Engineer's Diary

Day-to-day development notes

Obtaining a Let’s Encrypt SSL certificate and configuring it in Apache

Setting up certbot-auto

("certbot-auto" is a tool provided by Let’s Encrypt)

# curl https://dl.eff.org/certbot-auto -o /usr/bin/certbot-auto
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 57175  100 57175    0     0   162k      0 --:--:-- --:--:-- --:--:--  163k

# chmod 700 /usr/bin/certbot-auto

# ls -l /usr/bin/certbot-auto
-rwx------. 1 root root 57175 Sep 23 06:27 /usr/bin/certbot-auto

Run the certbot-auto command to create the certificate

# certbot-auto certonly
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
-------------------------------------------------------------------------------
1: Apache Web Server plugin - Beta (apache)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)
-------------------------------------------------------------------------------
Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 3  # select the mode that uses the existing web server
Plugins selected: Authenticator webroot, Installer None
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel): 【your-domain.com】  # the domain you obtained
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for 【your-domain.com】

Select the webroot for 【your-domain.com】:
-------------------------------------------------------------------------------
1: Enter a new webroot
-------------------------------------------------------------------------------
Press 1 [enter] to confirm the selection (press 'c' to cancel): 1   # press 1 as instructed
Input the webroot for 【your-domain.com】: (Enter 'c' to cancel): 【/var/www/your-document-root】  # document root
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:

・・・・・

The certificate files are generated automatically under /etc/letsencrypt/live/【your-domain.com】

Configuring Apache

# vi /etc/httpd/conf.d/ssl.conf

Set the following items.

SSLCertificateFile /etc/letsencrypt/live/【your-domain.com】/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/【your-domain.com】/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/【your-domain.com】/chain.pem

After restarting Apache, I was able to connect securely over https.
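
A check that can be run on the three files referenced in ssl.conf before restarting Apache, as an added example that is not part of the original post: it confirms that privkey.pem belongs to cert.pem, that chain.pem starts with the issuer of cert.pem, and that the certificate is not about to expire. The function name check_cert_pair, its return codes and the 30-day default are assumptions of this example; it needs the openssl command-line tool.

```shell
#!/bin/sh
# Added example: sanity-check a certificate directory before pointing Apache at it.
# Usage: check_cert_pair DIR [MIN_DAYS]
# Return codes (chosen for this example): 0 ok, 1 key mismatch,
# 2 chain.pem is not the issuer, 3 expires within MIN_DAYS, 4 unreadable file.
check_cert_pair() {
    dir=$1
    min_days=${2:-30}

    for f in cert.pem privkey.pem chain.pem; do
        [ -r "$dir/$f" ] || { echo "missing or unreadable: $dir/$f" >&2; return 4; }
    done

    # The public key embedded in the certificate must equal the one derived
    # from the private key; Apache fails to load a mismatched pair.
    cert_pub=$(openssl x509 -in "$dir/cert.pem" -noout -pubkey) || return 4
    key_pub=$(openssl pkey -in "$dir/privkey.pem" -pubout) || return 4
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "privkey.pem does not match cert.pem" >&2
        return 1
    fi

    # The first certificate in chain.pem should be the issuer of cert.pem
    # (compared by name hash; this is not a full signature verification).
    issuer=$(openssl x509 -in "$dir/cert.pem" -noout -issuer_hash) || return 4
    chain_subject=$(openssl x509 -in "$dir/chain.pem" -noout -subject_hash) || return 4
    if [ "$issuer" != "$chain_subject" ]; then
        echo "chain.pem does not start with the issuer of cert.pem" >&2
        return 2
    fi

    # -checkend exits non-zero if the certificate expires within N seconds.
    if ! openssl x509 -in "$dir/cert.pem" -noout \
            -checkend $((min_days * 86400)) >/dev/null; then
        echo "cert.pem expires within $min_days days" >&2
        return 3
    fi
    return 0
}

# Run directly: sh check.sh /etc/letsencrypt/live/<your-domain>
if [ "$#" -gt 0 ]; then
    check_cert_pair "$@"
fi
```

Run it as root, since the private key under /etc/letsencrypt is readable only by root.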