Installed size: 24 k
Is this ok [y/d/N]: y
Downloading packages:
epel-release-7-11.noarch.rpm | 15 kB 00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : epel-release-7-11.noarch 1/1
Verifying : epel-release-7-11.noarch 1/1
Installed:
epel-release.noarch 0:7-11
Complete!
- Next, install the certbot and python-certbot-apache packages.
[ec2-user@ip-XX-XX-XX-XX ~]$ sudo yum install certbot python-certbot-apache
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
195 packages excluded due to repository priority protections
Resolving Dependencies
--> Running transaction check
---> Package certbot.noarch 0:1.7.0-1.el7 will be installed
--> Processing Dependency: python2-certbot = 1.7.0-1.el7 for package: certbot-1.7.0-1.el7.noarch
--> Processing Dependency: /usr/sbin/semanage for package: certbot-1.7.0-1.el7.noarch
---> Package python2-certbot-apache.noarch 0:1.7.0-1.el7 will be installed
--> Processing Dependency: python2-acme >= 0.29.0 for package: python2-certbot-apache-1.7.0-1.el7.noarch
--> Processing Dependency: python-augeas for package: python2-certbot-apache-1.7.0-1.el7.noarch
--> Running transaction check
---> Package policycoreutils-python.x86_64 0:2.5-22.amzn2 will be installed
--> Processing Dependency: setools-libs >= 3.3.8-2 for package: policycoreutils-python-2.5-22.amzn2.x86_64
--> Processing Dependency: libsemanage-python >= 2.5-9 for package: policycoreutils-python-2.5-22.amzn2.x86_64
--> Processing Dependency: audit-libs-python >= 2.1.3-4 for package: policycoreutils-python-2.5-22.amzn2.x86_64
--> Processing Dependency: python-IPy for package: policycoreutils-python-2.5-22.amzn2.x86_64
--> Processing Dependency: libselinux-python for package: policycoreutils-python-2.5-22.amzn2.x86_64
--> Processing Dependency: libqpol.so.1(VERS_1.4)(64bit) for package: policycoreutils-python-2.5-22.amzn2.x86_64
--> Processing Dependency: libqpol.so.1(VERS_1.2)(64bit) for package: policycoreutils-python-2.5-22.amzn2.x86_64
--> Processing Dependency: libcgroup for package: policycoreutils-python-2.5-22.amzn2.x86_64
--> Processing Dependency: libapol.so.4(VERS_4.0)(64bit) for package: policycoreutils-python-2.5-22.amzn2.x86_64
--> Processing Dependency: checkpolicy for package: policycoreutils-python-2.5-22.amzn2.x86_64
--> Processing Dependency: libqpol.so.1()(64bit) for package: policycoreutils-python-2.5-22.amzn2.x86_64
--> Processing Dependency: libapol.so.4()(64bit) for package: policycoreutils-python-2.5-22.amzn2.x86_64
---> Package python-augeas.noarch 0:0.5.0-2.amzn2 will be installed
--> Processing Dependency: augeas-libs for package: python-augeas-0.5.0-2.amzn2.noarch
---> Package python2-acme.noarch 0:1.7.0-1.el7 will be installed
--> Processing Dependency: pyOpenSSL >= 0.13.1 for package: python2-acme-1.7.0-1.el7.noarch
--> Processing Dependency: python2-josepy >= 1.1.0 for package: python2-acme-1.7.0-1.el7.noarch
--> Processing Dependency: python-ndg_httpsclient for package: python2-acme-1.7.0-1.el7.noarch
--> Processing Dependency: python-requests-toolbelt for package: python2-acme-1.7.0-1.el7.noarch
--> Processing Dependency: python2-pyrfc3339 for package: python2-acme-1.7.0-1.el7.noarch
--> Processing Dependency: python2-six for package: python2-acme-1.7.0-1.el7.noarch
--> Processing Dependency: pytz for package: python2-acme-1.7.0-1.el7.noarch
---> Package python2-certbot.noarch 0:1.7.0-1.el7 will be installed
--> Processing Dependency: python-parsedatetime >= 1.3 for package: python2-certbot-1.7.0-1.el7.noarch
--> Processing Dependency: python2-configargparse >= 0.9.3 for package: python2-certbot-1.7.0-1.el7.noarch
--> Processing Dependency: python2-distro >= 1.0.1 for package: python2-certbot-1.7.0-1.el7.noarch
--> Processing Dependency: python-zope-component for package: python2-certbot-1.7.0-1.el7.noarch
--> Processing Dependency: python-zope-interface for package: python2-certbot-1.7.0-1.el7.noarch
--> Processing Dependency: python2-mock for package: python2-certbot-1.7.0-1.el7.noarch
--> Running transaction check
---> Package audit-libs-python.x86_64 0:2.8.1-3.amzn2.1 will be installed
---> Package augeas-libs.x86_64 0:1.4.0-9.amzn2 will be installed
---> Package checkpolicy.x86_64 0:2.5-6.amzn2 will be installed
---> Package libcgroup.x86_64 0:0.41-21.amzn2 will be installed
---> Package libselinux-python.x86_64 0:2.5-12.amzn2.0.2 will be installed
---> Package libsemanage-python.x86_64 0:2.5-11.amzn2 will be installed
---> Package pyOpenSSL.x86_64 0:0.13.1-3.amzn2.0.2 will be installed
---> Package python-IPy.noarch 0:0.75-6.amzn2.0.1 will be installed
---> Package python-ndg_httpsclient.noarch 0:0.3.2-1.el7 will be installed
---> Package python-requests-toolbelt.noarch 0:0.8.0-3.el7 will be installed
---> Package python-zope-component.noarch 1:4.1.0-5.el7 will be installed
--> Processing Dependency: python-zope-event for package: 1:python-zope-component-4.1.0-5.el7.noarch
---> Package python-zope-interface.x86_64 0:4.0.5-4.amzn2.0.2 will be installed
---> Package python2-configargparse.noarch 0:0.11.0-2.el7 will be installed
---> Package python2-distro.noarch 0:1.2.0-3.el7 will be installed
---> Package python2-josepy.noarch 0:1.3.0-2.el7 will be installed
---> Package python2-mock.noarch 0:1.0.1-10.el7 will be installed
---> Package python2-parsedatetime.noarch 0:2.4-6.el7 will be installed
--> Processing Dependency: python2-future for package: python2-parsedatetime-2.4-6.el7.noarch
---> Package python2-pyrfc3339.noarch 0:1.1-3.el7 will be installed
---> Package python2-six.noarch 0:1.9.0-0.el7 will be installed
---> Package pytz.noarch 0:2016.10-2.amzn2.0.1 will be installed
---> Package setools-libs.x86_64 0:3.3.8-2.amzn2.0.2 will be installed
--> Running transaction check
---> Package python-zope-event.noarch 0:4.0.3-2.el7 will be installed
---> Package python2-future.noarch 0:0.18.2-2.el7 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
certbot noarch 1.7.0-1.el7 epel 45 k
python2-certbot-apache noarch 1.7.0-1.el7 epel 139 k
Installing for dependencies:
audit-libs-python x86_64 2.8.1-3.amzn2.1 amzn2-core 79 k
augeas-libs x86_64 1.4.0-9.amzn2 amzn2-core 351 k
checkpolicy x86_64 2.5-6.amzn2 amzn2-core 294 k
libcgroup x86_64 0.41-21.amzn2 amzn2-core 66 k
libselinux-python x86_64 2.5-12.amzn2.0.2 amzn2-core 237 k
libsemanage-python x86_64 2.5-11.amzn2 amzn2-core 115 k
policycoreutils-python x86_64 2.5-22.amzn2 amzn2-core 454 k
pyOpenSSL x86_64 0.13.1-3.amzn2.0.2 amzn2-core 133 k
python-IPy noarch 0.75-6.amzn2.0.1 amzn2-core 32 k
python-augeas noarch 0.5.0-2.amzn2 amzn2-core 25 k
python-ndg_httpsclient noarch 0.3.2-1.el7 epel 43 k
python-requests-toolbelt noarch 0.8.0-3.el7 epel 78 k
python-zope-component noarch 1:4.1.0-5.el7 epel 228 k
python-zope-event noarch 4.0.3-2.el7 epel 79 k
python-zope-interface x86_64 4.0.5-4.amzn2.0.2 amzn2-core 138 k
python2-acme noarch 1.7.0-1.el7 epel 82 k
python2-certbot noarch 1.7.0-1.el7 epel 376 k
python2-configargparse noarch 0.11.0-2.el7 epel 31 k
python2-distro noarch 1.2.0-3.el7 epel 29 k
python2-future noarch 0.18.2-2.el7 epel 806 k
python2-josepy noarch 1.3.0-2.el7 epel 89 k
python2-mock noarch 1.0.1-10.el7 epel 92 k
python2-parsedatetime noarch 2.4-6.el7 epel 78 k
python2-pyrfc3339 noarch 1.1-3.el7 epel 16 k
python2-six noarch 1.9.0-0.el7 epel 2.9 k
pytz noarch 2016.10-2.amzn2.0.1 amzn2-core 46 k
setools-libs x86_64 3.3.8-2.amzn2.0.2 amzn2-core 618 k
Transaction Summary
================================================================================
Install 2 Packages (+27 Dependent packages)
Total download size: 4.7 M
Installed size: 18 M
Is this ok [y/d/N]: y
Downloading packages:
(1/29): audit-libs-python-2.8.1-3.amzn2.1.x86_64.rpm | 79 kB 00:00
warning: /var/cache/yum/x86_64/2/epel/packages/certbot-1.7.0-1.el7.noarch.rpm: Header V4 RSA/SHA256 Signature, key ID 352c64e5: NOKEY
Public key for certbot-1.7.0-1.el7.noarch.rpm is not installed
(2/29): certbot-1.7.0-1.el7.noarch.rpm | 45 kB 00:00
(3/29): augeas-libs-1.4.0-9.amzn2.x86_64.rpm | 351 kB 00:00
(4/29): libcgroup-0.41-21.amzn2.x86_64.rpm | 66 kB 00:00
(5/29): checkpolicy-2.5-6.amzn2.x86_64.rpm | 294 kB 00:00
(6/29): libselinux-python-2.5-12.amzn2.0.2.x86_64.rpm | 237 kB 00:00
(7/29): libsemanage-python-2.5-11.amzn2.x86_64.rpm | 115 kB 00:00
(8/29): policycoreutils-python-2.5-22.amzn2.x86_64.rpm | 454 kB 00:00
(9/29): pyOpenSSL-0.13.1-3.amzn2.0.2.x86_64.rpm | 133 kB 00:00
(10/29): python-IPy-0.75-6.amzn2.0.1.noarch.rpm | 32 kB 00:00
(11/29): python-ndg_httpsclient-0.3.2-1.el7.noarch.rpm | 43 kB 00:00
(12/29): python-requests-toolbelt-0.8.0-3.el7.noarch.rpm | 78 kB 00:00
(13/29): python-zope-component-4.1.0-5.el7.noarch.rpm | 228 kB 00:00
(14/29): python-zope-event-4.0.3-2.el7.noarch.rpm | 79 kB 00:00
(15/29): python2-acme-1.7.0-1.el7.noarch.rpm | 82 kB 00:00
(16/29): python2-certbot-1.7.0-1.el7.noarch.rpm | 376 kB 00:00
(17/29): python-augeas-0.5.0-2.amzn2.noarch.rpm | 25 kB 00:00
(18/29): python-zope-interface-4.0.5-4.amzn2.0.2.x86_64.rp | 138 kB 00:00
(19/29): python2-certbot-apache-1.7.0-1.el7.noarch.rpm | 139 kB 00:00
(20/29): python2-configargparse-0.11.0-2.el7.noarch.rpm | 31 kB 00:00
(21/29): python2-distro-1.2.0-3.el7.noarch.rpm | 29 kB 00:00
(22/29): python2-future-0.18.2-2.el7.noarch.rpm | 806 kB 00:00
(23/29): python2-josepy-1.3.0-2.el7.noarch.rpm | 89 kB 00:00
(24/29): python2-mock-1.0.1-10.el7.noarch.rpm | 92 kB 00:00
(25/29): python2-parsedatetime-2.4-6.el7.noarch.rpm | 78 kB 00:00
(26/29): python2-pyrfc3339-1.1-3.el7.noarch.rpm | 16 kB 00:00
(27/29): python2-six-1.9.0-0.el7.noarch.rpm | 2.9 kB 00:00
(28/29): pytz-2016.10-2.amzn2.0.1.noarch.rpm | 46 kB 00:00
(29/29): setools-libs-3.3.8-2.amzn2.0.2.x86_64.rpm | 618 kB 00:00
--------------------------------------------------------------------------------
Total 3.6 MB/s | 4.7 MB 00:01
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
Importing GPG key 0x352C64E5:
Userid : "Fedora EPEL (7) <epel@fedoraproject.org>"
Fingerprint: 91e9 7d7c 4a5e 96f1 7f3e 888f 6a2f aea2 352c 64e5
Package : epel-release-7-11.noarch (@amzn2extra-epel)
From : /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
Is this ok [y/N]: y
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : pyOpenSSL-0.13.1-3.amzn2.0.2.x86_64 1/29
Installing : python2-pyrfc3339-1.1-3.el7.noarch 2/29
Installing : python-zope-interface-4.0.5-4.amzn2.0.2.x86_64 3/29
Installing : pytz-2016.10-2.amzn2.0.1.noarch 4/29
Installing : python2-six-1.9.0-0.el7.noarch 5/29
Installing : python2-josepy-1.3.0-2.el7.noarch 6/29
Installing : python-ndg_httpsclient-0.3.2-1.el7.noarch 7/29
Installing : python2-distro-1.2.0-3.el7.noarch 8/29
Installing : python-zope-event-4.0.3-2.el7.noarch 9/29
Installing : 1:python-zope-component-4.1.0-5.el7.noarch 10/29
Installing : python2-mock-1.0.1-10.el7.noarch 11/29
Installing : checkpolicy-2.5-6.amzn2.x86_64 12/29
Installing : libcgroup-0.41-21.amzn2.x86_64 13/29
Installing : libsemanage-python-2.5-11.amzn2.x86_64 14/29
Installing : setools-libs-3.3.8-2.amzn2.0.2.x86_64 15/29
Installing : python2-future-0.18.2-2.el7.noarch 16/29
Installing : python2-parsedatetime-2.4-6.el7.noarch 17/29
Installing : python2-configargparse-0.11.0-2.el7.noarch 18/29
Installing : python-requests-toolbelt-0.8.0-3.el7.noarch 19/29
Installing : python2-acme-1.7.0-1.el7.noarch 20/29
Installing : python2-certbot-1.7.0-1.el7.noarch 21/29
Installing : augeas-libs-1.4.0-9.amzn2.x86_64 22/29
Installing : python-augeas-0.5.0-2.amzn2.noarch 23/29
Installing : audit-libs-python-2.8.1-3.amzn2.1.x86_64 24/29
Installing : libselinux-python-2.5-12.amzn2.0.2.x86_64 25/29
Installing : python-IPy-0.75-6.amzn2.0.1.noarch 26/29
Installing : policycoreutils-python-2.5-22.amzn2.x86_64 27/29
Installing : certbot-1.7.0-1.el7.noarch 28/29
Installing : python2-certbot-apache-1.7.0-1.el7.noarch 29/29
Verifying : python-IPy-0.75-6.amzn2.0.1.noarch 1/29
Verifying : libselinux-python-2.5-12.amzn2.0.2.x86_64 2/29
Verifying : python-ndg_httpsclient-0.3.2-1.el7.noarch 3/29
Verifying : python-augeas-0.5.0-2.amzn2.noarch 4/29
Verifying : audit-libs-python-2.8.1-3.amzn2.1.x86_64 5/29
Verifying : augeas-libs-1.4.0-9.amzn2.x86_64 6/29
Verifying : 1:python-zope-component-4.1.0-5.el7.noarch 7/29
Verifying : pyOpenSSL-0.13.1-3.amzn2.0.2.x86_64 8/29
Verifying : python-requests-toolbelt-0.8.0-3.el7.noarch 9/29
Verifying : python2-configargparse-0.11.0-2.el7.noarch 10/29
Verifying : python2-future-0.18.2-2.el7.noarch 11/29
Verifying : python2-six-1.9.0-0.el7.noarch 12/29
Verifying : policycoreutils-python-2.5-22.amzn2.x86_64 13/29
Verifying : setools-libs-3.3.8-2.amzn2.0.2.x86_64 14/29
Verifying : libsemanage-python-2.5-11.amzn2.x86_64 15/29
Verifying : libcgroup-0.41-21.amzn2.x86_64 16/29
Verifying : python2-josepy-1.3.0-2.el7.noarch 17/29
Verifying : checkpolicy-2.5-6.amzn2.x86_64 18/29
Verifying : certbot-1.7.0-1.el7.noarch 19/29
Verifying : pytz-2016.10-2.amzn2.0.1.noarch 20/29
Verifying : python2-certbot-1.7.0-1.el7.noarch 21/29
Verifying : python2-mock-1.0.1-10.el7.noarch 22/29
Verifying : python2-acme-1.7.0-1.el7.noarch 23/29
Verifying : python-zope-interface-4.0.5-4.amzn2.0.2.x86_64 24/29
Verifying : python-zope-event-4.0.3-2.el7.noarch 25/29
Verifying : python2-distro-1.2.0-3.el7.noarch 26/29
Verifying : python2-pyrfc3339-1.1-3.el7.noarch 27/29
Verifying : python2-certbot-apache-1.7.0-1.el7.noarch 28/29
Verifying : python2-parsedatetime-2.4-6.el7.noarch 29/29
Installed:
certbot.noarch 0:1.7.0-1.el7 python2-certbot-apache.noarch 0:1.7.0-1.el7
Dependency Installed:
audit-libs-python.x86_64 0:2.8.1-3.amzn2.1
augeas-libs.x86_64 0:1.4.0-9.amzn2
checkpolicy.x86_64 0:2.5-6.amzn2
libcgroup.x86_64 0:0.41-21.amzn2
libselinux-python.x86_64 0:2.5-12.amzn2.0.2
libsemanage-python.x86_64 0:2.5-11.amzn2
policycoreutils-python.x86_64 0:2.5-22.amzn2
pyOpenSSL.x86_64 0:0.13.1-3.amzn2.0.2
python-IPy.noarch 0:0.75-6.amzn2.0.1
python-augeas.noarch 0:0.5.0-2.amzn2
python-ndg_httpsclient.noarch 0:0.3.2-1.el7
python-requests-toolbelt.noarch 0:0.8.0-3.el7
python-zope-component.noarch 1:4.1.0-5.el7
python-zope-event.noarch 0:4.0.3-2.el7
python-zope-interface.x86_64 0:4.0.5-4.amzn2.0.2
python2-acme.noarch 0:1.7.0-1.el7
python2-certbot.noarch 0:1.7.0-1.el7
python2-configargparse.noarch 0:0.11.0-2.el7
python2-distro.noarch 0:1.2.0-3.el7
python2-future.noarch 0:0.18.2-2.el7
python2-josepy.noarch 0:1.3.0-2.el7
python2-mock.noarch 0:1.0.1-10.el7
python2-parsedatetime.noarch 0:2.4-6.el7
python2-pyrfc3339.noarch 0:1.1-3.el7
python2-six.noarch 0:1.9.0-0.el7
pytz.noarch 0:2016.10-2.amzn2.0.1
setools-libs.x86_64 0:3.3.8-2.amzn2.0.2
Complete!
Obtaining the server certificate with the certbot command
- Obtain the certificate with the certbot certonly command. "certonly" only obtains the certificate; deploying it to the web server is done by hand.
- -w specifies the web root directory and -d specifies the domain name.
[ec2-user@ip-XX-XX-XX-XX ~]$ sudo certbot certonly --webroot -w /var/www/html/ -d niikawa-test-http.oji-cloud.net
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): niikawa@example.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for niikawa-test-http.oji-cloud.net
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/niikawa-test-http.oji-cloud.net/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/niikawa-test-http.oji-cloud.net/privkey.pem
Your cert will expire on 2020-12-24. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
- If inbound ports 80 and 443 are not allowed on the EC2 instance, the following error is output.
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for niikawa-test-http.oji-cloud.net
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Challenge failed for domain niikawa-test-http.oji-cloud.net
http-01 challenge for niikawa-test-http.oji-cloud.net
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: niikawa-test-http.oji-cloud.net
Type: connection
Detail: Fetching
http://niikawa-test-http.oji-cloud.net/.well-known/acme-challenge/pmo56q55FgkKKcrgxOun7TNxg3xcbruaz5O8lecyxm0:
Timeout during connect (likely firewall problem)
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
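To diagnose the "Timeout during connect" failure above before running certbot again, here is an added pre-flight check in Python (not part of the original post or of certbot). It writes a throw-away token into the same /.well-known/acme-challenge/ path the webroot plugin uses and fetches it over plain HTTP the way the validation servers do; the domain, webroot and port are parameters, and local_self_test() exercises the probe against a local server so it also runs offline.

```python
"""Pre-flight check for the http-01 webroot challenge used above.

Added example, not part of the original post or of certbot itself. It checks
what certbot's webroot authenticator needs: a token file written under
<webroot>/.well-known/acme-challenge/ must be fetchable over plain HTTP at
http://<domain>/.well-known/acme-challenge/<token>. A timeout here is the
same failure the error output above reports (port 80 closed, or DNS pointing
at another host). Domain, webroot and port are parameters, not hard-coded.
"""
import os
import secrets
import socket
import urllib.error
import urllib.request

CHALLENGE_DIR = os.path.join(".well-known", "acme-challenge")


def challenge_path(webroot: str, token: str) -> str:
    """Path where `certbot --webroot -w <webroot>` would write the token."""
    return os.path.join(webroot, CHALLENGE_DIR, token)


def challenge_url(domain: str, token: str, port: int = 80) -> str:
    """URL the validation servers fetch: always plain HTTP, normally port 80."""
    host = domain if port == 80 else f"{domain}:{port}"
    return f"http://{host}/.well-known/acme-challenge/{token}"


def resolved_addresses(domain: str) -> set:
    """A/AAAA answers for the domain as seen from this machine (empty if none)."""
    try:
        infos = socket.getaddrinfo(domain, 80, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def probe_webroot(domain: str, webroot: str, port: int = 80, timeout: float = 5.0) -> dict:
    """Write a random token into the webroot, fetch it as the CA would, then clean up."""
    token = secrets.token_urlsafe(32)
    path = challenge_path(webroot, token)
    result = {"url": challenge_url(domain, token, port), "ok": False, "reason": ""}
    os.makedirs(os.path.dirname(path), exist_ok=True)
    try:
        with open(path, "w") as fh:
            fh.write(token)
        with urllib.request.urlopen(result["url"], timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace").strip()
        if body == token:
            result["ok"] = True
        else:
            result["reason"] = "body mismatch: another server or a redirect answered"
    except urllib.error.HTTPError as exc:      # reached a web server, but wrong path
        result["reason"] = f"HTTP {exc.code}: -w path does not match the DocumentRoot"
    except OSError as exc:                     # URLError, connection refused, timeout
        result["reason"] = f"connect failed ({exc}): is port {port} open inbound?"
    finally:
        try:
            os.remove(path)
        except FileNotFoundError:
            pass
    return result


def local_self_test() -> dict:
    """Offline check of the probe: serve a temp dir on 127.0.0.1 and probe it 3 ways."""
    import functools, http.server, tempfile, threading
    good, wrong = tempfile.mkdtemp(), tempfile.mkdtemp()
    handler = functools.partial(http.server.SimpleHTTPRequestHandler, directory=good)
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    port = srv.server_address[1]
    try:
        hit = probe_webroot("127.0.0.1", good, port=port)   # right webroot -> ok
        miss = probe_webroot("127.0.0.1", wrong, port=port)  # wrong -w path -> HTTP 404
    finally:
        srv.shutdown()
        srv.server_close()
    closed = probe_webroot("127.0.0.1", good, port=port, timeout=2.0)  # port closed
    return {"hit": hit, "miss": miss, "closed": closed}


if __name__ == "__main__":
    import sys  # usage: preflight.py <domain> <webroot>, e.g. the post's FQDN and /var/www/html
    print("DNS answers:", sorted(resolved_addresses(sys.argv[1])) or "none")
    print(probe_webroot(sys.argv[1], sys.argv[2]))
```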
- The certificate and private key have been stored under /etc/letsencrypt/live/.
[ec2-user@ip-XX-XX-XX-XX ~]$ sudo ls -l /etc/letsencrypt/live/niikawa-test-http.oji-cloud.net
total 4
lrwxrwxrwx 1 root root 56 Sep 25 07:50 cert.pem -> ../../archive/niikawa-test-http.oji-cloud.net/cert1.pem
lrwxrwxrwx 1 root root 57 Sep 25 07:50 chain.pem -> ../../archive/niikawa-test-http.oji-cloud.net/chain1.pem
lrwxrwxrwx 1 root root 61 Sep 25 07:50 fullchain.pem -> ../../archive/niikawa-test-http.oji-cloud.net/fullchain1.pem
lrwxrwxrwx 1 root root 59 Sep 25 07:50 privkey.pem -> ../../archive/niikawa-test-http.oji-cloud.net/privkey1.pem
-rw-r--r-- 1 root root 692 Sep 25 07:50 README
Deploying the certificate and private key to Apache
- Specify the certificate and private key in /etc/httpd/conf.d/ssl.conf. If you have created a vhost, edit the vhost's conf file instead.
- Below, the server certificate, private key and certificate chain (intermediate certificate) are specified in ssl.conf.
[ec2-user@ip-XX-XX-XX-XX ~]$ cd /etc/httpd/conf.d
[ec2-user@ip-XX-XX-XX-XX conf.d]$ sudo vi ssl.conf
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A new
# certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/letsencrypt/live/niikawa-test-http.oji-cloud.net/cert.pem
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/letsencrypt/live/niikawa-test-http.oji-cloud.net/privkey.pem
# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convenience.
SSLCertificateChainFile /etc/letsencrypt/live/niikawa-test-http.oji-cloud.net/chain.pem
[ec2-user@ip-XX-XX-XX-XX conf.d]$ sudo httpd -t
Syntax OK
- Restart httpd.
[ec2-user@ip-XX-XX-XX-XX conf.d]$ sudo systemctl restart httpd.service
[ec2-user@ip-XX-XX-XX-XX conf.d]$ sudo systemctl status httpd.service
Checking connectivity with curl
- Run curl from a client and confirm that the Let's Encrypt certificate is served and the SSL connection succeeds.
niikawa@niikawa1:~$ curl -vv https://niikawa-test-http.oji-cloud.net
* Rebuilt URL to: https://niikawa-test-http.oji-cloud.net/
* Trying XX.XX.XX.XX...
* TCP_NODELAY set
* Connected to niikawa-test-http.oji-cloud.net (XX.XX.XX.XX) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: CN=niikawa-test-http.oji-cloud.net
* start date: Sep 25 06:50:45 2020 GMT
* expire date: Dec 24 06:50:45 2020 GMT
* subjectAltName: host "niikawa-test-http.oji-cloud.net" matched cert's "niikawa-test-http.oji-cloud.net"
* issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
* SSL certificate verify ok.
> GET / HTTP/1.1
> Host: niikawa-test-http.oji-cloud.net
> User-Agent: curl/7.58.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Fri, 25 Sep 2020 08:07:07 GMT
< Server: Apache/2.4.46 () OpenSSL/1.0.2k-fips
< Upgrade: h2,h2c
< Connection: Upgrade
< Last-Modified: Thu, 24 Sep 2020 07:29:39 GMT
< ETag: "d-5b00a29b46f92"
< Accept-Ranges: bytes
< Content-Length: 13
< Content-Type: text/html; charset=UTF-8
<
niikawa-test
* Connection #0 to host niikawa-test-http.oji-cloud.net left intact
Certificate renewal
- Once the certificate has less than 30 days of validity left, running
certbot-auto renew
renews it.
- The renewal can be automated with cron or similar.
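As an added example (not part of the original post or of certbot), the following Python script turns the curl check above and the 30-day renewal rule into something cron can run: it parses the "expire date:" line from curl -v output, computes the days left, and check_host() performs the same verified TLS connection with Python's ssl module against a hostname you pass in. SAMPLE_CURL is constructed from the curl output shown above.

```python
"""Expiry and verification check for the certificate curl validated above.

Added example, not from the original post or from certbot. It parses the
notAfter timestamp in the format shared by curl's "expire date:" line and
Python's ssl.getpeercert(), computes the days left, and applies the post's
rule that renewal is due when fewer than 30 days remain. check_host() makes
a live, fully verified TLS connection; the offline helpers take the reference
time as a parameter so the arithmetic can be tested deterministically.
SAMPLE_CURL is constructed from the curl -v output shown in the post.
"""
import socket
import ssl
import time

RENEW_BEFORE_DAYS = 30   # the threshold stated in the renewal section

SAMPLE_CURL = """\
* Server certificate:
*  subject: CN=niikawa-test-http.oji-cloud.net
*  start date: Sep 25 06:50:45 2020 GMT
*  expire date: Dec 24 06:50:45 2020 GMT
*  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*  SSL certificate verify ok.
"""


def days_remaining(not_after: str, now=None) -> float:
    """Days until a 'Dec 24 06:50:45 2020 GMT' style notAfter; negative once expired."""
    end = ssl.cert_time_to_seconds(not_after)   # interprets the timestamp as UTC
    now = time.time() if now is None else now
    return (end - now) / 86400.0


def renewal_due(not_after: str, now=None, threshold_days: int = RENEW_BEFORE_DAYS) -> bool:
    """True when renewal should run (strictly fewer than threshold_days left)."""
    return days_remaining(not_after, now) < threshold_days


def curl_summary(verbose_output: str) -> dict:
    """Extract subject, issuer, expiry and verify status from `curl -v` output."""
    fields = {"subject": None, "issuer": None, "expire": None, "verified": False}
    for line in verbose_output.splitlines():
        line = line.lstrip("* ").strip()
        for key, prefix in (("subject", "subject:"), ("issuer", "issuer:"),
                            ("expire", "expire date:")):
            if line.startswith(prefix):
                fields[key] = line[len(prefix):].strip()
        if line.startswith("SSL certificate verify ok"):
            fields["verified"] = True
    return fields


def check_host(hostname: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect with the system CA store and hostname check on; report renewal facts.

    A verification error about the local issuer certificate here is the
    symptom of Apache sending cert.pem without chain.pem (see ssl.conf above).
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            cert = tls.getpeercert()            # only populated after verification passed
            tls_version, cipher = tls.version(), tls.cipher()[0]
    issuer = dict(rdn[0] for rdn in cert["issuer"])
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    days = days_remaining(cert["notAfter"])
    return {
        "issuer": issuer.get("organizationName"),
        "sans": sans,
        "notAfter": cert["notAfter"],
        "days_left": round(days, 1),
        "renew": days < RENEW_BEFORE_DAYS,
        "tls": f"{tls_version} {cipher}",
    }


if __name__ == "__main__":
    import sys
    info = check_host(sys.argv[1])              # e.g. the post's FQDN
    print(info)
    sys.exit(1 if info["renew"] else 0)         # non-zero exit for cron or monitoring
```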
References