
Publishing ASP.NET Core on Linux, Apache edition: enabling SSL


Adding SSL to the setup from the previous post: trying out Let's Encrypt

Setup steps

AWS has a reference page for this.

Preparing the installation

Download the Extra Packages for Enterprise Linux (EPEL) 7 package

This is needed to provide the dependencies that Certbot requires.
Move to the home directory (/home/ec2-user) and download EPEL.

[ec2-user@ip- ~]$ sudo wget -r --no-parent -A 'epel-release-*.rpm' http://dl.fedoraproject.org/pub/epel/7/x86_64/Packages/e/
終了しました --2020-01-26 13:32:20--
経過時間: 1.9s
ダウンロード完了: 10 ファイル、367K バイトを 0.3s で取得 (1.42 MB/s)

Install the repository package

[ec2-user@ip- ~]$ sudo rpm -Uvh dl.fedoraproject.org/pub/epel/7/x86_64/Packages/e/epel-release-*.rpm
警告: dl.fedoraproject.org/pub/epel/7/x86_64/Packages/e/epel-release-7-12.noarch.rpm: ヘッダー V3 RSA/SHA256 Signature、鍵 ID xxx: NOKEY
準備しています... ################################# [100%]
更新中 / インストール中...
1:epel-release-7-12 ################################# [100%]

Enable EPEL

[ec2-user@ip- ~]$ sudo yum-config-manager --enable epel*

You can confirm that EPEL is enabled

[ec2-user@ip- ~]$ sudo yum repolist all

------
リポジトリー ID リポジトリー名 状態
amzn2-core/2/x86_64 Amazon Linux 2 core repository 有効: 18,284
amzn2-core-debuginfo/2/x86_64 Amazon Linux 2 core repository - debuginfo packages 無効
amzn2-core-source/2 Amazon Linux 2 core repository - source packages 無効
amzn2extra-docker/2/x86_64 Amazon Extras repo for docker 有効: 19
amzn2extra-docker-debuginfo/2/x86_64 Amazon Extras debuginfo repo for docker 無効
amzn2extra-docker-source/2 Amazon Extras source repo for docker 無効
epel/x86_64 Extra Packages for Enterprise Linux 7 - x86_64 有効: 13,329+188
epel-debuginfo/x86_64 Extra Packages for Enterprise Linux 7 - x86_64 - Debug 有効: 2,803
epel-source/x86_64 Extra Packages for Enterprise Linux 7 - x86_64 - Source 有効: 0
epel-testing/x86_64 Extra Packages for Enterprise Linux 7 - Testing - x86_64 有効: 607+4
epel-testing-debuginfo/x86_64 Extra Packages for Enterprise Linux 7 - Testing - x86_64 有効: 77
epel-testing-source/x86_64 Extra Packages for Enterprise Linux 7 - Testing - x86_64 有効: 0
packages-microsoft-com-prod packages-microsoft-com-prod 有効: 200+16
repolist: 35,319

The reference page says to edit /etc/httpd/conf/httpd.conf, but I tried skipping that step

In the previous post I already created /etc/httpd/conf.d/netcore-web.conf for this app.
Since HTTP connections already work, I will proceed without editing /etc/httpd/conf/httpd.conf and leave it at its default.
Restart Apache just in case.

[ec2-user@ip- ~]$ sudo systemctl restart httpd

Installing and running Certbot

Install the Certbot package and its dependencies

[ec2-user@ip- ~]$ sudo yum install -y certbot python2-certbot-apache
------
完了しました!

Run Certbot

[ec2-user@ip- ~]$ sudo certbot
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): xxx@mail-domain ↵

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
'https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf.' You must
agree in order to register with the ACME server at
'https://acme-v02.api.letsencrypt.org/directory'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A ↵

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N ↵

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: xxx.domain ↵
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):↵
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for xxx.domain
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/httpd/conf.d/netcore-web-le-ssl.conf
Deploying Certificate to VirtualHost /etc/httpd/conf.d/netcore-web-le-ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2 ↵
Redirecting vhost in /etc/httpd/conf.d/netcore-web.conf to ssl vhost in /etc/httpd/conf.d/netcore-web-le-ssl.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://xxx.domain

You should test your configuration at:
'https://www.ssllabs.com/ssltest/analyze.html?d=xxx.domain'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/xxx.domain/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/xxx.domain/privkey.pem
Your cert will expire on 2020-04-25. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

I chose "2" so that HTTP access is redirected to HTTPS.
The .conf file had been edited automatically, as shown below

[ec2-user@ip- conf.d]$ cat /etc/httpd/conf.d/netcore-web.conf
<VirtualHost *:*>
RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
</VirtualHost>

<VirtualHost *:80>
ProxyPreserveHost On
ProxyPass / http://127.0.0.1:5000/
ProxyPassReverse / http://127.0.0.1:5000/
ServerName xxx.domain
ServerAlias *.xxx.domain
ErrorLog /var/log/httpd/netcore-web-error.log
CustomLog /var/log/httpd/netcore-web-access.log common
RewriteEngine on
RewriteCond %{SERVER_NAME} =*.xxx.domain [OR]
RewriteCond %{SERVER_NAME} =xxx.domain
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
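A note on the two RewriteCond lines in the port-80 vhost above, with an added example that is not part of the original post and is not Certbot's code. In mod_rewrite a CondPattern that begins with "=" is a plain lexicographic string comparison, not a pattern, so "=*.xxx.domain" only matches a request whose SERVER_NAME is literally the text "*.xxx.domain". The bare name is covered by the second condition, which is why the check in the next section succeeds; a request for any other name that "ServerAlias *.xxx.domain" accepts is not redirected and keeps being served over plain HTTP. The script below re-implements the "=" comparison, the regex comparison and the [OR] chaining for the conditions copied from the vhost listing, and also runs a single regex condition ("^(.+\.)?xxx\.domain$", my own suggestion, not generated by Certbot) that covers the bare name and every subdomain. The hostnames tried are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post or of Certbot. Models how
# mod_rewrite evaluates the RewriteCond lines in the port-80 vhost so that
# you can see which hostnames are actually redirected to HTTPS.

# Constructed copy of the RewriteCond/RewriteRule lines Certbot wrote into
# /etc/httpd/conf.d/netcore-web.conf (taken from the listing above).
CERTBOT_VHOST='RewriteEngine on
RewriteCond %{SERVER_NAME} =*.xxx.domain [OR]
RewriteCond %{SERVER_NAME} =xxx.domain
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]'

# Suggested replacement (my own, not Certbot output): one regex condition
# that covers the bare name and every subdomain the ServerAlias serves.
REGEX_VHOST='RewriteEngine on
RewriteCond %{SERVER_NAME} ^(.+\.)?xxx\.domain$
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]'

# cond_matches PATTERN HOST: returns 0 if one RewriteCond would match HOST.
# A CondPattern starting with "=" is a plain string comparison; anything else
# is a regular expression (PCRE in Apache; ERE is enough for these shapes).
cond_matches() {
  case "$1" in
    =*) [ "$2" = "${1#=}" ] ;;
    *)  printf '%s\n' "$2" | grep -Eq -- "$1" ;;
  esac
}

# redirect_applies CONFIG HOST: returns 0 if the RewriteRule fires for HOST.
# Conditions are ANDed, except that [OR] joins a condition with the next one.
redirect_applies() {
  host=$2
  overall=0    # 0 = every condition group so far is true
  group=1      # 1 = no condition in the current OR group has matched yet
  while read -r kw _testvar pat flags; do
    [ "$kw" = "RewriteCond" ] || continue
    if cond_matches "$pat" "$host"; then group=0; fi
    case "$flags" in
      *OR*) ;;                                 # group continues on the next line
      *)    [ "$group" -eq 0 ] || overall=1    # close the group: AND it into the result
            group=1 ;;
    esac
  done <<EOF
$1
EOF
  return "$overall"
}

# report CONFIG HOST...: prints one verdict line per hostname.
report() {
  cfg=$1; shift
  for h in "$@"; do
    if redirect_applies "$cfg" "$h"; then
      echo "$h: redirected to https"
    else
      echo "$h: stays on plain http"
    fi
  done
}

echo "== Certbot-generated conditions =="
report "$CERTBOT_VHOST" xxx.domain www.xxx.domain api.xxx.domain
echo "== single regex condition =="
report "$REGEX_VHOST" xxx.domain www.xxx.domain api.xxx.domain other.example
```

With the Certbot-generated conditions only xxx.domain is redirected; with the regex condition every name under xxx.domain is, while an unrelated name is left alone. If you change the vhost, run "sudo apachectl configtest" and then reload httpd.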

A new file, /etc/httpd/conf.d/netcore-web-le-ssl.conf, had also been added

[root@ip- conf.d]# cat netcore-web-le-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>
ProxyPreserveHost On
ProxyPass / http://127.0.0.1:5000/
ProxyPassReverse / http://127.0.0.1:5000/
ServerName xxx.domain
ServerAlias *.xxx.domain
ErrorLog /var/log/httpd/netcore-web-error.log
CustomLog /var/log/httpd/netcore-web-access.log common
SSLCertificateFile /etc/letsencrypt/live/xxx.domain/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/xxx.domain/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

Checking HTTPS access

http://xxx.domain → automatically became https://xxx.domain

Setting up automatic certificate renewal

Automating Certbot
I am trying the following two approaches and watching how they behave

Create a cron job as ec2-user with crontab -e

[ec2-user@ip- ~]$ crontab -l
30 0,12 * * * root certbot renew --no-self-upgrade
[ec2-user@ip- ~]$ sudo systemctl restart crond

Configure /etc/crontab as root

[root@ip- etc]# vi /etc/crontab
[root@ip- conf.d]# cat /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root

# For details see man 4 crontabs

# Example of job definition:
# .---------------- minute (0 - 59)
# | .------------- hour (0 - 23)
# | | .---------- day of month (1 - 31)
# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# | | | | |
# * * * * * user-name command to be executed
30 0,12 * * * root /usr/bin/certbot renew --no-self-upgrade
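The two cron entries above, checked with an added script that is not from the post. A user crontab written with crontab -e has only the five time fields before the command, so in the ec2-user entry the word "root" is read as the command and cron will try to execute a program named root. The sixth "user" field exists only in /etc/crontab (and /etc/cron.d), so of the two entries only the /etc/crontab one can run; and even with the extra word removed, the ec2-user entry would run Certbot without the root privileges it needs to read /etc/letsencrypt. The script extracts the command each crontab type would execute and flags a command that begins with a local user name (looked up in /etc/passwd) or is not an absolute path. The two crontab lines are copied from above.

```shell
#!/bin/sh
# Added example, not part of the original post. Checks the cron lines shown
# above. A user crontab (crontab -e) has 5 time fields followed directly by
# the command; only /etc/crontab and /etc/cron.d have a sixth "user" field.

# cron_command TYPE LINE: prints the command cron would execute for LINE,
# where TYPE is "user" (crontab -e) or "system" (/etc/crontab).
cron_command() {
  if [ "$1" = "system" ]; then skip=6; else skip=5; fi
  printf '%s\n' "$2" | awk -v n="$skip" '{
    for (i = 1; i <= n; i++) $i = ""   # drop the time (and user) fields
    sub(/^ +/, "")                     # trim the blanks they leave behind
    print
  }'
}

# cron_lint TYPE LINE: returns 0 if the command looks runnable, 1 if its
# first word is a local user name (a /etc/crontab line pasted into a user
# crontab), 2 if the command is not an absolute path (cron's PATH is short,
# as the /etc/crontab header above shows).
cron_lint() {
  cmd=$(cron_command "$1" "$2")
  first=${cmd%% *}
  if [ -n "$first" ] && grep -q "^${first}:" /etc/passwd 2>/dev/null; then
    echo "WARN: command starts with user name '$first'; wrong crontab type?" >&2
    return 1
  fi
  case "$first" in
    /*) return 0 ;;
    *)  echo "WARN: '$first' is not an absolute path; cron uses a minimal PATH" >&2
        return 2 ;;
  esac
}

# The two entries from the post: "TYPE|LINE", constructed from the listings.
for spec in "user|30 0,12 * * * root certbot renew --no-self-upgrade" \
            "system|30 0,12 * * * root /usr/bin/certbot renew --no-self-upgrade"; do
  ctype=${spec%%|*}
  line=${spec#*|}
  if cron_lint "$ctype" "$line"; then
    echo "OK  ($ctype crontab) would run: $(cron_command "$ctype" "$line")"
  else
    echo "BAD ($ctype crontab) would run: $(cron_command "$ctype" "$line")"
  fi
done
```

Before relying on either entry, run "sudo certbot renew --dry-run" once by hand: it exercises the whole renewal without touching the live certificate, and the result of each scheduled run can be checked in /var/log/letsencrypt/letsencrypt.log, the log file Certbot named in its output above.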

Summary

I am gradually getting used to installing Let's Encrypt.
Automatic certificate renewal is not working correctly yet, so I plan to revisit it.
Be careful: the certificate expires after three months, and the site becomes unreachable when it does.
