Installing a Let's Encrypt certificate on CentOS 7.3

Wed May 3, 2017 in server using tags centos, Let's Encrypt

Prerequisites

  • OS
    • CentOS Linux release 7.3.1611 (Core)
  • Web server
    • Apache 2.4.6
  • firewalld
    • enabled
  • SELinux
    • disabled

This walkthrough was done with SELinux disabled. Nothing in the procedure below relies on that, and leaving SELinux enforcing on an Internet-facing web server is the safer choice; the steps here simply do not cover any labelling work that an enforcing system might need.

Enabling HTTPS in firewalld

Allow HTTPS access from the Internet. The `--permanent` change only takes effect after `--reload`; the final `--list-all` confirms that https now appears next to http in the public zone's services.

$ sudo firewall-cmd --permanent --zone=public --add-service=https
success
$ sudo firewall-cmd --reload
success
$ sudo firewall-cmd --zone=public --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: http https
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  sourceports: 
  icmp-blocks: 
  rich rules: 

Installing the EPEL repository

Install the EPEL repository, which is where the Certbot packages used below come from.

$ sudo yum install epel-release
[sudo] password for ryota:
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: ftp.iij.ad.jp
 * extras: ftp.iij.ad.jp
 * updates: ftp.iij.ad.jp
Resolving Dependencies
--> Running transaction check
---> Package epel-release.noarch 0:7-9 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package                Arch             Version         Repository       Size
================================================================================
Installing:
 epel-release           noarch           7-9             extras            14 k

Transaction Summary
================================================================================
Install  1 Package

Total download size: 14 k
Installed size: 24 k
Is this ok [y/d/N]: y
Downloading packages:
epel-release-7-9.noarch.rpm                                |  14 kB   00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : epel-release-7-9.noarch                                      1/1
  Verifying  : epel-release-7-9.noarch                                      1/1

Installed:
  epel-release.noarch 0:7-9

Complete!

Disable the EPEL repository by default, so that routine yum operations stay on the base repositories, and enable it explicitly (`--enablerepo=epel`) only for the commands that need it. Back the file up first and diff afterwards to confirm that only the `enabled` line changed.

$ sudo cp -p /etc/yum.repos.d/epel.repo{,.org}
$
$ ls -l /etc/yum.repos.d/epel.repo*
-rw-r--r--. 1 root root 957 Dec 28 02:37 /etc/yum.repos.d/epel.repo
-rw-r--r--. 1 root root 957 Dec 28 02:37 /etc/yum.repos.d/epel.repo.org
$
$ sudo sed -i -e "s/^enabled=1/enabled=0/g" /etc/yum.repos.d/epel.repo
$
$ diff /etc/yum.repos.d/epel.repo{.org,}
6c6
< enabled=1
---
> enabled=0
$
$ ls -l /etc/yum.repos.d/epel.repo*
-rw-r--r--. 1 root root 957 May  3 16:17 /etc/yum.repos.d/epel.repo
-rw-r--r--. 1 root root 957 Dec 28 02:37 /etc/yum.repos.d/epel.repo.org

Installing Certbot

Install Certbot and its Apache plugin from EPEL, enabling the repository for this one command only.

$ sudo yum --enablerepo=epel install certbot python-certbot-apache

Obtaining a certificate from Let's Encrypt

Run the following command to obtain a Let's Encrypt certificate. The session below is interactive; for scripted runs the same answers can be given as flags (`--non-interactive`, `--agree-tos`, `-m <email>`, `-d <domain>`, `--redirect`). Certbot asks twice which vhost to use because no Apache vhost declares a `ServerName` matching the domain; setting `ServerName www.shinayoshi.net` in the relevant vhost beforehand lets it pick the host automatically. Note also that this session, from May 2017, talks to the ACME v1 endpoint and uses the tls-sni-01 challenge; Let's Encrypt has since retired both (tls-sni-01 was withdrawn after it was shown to be abusable on shared hosting, and ACME v1 was shut down in 2021), so a current Certbot will use the v2 endpoint and the http-01 challenge instead. The rest of the flow is unchanged.

$ sudo certbot --apache
[sudo] password for ryota: 
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel):<email address>
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org

-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf. You must agree
in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: A

-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: N
No names were found in your configuration files. Please enter in your domain
name(s) (comma and/or space separated)  (Enter 'c' to cancel):www.shinayoshi.net
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for www.shinayoshi.net

We were unable to find a vhost with a ServerName or Address of www.shinayoshi.net.
Which virtual host would you like to choose?
(note: conf files with multiple vhosts are not yet supported)
-------------------------------------------------------------------------------
1: ssl.conf                       |                       | HTTPS | Enabled
-------------------------------------------------------------------------------
Press 1 [enter] to confirm the selection (press 'c' to cancel): 1
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem

We were unable to find a vhost with a ServerName or Address of www.shinayoshi.net.
Which virtual host would you like to choose?
(note: conf files with multiple vhosts are not yet supported)
-------------------------------------------------------------------------------
1: ssl.conf                       |                       | HTTPS | Enabled
-------------------------------------------------------------------------------
Press 1 [enter] to confirm the selection (press 'c' to cancel): 1
Deploying Certificate to VirtualHost /etc/httpd/conf.d/ssl.conf

Please choose whether HTTPS access is required or optional.
-------------------------------------------------------------------------------
1: Easy - Allow both HTTP and HTTPS access to these sites
2: Secure - Make all requests redirect to secure HTTPS access
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Created redirect file: le-redirect-www.shinayoshi.net.conf
Rollback checkpoint is empty (no changes made?)

-------------------------------------------------------------------------------
Congratulations! You have successfully enabled https://www.shinayoshi.net

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=www.shinayoshi.net
-------------------------------------------------------------------------------

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/www.shinayoshi.net/fullchain.pem. Your
   cert will expire on 2017-08-01. To obtain a new or tweaked version
   of this certificate in the future, simply run certbot again with
   the "certonly" option. To non-interactively renew *all* of your
   certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

$

Verifying the Let's Encrypt certificate

Open the site in a browser and confirm that the certificate now presented is the Let's Encrypt one: the issuer shown in the certificate details should be Let's Encrypt, and the expiry date should match the one Certbot reported (2017-08-01 above). Certbot's output also points at the SSL Labs test, which is worth running for a fuller check of the TLS configuration, not just the certificate.

Automatic renewal with systemd

Run the following command to confirm that a renewal would complete cleanly. `--dry-run` uses the Let's Encrypt staging environment (note the acme-staging host in the output), so it does not count against production rate limits, and the test certificates it obtains are not saved.

$ sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/www.shinayoshi.net.conf
-------------------------------------------------------------------------------
Cert not due for renewal, but simulating renewal for dry run
Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for www.shinayoshi.net
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0003_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0003_csr-certbot.pem

-------------------------------------------------------------------------------
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/www.shinayoshi.net/fullchain.pem
-------------------------------------------------------------------------------
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/www.shinayoshi.net/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)

Once `certbot renew --dry-run` reports no problems, enable and start the systemd timer that runs the renewal. `certbot renew` only renews certificates with fewer than 30 days of validity remaining, so it is safe for the timer to run often; after starting it, `systemctl list-timers certbot-renew.timer` shows the next scheduled run.

$ sudo systemctl enable certbot-renew.timer
Created symlink from /etc/systemd/system/timer.target.wants/certbot-renew.timer to /usr/lib/systemd/system/certbot-renew.timer.
$ sudo systemctl start certbot-renew.timer
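The browser check in the verification section and the renewal timer above both leave the same question open: is the certificate this host serves the expected one, and is it being renewed in time? As an added example (not part of the original post), here is a Python script using only the standard library that answers both. It connects with Python's default SSL context, so an untrusted chain or a hostname mismatch already fails the handshake; on top of that it checks that the issuer organization is Let's Encrypt, that a DNS SAN covers the hostname, and that more than 30 days of validity remain, which is the point at which `certbot renew` would have acted, so anything under that means the timer is not doing its job. `SAMPLE_CERT` is a constructed dict in the shape `getpeercert()` returns and is used for the offline run; www.example.net, the sample issuer name and the 30-day threshold are assumptions.

```python
#!/usr/bin/env python3
"""Verify the certificate a TLS endpoint serves: trusted chain, Let's Encrypt issuer,
hostname covered by a SAN, and enough validity left for the renewal timer to have acted."""
import socket
import ssl
import sys
import time

EXPECTED_ISSUER = "Let's Encrypt"
MIN_DAYS = 30  # certbot renews when < 30 days remain; less than that means the timer failed

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.net"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Let's Encrypt"),),
        (("commonName", "Let's Encrypt Authority X3"),),
    ),
    "notBefore": "May 03 09:00:00 2017 GMT",
    "notAfter": "Aug 01 09:00:00 2017 GMT",
    "subjectAltName": (("DNS", "www.example.net"),),
}


def fetch_peercert(host, port=443, timeout=10.0):
    """TLS-connect with the default context (chain validated against the system CA store,
    hostname checked) and return the peer certificate as a getpeercert() dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        # server_hostname sends SNI, so a multi-vhost server picks the right certificate
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def summarize(cert):
    """Flatten getpeercert() output into the few fields the checks below need."""
    issuer = {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return {
        "issuer_org": issuer.get("organizationName", ""),
        "sans": sans,
        "not_after": ssl.cert_time_to_seconds(cert["notAfter"]),  # epoch seconds, UTC
    }


def san_matches(san, hostname):
    """RFC 6125-style match: exact, or a single leading '*' label covering exactly one label."""
    san, hostname = san.lower(), hostname.lower()
    if san == hostname:
        return True
    if san.startswith("*.") and "*" not in san[2:]:
        return hostname.count(".") == san.count(".") and hostname.endswith(san[1:])
    return False


def problems(cert, hostname, now=None, min_days=MIN_DAYS):
    """Return a list of findings; an empty list means the certificate is as expected."""
    now = time.time() if now is None else now
    info = summarize(cert)
    findings = []
    if info["issuer_org"] != EXPECTED_ISSUER:
        findings.append(f"issuer organizationName is {info['issuer_org']!r}, expected {EXPECTED_ISSUER!r}")
    if not any(san_matches(san, hostname) for san in info["sans"]):
        findings.append(f"no DNS SAN covers {hostname!r} (SANs: {info['sans']})")
    days_left = (info["not_after"] - now) / 86400
    if days_left <= 0:
        findings.append(f"certificate expired {-days_left:.1f} days ago")
    elif days_left < min_days:
        findings.append(f"only {days_left:.1f} days of validity left (renewal should have run at {min_days})")
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        host = sys.argv[1]
        try:
            cert = fetch_peercert(host)
        except (ssl.SSLError, OSError) as exc:  # untrusted chain, hostname mismatch, refused, ...
            sys.exit(f"{host}: TLS handshake failed: {exc}")
        findings = problems(cert, host)
    else:
        # Offline demo on the constructed sample, with "now" pinned 40 days before its notAfter.
        host = "www.example.net"
        findings = problems(SAMPLE_CERT, host, now=summarize(SAMPLE_CERT)["not_after"] - 40 * 86400)
    print(f"{host}: {'OK' if not findings else 'PROBLEMS'}")
    for line in findings:
        print("  -", line)
    sys.exit(1 if findings else 0)
```

Run as `python3 check_cert.py www.shinayoshi.net` (hypothetical file name) it exits non-zero on any finding, so it can be scheduled alongside the timer; a failing run is the signal that renewal stopped working long before the certificate actually expires.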

That's all.