Adding SSL to the previous post's setup: trying out Let's Encrypt
Setup steps
AWS has a reference page for this.
Preparing for installation
Download the Extra Packages for Enterprise Linux (EPEL) 7 package
This is needed because it provides the dependencies that Certbot requires.
Move to the home directory (/home/ec2-user) and download EPEL
[ec2-user@ip- ~]$ sudo wget -r --no-parent -A 'epel-release-*.rpm' http://dl.fedoraproject.org/pub/epel/7/x86_64/Packages/e/
終了しました --2020-01-26 13:32:20--
経過時間: 1.9s
ダウンロード完了: 10 ファイル、367K バイトを 0.3s で取得 (1.42 MB/s)
Install the repository package
[ec2-user@ip- ~]$ sudo rpm -Uvh dl.fedoraproject.org/pub/epel/7/x86_64/Packages/e/epel-release-*.rpm
警告: dl.fedoraproject.org/pub/epel/7/x86_64/Packages/e/epel-release-7-12.noarch.rpm: ヘッダー V3 RSA/SHA256 Signature、鍵 ID xxx: NOKEY
準備しています...                ################################# [100%]
更新中 / インストール中...
   1:epel-release-7-12               ################################# [100%]
Enable EPEL
[ec2-user@ip- ~]$ sudo yum-config-manager --enable epel*
You can confirm that EPEL is enabled
[ec2-user@ip- ~]$ sudo yum repolist all
------
リポジトリー ID                        リポジトリー名                                              状態
amzn2-core/2/x86_64                    Amazon Linux 2 core repository                               有効: 18,284
amzn2-core-debuginfo/2/x86_64          Amazon Linux 2 core repository - debuginfo packages          無効
amzn2-core-source/2                    Amazon Linux 2 core repository - source packages             無効
amzn2extra-docker/2/x86_64             Amazon Extras repo for docker                                有効:     19
amzn2extra-docker-debuginfo/2/x86_64   Amazon Extras debuginfo repo for docker                      無効
amzn2extra-docker-source/2             Amazon Extras source repo for docker                         無効
epel/x86_64                            Extra Packages for Enterprise Linux 7 - x86_64               有効: 13,329+188
epel-debuginfo/x86_64                  Extra Packages for Enterprise Linux 7 - x86_64 - Debug       有効:  2,803
epel-source/x86_64                     Extra Packages for Enterprise Linux 7 - x86_64 - Source      有効:      0
epel-testing/x86_64                    Extra Packages for Enterprise Linux 7 - Testing - x86_64     有効:    607+4
epel-testing-debuginfo/x86_64          Extra Packages for Enterprise Linux 7 - Testing - x86_64     有効:     77
epel-testing-source/x86_64             Extra Packages for Enterprise Linux 7 - Testing - x86_64     有効:      0
packages-microsoft-com-prod            packages-microsoft-com-prod                                  有効:    200+16
repolist: 35,319
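One thing worth noticing in the rpm -Uvh output above is the NOKEY warning: the package carries a signature, but rpm had no key to check it against, so the EPEL release package (fetched over plain http) was installed without its signature ever being verified. The following is an added example, not code from the post or from the AWS page: a small classifier for rpm's signature-check output and an install wrapper that imports the EPEL 7 key, runs rpm -K (checksig), and only installs when the result is OK. The function names are mine; the key URL is the published location of the EPEL 7 signing key as I know it, not something the post gives, so confirm it against the EPEL site before relying on it. The sample output lines used for the demo are constructed.

```sh
#!/bin/sh
# Added example (not from the original post): verify an RPM's signature before
# installing it, instead of accepting the NOKEY warning that rpm -Uvh printed.

# rpm_sig_status OUTPUT -> prints one of: ok | nokey | bad
# OUTPUT is the text `rpm -K FILE` prints for one package (or the NOKEY warning
# line that `rpm -Uvh` prints). Order matters: "NOT OK" also contains "OK".
rpm_sig_status() {
  case "$1" in
    *NOKEY*)    echo nokey ;;  # signed, but the key is not in the rpm keyring: never verified
    *"NOT OK"*) echo bad ;;    # verified, and the signature or digest does not match
    *OK*)       echo ok ;;     # verified and matching
    *)          echo bad ;;    # anything unrecognised is treated as unverified
  esac
}

# install_verified RPM_FILE KEY_URL
# Import the signing key, check the package against it, and install only if the
# check passes. Needs rpm, sudo and network access, so the tests below exercise
# rpm_sig_status only.
install_verified() {
  sudo rpm --import "$2" || return 1
  status=$(rpm_sig_status "$(rpm -K "$1" 2>&1)")
  if [ "$status" != ok ]; then
    echo "refusing to install $1: signature status is '$status'" >&2
    return 1
  fi
  sudo rpm -Uvh "$1"
}

# Intended use on the instance from the post (key URL from memory, check it):
#   install_verified dl.fedoraproject.org/pub/epel/7/x86_64/Packages/e/epel-release-7-12.noarch.rpm \
#       https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-7

# Demo on constructed output lines: the first mirrors the warning from the post.
rpm_sig_status 'epel-release-7-12.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID xxx: NOKEY'
rpm_sig_status 'epel-release-7-12.noarch.rpm: rsa sha1 (md5) pgp md5 OK'
rpm_sig_status 'epel-release-7-12.noarch.rpm: RSA sha1 ((MD5) PGP) md5 NOT OK'
```

The exact wording of rpm -K output differs between rpm versions, which is why the classifier keys on the three tokens rather than the whole line; the one invariant is that anything other than a plain OK means the package was not verified.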
The reference page says to edit /etc/httpd/conf/httpd.conf, but I tried skipping that step.
In the previous post I had already created /etc/httpd/conf.d/netcore-web.conf for this app.
Since connections over HTTP already work, I'll proceed with /etc/httpd/conf/httpd.conf left at its default, without editing it.
Just in case, restart Apache.
[ec2-user@ip- ~]$ sudo systemctl restart httpd
Installing and running Certbot
Install the Certbot package and its dependencies
[ec2-user@ip- ~]$ sudo yum install -y certbot python2-certbot-apache
------
完了しました!
Run Certbot
[ec2-user@ip- ~]$ sudo certbot
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): xxx@mail-domain ↵

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A ↵

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N ↵

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: xxx.domain
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): ↵
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for xxx.domain
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/httpd/conf.d/netcore-web-le-ssl.conf
Deploying Certificate to VirtualHost /etc/httpd/conf.d/netcore-web-le-ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2 ↵
Redirecting vhost in /etc/httpd/conf.d/netcore-web.conf to ssl vhost in /etc/httpd/conf.d/netcore-web-le-ssl.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://xxx.domain

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=xxx.domain
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/xxx.domain/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/xxx.domain/privkey.pem
   Your cert will expire on 2020-04-25. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of your
   certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot configuration
   directory at /etc/letsencrypt. You should make a secure backup of this
   folder now. This configuration directory will also contain certificates
   and private keys obtained by Certbot so making regular backups of this
   folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
I chose "2" so that HTTP access is redirected to HTTPS.
The .conf file had been edited automatically, as shown below
[ec2-user@ip- conf.d]$ cat /etc/httpd/conf.d/netcore-web.conf
<VirtualHost *:*>
RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
</VirtualHost>
<VirtualHost *:80>
ProxyPreserveHost On
ProxyPass / http://127.0.0.1:5000/
ProxyPassReverse / http://127.0.0.1:5000/
ServerName xxx.domain
ServerAlias *.xxx.domain
ErrorLog /var/log/httpd/netcore-web-error.log
CustomLog /var/log/httpd/netcore-web-access.log common
RewriteEngine on
RewriteCond %{SERVER_NAME} =*.xxx.domain [OR]
RewriteCond %{SERVER_NAME} =xxx.domain
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
In addition, /etc/httpd/conf.d/netcore-web-le-ssl.conf had been added
[root@ip- conf.d]# cat netcore-web-le-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>
ProxyPreserveHost On
ProxyPass / http://127.0.0.1:5000/
ProxyPassReverse / http://127.0.0.1:5000/
ServerName xxx.domain
ServerAlias *.xxx.domain
ErrorLog /var/log/httpd/netcore-web-error.log
CustomLog /var/log/httpd/netcore-web-access.log common
SSLCertificateFile /etc/letsencrypt/live/xxx.domain/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/xxx.domain/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
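Between the two files certbot now controls the three settings that matter for a proxied site that is meant to be HTTPS-only: the *:80 vhost must answer with a permanent redirect to https://, the *:443 vhost must name the certificate, the key and certbot's options-ssl-apache.conf (which carries the protocol and cipher settings), and X-Forwarded-Proto must be set with RequestHeader set, which overwrites any value a client sends, rather than with add or append. The script below is an added example, not code from the post or from certbot: a lint written in awk that checks a vhost file for exactly those points. The function names (lint_vhosts, write_page_vhosts, write_weak_vhosts) are mine, and both sample configurations are constructed for the demo, the first a copy of what the post shows and the second a deliberately weaker variant.

```sh
#!/bin/sh
# Added example (not from the original post): lint certbot's vhost files for a
# proxied, HTTPS-only site. Findings go to stderr; the count goes to stdout.

lint_vhosts() {
  awk '
  /^[ \t]*<VirtualHost/ {
    vh = $0; sub(/.*<VirtualHost[ \t]+/, "", vh); sub(/>.*/, "", vh)
    cur = vh; seen[cur] = 1; next        # cur is e.g. "*:80" or "*:443"
  }
  /^[ \t]*<\/VirtualHost>/ { cur = ""; next }
  cur != "" {
    if ($0 ~ /RequestHeader[ \t]+set[ \t]+.?X-Forwarded-Proto/) xfp = 1
    if ($0 ~ /RewriteRule.*https:\/\/.*R=permanent/)          redir[cur] = 1
    if ($0 ~ /^[ \t]*SSLCertificateFile[ \t]/)                  cert[cur] = 1
    if ($0 ~ /^[ \t]*SSLCertificateKeyFile[ \t]/)               key[cur] = 1
    if ($0 ~ /^[ \t]*Include[ \t].*options-ssl-apache\.conf/)   opts[cur] = 1
  }
  END {
    n = 0
    for (v in seen) {
      if (v ~ /:80$/ && !(v in redir)) { print "FINDING " v ": no permanent redirect to https://" > "/dev/stderr"; n++ }
      if (v ~ /:443$/) {
        if (!(v in cert)) { print "FINDING " v ": SSLCertificateFile missing" > "/dev/stderr"; n++ }
        if (!(v in key))  { print "FINDING " v ": SSLCertificateKeyFile missing" > "/dev/stderr"; n++ }
        if (!(v in opts)) { print "FINDING " v ": options-ssl-apache.conf not included" > "/dev/stderr"; n++ }
      }
    }
    if (!xfp) { print "FINDING: no RequestHeader set for X-Forwarded-Proto (client-supplied value would pass through)" > "/dev/stderr"; n++ }
    print n
  }' "$1"
}

# Constructed copy of the configuration the post shows, joined into one file.
write_page_vhosts() {
  cat > "$1" <<'EOF'
<VirtualHost *:*>
RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
</VirtualHost>
<VirtualHost *:80>
ProxyPass / http://127.0.0.1:5000/
ServerName xxx.domain
RewriteEngine on
RewriteCond %{SERVER_NAME} =xxx.domain
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost *:443>
ProxyPass / http://127.0.0.1:5000/
ServerName xxx.domain
SSLCertificateFile /etc/letsencrypt/live/xxx.domain/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/xxx.domain/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
EOF
}

# Constructed weaker variant: HTTP still served, no forwarded-scheme header,
# certbot's TLS settings not included.
write_weak_vhosts() {
  cat > "$1" <<'EOF'
<VirtualHost *:80>
ProxyPass / http://127.0.0.1:5000/
ServerName xxx.domain
</VirtualHost>
<VirtualHost *:443>
ProxyPass / http://127.0.0.1:5000/
ServerName xxx.domain
SSLCertificateFile /etc/letsencrypt/live/xxx.domain/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/xxx.domain/privkey.pem
</VirtualHost>
EOF
}

page=$(mktemp); weak=$(mktemp)
write_page_vhosts "$page"; write_weak_vhosts "$weak"
echo "findings in the post's config: $(lint_vhosts "$page")"   # 0
echo "findings in the weak config:   $(lint_vhosts "$weak")"   # 3
rm -f "$page" "$weak"
```

On the real instance the same check runs as `cat /etc/httpd/conf.d/netcore-web.conf /etc/httpd/conf.d/netcore-web-le-ssl.conf > /tmp/vhosts.conf; lint_vhosts /tmp/vhosts.conf`, and is worth re-running after any later hand edit to those files, since certbot's redirect lines live in the file you would edit.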
Checking HTTPS access
http://xxx.domain → automatically became https://xxx.domain
Setting up automatic certificate renewal
Automating Certbot
I tried the following two approaches and am waiting to see how they go
Create a cron job with crontab -e as ec2-user
[ec2-user@ip- ~]$ crontab -l
30 0,12 * * * root certbot renew --no-self-upgrade
[ec2-user@ip- ~]$ sudo systemctl restart crond
Set up /etc/crontab as root
[root@ip- etc]# vi /etc/crontab
[root@ip- conf.d]# cat /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root

# For details see man 4 crontabs

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name  command to be executed
30 0,12 * * * root /usr/bin/certbot renew --no-self-upgrade
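The two crontabs above use the same line in two files with different formats, and that is the detail that decides whether the renewal ever runs. /etc/crontab has a user-name column between the five time fields and the command, as its own header comment shows; a per-user crontab edited with crontab -e has no such column, so in the ec2-user entry cron treats "root" as the program to run and "certbot" as its first argument. The following is an added example, not code from the post: a function that reports which program a cron line actually starts under each format, plus a days-until-expiry calculation from the notAfter value that `openssl x509 -noout -enddate -in fullchain.pem` prints, so the 2020-04-25 expiry can be checked from a script without waiting for the site to go dark. All function names are mine; the cron line and the expiry date are the post's own values, and the dates used in the demo are constructed. `certbot renew --dry-run` is the quickest way to confirm the renewal itself works before trusting either crontab to it.

```sh
#!/bin/sh
# Added example (not from the original post): two checks for the renewal setup.

# cron_program LINE FORMAT -> the program cron will start for LINE.
# FORMAT is "user" (crontab -e: 5 time fields, then the command) or
# "system" (/etc/crontab: 5 time fields, a user name, then the command).
cron_program() {
  fields=5
  [ "$2" = system ] && fields=6
  echo "$1" | awk -v n="$fields" '{ print $(n + 1) }'
}

month_num() {
  case "$1" in
    Jan) echo 1 ;;  Feb) echo 2 ;;  Mar) echo 3 ;;  Apr) echo 4 ;;
    May) echo 5 ;;  Jun) echo 6 ;;  Jul) echo 7 ;;  Aug) echo 8 ;;
    Sep) echo 9 ;;  Oct) echo 10 ;; Nov) echo 11 ;; Dec) echo 12 ;;
    *) return 1 ;;
  esac
}

# jdn YEAR MONTH DAY -> Julian day number (Fliegel and Van Flandern), integer
# arithmetic only, so no dependency on GNU date. jdn 2000 1 1 -> 2451545
jdn() {
  a=$(( (14 - $2) / 12 ))
  y=$(( $1 + 4800 - a ))
  m=$(( $2 + 12 * a - 3 ))
  echo $(( $3 + (153 * m + 2) / 5 + 365 * y + y / 4 - y / 100 + y / 400 - 32045 ))
}

# days_until NOTAFTER TODAY -> whole days from TODAY (YYYY-MM-DD) to NOTAFTER,
# NOTAFTER being the value openssl prints, e.g. "Apr 25 00:00:00 2020 GMT".
days_until() {
  set -- $1 "$2"                 # Mon DD HH:MM:SS YYYY TZ TODAY
  em=$(month_num "$1"); ed=${2#0}; ey=$4; today=$6
  ty=${today%%-*}; rest=${today#*-}; tm=${rest%-*}; td=${rest#*-}
  tm=${tm#0}; td=${td#0}         # avoid octal parsing of 08/09 in $(( ))
  echo $(( $(jdn "$ey" "$em" "$ed") - $(jdn "$ty" "$tm" "$td") ))
}

# renew_due NOTAFTER TODAY -> yes when 30 days or fewer remain, which is the
# point at which `certbot renew` would actually renew the certificate.
renew_due() {
  if [ "$(days_until "$1" "$2")" -le 30 ]; then echo yes; else echo no; fi
}

# Demo with the post's own cron line and expiry date.
line='30 0,12 * * * root certbot renew --no-self-upgrade'
echo "in crontab -e   the line starts: $(cron_program "$line" user)"     # root
echo "in /etc/crontab the line starts: $(cron_program "$line" system)"   # certbot
echo "days left on 2020-01-26: $(days_until 'Apr 25 00:00:00 2020 GMT' 2020-01-26)"  # 90
echo "renew due on 2020-04-01: $(renew_due 'Apr 25 00:00:00 2020 GMT' 2020-04-01)"   # yes
```

For the live certificate, `days_until "$(openssl x509 -noout -enddate -in /etc/letsencrypt/live/xxx.domain/fullchain.pem | cut -d= -f2)" "$(date +%F)"` gives the number to alert on; anything under 30 days with a renewal job in place means the job is not running, which is the situation the summary below describes.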
Summary
I'm getting a little more used to installing Let's Encrypt.
Automatic certificate renewal isn't working properly yet, so I plan to revisit it.
Be careful: when the certificate expires after three months, the site becomes inaccessible.