業務用エアコン関連の技術情報、エラーコード、環境問題対策に関する別サイト「エアコンの安全な修理・適切なフロン回収」

openSUSE Tumbleweed : Web Server SSL

1.Obtain an SSL Certificate (Let's Encrypt)

1.1 advance preparation

1.Enable mod_ssl

# a2enmod ssl

2.Package management system Snappy installation
Since the SSL certificate issuing tool "certbot" of Let's Encrypt is recommended to be installed using "snap" after 2021, install Snapd first.

Add snappy repository.:

# zypper addrepo --refresh https://download.opensuse.org/repositories/system:/snappy/openSUSE_Tumbleweed snappy

Import its GPG key:

# zypper --gpg-auto-import-keys refresh

Upgrade the package cache to include the new snappy repository:

# zypper dup --from snappy

Install snapd

# zypper -n install snapd

You will then need to reboot, logout/login, or run /etc/profile source to add /snap/bin to your PATH. In addition, enable and start both the snapd service and the snapd.apparmor service using the following command

# systemctl enable --now snapd
# systemctl enable --now snapd.apparmor

Enable Classic Snap Support

# ln -s /var/lib/snapd/snap /snap

Bring snapd version up to date

# snap install core

Update core package

# snap refresh core

Version Confirmation

# snap --version
snap                 2.75.2
snapd                2.75.2
series               16
opensuse-tumbleweed  20260619
kernel               7.0.12-1-default
architecture         amd64

1.2 Obtaining Certificates

Install the Certbot package and obtain a Let's Encrypt certificate.

# snap install certbot --classic
certbot 5.6.0 from Certbot Project (certbot-eff✓) installed

# certbot certonly --webroot -w /srv/www/htdocs/<FQDN> -d <FQDN>

# Registration of e-mail address and agreement to terms of use are required for the first time only.
# Specify an email address to receive

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address or hit Enter to skip.
 (Enter 'c' to cancel): [mail address]

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at:
https://letsencrypt.org/documents/LE-SA-v1.7-June-04-2026.pdf
You must agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
Account registered.
Requesting a certificate for [FQDN]

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/ [FQDN]/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/ [FQDN]/privkey.pem
This certificate expires on 2026-09-21.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - L

Success if displayed"Successfully received certificate"
The following certificate is obtained under [/etc/letsencrypt/live//] as described in the message

# cert.pem ⇒ SSL server certificate (including public key)
# chain.pem ⇒ intermediate certificate
# fullchain.pem ⇒ File containing cert.pem and chain.pem combined
# privkey.pem ⇒ private key

2. Web server SSL conversion

2.1 SSL Configuration

# a2enmod -l
actions alias auth_basic authn_core authn_file authz_host authz_groupfile authz_core authz_user autoindex cgi dir env expires include log_config mime negotiation setenvif ssl socache_shmcb userdir reqtimeout cgid php8
# vi /etc/apache2/listen.conf

Line 17: Uncomment
Listen 443
# vi /etc/apache2/vhosts.d/default-ssl.conf

# Create a new entry and enter the following information
<VirtualHost *:443>
DocumentRoot "/srv/www/htdocs/[FQDN]"
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCertificateFile /etc/letsencrypt/live/[FQDN]/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/[FQDN]/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/[FQDN]/chain.pem
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/srv/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
</VirtualHost>

Restart Apache

# systemctl restart apache2

2.2 Redirect HTTP communications to HTTPS

To redirect HTTP traffic to HTTPS, add the following to the virtual host configuration file "vhost.conf":

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# vi /etc/apache2/vhosts.d/vhost.conf

<VirtualHost *:80>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

ServerName [FQDN]
ServerAdmin [Email address]
DocumentRoot /srv/www/htdocs/[FQDN]
ErrorLog /var/log/apache2/[FQDN].error.log
CustomLog /var/log/apache2/[FQDN].access.log combined
LogLevel warn
</VirtualHost>

Enable rewrite

# a2enmod rewrite

Restart Apache

# systemctl restart apache2

HTTPS service must be allowed if Firewalld is enabled; HTTPS uses 443/TCP.

# firewall-cmd --add-service=https --permanent
success
# firewall-cmd --reload
success