Contents
1. Obtain SSL Certificate (Let's Encrypt)
Install the latest OpenSSL
# pacman -S openssl
1.1 Advance preparation
1. Install the Snappy package management system
Since 2021 the recommended way to install certbot, Let's Encrypt's certificate-issuing tool, is via snap, so install snapd first.
$ git clone https://aur.archlinux.org/snapd.git
$ cd snapd
$ makepkg -si
Enable the systemd unit that manages the main snap communication socket
# systemctl enable --now snapd.socket
Created symlink /etc/systemd/system/sockets.target.wants/snapd.socket → /usr/lib/systemd/system/snapd.socket.
Enable classic snap support
# ln -s /var/lib/snapd/snap /snap
Version Check
# snap --version
snap    2.61-2
snapd   2.61-2
series  16
arch    -
kernel  6.6.7-arch1-1
Log out and log in again (or reboot) so that the snap path is picked up correctly.
2. Install the certbot package
# snap install --classic certbot
certbot 2.8.0 from Certbot Project (certbot-eff✓) installed
Create a symbolic link to /snap/bin/certbot
# ln -s /snap/bin/certbot /usr/bin/certbot
Confirmation
# ls -la /usr/bin/certbot
lrwxrwxrwx 1 root root 17 Dec 20 18:27 /usr/bin/certbot -> /snap/bin/certbot
# ls -la /snap/bin/certbot
lrwxrwxrwx 1 root root 13 Dec 20 18:27 /snap/bin/certbot -> /usr/bin/snap
1.2 Obtaining Certificates
# certbot certonly --webroot -w /srv/[FQDN] -d [FQDN]
The -w directory must be the DocumentRoot that Apache already serves for the FQDN over plain HTTP, because Let's Encrypt validates ownership by fetching http://[FQDN]/.well-known/acme-challenge/<token> from it.
On the first run only, you must register an e-mail address and agree to the terms of service.
Specify an e-mail address at which you can actually receive mail (expiry and security notices go there).
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): <mail address>

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
Account registered.
Requesting a certificate for <FQDN>

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/<FQDN>/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/<FQDN>/privkey.pem
This certificate expires on 2024-03-19.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

We were unable to subscribe you the EFF mailing list because your e-mail address appears to be invalid. You can try again later by visiting https://act.eff.org.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1.3 Automatic certificate renewal (Let's Encrypt)
① Pre-registration testing
First, test automatic renewal with the --dry-run option. With this option the certificate is not actually renewed; only the renewal procedure is exercised against the staging environment, so you do not consume Let's Encrypt's rate limit on certificate issuance.
# certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/[FQDN]
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Account registered.
Simulating renewal of an existing certificate for [FQDN]

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all simulated renewals succeeded:
  /etc/letsencrypt/live/[FQDN]/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
② When certbot is installed from snap, a systemd timer for automatic certificate renewal is installed along with it.
# systemctl list-timers | less
NEXT                         LEFT           LAST                         PASSED   UNIT                              ACTIVATES
Wed 2023-12-27 00:00:00 JST  4h 10min       Tue 2023-12-26 10:08:51 JST  -        shadow.timer                      shadow.service
Wed 2023-12-27 07:54:00 JST  12h            -                            -        snap.certbot.renew.timer          snap.certbot.renew.service
Wed 2023-12-27 19:49:31 JST  23h            Tue 2023-12-26 19:49:31 JST  14s ago  systemd-tmpfiles-clean.timer      systemd-tmpfiles-clean.service
Sun 2024-01-07 05:16:29 JST  1 week 4 days  Mon 2023-12-25 12:38:56 JST  -        archlinux-keyring-wkd-sync.timer  archlinux-keyring-wkd-sync.service

4 timers listed. Pass --all to see loaded but inactive timers, too.
snap.certbot.renew.timer is registered.
Check the unit file snap.certbot.renew.timer
# vim /etc/systemd/system/snap.certbot.renew.timer
[Unit]
# Auto-generated, DO NOT EDIT
Description=Timer renew for snap application certbot.renew
Requires=var-lib-snapd-snap-certbot-3566.mount
After=var-lib-snapd-snap-certbot-3566.mount
X-Snappy=yes

[Timer]
Unit=snap.certbot.renew.service
OnCalendar=*-*-* 05:54
OnCalendar=*-*-* 22:38

[Install]
WantedBy=timers.target
According to these settings, renewal is attempted every day at 05:54 and 22:38, as specified by the two OnCalendar lines. The two times are chosen at random by snapd when it generates the unit from the --timer="00:00~24:00/2" specification in the service file, so they differ from system to system. The unit file is auto-generated; do not edit it by hand.
Check the unit file snap.certbot.renew.service
# vim /etc/systemd/system/snap.certbot.renew.service
[Unit]
# Auto-generated, DO NOT EDIT
Description=Service for snap application certbot.renew
Requires=var-lib-snapd-snap-certbot-3566.mount
Wants=network.target
After=var-lib-snapd-snap-certbot-3566.mount network.target snapd.apparmor.service
X-Snappy=yes

[Service]
EnvironmentFile=-/etc/environment
ExecStart=/usr/bin/snap run --timer="00:00~24:00/2" certbot.renew
SyslogIdentifier=certbot.renew
Restart=no
WorkingDirectory=/var/snap/certbot/3566
TimeoutStopSec=30
Type=oneshot
However, the web server that uses the certificate is not reloaded automatically (Apache keeps serving the old certificate from memory until it re-reads the files), so set up a script that runs after renewal. Scripts placed in /etc/letsencrypt/renewal-hooks/post/ run after every renewal attempt, whether or not a certificate was actually issued; if you want the reload only when a certificate was really renewed, put the script in /etc/letsencrypt/renewal-hooks/deploy/ instead.
# vim /etc/letsencrypt/renewal-hooks/post/web_restart.sh
#!/bin/bash
systemctl reload httpd

# chmod 755 /etc/letsencrypt/renewal-hooks/post/web_restart.sh
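As an added example (it is not the page's own script), here is a deploy hook that reloads Apache only when a certificate for a name the server actually serves was issued, and only after checking that the new certificate and key belong together and that the Apache configuration still parses, so a bad renewal can never take the site down. certbot exports RENEWED_LINEAGE (the /etc/letsencrypt/live/<name> directory) and RENEWED_DOMAINS (space-separated names) to deploy hooks. The file name apache-reload.sh and the served name www.example.com are assumptions.

```shell
#!/bin/bash
# Added example deploy hook (not the page's web_restart.sh). Assumed install
# path: /etc/letsencrypt/renewal-hooks/deploy/apache-reload.sh (mode 755).
# certbot sets RENEWED_LINEAGE and RENEWED_DOMAINS before running deploy hooks.
set -eu

# Names that httpd-ssl.conf serves. Assumed value; set it to the FQDN used in
# the certbot certonly command (space-separate several names).
SERVED_DOMAINS="${SERVED_DOMAINS:-www.example.com}"

# Return 0 if any renewed name is one the web server serves, else 1.
renewal_affects_httpd() {
    renewed="$1"   # RENEWED_DOMAINS value
    served="$2"    # names served by Apache
    for r in $renewed; do
        for s in $served; do
            [ "$r" = "$s" ] && return 0
        done
    done
    return 1
}

# Return 0 if the leaf certificate in fullchain.pem and privkey.pem carry the
# same public key. openssl x509 reads only the first (leaf) certificate.
cert_matches_key() {
    lineage="$1"
    cert_pub=$(openssl x509 -in "$lineage/fullchain.pem" -noout -pubkey)
    key_pub=$(openssl pkey -in "$lineage/privkey.pem" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

main() {
    if ! renewal_affects_httpd "${RENEWED_DOMAINS:-}" "$SERVED_DOMAINS"; then
        logger -t certbot-deploy "renewed ${RENEWED_DOMAINS:-?}: httpd not affected, skipping reload"
        return 0
    fi
    if ! cert_matches_key "$RENEWED_LINEAGE"; then
        logger -t certbot-deploy "cert/key mismatch in $RENEWED_LINEAGE, NOT reloading httpd"
        return 1
    fi
    # Syntax-check the whole configuration before asking Apache to reload it.
    if ! apachectl configtest >/dev/null 2>&1; then
        logger -t certbot-deploy "apachectl configtest failed, NOT reloading httpd"
        return 1
    fi
    systemctl reload httpd
    logger -t certbot-deploy "reloaded httpd after renewal of $RENEWED_DOMAINS"
}

# Only act when invoked by certbot, which always sets RENEWED_LINEAGE.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    main
fi
```

A non-zero exit from a deploy hook is reported in certbot's log and in the renewal output, so a refused reload is visible rather than silent. Exercise the hook with certbot renew --dry-run --run-deploy-hooks; a plain dry run skips deploy hooks.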
2. Switching Apache to HTTPS
2.1 Edit the httpd-ssl.conf file
# vim /etc/httpd/conf/extra/httpd-ssl.conf
●Line 124 : change
DocumentRoot "/srv/<FQDN>"
●Line 125 : change
ServerName <FQDN>:443
●Line 126 : change
ServerAdmin <Mail Address>
●Line 127 : change
ErrorLog "/var/log/httpd/[FQDN]-error_log"
●Line 144 : comment out, and add at line 147
# SSLCertificateFile "/etc/httpd/conf/server.crt"
SSLCertificateFile "/etc/letsencrypt/live/<FQDN>/cert.pem"
●Line 154 : comment out, and add at line 157
# SSLCertificateKeyFile "/etc/httpd/conf/server.key"
SSLCertificateKeyFile "/etc/letsencrypt/live/<FQDN>/privkey.pem"
●Line 166 : add
#SSLCertificateKeyFile "/etc/httpd/conf/server.key"
SSLCertificateChainFile "/etc/letsencrypt/live/<FQDN>/chain.pem"
●Lines 256-260 : add
<Directory "/srv/[FQDN]">
    Options FollowSymLinks
    AllowOverride All
    Require all granted
</Directory>
●Comment out the last two lines (the ssl_request_log CustomLog) and add below them
CustomLog "/var/log/httpd/[FQDN]-access_log" common
Note that SSLCertificateChainFile has been deprecated since Apache 2.4.8: the equivalent on current versions is to point SSLCertificateFile at fullchain.pem (leaf plus intermediate) and omit the chain directive. The cert.pem plus chain.pem form above still works but logs a deprecation warning. The private key file must remain readable only by root; certbot creates it that way and Apache reads it before dropping privileges.
Edit httpd.conf
# vim /etc/httpd/conf/httpd.conf
Line 93 : uncomment
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
Line 155 : uncomment
LoadModule ssl_module modules/mod_ssl.so
Line 191 : uncomment
LoadModule rewrite_module modules/mod_rewrite.so
Line 533 : uncomment
Include conf/extra/httpd-ssl.conf
Restart Apache.
# systemctl restart httpd
Allow HTTPS through UFW
# ufw allow https
# ufw reload
2.2 Redirect HTTP communications to HTTPS
Create .htaccess under /srv/[FQDN]/. This works because of the AllowOverride All set in the Directory block above; keep in mind that anyone who can write to the webroot can then change Apache's behaviour through that file, so if you administer the server config yourself the same redirect can be placed in the port-80 VirtualHost instead. Let's Encrypt's HTTP-01 validation follows redirects to HTTPS, so webroot renewal keeps working as long as the HTTPS host serves the same DocumentRoot.
Contents of .htaccess
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
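As an added example (not part of the original page), the same HTTP-to-HTTPS redirect done at VirtualHost level instead of in .htaccess, together with the TLS settings a practitioner would pair with a Let's Encrypt certificate. The name www.example.com, the document root and the log file names are assumptions; the certificate paths are the ones certbot prints above. Because SSLCertificateChainFile is deprecated, fullchain.pem is given to SSLCertificateFile in place of cert.pem plus chain.pem. mod_headers must be loaded for the HSTS header.

```apache
# Added example, not the page's own configuration. Assumed name: www.example.com.

# Port 80 serves nothing but a redirect. Let's Encrypt follows the redirect,
# so the HTTP-01 challenge is answered from the HTTPS vhost's DocumentRoot.
<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot "/srv/www.example.com"
    Redirect permanent "/" "https://www.example.com/"
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot "/srv/www.example.com"
    ErrorLog "/var/log/httpd/www.example.com-error_log"
    CustomLog "/var/log/httpd/www.example.com-access_log" common

    SSLEngine on
    # fullchain.pem = leaf + intermediate; replaces cert.pem + SSLCertificateChainFile
    SSLCertificateFile    "/etc/letsencrypt/live/www.example.com/fullchain.pem"
    SSLCertificateKeyFile "/etc/letsencrypt/live/www.example.com/privkey.pem"

    # TLS 1.2 and 1.3 only; SSLv3/TLS 1.0/TLS 1.1 disabled.
    SSLProtocol -all +TLSv1.2 +TLSv1.3

    # HSTS: a browser that has seen this header refuses plain HTTP to this
    # host for max-age seconds (two years here). Use a short max-age while
    # testing, since it cannot be revoked from the client side once cached.
    Header always set Strict-Transport-Security "max-age=63072000"

    <Directory "/srv/www.example.com">
        Options FollowSymLinks
        # No .htaccess processing: the redirect lives in the :80 vhost above,
        # so a writable webroot cannot alter server behaviour.
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
```

Run apachectl configtest before systemctl reload httpd after any change to these blocks; with AllowOverride None the existing .htaccess in the webroot is simply ignored and can be removed.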