前提
Apacheがインストールされ、https通信が利用できるようになっていること。
http(80番ポート)が開いていること。
OSは、Red Hat Enterprise LinuxおよびRed Hat Enterprise Linuxと互換性のある無料Linuxディストリビューション(Rocky Linux, AlmaLinux OS, CentOS7)でも、同様の操作で発行できる。
Certbotのインストール
# yum install epel-release
# yum install certbot python-certbot-apacheTLSサーバー証明書発行申請
以下の3つのFQDNで使用できる証明書を発行申請し、取得する。
DNS Name=worldmotor.f5.si
DNS Name=www.worldmotor.f5.si
DNS Name=google.worldmotor.f5.si
RSA方式の場合
# certbot certonly --webroot -w /var/www/html/ -d worldmotor.f5.si -d www.worldmotor.f5.si -d google.worldmotor.f5.si
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): xxxx@gmail.com
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https: //letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
Account registered.
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Requesting a certificate for worldmotor.f5.si and 2 more domains
Performing the following challenges:
http-01 challenge for google.worldmotor.f5.si
http-01 challenge for worldmotor.f5.si
http-01 challenge for www.worldmotor.f5.si
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Subscribe to the EFF mailing list (email: xxxx@gmail.com).
Starting new HTTPS connection (1): supporters.eff.org
We were unable to subscribe you the EFF mailing list because your e-mail address appears to be invalid. You can try again later by visiting https://act.eff.org.
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/worldmotor.f5.si/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/worldmotor.f5.si/privkey.pem
Your certificate will expire on 2024-01-14. To obtain a new or
tweaked version of this certificate in the future, simply run
certbot again. To non-interactively renew *all* of your
certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
# cd /etc/letsencrypt/live/worldmotor.f5.si
# ls -l
total 4
lrwxrwxrwx 1 root root 40 Oct 16 22:49 cert.pem -> ../../archive/worldmotor.f5.si/cert1.pem
lrwxrwxrwx 1 root root 41 Oct 16 22:49 chain.pem -> ../../archive/worldmotor.f5.si/chain1.pem
lrwxrwxrwx 1 root root 45 Oct 16 22:49 fullchain.pem -> ../../archive/worldmotor.f5.si/fullchain1.pem
lrwxrwxrwx 1 root root 43 Oct 16 22:49 privkey.pem -> ../../archive/worldmotor.f5.si/privkey1.pem
-rw-r--r-- 1 root root 692 Oct 16 22:49 READMEECC方式の場合
# certbot certonly --key-type ecdsa --webroot -w /var/www/html/ -d worldmotor.f5.si -d www.worldmotor.f5.si -d google.worldmotor.f5.siApache の設定
ACMEで発行された証明書の場所を設定する。
[/etc/httpd/conf.d/ssl.conf]
(省略)
SSLCertificateFile /etc/letsencrypt/live/worldmotor.f5.si/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/worldmotor.f5.si/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/worldmotor.f5.si/chain.pem
(省略)Apache再起動
Apacheを再起動する。OSを「reboot」しても証明書ファイルは再読み込みされる。
# systemctl start httpdCertbotで証明書更新
以下の場合、有効期間に余裕があるため、「更新をしない」という結果が表示されている。
90日有効な証明書のため、60日経過すると、更新が可能になる。
# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/worldmotor.f5.si.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certificates are not due for renewal yet:
/etc/letsencrypt/live/worldmotor.f5.si/fullchain.pem expires on 2024-01-14 (skipped)
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -更新するタイミングでECC方式に変更する場合
更新するタイミングでECCに切り替える場合は、更新する前に「/etc/letsencrypt/cli.ini」ファイルを編集する。
/etc/letsencrypt/cli.ini
secp256r1の場合
# Use ECC for the private key
key-type = ecdsa
elliptic-curve = secp256r1secp384r1の場合
# Use ECC for the private key
key-type = ecdsa
elliptic-curve = secp384r1参照
https://eff-certbot.readthedocs.io/en/latest/using.html#configuration-file
Cron設定
日次でCronを起動し、更新確認する。(発行後60日経過後に発行可。60日未満は何もしない)
# crontab -u root -e
以下を追記↓
0 7 * * 1-5 certbot renew --force-renew --webroot -w /var/www/html/>> /var/log/certbot-auto.log 2>&1
5 7 * * 1-5 systemctl restart httpd