UbuntuにLet’s Encriptを導入する方法

UbuntuにLet’s Encriptを導入する方法をご紹介します。

条件

  • Ubuntu 18.04
  • Nginx
  • ドメイン(サブドメイン)設定済み

Let’s Encriptとは

Let’s Encryptは、非営利団体の Internet Security Research Group (ISRG) が提供する自動化されたフリーでオープンな認証局です。

Certbotのインストール

リポジトリを追加

以下のコマンドでリポジトリを追加します。

$ sudo add-apt-repository ppa:certbot/certbot

CertbotのNginxパッケージをインストール

パッケージリストを更新して、certbotをインストールします。

$ sudo apt update

$ sudo apt install python-certbot-nginx

Nginxの構成の確認

※今回は、特に作業なし。(サブドメイン追加で、sub_domain.confを設定してあるため)

confファイルを修正後、以下のコマンドで正しいか確認します。

$ sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

confファイルを修正後、以下のコマンドで再起動して反映します。

$ sudo service nginx restart

参考(sub_domain.conf)

サブドメイン設定を行った際、/etc/nginx/conf.d/sub_domain.confを作成し、以下のような記述を行いました。
(server_nameとproxy_passは、正しい値を設定します。)

server {
  listen 80;
  server_name sub.test.co.jp;
  location / {
    proxy_pass http://111.22.33.444:7000/;
  }
}

ファイアウォールの設定

HTTPSで利用するポート(443)を開けます。

ufwを用いている場合、以下のコマンドを実行します。

$ sudo ufw allow 443

以下のコマンドで状態を確認できます。

$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
80                         ALLOW       Anywhere
8000                       ALLOW       Anywhere
21                         ALLOW       Anywhere
443                        ALLOW       Anywhere

証明書の取得

ドメイン認証を使用して証明書を取得します。
(sub.test.co.jpは、使用しているドメインに読み替えてください)

$ sudo certbot --nginx -d sub.test.co.jp
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): test@sub.test.jp

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: a

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: n
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for sub.test.co.jp
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/conf.d/sub_domain.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting all traffic on port 80 to ssl in /etc/nginx/conf.d/sub_domain.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://sub.test.co.jp

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=sub.test.co.jp
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/sub.test.co.jp/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/sub.test.co.jp/privkey.pem
   Your cert will expire on 2021-01-18. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

$

参考(sub_domain.conf)

自動で情報が追記されます。

server {
  server_name sub.test.co.jp;
  location / {
    proxy_pass http://111.22.33.444:7000/;
  }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/sub.test.co.jp/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/sub.test.co.jp/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}
server {
    if ($host = sub.test.co.jp) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


  listen 80;
  server_name sub.test.co.jp;
    return 404; # managed by Certbot


}

自動更新設定

以下のコマンドで、更新のdry-run(リハーサル)を行います。

$ sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/sub.test.co.jp.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for sub.test.co.jp
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/sub.test.co.jp/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/sub.test.co.jp/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
$

cronの設定

不要です。

/etc/cron.d/certbot が存在します。
有効期限が切れる30日前に、自動で更新してくれるみたいです。

# /etc/cron.d/certbot: crontab entries for the certbot package
#
# Upstream recommends attempting renewal twice a day
#
# Eventually, this will be an opportunity to validate certificates
# haven't been revoked, etc.  Renewal will only occur if expiration
# is within 30 days.
#
# Important Note!  This cronjob will NOT be executed if you are
# running systemd as your init system.  If you are running systemd,
# the cronjob.timer function takes precedence over this cronjob.  For
# more details, see the systemd.timer manpage, or use systemctl show
# certbot.timer.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew

自動更新

導入時には、有効期間 2020/10/20 から 2021/01/18 になっていました。

その後、有効期限が近付いてから確認すると、有効期間 2020/12/19 から 2021/03/19 になっていました。
いい感じに自動更新してくれたみたいです。

参考

Let’s Encript

https://letsencrypt.org/ja/

Qiita:Ubuntu + nginx + LetsEncryptでSSL/TLSを設定する

https://qiita.com/akubi0w1/items/c436343f544d13e3be1d

コメントを残す

メールアドレスが公開されることはありません。 * が付いている欄は必須項目です