The Easy Way to Issue an SSL Certificate with Let’s Encrypt

AmazonLinux_CentOS, apache, EC2, Security

Overview

  • For this test I obtain a free SSL certificate from Let’s Encrypt and install it in Apache on an EC2 instance. The steps are summarized below.
  • On AWS the usual pattern is to issue certificates with ACM (AWS Certificate Manager), but ACM public certificates cannot be exported to an instance, so configurations such as a development setup without a Load Balancer, or one that uses a Load Balancer but terminates TLS on the backend, need a certificate on the host itself. Some services also refuse self-signed certificates. For test purposes there are therefore plenty of situations where Let’s Encrypt is the right tool.


Issuing a certificate with Let’s Encrypt

Let’s Encrypt: overview and caveats

  • Let’s Encrypt is a certificate authority that issues SSL/TLS certificates. It issues Domain Validation (DV) certificates only; Organization Validation (OV) and Extended Validation (EV) certificates are not offered, because those validation types cannot be automated.
  • Let’s Encrypt is operated by a non-profit (ISRG), and certificates are issued free of charge.
  • Its certificates are trusted by all mainstream browsers. For details, see the certificate compatibility list in the Let’s Encrypt documentation.
  • Certificates are valid for 90 days. The rationale for the short lifetime is explained in the Let’s Encrypt documentation.
  • To issue and renew a certificate, ports 80 and 443 must be reachable from the internet. The http-01 challenge used below is validated over port 80: Let’s Encrypt’s servers fetch http://<domain>/.well-known/acme-challenge/<token> (they follow a redirect to HTTPS, but the first connection is always to port 80). Port 443 is where the issued certificate is then served.
  • For everything else, see the Let’s Encrypt documentation.


Before issuing a certificate

  • The domain name used for the certificate’s FQDN has been registered, and its DNS A/AAAA record points at the EC2 instance’s public IP (Let’s Encrypt validates by resolving the name; an Elastic IP keeps the address stable across stop/start).
  • The EC2 instance’s security group allows inbound 80 and 443 from 0.0.0.0/0. The validation requests come from Let’s Encrypt’s servers, whose addresses are not published, so the source range cannot be narrowed.
  • An email address for the ACME account is ready (certbot asks for it; it receives expiry and security notices).
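  • The three prerequisites above are exactly what the http-01 validator will exercise, so they can be checked from the instance before running certbot. The script below is an added example for this article (not code from the original post or from certbot): it compares the domain’s A record with the instance’s public IP obtained from IMDSv2, writes a throwaway file into the webroot at the path the validator uses, and fetches it by name over plain HTTP on port 80. It assumes dig and curl are installed and that it runs on the EC2 instance; the domain, webroot and token values are the ones from this article or constructed for the check.

```shell
#!/bin/sh
# Pre-issuance check for the http-01 (webroot) challenge.
# Added example for this article; not part of the original post or of certbot.
# Assumptions (not from the article): dig and curl are installed, the script runs
# on the EC2 instance itself, and IMDSv2 is reachable at 169.254.169.254.

# Write a throwaway token file where Let's Encrypt validators will look and print
# the URL path that should now be fetchable. The token is a constructed value.
place_probe() {
    probe_root="$1"; probe_token="$2"
    probe_dir="$probe_root/.well-known/acme-challenge"
    mkdir -p "$probe_dir" || return 1
    printf '%s' "$probe_token" > "$probe_dir/$probe_token" || return 1
    printf '/.well-known/acme-challenge/%s\n' "$probe_token"
}

# Succeeds only when the resolved A record equals the instance's public IP
# (both arguments must be non-empty).
dns_matches() {
    [ -n "$1" ] && [ -n "$2" ] && [ "$1" = "$2" ]
}

# Ask IMDSv2 (token first, then the metadata path) for this instance's public IPv4.
instance_public_ip() {
    imds_token=$(curl -s --max-time 2 -X PUT "http://169.254.169.254/latest/api/token" \
        -H "X-aws-ec2-metadata-token-ttl-seconds: 60") || return 1
    curl -s --max-time 2 -H "X-aws-ec2-metadata-token: $imds_token" \
        "http://169.254.169.254/latest/meta-data/public-ipv4"
}

# Fetch the probe the way the validator does: plain HTTP on port 80, by name.
# A connect timeout here is what certbot later reports as
# "Timeout during connect (likely firewall problem)".
probe_reachable() {
    body=$(curl -s --max-time 10 "http://$1$2") || return 1
    [ "$body" = "$3" ]
}

main() {
    domain="$1"; webroot="${2:-/var/www/html}"
    token="preflight-$(date +%s)"   # constructed token, not an ACME token

    resolved=$(dig +short A "$domain" | tail -n1)
    public_ip=$(instance_public_ip)
    if dns_matches "$resolved" "$public_ip"; then
        echo "ok: $domain -> $resolved matches this instance"
    else
        echo "FAIL: $domain resolves to '$resolved', instance public IP is '$public_ip'" >&2
        return 1
    fi

    path=$(place_probe "$webroot" "$token") || { echo "FAIL: cannot write to $webroot" >&2; return 1; }
    if probe_reachable "$domain" "$path" "$token"; then
        echo "ok: http://$domain$path served from $webroot over port 80"
    else
        echo "FAIL: http://$domain$path not reachable; check the security group (80/tcp) and the webroot" >&2
        return 1
    fi
    rm -f "$webroot/.well-known/acme-challenge/$token"
}

# Usage: sudo sh preflight.sh niikawa-test-http.oji-cloud.net /var/www/html
if [ $# -gt 0 ]; then main "$@"; fi
```

Run it with sudo so it can write under /var/www/html. If the DNS step fails, fix the A record before anything else; if only the HTTP step fails, the security group or the -w path is wrong, which is the same pair of causes behind the certbot error shown later in this article.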


Install the Let’s Encrypt Certbot client

  • Enable the EPEL repository from Amazon Linux Extras; this installs the epel-release package (and prints the extras topic list afterwards).
[ec2-user@ip-XX-XX-XX-XX ~]$ sudo amazon-linux-extras install epel
Installing epel-release
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
Cleaning repos: amzn2-core amzn2extra-docker amzn2extra-epel
12 metadata files removed
4 sqlite files removed
0 metadata files removed
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
amzn2-core                                               | 3.7 kB     00:00
amzn2extra-docker                                        | 3.0 kB     00:00
amzn2extra-epel                                          | 3.0 kB     00:00
(1/7): amzn2-core/2/x86_64/group_gz                        | 2.5 kB   00:00
(2/7): amzn2-core/2/x86_64/updateinfo                      | 257 kB   00:00
(3/7): amzn2extra-epel/2/x86_64/primary_db                 | 1.8 kB   00:00
(4/7): amzn2extra-docker/2/x86_64/updateinfo               |   76 B   00:00
(5/7): amzn2extra-epel/2/x86_64/updateinfo                 |   76 B   00:00
(6/7): amzn2extra-docker/2/x86_64/primary_db               |  68 kB   00:00
(7/7): amzn2-core/2/x86_64/primary_db                      |  44 MB   00:00
Resolving Dependencies
--> Running transaction check
---> Package epel-release.noarch 0:7-11 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package              Arch           Version      Repository               Size
================================================================================
Installing:
 epel-release         noarch         7-11         amzn2extra-epel          15 k

Transaction Summary
================================================================================
Install  1 Package

Total download size: 15 k
Installed size: 24 k
Is this ok [y/d/N]: y
Downloading packages:
epel-release-7-11.noarch.rpm                               |  15 kB   00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : epel-release-7-11.noarch                                     1/1
  Verifying  : epel-release-7-11.noarch                                     1/1

Installed:
  epel-release.noarch 0:7-11

Complete!
  0  ansible2                 available    \
        [ =2.4.2  =2.4.6  =2.8  =stable ]
  2  httpd_modules            available    [ =1.0  =stable ]
  3  memcached1.5             available    \
        [ =1.5.1  =1.5.16  =1.5.17 ]
  5  postgresql9.6            available    \
        [ =9.6.6  =9.6.8  =stable ]
  6  postgresql10             available    [ =10  =stable ]
  8  redis4.0                 available    \
        [ =4.0.5  =4.0.10  =stable ]
  9  R3.4                     available    [ =3.4.3  =stable ]
 10  rust1                    available    \
        [ =1.22.1  =1.26.0  =1.26.1  =1.27.2  =1.31.0  =1.38.0
          =stable ]
 11  vim                      available    [ =8.0  =stable ]
 15  php7.2                   available    \
        [ =7.2.0  =7.2.4  =7.2.5  =7.2.8  =7.2.11  =7.2.13  =7.2.14
          =7.2.16  =7.2.17  =7.2.19  =7.2.21  =7.2.22  =7.2.23
          =7.2.24  =7.2.26  =stable ]
 17  lamp-mariadb10.2-php7.2  available    \
        [ =10.2.10_7.2.0  =10.2.10_7.2.4  =10.2.10_7.2.5
          =10.2.10_7.2.8  =10.2.10_7.2.11  =10.2.10_7.2.13
          =10.2.10_7.2.14  =10.2.10_7.2.16  =10.2.10_7.2.17
          =10.2.10_7.2.19  =10.2.10_7.2.22  =10.2.10_7.2.23
          =10.2.10_7.2.24  =stable ]
 18  libreoffice              available    \
        [ =5.0.6.2_15  =5.3.6.1  =stable ]
 19  gimp                     available    [ =2.8.22 ]
 20  docker=latest            enabled      \
        [ =17.12.1  =18.03.1  =18.06.1  =18.09.9  =stable ]
 21  mate-desktop1.x          available    \
        [ =1.19.0  =1.20.0  =stable ]
 22  GraphicsMagick1.3        available    \
        [ =1.3.29  =1.3.32  =1.3.34  =stable ]
 23  tomcat8.5                available    \
        [ =8.5.31  =8.5.32  =8.5.38  =8.5.40  =8.5.42  =8.5.50
          =stable ]
 24  epel=latest              enabled      [ =7.11  =stable ]
 25  testing                  available    [ =1.0  =stable ]
 26  ecs                      available    [ =stable ]
 27  corretto8                available    \
        [ =1.8.0_192  =1.8.0_202  =1.8.0_212  =1.8.0_222  =1.8.0_232
          =1.8.0_242  =stable ]
 28  firecracker              available    [ =0.11  =stable ]
 29  golang1.11               available    \
        [ =1.11.3  =1.11.11  =1.11.13  =stable ]
 30  squid4                   available    [ =4  =stable ]
 31  php7.3                   available    \
        [ =7.3.2  =7.3.3  =7.3.4  =7.3.6  =7.3.8  =7.3.9  =7.3.10
          =7.3.11  =7.3.13  =stable ]
 32  lustre2.10               available    \
        [ =2.10.5  =2.10.8  =stable ]
 33  java-openjdk11           available    [ =11  =stable ]
 34  lynis                    available    [ =stable ]
 35  kernel-ng                available    [ =stable ]
 36  BCC                      available    [ =0.x  =stable ]
 37  mono                     available    [ =5.x  =stable ]
 38  nginx1                   available    [ =stable ]
 39  ruby2.6                  available    [ =2.6  =stable ]
 40  mock                     available    [ =stable ]
 41  postgresql11             available    [ =11  =stable ]
 42  php7.4                   available    [ =stable ]
 43  livepatch                available    [ =stable ]
 44  python3.8                available    [ =stable ]
 45  haproxy2                 available    [ =stable ]


  • Next, install the certbot and python-certbot-apache packages. Two things to note in the output: yum first warns that the public key for the EPEL packages is not installed, then imports it from /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7, the key file that epel-release placed on disk; before answering y, confirm that the fingerprint shown (91e9 7d7c 4a5e 96f1 7f3e 888f 6a2f aea2 352c 64e5 for the EPEL 7 key) matches the one Fedora publishes. Also, python-certbot-apache is only used when certbot rewrites the Apache configuration itself (certbot --apache); the procedure below uses certonly with the webroot authenticator and edits ssl.conf by hand, so the plugin is optional.
[ec2-user@ip-XX-XX-XX-XX ~]$ sudo yum install certbot python-certbot-apache
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
195 packages excluded due to repository priority protections
Resolving Dependencies
--> Running transaction check
---> Package certbot.noarch 0:1.7.0-1.el7 will be installed
--> Processing Dependency: python2-certbot = 1.7.0-1.el7 for package: certbot-1.7.0-1.el7.noarch
--> Processing Dependency: /usr/sbin/semanage for package: certbot-1.7.0-1.el7.noarch
---> Package python2-certbot-apache.noarch 0:1.7.0-1.el7 will be installed
--> Processing Dependency: python2-acme >= 0.29.0 for package: python2-certbot-apache-1.7.0-1.el7.noarch
--> Processing Dependency: python-augeas for package: python2-certbot-apache-1.7.0-1.el7.noarch
--> Running transaction check
---> Package policycoreutils-python.x86_64 0:2.5-22.amzn2 will be installed
--> Processing Dependency: setools-libs >= 3.3.8-2 for package: policycoreutils-python-2.5-22.amzn2.x86_64
--> Processing Dependency: libsemanage-python >= 2.5-9 for package: policycoreutils-python-2.5-22.amzn2.x86_64
--> Processing Dependency: audit-libs-python >= 2.1.3-4 for package: policycoreutils-python-2.5-22.amzn2.x86_64
--> Processing Dependency: python-IPy for package: policycoreutils-python-2.5-22.amzn2.x86_64
--> Processing Dependency: libselinux-python for package: policycoreutils-python-2.5-22.amzn2.x86_64
--> Processing Dependency: libqpol.so.1(VERS_1.4)(64bit) for package: policycoreutils-python-2.5-22.amzn2.x86_64
--> Processing Dependency: libqpol.so.1(VERS_1.2)(64bit) for package: policycoreutils-python-2.5-22.amzn2.x86_64
--> Processing Dependency: libcgroup for package: policycoreutils-python-2.5-22.amzn2.x86_64
--> Processing Dependency: libapol.so.4(VERS_4.0)(64bit) for package: policycoreutils-python-2.5-22.amzn2.x86_64
--> Processing Dependency: checkpolicy for package: policycoreutils-python-2.5-22.amzn2.x86_64
--> Processing Dependency: libqpol.so.1()(64bit) for package: policycoreutils-python-2.5-22.amzn2.x86_64
--> Processing Dependency: libapol.so.4()(64bit) for package: policycoreutils-python-2.5-22.amzn2.x86_64
---> Package python-augeas.noarch 0:0.5.0-2.amzn2 will be installed
--> Processing Dependency: augeas-libs for package: python-augeas-0.5.0-2.amzn2.noarch
---> Package python2-acme.noarch 0:1.7.0-1.el7 will be installed
--> Processing Dependency: pyOpenSSL >= 0.13.1 for package: python2-acme-1.7.0-1.el7.noarch
--> Processing Dependency: python2-josepy >= 1.1.0 for package: python2-acme-1.7.0-1.el7.noarch
--> Processing Dependency: python-ndg_httpsclient for package: python2-acme-1.7.0-1.el7.noarch
--> Processing Dependency: python-requests-toolbelt for package: python2-acme-1.7.0-1.el7.noarch
--> Processing Dependency: python2-pyrfc3339 for package: python2-acme-1.7.0-1.el7.noarch
--> Processing Dependency: python2-six for package: python2-acme-1.7.0-1.el7.noarch
--> Processing Dependency: pytz for package: python2-acme-1.7.0-1.el7.noarch
---> Package python2-certbot.noarch 0:1.7.0-1.el7 will be installed
--> Processing Dependency: python-parsedatetime >= 1.3 for package: python2-certbot-1.7.0-1.el7.noarch
--> Processing Dependency: python2-configargparse >= 0.9.3 for package: python2-certbot-1.7.0-1.el7.noarch
--> Processing Dependency: python2-distro >= 1.0.1 for package: python2-certbot-1.7.0-1.el7.noarch
--> Processing Dependency: python-zope-component for package: python2-certbot-1.7.0-1.el7.noarch
--> Processing Dependency: python-zope-interface for package: python2-certbot-1.7.0-1.el7.noarch
--> Processing Dependency: python2-mock for package: python2-certbot-1.7.0-1.el7.noarch
--> Running transaction check
---> Package audit-libs-python.x86_64 0:2.8.1-3.amzn2.1 will be installed
---> Package augeas-libs.x86_64 0:1.4.0-9.amzn2 will be installed
---> Package checkpolicy.x86_64 0:2.5-6.amzn2 will be installed
---> Package libcgroup.x86_64 0:0.41-21.amzn2 will be installed
---> Package libselinux-python.x86_64 0:2.5-12.amzn2.0.2 will be installed
---> Package libsemanage-python.x86_64 0:2.5-11.amzn2 will be installed
---> Package pyOpenSSL.x86_64 0:0.13.1-3.amzn2.0.2 will be installed
---> Package python-IPy.noarch 0:0.75-6.amzn2.0.1 will be installed
---> Package python-ndg_httpsclient.noarch 0:0.3.2-1.el7 will be installed
---> Package python-requests-toolbelt.noarch 0:0.8.0-3.el7 will be installed
---> Package python-zope-component.noarch 1:4.1.0-5.el7 will be installed
--> Processing Dependency: python-zope-event for package: 1:python-zope-component-4.1.0-5.el7.noarch
---> Package python-zope-interface.x86_64 0:4.0.5-4.amzn2.0.2 will be installed
---> Package python2-configargparse.noarch 0:0.11.0-2.el7 will be installed
---> Package python2-distro.noarch 0:1.2.0-3.el7 will be installed
---> Package python2-josepy.noarch 0:1.3.0-2.el7 will be installed
---> Package python2-mock.noarch 0:1.0.1-10.el7 will be installed
---> Package python2-parsedatetime.noarch 0:2.4-6.el7 will be installed
--> Processing Dependency: python2-future for package: python2-parsedatetime-2.4-6.el7.noarch
---> Package python2-pyrfc3339.noarch 0:1.1-3.el7 will be installed
---> Package python2-six.noarch 0:1.9.0-0.el7 will be installed
---> Package pytz.noarch 0:2016.10-2.amzn2.0.1 will be installed
---> Package setools-libs.x86_64 0:3.3.8-2.amzn2.0.2 will be installed
--> Running transaction check
---> Package python-zope-event.noarch 0:4.0.3-2.el7 will be installed
---> Package python2-future.noarch 0:0.18.2-2.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package                    Arch     Version                 Repository    Size
================================================================================
Installing:
 certbot                    noarch   1.7.0-1.el7             epel          45 k
 python2-certbot-apache     noarch   1.7.0-1.el7             epel         139 k
Installing for dependencies:
 audit-libs-python          x86_64   2.8.1-3.amzn2.1         amzn2-core    79 k
 augeas-libs                x86_64   1.4.0-9.amzn2           amzn2-core   351 k
 checkpolicy                x86_64   2.5-6.amzn2             amzn2-core   294 k
 libcgroup                  x86_64   0.41-21.amzn2           amzn2-core    66 k
 libselinux-python          x86_64   2.5-12.amzn2.0.2        amzn2-core   237 k
 libsemanage-python         x86_64   2.5-11.amzn2            amzn2-core   115 k
 policycoreutils-python     x86_64   2.5-22.amzn2            amzn2-core   454 k
 pyOpenSSL                  x86_64   0.13.1-3.amzn2.0.2      amzn2-core   133 k
 python-IPy                 noarch   0.75-6.amzn2.0.1        amzn2-core    32 k
 python-augeas              noarch   0.5.0-2.amzn2           amzn2-core    25 k
 python-ndg_httpsclient     noarch   0.3.2-1.el7             epel          43 k
 python-requests-toolbelt   noarch   0.8.0-3.el7             epel          78 k
 python-zope-component      noarch   1:4.1.0-5.el7           epel         228 k
 python-zope-event          noarch   4.0.3-2.el7             epel          79 k
 python-zope-interface      x86_64   4.0.5-4.amzn2.0.2       amzn2-core   138 k
 python2-acme               noarch   1.7.0-1.el7             epel          82 k
 python2-certbot            noarch   1.7.0-1.el7             epel         376 k
 python2-configargparse     noarch   0.11.0-2.el7            epel          31 k
 python2-distro             noarch   1.2.0-3.el7             epel          29 k
 python2-future             noarch   0.18.2-2.el7            epel         806 k
 python2-josepy             noarch   1.3.0-2.el7             epel          89 k
 python2-mock               noarch   1.0.1-10.el7            epel          92 k
 python2-parsedatetime      noarch   2.4-6.el7               epel          78 k
 python2-pyrfc3339          noarch   1.1-3.el7               epel          16 k
 python2-six                noarch   1.9.0-0.el7             epel         2.9 k
 pytz                       noarch   2016.10-2.amzn2.0.1     amzn2-core    46 k
 setools-libs               x86_64   3.3.8-2.amzn2.0.2       amzn2-core   618 k

Transaction Summary
================================================================================
Install  2 Packages (+27 Dependent packages)

Total download size: 4.7 M
Installed size: 18 M
Is this ok [y/d/N]: y
Downloading packages:
(1/29): audit-libs-python-2.8.1-3.amzn2.1.x86_64.rpm       |  79 kB   00:00
warning: /var/cache/yum/x86_64/2/epel/packages/certbot-1.7.0-1.el7.noarch.rpm: Header V4 RSA/SHA256 Signature, key ID 352c64e5: NOKEY
Public key for certbot-1.7.0-1.el7.noarch.rpm is not installed
(2/29): certbot-1.7.0-1.el7.noarch.rpm                     |  45 kB   00:00
(3/29): augeas-libs-1.4.0-9.amzn2.x86_64.rpm               | 351 kB   00:00
(4/29): libcgroup-0.41-21.amzn2.x86_64.rpm                 |  66 kB   00:00
(5/29): checkpolicy-2.5-6.amzn2.x86_64.rpm                 | 294 kB   00:00
(6/29): libselinux-python-2.5-12.amzn2.0.2.x86_64.rpm      | 237 kB   00:00
(7/29): libsemanage-python-2.5-11.amzn2.x86_64.rpm         | 115 kB   00:00
(8/29): policycoreutils-python-2.5-22.amzn2.x86_64.rpm     | 454 kB   00:00
(9/29): pyOpenSSL-0.13.1-3.amzn2.0.2.x86_64.rpm            | 133 kB   00:00
(10/29): python-IPy-0.75-6.amzn2.0.1.noarch.rpm            |  32 kB   00:00
(11/29): python-ndg_httpsclient-0.3.2-1.el7.noarch.rpm     |  43 kB   00:00
(12/29): python-requests-toolbelt-0.8.0-3.el7.noarch.rpm   |  78 kB   00:00
(13/29): python-zope-component-4.1.0-5.el7.noarch.rpm      | 228 kB   00:00
(14/29): python-zope-event-4.0.3-2.el7.noarch.rpm          |  79 kB   00:00
(15/29): python2-acme-1.7.0-1.el7.noarch.rpm               |  82 kB   00:00
(16/29): python2-certbot-1.7.0-1.el7.noarch.rpm            | 376 kB   00:00
(17/29): python-augeas-0.5.0-2.amzn2.noarch.rpm            |  25 kB   00:00
(18/29): python-zope-interface-4.0.5-4.amzn2.0.2.x86_64.rp | 138 kB   00:00
(19/29): python2-certbot-apache-1.7.0-1.el7.noarch.rpm     | 139 kB   00:00
(20/29): python2-configargparse-0.11.0-2.el7.noarch.rpm    |  31 kB   00:00
(21/29): python2-distro-1.2.0-3.el7.noarch.rpm             |  29 kB   00:00
(22/29): python2-future-0.18.2-2.el7.noarch.rpm            | 806 kB   00:00
(23/29): python2-josepy-1.3.0-2.el7.noarch.rpm             |  89 kB   00:00
(24/29): python2-mock-1.0.1-10.el7.noarch.rpm              |  92 kB   00:00
(25/29): python2-parsedatetime-2.4-6.el7.noarch.rpm        |  78 kB   00:00
(26/29): python2-pyrfc3339-1.1-3.el7.noarch.rpm            |  16 kB   00:00
(27/29): python2-six-1.9.0-0.el7.noarch.rpm                | 2.9 kB   00:00
(28/29): pytz-2016.10-2.amzn2.0.1.noarch.rpm               |  46 kB   00:00
(29/29): setools-libs-3.3.8-2.amzn2.0.2.x86_64.rpm         | 618 kB   00:00
--------------------------------------------------------------------------------
Total                                              3.6 MB/s | 4.7 MB  00:01
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
Importing GPG key 0x352C64E5:
 Userid     : "Fedora EPEL (7) <epel@fedoraproject.org>"
 Fingerprint: 91e9 7d7c 4a5e 96f1 7f3e 888f 6a2f aea2 352c 64e5
 Package    : epel-release-7-11.noarch (@amzn2extra-epel)
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
Is this ok [y/N]: y
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : pyOpenSSL-0.13.1-3.amzn2.0.2.x86_64                         1/29
  Installing : python2-pyrfc3339-1.1-3.el7.noarch                          2/29
  Installing : python-zope-interface-4.0.5-4.amzn2.0.2.x86_64              3/29
  Installing : pytz-2016.10-2.amzn2.0.1.noarch                             4/29
  Installing : python2-six-1.9.0-0.el7.noarch                              5/29
  Installing : python2-josepy-1.3.0-2.el7.noarch                           6/29
  Installing : python-ndg_httpsclient-0.3.2-1.el7.noarch                   7/29
  Installing : python2-distro-1.2.0-3.el7.noarch                           8/29
  Installing : python-zope-event-4.0.3-2.el7.noarch                        9/29
  Installing : 1:python-zope-component-4.1.0-5.el7.noarch                 10/29
  Installing : python2-mock-1.0.1-10.el7.noarch                           11/29
  Installing : checkpolicy-2.5-6.amzn2.x86_64                             12/29
  Installing : libcgroup-0.41-21.amzn2.x86_64                             13/29
  Installing : libsemanage-python-2.5-11.amzn2.x86_64                     14/29
  Installing : setools-libs-3.3.8-2.amzn2.0.2.x86_64                      15/29
  Installing : python2-future-0.18.2-2.el7.noarch                         16/29
  Installing : python2-parsedatetime-2.4-6.el7.noarch                     17/29
  Installing : python2-configargparse-0.11.0-2.el7.noarch                 18/29
  Installing : python-requests-toolbelt-0.8.0-3.el7.noarch                19/29
  Installing : python2-acme-1.7.0-1.el7.noarch                            20/29
  Installing : python2-certbot-1.7.0-1.el7.noarch                         21/29
  Installing : augeas-libs-1.4.0-9.amzn2.x86_64                           22/29
  Installing : python-augeas-0.5.0-2.amzn2.noarch                         23/29
  Installing : audit-libs-python-2.8.1-3.amzn2.1.x86_64                   24/29
  Installing : libselinux-python-2.5-12.amzn2.0.2.x86_64                  25/29
  Installing : python-IPy-0.75-6.amzn2.0.1.noarch                         26/29
  Installing : policycoreutils-python-2.5-22.amzn2.x86_64                 27/29
  Installing : certbot-1.7.0-1.el7.noarch                                 28/29
  Installing : python2-certbot-apache-1.7.0-1.el7.noarch                  29/29
  Verifying  : python-IPy-0.75-6.amzn2.0.1.noarch                          1/29
  Verifying  : libselinux-python-2.5-12.amzn2.0.2.x86_64                   2/29
  Verifying  : python-ndg_httpsclient-0.3.2-1.el7.noarch                   3/29
  Verifying  : python-augeas-0.5.0-2.amzn2.noarch                          4/29
  Verifying  : audit-libs-python-2.8.1-3.amzn2.1.x86_64                    5/29
  Verifying  : augeas-libs-1.4.0-9.amzn2.x86_64                            6/29
  Verifying  : 1:python-zope-component-4.1.0-5.el7.noarch                  7/29
  Verifying  : pyOpenSSL-0.13.1-3.amzn2.0.2.x86_64                         8/29
  Verifying  : python-requests-toolbelt-0.8.0-3.el7.noarch                 9/29
  Verifying  : python2-configargparse-0.11.0-2.el7.noarch                 10/29
  Verifying  : python2-future-0.18.2-2.el7.noarch                         11/29
  Verifying  : python2-six-1.9.0-0.el7.noarch                             12/29
  Verifying  : policycoreutils-python-2.5-22.amzn2.x86_64                 13/29
  Verifying  : setools-libs-3.3.8-2.amzn2.0.2.x86_64                      14/29
  Verifying  : libsemanage-python-2.5-11.amzn2.x86_64                     15/29
  Verifying  : libcgroup-0.41-21.amzn2.x86_64                             16/29
  Verifying  : python2-josepy-1.3.0-2.el7.noarch                          17/29
  Verifying  : checkpolicy-2.5-6.amzn2.x86_64                             18/29
  Verifying  : certbot-1.7.0-1.el7.noarch                                 19/29
  Verifying  : pytz-2016.10-2.amzn2.0.1.noarch                            20/29
  Verifying  : python2-certbot-1.7.0-1.el7.noarch                         21/29
  Verifying  : python2-mock-1.0.1-10.el7.noarch                           22/29
  Verifying  : python2-acme-1.7.0-1.el7.noarch                            23/29
  Verifying  : python-zope-interface-4.0.5-4.amzn2.0.2.x86_64             24/29
  Verifying  : python-zope-event-4.0.3-2.el7.noarch                       25/29
  Verifying  : python2-distro-1.2.0-3.el7.noarch                          26/29
  Verifying  : python2-pyrfc3339-1.1-3.el7.noarch                         27/29
  Verifying  : python2-certbot-apache-1.7.0-1.el7.noarch                  28/29
  Verifying  : python2-parsedatetime-2.4-6.el7.noarch                     29/29

Installed:
  certbot.noarch 0:1.7.0-1.el7    python2-certbot-apache.noarch 0:1.7.0-1.el7

Dependency Installed:
  audit-libs-python.x86_64 0:2.8.1-3.amzn2.1
  augeas-libs.x86_64 0:1.4.0-9.amzn2
  checkpolicy.x86_64 0:2.5-6.amzn2
  libcgroup.x86_64 0:0.41-21.amzn2
  libselinux-python.x86_64 0:2.5-12.amzn2.0.2
  libsemanage-python.x86_64 0:2.5-11.amzn2
  policycoreutils-python.x86_64 0:2.5-22.amzn2
  pyOpenSSL.x86_64 0:0.13.1-3.amzn2.0.2
  python-IPy.noarch 0:0.75-6.amzn2.0.1
  python-augeas.noarch 0:0.5.0-2.amzn2
  python-ndg_httpsclient.noarch 0:0.3.2-1.el7
  python-requests-toolbelt.noarch 0:0.8.0-3.el7
  python-zope-component.noarch 1:4.1.0-5.el7
  python-zope-event.noarch 0:4.0.3-2.el7
  python-zope-interface.x86_64 0:4.0.5-4.amzn2.0.2
  python2-acme.noarch 0:1.7.0-1.el7
  python2-certbot.noarch 0:1.7.0-1.el7
  python2-configargparse.noarch 0:0.11.0-2.el7
  python2-distro.noarch 0:1.2.0-3.el7
  python2-future.noarch 0:0.18.2-2.el7
  python2-josepy.noarch 0:1.3.0-2.el7
  python2-mock.noarch 0:1.0.1-10.el7
  python2-parsedatetime.noarch 0:2.4-6.el7
  python2-pyrfc3339.noarch 0:1.1-3.el7
  python2-six.noarch 0:1.9.0-0.el7
  pytz.noarch 0:2016.10-2.amzn2.0.1
  setools-libs.x86_64 0:3.3.8-2.amzn2.0.2

Complete!


Obtaining a server certificate with the certbot command

  • Obtain the certificate with certbot certonly. "certonly" only obtains the certificate; installing it in the web server is done by hand in the next section.
  • --webroot selects the webroot authenticator: certbot writes the http-01 challenge response under <webroot>/.well-known/acme-challenge/ and Let’s Encrypt fetches it over HTTP. -w is the document root Apache serves from, -d is the domain name that becomes the certificate’s CN/SAN. The email address is registered with the ACME account; the question about sharing it with the EFF is optional. When experimenting, add --staging so repeated runs do not consume the production rate limit (at most 5 duplicate certificates per week).
[ec2-user@ip-XX-XX-XX-XX ~]$ sudo certbot certonly --webroot -w /var/www/html/ -d niikawa-test-http.oji-cloud.net
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): niikawa@example.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for niikawa-test-http.oji-cloud.net
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/niikawa-test-http.oji-cloud.net/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/niikawa-test-http.oji-cloud.net/privkey.pem
   Your cert will expire on 2020-12-24. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le


  • If the security group does not allow inbound port 80, the validator cannot fetch the challenge file and certbot fails with the output below ("Timeout during connect (likely firewall problem)"). The notes in that output list the things to check: the DNS A/AAAA record, public routability of the host, firewalls between Let’s Encrypt and the host, and whether Apache really serves the webroot given with -w.
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for niikawa-test-http.oji-cloud.net
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Challenge failed for domain niikawa-test-http.oji-cloud.net
http-01 challenge for niikawa-test-http.oji-cloud.net
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: niikawa-test-http.oji-cloud.net
   Type:   connection
   Detail: Fetching
   http://niikawa-test-http.oji-cloud.net/.well-known/acme-challenge/pmo56q55FgkKKcrgxOun7TNxg3xcbruaz5O8lecyxm0:
   Timeout during connect (likely firewall problem)

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.


  • The certificate and private key are now under /etc/letsencrypt/live/<domain>/. The entries there are symlinks to the numbered files in /etc/letsencrypt/archive/; certbot repoints them at every renewal, so configuration files should reference the live/ paths. cert.pem is the server certificate, chain.pem the intermediate, fullchain.pem both concatenated, and privkey.pem the private key (readable by root only; keep it that way and do not copy it elsewhere). As certbot’s own output says, back up /etc/letsencrypt, which also holds the ACME account key.
[ec2-user@ip-XX-XX-XX-XX ~]$ sudo ls -l /etc/letsencrypt/live/niikawa-test-http.oji-cloud.net
total 4
lrwxrwxrwx 1 root root  56 Sep 25 07:50 cert.pem -> ../../archive/niikawa-test-http.oji-cloud.net/cert1.pem
lrwxrwxrwx 1 root root  57 Sep 25 07:50 chain.pem -> ../../archive/niikawa-test-http.oji-cloud.net/chain1.pem
lrwxrwxrwx 1 root root  61 Sep 25 07:50 fullchain.pem -> ../../archive/niikawa-test-http.oji-cloud.net/fullchain1.pem
lrwxrwxrwx 1 root root  59 Sep 25 07:50 privkey.pem -> ../../archive/niikawa-test-http.oji-cloud.net/privkey1.pem
-rw-r--r-- 1 root root 692 Sep 25 07:50 README


Installing the certificate and private key in Apache

  • Point /etc/httpd/conf.d/ssl.conf at the certificate and private key (if you have set up a vhost, edit that vhost’s conf instead).
  • In the ssl.conf below, SSLCertificateFile is set to fullchain.pem, which contains the server certificate followed by the intermediate (chain) certificate, and SSLCertificateKeyFile to privkey.pem. SSLCertificateChainFile has been deprecated since Apache 2.4.8 and is not needed once fullchain.pem is used; serving cert.pem alone, without the chain, leaves clients that do not already hold the Let’s Encrypt intermediate unable to validate the certificate. Because the live/ paths are symlinks, the configuration needs no change after a renewal, only a reload.
[ec2-user@ip-XX-XX-XX-XX ~]$ cd /etc/httpd/conf.d
[ec2-user@ip-XX-XX-XX-XX conf.d]$ sudo vi ssl.conf

#   Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate.  If
# the certificate is encrypted, then you will be prompted for a
# pass phrase.  Note that a kill -HUP will prompt again.  A new
# certificate can be generated using the genkey(1) command.
#   fullchain.pem = server certificate followed by the intermediate certificate
SSLCertificateFile /etc/letsencrypt/live/niikawa-test-http.oji-cloud.net/fullchain.pem

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/letsencrypt/live/niikawa-test-http.oji-cloud.net/privkey.pem

#   Server Certificate Chain:
#   Point SSLCertificateChainFile at a file containing the
#   concatenation of PEM encoded CA certificates which form the
#   certificate chain for the server certificate. Alternatively
#   the referenced file can be the same as SSLCertificateFile
#   when the CA certificates are directly appended to the server
#   certificate for convenience.
#   Deprecated since Apache 2.4.8; the chain is already in fullchain.pem above.
#SSLCertificateChainFile /etc/letsencrypt/live/niikawa-test-http.oji-cloud.net/chain.pem

[ec2-user@ip-XX-XX-XX-XX conf.d]$ sudo httpd -t
Syntax OK


  • Restart httpd and check its status. (For a certificate change alone, systemctl reload httpd.service is enough and does not drop in-flight connections; a full restart is shown here.)
[ec2-user@ip-XX-XX-XX-XX conf.d]$ sudo systemctl restart httpd.service
[ec2-user@ip-XX-XX-XX-XX conf.d]$ sudo systemctl status httpd.service


Connectivity check with curl

  • Run curl -v from a client and confirm that the TLS handshake succeeds with the Let’s Encrypt certificate: the issuer line names Let’s Encrypt, subjectAltName matches the host, and curl prints "SSL certificate verify ok". Note also the Server response header, which discloses the exact Apache and OpenSSL versions; ServerTokens Prod in httpd.conf reduces it to "Apache".
niikawa@niikawa1:~$ curl -vv https://niikawa-test-http.oji-cloud.net
* Rebuilt URL to: https://niikawa-test-http.oji-cloud.net/
*   Trying XX.XX.XX.XX...
* TCP_NODELAY set
* Connected to niikawa-test-http.oji-cloud.net (XX.XX.XX.XX) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=niikawa-test-http.oji-cloud.net
*  start date: Sep 25 06:50:45 2020 GMT
*  expire date: Dec 24 06:50:45 2020 GMT
*  subjectAltName: host "niikawa-test-http.oji-cloud.net" matched cert's "niikawa-test-http.oji-cloud.net"
*  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*  SSL certificate verify ok.
> GET / HTTP/1.1
> Host: niikawa-test-http.oji-cloud.net
> User-Agent: curl/7.58.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Fri, 25 Sep 2020 08:07:07 GMT
< Server: Apache/2.4.46 () OpenSSL/1.0.2k-fips
< Upgrade: h2,h2c
< Connection: Upgrade
< Last-Modified: Thu, 24 Sep 2020 07:29:39 GMT
< ETag: "d-5b00a29b46f92"
< Accept-Ranges: bytes
< Content-Length: 13
< Content-Type: text/html; charset=UTF-8
<
niikawa-test
* Connection #0 to host niikawa-test-http.oji-cloud.net left intact
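  • curl checks the handshake from one client with one trust store. The script below is an added example for this article (not code from the original post, certbot or Apache) that checks what Apache actually serves on port 443 in a way that catches the two mistakes this procedure invites: serving cert.pem without the intermediate, and Apache still holding an old certificate after a renewal. It pulls the chain with openssl s_client -showcerts, counts the certificates the server sends, checks the verification result, compares the served leaf’s SHA-256 fingerprint with /etc/letsencrypt/live/<domain>/cert.pem, and warns when fewer than 30 days of validity remain. It assumes openssl is installed and that it runs with sudo on the instance so that the live/ directory is readable.

```shell
#!/bin/sh
# Check what Apache actually serves on :443 after the ssl.conf change.
# Added example for this article; not code from the original post, certbot or Apache.
# Assumptions (not in the article): openssl is installed and the script runs with
# sudo on the host so that /etc/letsencrypt/live/<domain>/cert.pem is readable.

# Keep only the "Certificate chain" section of an `openssl s_client -showcerts`
# transcript read from stdin. The leaf is printed a second time further down under
# "Server certificate", so counting the whole transcript would over-count.
chain_section() {
    awk '/^Certificate chain/ { in_chain = 1; next }
         /^---$/ && in_chain { exit }
         in_chain { print }'
}

# Number of PEM certificates on stdin (prints 0 instead of failing when none).
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' || true
}

# First PEM certificate on stdin, i.e. the leaf of a chain or bundle.
first_cert() {
    awk '/-----BEGIN CERTIFICATE-----/ { n++ }
         n == 1 { print }
         /-----END CERTIFICATE-----/ && n == 1 { exit }'
}

# True when the transcript on stdin reports a successful chain verification.
verify_ok() {
    grep -q 'Verify return code: 0 (ok)'
}

# SHA-256 fingerprint of the PEM certificate on stdin.
fingerprint() {
    openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

main() {
    domain="$1"
    live="/etc/letsencrypt/live/$domain"
    status=0
    transcript=$(openssl s_client -connect "$domain:443" -servername "$domain" \
                 -showcerts </dev/null 2>/dev/null)

    # 1. Chain length: cert.pem alone sends 1 certificate, fullchain.pem sends 2 or more.
    sent=$(printf '%s\n' "$transcript" | chain_section | count_certs)
    if [ "$sent" -ge 2 ]; then
        echo "ok: server sends $sent certificates (intermediate included)"
    else
        echo "FAIL: server sends $sent certificate; point SSLCertificateFile at fullchain.pem" >&2
        status=1
    fi

    # 2. Verification against this host's trust store.
    if printf '%s\n' "$transcript" | verify_ok; then
        echo "ok: chain verifies"
    else
        echo "FAIL: chain does not verify" >&2; status=1
    fi

    # 3. The served leaf is the one in the live/ lineage (catches a vhost still
    #    pointing at an old file, or Apache not reloaded after renewal).
    served_fp=$(printf '%s\n' "$transcript" | chain_section | first_cert | fingerprint)
    local_fp=$(fingerprint < "$live/cert.pem")
    if [ -n "$served_fp" ] && [ "$served_fp" = "$local_fp" ]; then
        echo "ok: served certificate matches $live/cert.pem ($served_fp)"
    else
        echo "FAIL: served $served_fp but $live/cert.pem is $local_fp" >&2; status=1
    fi

    # 4. Validity: warn when under 30 days remain, certbot's default renewal threshold.
    if printf '%s\n' "$transcript" | chain_section | first_cert \
         | openssl x509 -noout -checkend 2592000 >/dev/null; then
        echo "ok: more than 30 days of validity left"
    else
        echo "WARN: fewer than 30 days left; certbot renew should pick it up" >&2
    fi
    return "$status"
}

# Usage: sudo sh tls-check.sh niikawa-test-http.oji-cloud.net
if [ $# -gt 0 ]; then main "$@"; fi
```

Check 1 is the one curl does not give you directly: a client that happens to have the intermediate cached will report "verify ok" even when the server sends only cert.pem, while a fresh client will not.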


Renewing the certificate

  • Once a certificate has fewer than 30 days of validity left, running certbot renew renews it (certbot-auto is a separate, now deprecated wrapper; the EPEL package installed above provides the certbot command, as the issuance output itself says). Check that renewal will work before relying on it with certbot renew --dry-run, which runs the challenge against the Let’s Encrypt staging environment without touching the real certificate.
  • Renewal can be automated with cron (or with the certbot-renew.timer unit that the EPEL package ships; check with systemctl list-timers). Apache keeps the certificate it loaded at startup, so a renewal alone does not change what is served: the job must also reload httpd, for example via --deploy-hook or a script under /etc/letsencrypt/renewal-hooks/deploy/.
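  • The deploy hook below is an added example for this article (not part of the original post or of certbot) of the reload step. certbot runs every executable in /etc/letsencrypt/renewal-hooks/deploy/ after a successful renewal and exports RENEWED_LINEAGE (the live/<domain> directory) and RENEWED_DOMAINS to it. The hook reloads Apache only when ssl.conf actually references the renewed lineage, and only after httpd -t passes, so a broken configuration is never reloaded into a running server. The ssl.conf path and the hook’s file name are assumptions, not from the article.

```shell
#!/bin/sh
# Deploy hook for `certbot renew`: reload Apache after a successful renewal, but
# only when the renewed lineage is the one ssl.conf uses and the config is valid.
# Added example for this article; not part of the original post or of certbot.
# Assumptions (not in the article): Apache's TLS config is /etc/httpd/conf.d/ssl.conf
# and this file is installed, executable, as
# /etc/letsencrypt/renewal-hooks/deploy/reload-httpd.sh.
#
# Schedule (one line in /etc/cron.d/certbot, run as root; Let's Encrypt asks for
# twice-daily runs at a minute of your choosing):
#   17 3,15 * * * root certbot renew --quiet

SSL_CONF="${SSL_CONF:-/etc/httpd/conf.d/ssl.conf}"

# True when the config names a certificate or key under the renewed lineage
# directory, i.e. when Apache is serving this certificate and needs a reload.
# The lineage path is used as a regex; a literal '.' in it matches itself too.
lineage_in_conf() {
    conf="$1"; lineage="$2"
    grep -Eq "^[[:space:]]*SSLCertificate(File|KeyFile|ChainFile)[[:space:]]+$lineage/" "$conf"
}

# Syntax-check first; refuse to reload a broken configuration.
reload_httpd() {
    httpd -t >/dev/null 2>&1 || { echo "httpd -t failed; not reloading" >&2; return 1; }
    systemctl reload httpd.service
}

main() {
    [ -n "$RENEWED_LINEAGE" ] || { echo "RENEWED_LINEAGE not set; run via certbot" >&2; return 2; }
    if lineage_in_conf "$SSL_CONF" "$RENEWED_LINEAGE"; then
        echo "renewed $RENEWED_DOMAINS; reloading httpd"
        reload_httpd
    else
        echo "renewed $RENEWED_DOMAINS but $SSL_CONF does not use $RENEWED_LINEAGE; nothing to reload"
    fi
}

# certbot sets RENEWED_LINEAGE when it invokes the hook; otherwise do nothing.
if [ -n "$RENEWED_LINEAGE" ]; then main; fi
```

Test the whole path once with certbot renew --dry-run; dry runs also execute deploy hooks, so a failing httpd -t shows up there rather than at the real renewal.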


References