Click here for "Safe Air Conditioner Repair and Proper Freon Recovery".

Ubuntu22.04 Server : Let's Encrypt , Apache SSL

1. Certificate Acquisition (Let's Encrypt)

1.1 advance preparation

①Enable mod_ssl

# a2enmod ssl

②Install client tool to obtain Let's Encrypt certificate

# apt -y install certbot

③Obtaining Certificates
It is assumed that a web server such as Apache httpd or Nginx is running.
If the Web server is not running on the server, perform step ④.
It is also assumed that the server on which the work is to be performed (the server with the FQDN from which the certificate is to be obtained) is accessible from the Internet at port 80.

# certbot certonly --webroot -w /var/www/html/hoge.com -d hoge.com

# Use the directory under the public directory of the running Web server as a temporary area for authentication by specifying [--webroot].
# -w [document root] -d [FQDN from which you want to obtain a certificate] # FQDN (Fully Qualified Domain Name) : Hostname. Domain name without abbreviation
#Document root is the one for the appropriate host definition if there are multiple host definitions for a virtual host
# Registration of e-mail address and agreement to terms of use are required for the first time only.
# Specify an email address to receive

aving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel):- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
Account registered.
Requesting a certificate for hoge.comSuccessfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/hoge.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/hoge.com/privkey.pem
This certificate expires on 2022-08-20.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
We were unable to subscribe you the EFF mailing list because your e-mail address appears to be invalid. You can try again later by visiting https://act.eff.org.- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

# [Successfully received certificate.]  success
#The following certificate is obtained under [/etc/letsencrypt/live/hoge.com/] as described in the message
# cert.pem ⇒ SSL server certificate (including public key)
# chain.pem ⇒ intermediate certificate
# fullchain.pem ⇒ File containing cert.pem and chain.pem combined
# privkey.pem ⇒ privkey

④Obtaining a Let's Encrypt certificate when the web server is not running
It is a prerequisite that access to port 80 of the server is available.

#Use the simple Web server function by specifying [--standalone].
# -d [FQDN from which you want to obtain a certificate] # FQDN (Fully Qualified Domain Name) : Hostname. Domain name without abbreviation
# If there are multiple FQDNs for which you want to obtain certificates, specify multiple -d [FQDNs for which you want to obtain certificates

# certbot certonly --standalone -d hoge.com
Enter email address (used for urgent notices and lost key recovery)

hoge@hoge.com

< OK > <Cancel>

Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf.
You must agree in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory

<Agree > <Cancel>

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/hoge.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/hoge.com/privkey.pem
Your cert will expire on 2019-10-23. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donat

⑤Renewing certificates already obtained
# Renew all certificates with an expiration date of less than 30 days
#If you want to renew regardless of the number of days remaining on the expiration date, specify [--force-renewal] as well

# certbot  [--force-renewal]  renew

2. SSL/TLS (Let's Encrypt) configuration for Apache2

①Edit Apache2 SSL-related configuration files

# cd /etc/apache2/sites-available/
# cp default-ssl.conf hoge.com-ssl.conf
# vi hoge.com-ssl.conf
# Line 3:Administrator address change
ServerAdmin <Administrator Email Address>
# Line 5:change
DocumentRoot /var/www/html/hoge.com/
# Line 13,14:change
ErrorLog ${APACHE_LOG_DIR}/hoge.com.error.log
CustomLog ${APACHE_LOG_DIR}/hoge.com.access.log combined
# Line 32,33:Change to the certificate obtained in [1].
SSLCertificateFile      /etc/letsencrypt/live/hoge.com/cert.pem
SSLCertificateKeyFile   /etc/letsencrypt/live/hoge.com/privkey.pem
# Line 42:Uncomment and change to the chain file obtained in [1].
SSLCertificateChainFile /etc/letsencrypt/live/hoge.com/chain.pem

②Reflecting and activating the configuration file

# a2ensite hoge.com-ssl.conf
Enabling site hoge.com-ssl.conf.
To activate the new configuration, you need to run:
systemctl reload apache2
# systemctl restart apache2
#  Default Disable
# a2dissite default-ssl.conf
# systemctl restart apache2

③http to https redirect

# a2enmod rewrite
One of the following methods

1. How to use ".htaccess" file
Create .htaccess in /var/www/html/hoge.com/ and fill in the following
RewriteEngine on
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

2.Fill in /vhost-yourdomain.conf
RewriteEngine on
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

④Reflection of settings and startup

# a2ensite vhost-yourdomain.conf
# a2enmod ssl
Restart Apache
# systemctl restart apache2
タイトルとURLをコピーしました