Enabling SSL on Apache @ Sakura VPS (retry)

1. Let’s Encrypt

1.1. Obtaining the certificate

systemctl stop httpd
git clone https://github.com/certbot/certbot /usr/local/certbot
/usr/local/certbot/certbot-auto certonly -n --standalone --agree-tos -d [domain to obtain the certificate for] -m [administrator e-mail address] --server https://acme-v02.api.letsencrypt.org/directory
Creating virtual environment...
Installing Python packages...
Installation succeeded.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for virtual.hogehoge.com
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/virtual.hogehoge.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/virtual.hogehoge.com/privkey.pem
   Your cert will expire on 2021-02-21. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

1.2. Registering certificate renewal in cron

vi /etc/cron.d/certbot-auto
0 4 5,15,25 * * root /usr/local/certbot/certbot-auto renew --pre-hook 'systemctl stop httpd' --post-hook 'systemctl reload postfix dovecot; systemctl start httpd'

2. Apache SSL configuration

2.1. Configuring ssl.conf

vi /etc/httpd/conf.d/ssl.conf
#SSLCertificateFile /etc/pki/tls/certs/localhost.crt   ### comment out the original line
SSLCertificateFile /etc/letsencrypt/live/test.hogehoge.com/fullchain.pem   ### add this line
#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key   ### comment out the original line
SSLCertificateKeyFile /etc/letsencrypt/live/test.hogehoge.com/privkey.pem   ### add this line
SSLCertificateChainFile /etc/letsencrypt/live/virtual.office-iwakiri.com/chain.pem   ### add this line
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1   ### add this line
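As an added example (not part of the original post), here is a small Python audit that evaluates SSLProtocol with httpd's own semantics (an unprefixed token replaces the set, "+" adds, "-" removes, "All" means every protocol except SSLv2) and checks the ssl.conf edits above for the stock and the edited file; both sample configs are constructed inline and use the post's hostnames.

```python
# Added example: audit the SSLProtocol / SSLCertificateFile edits made in ssl.conf.
import re

# Protocol names httpd 2.4 understands; "All" expands to everything except SSLv2.
PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
ALL = frozenset(p for p in PROTOCOLS if p != "SSLv2")
WEAK = frozenset({"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"})
CANON = {p.lower(): p for p in PROTOCOLS}

def enabled_protocols(value):
    """Return the protocols left enabled by an SSLProtocol directive value."""
    enabled = set()
    for word in value.split():
        action, name = (word[0], word[1:]) if word[0] in "+-" else ("", word)
        if name.lower() == "all":
            this = set(ALL)
        elif name.lower() in CANON:
            this = {CANON[name.lower()]}
        else:
            raise ValueError("unknown protocol token: " + word)
        if action == "-":
            enabled -= this
        elif action == "+":
            enabled |= this
        else:
            enabled = this  # unprefixed token overrides whatever was set before
    return enabled

def audit_ssl_conf(text):
    """Return findings for the directives this post edits (empty list = clean)."""
    directives = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments (commented-out lines vanish)
        m = re.match(r"(\w+)\s+(.*)", line)
        if m:
            directives[m.group(1)] = m.group(2).strip()
    findings = []
    weak = enabled_protocols(directives.get("SSLProtocol", "all")) & WEAK
    if weak:
        findings.append("weak protocols enabled: " + ", ".join(sorted(weak)))
    cert = directives.get("SSLCertificateFile", "")
    if "localhost.crt" in cert:
        findings.append("SSLCertificateFile still points at the self-signed localhost.crt")
    if not cert.endswith("fullchain.pem"):
        findings.append("SSLCertificateFile is not fullchain.pem; the chain may be missing")
    return findings

# Constructed samples: the CentOS stock ssl.conf lines, and the lines after this post's edits.
STOCK = "SSLCertificateFile /etc/pki/tls/certs/localhost.crt\nSSLProtocol all -SSLv2 -SSLv3\n"
HARDENED = ("#SSLCertificateFile /etc/pki/tls/certs/localhost.crt\n"
            "SSLCertificateFile /etc/letsencrypt/live/virtual.hogehoge.com/fullchain.pem\n"
            "SSLCertificateKeyFile /etc/letsencrypt/live/virtual.hogehoge.com/privkey.pem\n"
            "SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1\n")
```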

2.2. Configuring welcome.conf

vi /etc/httpd/conf.d/welcome.conf
<LocationMatch "^/+$">
#  Options -Indexes
#  ErrorDocument 403 /noindex/index.html
</LocationMatch>

2.3. Configuring httpd.conf

vi /etc/httpd/conf/httpd.conf
### The Directory directive for the document root
<Directory "/var/www/html/">
    Options Indexes FollowSymLinks
      ↓
    Options FollowSymLinks  ## changed
</Directory>
### Append at the end of the file
ServerTokens ProductOnly
ServerSignature Off

2.4. Creating rewrite.conf

vi /etc/httpd/conf/rewrite.conf
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
</IfModule>

After restarting httpd with this in place, the phpinfo page was served properly over https.

Phew.
