How to serve free SSL/TLS on nginx on CentOS 6.x
Add the package repository the Certbot client needs
sudo yum install epel-release
Download and install the Certbot client
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
./certbot-auto
The script runs as root and installs a compiler and Python, so verify the detached signature published alongside it (certbot-auto.asc) before executing it. Note that the Certbot project has since deprecated certbot-auto, and CentOS 6 reached end of life in November 2020; on a current system install certbot from the distribution or as a snap instead.
Installing Certbot
certbot-auto installs every package it depends on
In my environment the following packages were required.
Type y to confirm.
================================================================================
 Package               Arch     Version                     Repository  Size
================================================================================
Installing:
 libffi-devel          x86_64   3.0.5-3.2.el6               base        18 k
 mod_ssl               x86_64   1:2.2.15-60.el6.centos.6    updates     99 k
 openssl-devel         x86_64   1.0.1e-57.el6               base       1.2 M
 python34              x86_64   3.4.5-4.el6                 epel        50 k
 python34-devel        x86_64   3.4.5-4.el6                 epel       186 k
 python34-tools        x86_64   3.4.5-4.el6                 epel       425 k
Updating:
 ca-certificates       noarch   2017.2.14-65.0.1.el6_9      updates    1.3 M
 gcc                   x86_64   4.4.7-18.el6_9.2            updates     10 M
 openssl               x86_64   1.0.1e-57.el6               base       1.5 M
 redhat-rpm-config     noarch   9.0.3-51.el6.centos         base        60 k
Installing for dependencies:
 keyutils-libs-devel   x86_64   1.4-5.el6                   base        29 k
 krb5-devel            x86_64   1.10.3-65.el6               base       504 k
 libcom_err-devel      x86_64   1.41.12-23.el6              base        33 k
 libkadm5              x86_64   1.10.3-65.el6               base       143 k
 libselinux-devel      x86_64   2.0.94-7.el6                base       137 k
 libsepol-devel        x86_64   2.0.41-4.el6                base        64 k
 python-rpm-macros     noarch   3-11.el6                    epel       5.4 k
 python-srpm-macros    noarch   3-11.el6                    epel       4.8 k
 python3-rpm-macros    noarch   3-11.el6                    epel       4.9 k
 python34-libs         x86_64   3.4.5-4.el6                 epel       8.3 M
 python34-tkinter      x86_64   3.4.5-4.el6                 epel       336 k
 tcl                   x86_64   1:8.5.7-6.el6               base       1.9 M
 tk                    x86_64   1:8.5.7-5.el6               base       1.4 M
 zlib-devel            x86_64   1.2.3-29.el6                base        44 k
Updating for dependencies:
 cpp                   x86_64   4.4.7-18.el6_9.2            updates    3.7 M
 e2fsprogs             x86_64   1.41.12-23.el6              base       554 k
 e2fsprogs-libs        x86_64   1.41.12-23.el6              base       121 k
 gcc-c++               x86_64   4.4.7-18.el6_9.2            updates    4.7 M
 gcc-gfortran          x86_64   4.4.7-18.el6_9.2            updates    4.7 M
 httpd                 x86_64   2.2.15-60.el6.centos.6      updates    836 k
 httpd-tools           x86_64   2.2.15-60.el6.centos.6      updates     80 k
 krb5-libs             x86_64   1.10.3-65.el6               base       675 k
 libcom_err            x86_64   1.41.12-23.el6              base        38 k
 libgcc                x86_64   4.4.7-18.el6_9.2            updates    103 k
 libgfortran           x86_64   4.4.7-18.el6_9.2            updates    268 k
 libgomp               x86_64   4.4.7-18.el6_9.2            updates    134 k
 libselinux            x86_64   2.0.94-7.el6                base       109 k
 libselinux-utils      x86_64   2.0.94-7.el6                base        82 k
 libss                 x86_64   1.41.12-23.el6              base        42 k
 libstdc++             x86_64   4.4.7-18.el6_9.2            updates    296 k
 libstdc++-devel       x86_64   4.4.7-18.el6_9.2            updates    1.6 M

Transaction Summary
================================================================================
Install      20 Package(s)
Upgrade      21 Package(s)

Total download size: 46 M
Is this ok [y/N]: y
Confirming that Certbot installed
Look for "Complete!" followed by "Installation succeeded." If anything fails, check the log:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Installed:
  libffi-devel.x86_64 0:3.0.5-3.2.el6        mod_ssl.x86_64 1:2.2.15-60.el6.centos.6
  openssl-devel.x86_64 0:1.0.1e-57.el6       python34.x86_64 0:3.4.5-4.el6
  python34-devel.x86_64 0:3.4.5-4.el6        python34-tools.x86_64 0:3.4.5-4.el6

Dependency Installed:
  keyutils-libs-devel.x86_64 0:1.4-5.el6     krb5-devel.x86_64 0:1.10.3-65.el6
  libcom_err-devel.x86_64 0:1.41.12-23.el6   libkadm5.x86_64 0:1.10.3-65.el6
  libselinux-devel.x86_64 0:2.0.94-7.el6     libsepol-devel.x86_64 0:2.0.41-4.el6
  python-rpm-macros.noarch 0:3-11.el6        python-srpm-macros.noarch 0:3-11.el6
  python3-rpm-macros.noarch 0:3-11.el6       python34-libs.x86_64 0:3.4.5-4.el6
  python34-tkinter.x86_64 0:3.4.5-4.el6      tcl.x86_64 1:8.5.7-6.el6
  tk.x86_64 1:8.5.7-5.el6                    zlib-devel.x86_64 0:1.2.3-29.el6

Updated:
  ca-certificates.noarch 0:2017.2.14-65.0.1.el6_9   gcc.x86_64 0:4.4.7-18.el6_9.2
  openssl.x86_64 0:1.0.1e-57.el6                    redhat-rpm-config.noarch 0:9.0.3-51.el6.centos

Dependency Updated:
  cpp.x86_64 0:4.4.7-18.el6_9.2              e2fsprogs.x86_64 0:1.41.12-23.el6
  e2fsprogs-libs.x86_64 0:1.41.12-23.el6     gcc-c++.x86_64 0:4.4.7-18.el6_9.2
  gcc-gfortran.x86_64 0:4.4.7-18.el6_9.2     httpd.x86_64 0:2.2.15-60.el6.centos.6
  httpd-tools.x86_64 0:2.2.15-60.el6.centos.6   krb5-libs.x86_64 0:1.10.3-65.el6
  libcom_err.x86_64 0:1.41.12-23.el6         libgcc.x86_64 0:4.4.7-18.el6_9.2
  libgfortran.x86_64 0:4.4.7-18.el6_9.2      libgomp.x86_64 0:4.4.7-18.el6_9.2
  libselinux.x86_64 0:2.0.94-7.el6           libselinux-utils.x86_64 0:2.0.94-7.el6
  libss.x86_64 0:1.41.12-23.el6              libstdc++.x86_64 0:4.4.7-18.el6_9.2
  libstdc++-devel.x86_64 0:4.4.7-18.el6_9.2

Complete!
Creating virtual environment...
Installing Python packages...
Installation succeeded.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enabling HTTPS interactively with Certbot
Choose the web server type
This is nginx, so type 2 and press Enter.
How would you like to authenticate and install certificates?
-------------------------------------------------------------------------------
1: Apache Web Server plugin - Beta (apache)
2: Nginx Web Server plugin - Alpha (nginx)
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Enter a contact email address (Let's Encrypt sends expiry and security notices here, so use an address that is actually monitored)
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): sample@gmail.com
Read the Terms of Service and, if you accept them,
type A and press Enter. (The acme-v01 endpoint shown here is the ACME v1 API, which Let's Encrypt has since retired; current Certbot releases use the v2 endpoint.)
-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: A
Certbot asks whether the address above may be shared with the EFF mailing list.
Type N and press Enter (this has no effect on the certificate).
-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: N
Choose the site to enable HTTPS for
The list is built from the server_name directives in your nginx configuration. We want sample.com,
so type 1 and press Enter.
Which names would you like to activate HTTPS for?
-------------------------------------------------------------------------------
1: sample.com
2: exsample.com
3: test.com
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Choose what to do with plain-HTTP requests
We want them redirected to HTTPS, so type 2 and press Enter. Certbot rewrites the nginx server block for this; the change can be reverted by editing the configuration.
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Check the final message. Note the certificate and key paths, the expiry date (Let's Encrypt certificates are valid for 90 days), and that renewal is done with certbot-auto renew. Run the SSL Labs test it links to before considering the site done.
-------------------------------------------------------------------------------
Congratulations! You have successfully enabled https://sample.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=sample.com
-------------------------------------------------------------------------------

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/sample.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/sample.com/privkey.pem
   Your cert will expire on 2018-08-17. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
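The same procedure without the prompts, plus the renewal job the final message asks for and a post-issue check. This is an added example, not code from the original post or from the Certbot project. It assumes certbot-auto is in the current directory when issuing, that its installed path and the cron file are passed in as arguments, and that sample.com and admin@sample.com are placeholders like those in the post. Flags used (--nginx, -d, --email, --agree-tos, --no-eff-email, --redirect, --non-interactive, renew --quiet, --deploy-hook) are Certbot's own.

```shell
#!/bin/sh
# Added example: non-interactive equivalent of the interactive session above,
# a renewal cron entry, and an offline check of the resulting certificate.

# Same answers as the prompts: nginx plugin (2), contact address, agree to the
# ToS (A), decline the EFF list (N), one name (1), redirect HTTP to HTTPS (2).
# Needs network access and root; defined here but not run by default.
issue_certificate() {
    domain="$1"; email="$2"
    ./certbot-auto --nginx -d "$domain" \
        --email "$email" --agree-tos --no-eff-email \
        --redirect --non-interactive
}

# Write a cron.d entry. "renew" only renews certificates within 30 days of
# expiry, so twice a day is cheap; --deploy-hook reloads nginx only when a
# certificate actually changed. $1 = path to certbot-auto (assumed),
# $2 = cron file to write (e.g. /etc/cron.d/certbot-renew).
install_renew_cron() {
    certbot="$1"; target="$2"
    printf '%s\n' "17 3,15 * * * root $certbot renew --quiet --deploy-hook \"nginx -s reload\"" > "$target"
}

# Exit 0 if the certificate in $1 stays valid for at least $2 more days.
# -checkend does the date arithmetic, so no locale-dependent parsing.
cert_valid_for_days() {
    cert="$1"; days="$2"
    openssl x509 -noout -in "$cert" -checkend $((days * 86400))
}

# Exit 0 if the certificate in $1 was issued for hostname $2, looking at both
# the Subject CN and the subjectAltName DNS entries (Let's Encrypt certificates
# carry the names in the SAN). "." in the name is a regex wildcard here, which
# is acceptable for a sanity check.
cert_has_name() {
    cert="$1"; name="$2"
    openssl x509 -noout -text -in "$cert" \
        | grep -qE "(CN *= *|DNS:)${name}([ ,/]|\$)"
}

# Usage: sh this.sh check /etc/letsencrypt/live/sample.com/fullchain.pem sample.com
if [ "${1:-}" = "check" ]; then
    if cert_valid_for_days "$2" 30 && cert_has_name "$2" "$3"; then
        echo "OK: $2 covers $3 and is valid for 30+ days"
    else
        echo "WARNING: $2 is missing $3 or expires within 30 days; run certbot-auto renew" >&2
        exit 1
    fi
fi
```

Run the check from cron or a monitoring job a few days before the expiry date printed above; if it fails while the renewal cron is in place, inspect /var/log/letsencrypt/letsencrypt.log for the reason the renewal did not go through.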
What to check if your site is missing from the list
nginx accepts a leading dot in server_name as shorthand (".sample.com" matches sample.com and every subdomain), but certbot-auto's nginx plugin does not recognise that form when it builds the list of names,
so temporarily write the names out without the dot.
This is not recognised:
server_name .sample.com;
It has to be spelled out like this:
server_name sample.com www.sample.com;
After the certificate is issued you can keep the explicit form; it also documents exactly which names the certificate covers.
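A small check for the leading-dot problem described above, added here as an example rather than taken from the original post. It scans an nginx configuration for server_name directives that use the dot shorthand and prints a rewritten copy with each ".host" expanded to "host www.host", the same rewrite the post applies by hand. It assumes the config path is given as the first argument ("-" for stdin), that each server_name directive fits on one line, and that www is the only subdomain you need; any other subdomains the wildcard used to cover must be added by hand.

```shell
#!/bin/sh
# Added example: detect and expand leading-dot server_name entries that
# certbot-auto's nginx plugin does not list.

# Print (with line numbers) every server_name directive containing a
# leading-dot name. Exit status 0 if any were found, 1 if none.
find_dotted_server_names() {
    grep -nE '^[[:space:]]*server_name([[:space:]]+[^[:space:];]+)*[[:space:]]+\.[A-Za-z0-9]' "$1"
}

# Print the config with each leading-dot name expanded in place. Indentation,
# the trailing ";" and any comment after it, and all other lines are kept.
# Assumption: ".host" becomes "host www.host", matching the post's rewrite.
expand_dotted_server_names() {
    awk '
    /^[ \t]*server_name[ \t]/ && index($0, ";") > 0 {
        body = $0
        sub(/;.*$/, "", body)                 # names only
        tail = substr($0, index($0, ";"))     # ";" plus anything after it
        match($0, /^[ \t]*/)
        indent = substr($0, 1, RLENGTH)
        n = split(body, tok)                  # default FS: split on blanks
        out = ""
        for (i = 1; i <= n; i++) {
            if (tok[i] ~ /^\.[A-Za-z0-9]/) {
                host = substr(tok[i], 2)
                tok[i] = host " www." host
            }
            out = (out == "" ? tok[i] : out " " tok[i])
        }
        print indent out tail
        next
    }
    { print }
    ' "$1"
}

# Usage: sh this.sh /etc/nginx/conf.d/sample.conf
if [ -n "${1:-}" ]; then
    if find_dotted_server_names "$1"; then
        echo "--- rewritten config (review it, then replace the original and reload nginx) ---"
        expand_dotted_server_names "$1"
    else
        echo "no leading-dot server_name found in $1"
    fi
fi
```

Review the output before copying it over the original file: the script only expands to www, so a site that relied on ".sample.com" to serve, say, api.sample.com needs that name added to the list as well, and certbot then needs it added to the certificate.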