1.SSL証明書を取得する (Let's Encrypt)
事前作業
mod_sslを有効にする
mod_sslが有効になっていない場合には、有効化しておきます
1 |
# a2enmod ssl |
1.1 証明書の取得
1 2 |
# zypper -n install certbot # certbot certonly --webroot -w /srv/www/htdocs/ -d <FQDN> |
# 初回のみメールアドレスの登録と利用条件への同意が必要
# 受信可能なメールアドレスを指定
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 |
Saving debug log to /var/log/letsencrypt/letsencrypt.log Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): E-mail address - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Please read the Terms of Service at https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf. You must agree in order to register with the ACME server. Do you agree? - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (Y)es/(N)o: y - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Would you be willing, once your first certificate is successfully issued, to share your email address with the Electronic Frontier Foundation, a founding partner of the Let's Encrypt project and the non-profit organization that develops Certbot? We'd like to send you email about our work encrypting the web, EFF news, campaigns, and ways to support digital freedom. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (Y)es/(N)o: y Account registered. Requesting a certificate for [FQDN] Successfully received certificate. Certificate is saved at: /etc/letsencrypt/live/[FQDN]/fullchain.pem Key is saved at: /etc/letsencrypt/live/[FQDN]/privkey.pem This certificate expires on 2023-09-11. These files will be updated when the certificate renews. NEXT STEPS: - The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions. We were unable to subscribe you the EFF mailing list because your e-mail address appears to be invalid. You can try again later by visiting https://act.eff.org. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - If you like Certbot, please consider supporting our work by: * Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate * Donating to EFF: https://eff.org/donate-le - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - |
「Successfully received certificate.」と表示されれば成功
# メッセージ中に記載の通り [/etc/letsencrypt/live/<FQDN>/] 配下に次の証明書が取得されている
# cert.pem ⇒ SSLサーバー証明書(公開鍵含む)
# chain.pem ⇒ 中間証明書
# fullchain.pem ⇒ cert.pem と chain.pem が結合されたファイル
# privkey.pem ⇒ 公開鍵に対する秘密鍵
2. WebサーバーSSL化
2.1 SSLの設定
1 2 3 |
# a2enmod ssl # a2enmod -l actions alias auth_basic authn_core authn_file authz_host authz_groupfile authz_core authz_user autoindex cgi dir env expires include log_config mime negotiation setenvif ssl socache_shmcb userdir reqtimeout cgid php7 version |
1 2 3 |
# vi /etc/apache2/listen.conf ● 17行目:コメント解除 Listen 443 |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 |
# vi /etc/apache2/vhosts.d/default-ssl.conf # 新規作成 <VirtualHost *:443> DocumentRoot "/srv/www/htdocs/" SSLEngine on SSLProtocol all -SSLv2 -SSLv3 SSLCertificateFile /etc/letsencrypt/live/<FQDN>/cert.pem SSLCertificateKeyFile /etc/letsencrypt/live/<FQDN>/privkey.pem SSLCertificateChainFile /etc/letsencrypt/live/<FQDN>/chain.pem <FilesMatch "\.(cgi|shtml|phtml|php)$"> SSLOptions +StdEnvVars </FilesMatch> <Directory "/srv/www/cgi-bin"> SSLOptions +StdEnvVars </Directory> </VirtualHost> |
1 |
# systemctl restart apache2 |
2.2 HTTP 通信を HTTPS へリダイレクト
HTTP 通信も全て HTTPS へリダイレクトする場合は下記のようにvirtual_host_ssl.confを新規作成
1 2 3 4 5 6 7 8 9 10 11 12 13 |
# vi /etc/apache2/vhosts.d/virtual_host_ssl.conf <VirtualHost *:80> ServerName <FQDN> ServerAdmin <Email address> DocumentRoot /srv/www/htdocs/ ErrorLog /var/log/apache2/error.log CustomLog /var/log/apache2/access.log combined LogLevel warn RewriteEngine On RewriteCond %{HTTPS} off RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L] </VirtualHost> |
1 2 3 |
# a2enmod rewrite # a2enmod -l actions alias auth_basic authn_core authn_file authz_host authz_groupfile authz_core authz_user autoindex cgi dir env expires include log_config mime negotiation setenvif ssl socache_shmcb userdir reqtimeout cgid php7 version rewrite |
1 |
# systemctl restart apache2 |
Firewalld を有効にしている場合は HTTPS サービスの許可が必要。HTTPS は 443/TCP を使用します。
1 2 3 4 |
# firewall-cmd --add-service=https --permanent success # firewall-cmd --reload success |