root@sakura:~# iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
root@sakura:~# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
:
:
:
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
:
:
:
root@sakura:~# /etc/init.d/netfilter-persistent save
[....] Saving netfilter rules...run-parts: executing /usr/share/netfilter-persistent/plugins.d/15-ip4tables save
run-parts: executing /usr/share/netfilter-persistent/plugins.d/25-ip6tables save
done.
root@sakura:~#
root@sakura:~# a2enmod ssl
Considering dependency setenvif for ssl:
Module setenvif already enabled
Considering dependency mime for ssl:
Module mime already enabled
Considering dependency socache_shmcb for ssl:
Enabling module socache_shmcb.
Enabling module ssl.
See /usr/share/doc/apache2/README.Debian.gz on how to configure SSL and create self-signed certificates.
To activate the new configuration, you need to run:
  systemctl restart apache2
root@sakura:~# systemctl restart apache2.service
root@sakura:~#

Preparing the Certbot client
The Certbot client installation page has no Debian 9 entry yet, but on Debian 9 it can reportedly be installed normally, without pulling it from backports.

root@sakura:~# apt-get install certbot python-certbot-apache
パッケージリストを読み込んでいます... 完了
依存関係ツリーを作成しています
状態情報を読み取っています... 完了
以下の追加パッケージがインストールされます:
  augeas-lenses libaugeas0 python-acme python-augeas python-certbot python-cffi-backend
  python-chardet python-configargparse python-configobj python-cryptography python-enum34
  python-funcsigs python-idna python-ipaddress python-mock python-openssl python-parsedatetime
  python-pbr python-pkg-resources python-pyasn1 python-requests python-rfc3339 python-setuptools
  python-six python-tz python-urllib3 python-zope.component python-zope.event python-zope.hookable
  python-zope.interface
提案パッケージ:
  augeas-doc python-certbot-doc augeas-tools python-acme-doc python-certbot-apache-doc
  python-configobj-doc python-cryptography-doc python-cryptography-vectors python-enum34-doc
  python-funcsigs-doc python-mock-doc python-openssl-doc python-openssl-dbg doc-base python-socks
  python-setuptools-doc python-ntlm
推奨パッケージ:
  python-dnspython python-psutil python-pyicu
以下のパッケージが新たにインストールされます:
  augeas-lenses certbot libaugeas0 python-acme python-augeas python-certbot python-certbot-apache
  python-cffi-backend python-chardet python-configargparse python-configobj python-cryptography
  python-enum34 python-funcsigs python-idna python-ipaddress python-mock python-openssl
  python-parsedatetime python-pbr python-pkg-resources python-pyasn1 python-requests python-rfc3339
  python-setuptools python-six python-tz python-urllib3 python-zope.component python-zope.event
  python-zope.hookable python-zope.interface
アップグレード: 0 個、新規インストール: 32 個、削除: 0 個、保留: 1 個。
2,611 kB のアーカイブを取得する必要があります。
この操作後に追加で 12.1 MB のディスク容量が消費されます。
続行しますか? [Y/n] y
:
:
:
root@sakura:~# dpkg -l certbot
要望=(U)不明/(I)インストール/(R)削除/(P)完全削除/(H)保持
| 状態=(N)無/(I)インストール済/(C)設定/(U)展開/(F)設定失敗/(H)半インストール/(W)トリガ待ち/(T)トリガ保留
|/ エラー?=(空欄)無/(R)要再インストール (状態,エラーの大文字=異常)
||/ 名前              バージョン    アーキテクチ 説明
+++-=================-=============-=============-========================================
ii  certbot           0.10.2-1      all          automatically configure HTTPS using Let'
root@sakura:~#

The version is 0.10, so it apparently does not support wildcard certificates.

Test run
root@sakura:~# certbot
Saving debug log to /var/log/letsencrypt/letsencrypt.log
No names were found in your configuration files.
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel):

It does not bring up the TUI screen, but, well, it runs.

Obtaining the certificate
Continue as is. First, enter the domain names.
root@sakura:~# certbot
Saving debug log to /var/log/letsencrypt/letsencrypt.log
No names were found in your configuration files.
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel):yamasita.jp www.yamasita.jp osmjp.yamasita.jp osmcs.yamasita.jp sakura.yamasita.jp
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel):

Next, enter the email address.

Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel):内緒@yamasita.jp

-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must agree
in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel:

Agree to the terms of service.

(A)gree/(C)ancel: a
Obtaining a new certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.

IMPORTANT NOTES:
 - If you lose your account credentials, you can recover through
   e-mails sent to yasunari@yamasita.jp.
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
root@sakura:~#

An error. A web search shows that everyone seems to run into this one.
Stop Apache and retry with options.
root@sakura:~# systemctl stop apache2.service
root@sakura:~# certbot --authenticator standalone --installer apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
No names were found in your configuration files.
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel):yamasita.jp www.yamasita.jp osmjp.yamasita.jp osmcs.yamasita.jp sakura.yamasita.jp
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for yamasita.jp
http-01 challenge for www.yamasita.jp
http-01 challenge for osmjp.yamasita.jp
http-01 challenge for osmcs.yamasita.jp
http-01 challenge for sakura.yamasita.jp
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem
Created an SSL vhost at /etc/apache2/sites-available/000-default-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/000-default-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/000-default-le-ssl.conf
We were unable to find a vhost with a ServerName or Address of www.yamasita.jp.
Which virtual host would you like to choose?
(note: conf files with multiple vhosts are not yet supported)
-------------------------------------------------------------------------------
1: 000-default.conf               |                       |       | Enabled
2: default-ssl.conf               |                       | HTTPS |
3: 000-default-le-ssl.conf        | yamasita.jp           | HTTPS | Enabled
-------------------------------------------------------------------------------
Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 3
Deploying Certificate to VirtualHost /etc/apache2/sites-available/000-default-le-ssl.conf
We were unable to find a vhost with a ServerName or Address of osmjp.yamasita.jp.
Which virtual host would you like to choose?
(note: conf files with multiple vhosts are not yet supported)
-------------------------------------------------------------------------------
1: 000-default.conf               |                       |       | Enabled
2: default-ssl.conf               |                       | HTTPS |
3: 000-default-le-ssl.conf        | Multiple Names        | HTTPS | Enabled
-------------------------------------------------------------------------------
Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 3
Deploying Certificate to VirtualHost /etc/apache2/sites-available/000-default-le-ssl.conf
We were unable to find a vhost with a ServerName or Address of osmcs.yamasita.jp.
Which virtual host would you like to choose?
(note: conf files with multiple vhosts are not yet supported)
-------------------------------------------------------------------------------
1: 000-default.conf               |                       |       | Enabled
2: default-ssl.conf               |                       | HTTPS |
3: 000-default-le-ssl.conf        | Multiple Names        | HTTPS | Enabled
-------------------------------------------------------------------------------
Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 3
Deploying Certificate to VirtualHost /etc/apache2/sites-available/000-default-le-ssl.conf
We were unable to find a vhost with a ServerName or Address of sakura.yamasita.jp.
Which virtual host would you like to choose?
(note: conf files with multiple vhosts are not yet supported)
-------------------------------------------------------------------------------
1: 000-default.conf               |                       |       | Enabled
2: default-ssl.conf               |                       | HTTPS |
3: 000-default-le-ssl.conf        | Multiple Names        | HTTPS | Enabled
-------------------------------------------------------------------------------
Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 3
Deploying Certificate to VirtualHost /etc/apache2/sites-available/000-default-le-ssl.conf

Please choose whether HTTPS access is required or optional.
-------------------------------------------------------------------------------
1: Easy - Allow both HTTP and HTTPS access to these sites
2: Secure - Make all requests redirect to secure HTTPS access
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1

-------------------------------------------------------------------------------
Congratulations! You have successfully enabled https://yamasita.jp,
https://www.yamasita.jp, https://osmjp.yamasita.jp, https://osmcs.yamasita.jp,
and https://sakura.yamasita.jp

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=yamasita.jp
https://www.ssllabs.com/ssltest/analyze.html?d=www.yamasita.jp
https://www.ssllabs.com/ssltest/analyze.html?d=osmjp.yamasita.jp
https://www.ssllabs.com/ssltest/analyze.html?d=osmcs.yamasita.jp
https://www.ssllabs.com/ssltest/analyze.html?d=sakura.yamasita.jp
-------------------------------------------------------------------------------

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/yamasita.jp/fullchain.pem. Your cert will expire
   on 2018-08-22. To obtain a new or tweaked version of this certificate
   in the future, simply run certbot again with the "certonly" option. To
   non-interactively renew *all* of your certificates, run "certbot
   renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

root@sakura:~# systemctl start apache2.service
root@sakura:~#

Done! Let's access the addresses it listed and test them.
Nothing in particular seems wrong.
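Besides the SSL Labs scan that certbot suggests, it is worth checking the deployed certificate locally: that every requested name is present in its subjectAltName, and that the expiry date (2018-08-22 above) is still comfortably far off. The script below is an added example, not part of the original post and not Certbot's own code. It assumes openssl 1.1.1 or newer (for -addext) and GNU date, and it builds a constructed self-signed certificate so that it runs offline; on the real host the functions would be pointed at /etc/letsencrypt/live/yamasita.jp/fullchain.pem and given the five domain names from the page.

```shell
#!/bin/sh
# Added example (not from the original post): verify that an issued
# certificate covers every requested name and is not close to expiry.
# Assumptions: openssl 1.1.1+ and GNU date are installed; the PEM path
# and the name list are placeholders for the ones on the page.

# Days until the certificate's notAfter date, rounded down.
cert_days_left() {
    local pem="$1" end
    end=$(openssl x509 -in "$pem" -noout -enddate | sed 's/^notAfter=//')
    echo $(( ( $(date -u -d "$end" +%s) - $(date -u +%s) ) / 86400 ))
}

# Print the DNS names from the certificate's subjectAltName, one per line.
cert_san_names() {
    openssl x509 -in "$1" -noout -text \
        | grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://'
}

# Succeed only if every name given after the PEM path is in the SAN list.
cert_covers() {
    local pem="$1" sans n rc=0
    shift
    sans=$(cert_san_names "$pem")
    for n in "$@"; do
        if ! printf '%s\n' "$sans" | grep -qx "$n"; then
            echo "not covered by certificate: $n" >&2
            rc=1
        fi
    done
    return $rc
}

# Combined check: 0 when all names are covered and at least $min_days
# remain, 1 for a missing name, 2 for imminent expiry.
check_cert() {
    local pem="$1" min_days="$2" days
    shift 2
    cert_covers "$pem" "$@" || return 1
    days=$(cert_days_left "$pem")
    if [ "$days" -lt "$min_days" ]; then
        echo "certificate expires in $days days (threshold $min_days)" >&2
        return 2
    fi
    echo "OK: $days days left, $# name(s) covered"
}

# Constructed self-signed certificate so the checks can run offline; on
# the real host use /etc/letsencrypt/live/<your-domain>/fullchain.pem.
make_demo_cert() {
    local pem="$1" days="$2" san="" n
    shift 2
    for n in "$@"; do san="${san:+$san,}DNS:$n"; done
    openssl req -x509 -newkey rsa:2048 -nodes -keyout /dev/null -out "$pem" \
        -days "$days" -subj "/CN=$1" -addext "subjectAltName=$san" 2>/dev/null
}

demo() {
    local pem
    pem=$(mktemp)
    make_demo_cert "$pem" 30 example.test www.example.test
    check_cert "$pem" 14 example.test www.example.test                   # OK
    check_cert "$pem" 14 example.test mail.example.test || echo "exit $?"  # missing name
    check_cert "$pem" 60 example.test || echo "exit $?"                    # too close to expiry
    rm -f "$pem"
}
demo
```

Because check_cert reports through its exit status as well as on stderr, the same functions can be called from a cron job or a monitoring check against the live fullchain.pem, with the threshold set a little above the interval at which certbot renew is scheduled.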
Renewing the certificate
First, check it manually.

root@sakura:~# certbot renew --pre-hook "systemctl stop apache2.service" --post-hook "systemctl start apache2.service"
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/yamasita.jp.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/yamasita.jp/fullchain.pem (skipped)
No renewals were attempted.
No hooks were run.
root@sakura:~#

Set it up in cron.

root@sakura:~# crontab -e
:
:
:
crontab: installing new crontab
root@sakura:~# crontab -l
:
:
0 5 * * * certbot renew --pre-hook "systemctl stop apache2.service" --post-hook "systemctl start apache2.service" 2>/dev/null 1>/dev/null
root@sakura:~#

That should be about it...
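One caveat about the crontab line above: it sends both stdout and stderr to /dev/null, so if a renewal starts failing for any reason, nothing reports it and the first symptom is an expired certificate. The wrapper below is an added example, not part of the original post and not Certbot's own code. It keeps the page's pre-hook and post-hook exactly as they are and uses no certbot flag beyond the ones already shown; it appends certbot's full output to a log file, writes a one-line failure notice to stderr (which cron mails to the administrator) and exits non-zero so a monitoring check can notice. CERTBOT, LOGFILE, PRE_HOOK and POST_HOOK are placeholder variables overridable from the environment.

```shell
#!/bin/sh
# Added example (not from the original post): a logging wrapper for the
# page's "certbot renew" cron job. Assumptions: the variables below are
# placeholders; the hooks are the ones on the page.

CERTBOT="${CERTBOT:-certbot}"
LOGFILE="${LOGFILE:-/var/log/letsencrypt/renew-cron.log}"
PRE_HOOK="${PRE_HOOK:-systemctl stop apache2.service}"
POST_HOOK="${POST_HOOK:-systemctl start apache2.service}"

# Run the renewal, append a timestamped record of everything certbot
# printed to LOGFILE, and return certbot's own exit status.
run_renewal() {
    local rc=0
    {
        echo "=== $(date -u '+%Y-%m-%dT%H:%M:%SZ') certbot renew start"
        "$CERTBOT" renew --pre-hook "$PRE_HOOK" --post-hook "$POST_HOOK" 2>&1 || rc=$?
        echo "=== exit status $rc"
    } >> "$LOGFILE"
    return $rc
}

# Number of failed runs recorded in LOGFILE, for a monitoring check.
failed_runs() {
    grep -c '^=== exit status [1-9]' "$LOGFILE" 2>/dev/null || true
}

# Entry point for cron: quiet on success, one line on stderr on failure.
main() {
    if run_renewal; then
        return 0
    fi
    echo "certbot renew FAILED; see $LOGFILE" >&2
    return 1
}

# Only act when invoked as "renew-wrapper.sh run", so the functions can
# also be sourced and reused.
case "${1:-}" in run) main || exit 1 ;; esac
```

Installed as /usr/local/sbin/renew-wrapper.sh, the cron entry becomes `0 5 * * * /usr/local/sbin/renew-wrapper.sh run`: on the days when nothing is due the log simply records "exit status 0", and a failure produces both a mail from cron and a non-zero count from failed_runs.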
Copyright (C) 2003-2018 Yasunari Yamashita. All Rights Reserved.
yasunari @ yamasita.jp Yasunari Yamashita @ Muko City, Kyoto Prefecture / Shinjuku, Tokyo