知的好奇心

How to set up Let's Encrypt on Ubuntu

This article shows how to set up Let's Encrypt on Ubuntu, using Certbot with its nginx plugin.

Requirements

What is Let's Encrypt

Let's Encrypt is a free, automated, and open certificate authority run by the nonprofit Internet Security Research Group (ISRG). Certbot, the client used below, obtains a certificate from it by proving control of the domain with an ACME challenge and then installs the certificate into the web server.

Installing Certbot

Add the repository

Add the Certbot PPA with the following command.

$ sudo add-apt-repository ppa:certbot/certbot

Note: this was the install route at the time (autumn 2020). The ppa:certbot/certbot PPA is no longer maintained, so on current Ubuntu releases install Certbot either from Ubuntu's own repositories (the packages are named certbot and python3-certbot-nginx) or as the snap that the Certbot project now recommends. The rest of the procedure is the same whichever way Certbot is installed.

Install the Certbot nginx package

Update the package list and install Certbot together with its nginx plugin (python-certbot-nginx is the Python 2-era package name used here; newer releases call it python3-certbot-nginx).

$ sudo apt update

$ sudo apt install python-certbot-nginx

Checking the nginx configuration

Nothing to do this time, because sub_domain.conf was already created when the subdomain was set up.

After editing a conf file, check that the configuration is valid with the following command. Never reload or restart nginx on a configuration that fails this test; a broken configuration leaves the site down, and Certbot's nginx plugin also refuses to work with an invalid configuration.

$ sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

After editing a conf file, restart nginx with the following command to apply the change. (A reload, sudo service nginx reload, is enough for configuration changes and does not drop in-flight connections; this is also what Certbot does after a renewal.)

$ sudo service nginx restart

Reference (sub_domain.conf)

When the subdomain was set up, /etc/nginx/conf.d/sub_domain.conf was created with the following contents. The server_name and proxy_pass values are placeholders; set them to the real host name and the real address and port of the backend. (The backend is reached over plain HTTP, so it should only be reachable from this proxy, not from the internet.)

server {
  listen 80;
  server_name sub.test.co.jp;
  location / {
    proxy_pass http://111.22.33.444:7000/;
  }
}

Firewall settings

Open port 443, the port used for HTTPS. Port 80 must stay open as well: Let's Encrypt validates the http-01 challenge by connecting to port 80, both for the initial issuance and for every automatic renewal (the HTTP-to-HTTPS redirect that Certbot configures later is followed by the validation server, so the redirect does not break renewal).

If you use ufw, run the following command.

$ sudo ufw allow 443

The state can be checked with the following command.

$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
80                         ALLOW       Anywhere
8000                       ALLOW       Anywhere
21                         ALLOW       Anywhere
443                        ALLOW       Anywhere

Obtaining the certificate

Obtain a certificate using domain validation. With --nginx, Certbot answers the http-01 challenge through the running nginx and then installs the certificate into the matching server block.
(Replace sub.test.co.jp with the domain you are using.)

$ sudo certbot --nginx -d sub.test.co.jp
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): test@sub.test.jp

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: a

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: n
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for sub.test.co.jp
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/conf.d/sub_domain.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting all traffic on port 80 to ssl in /etc/nginx/conf.d/sub_domain.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://sub.test.co.jp

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=sub.test.co.jp
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/sub.test.co.jp/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/sub.test.co.jp/privkey.pem
   Your cert will expire on 2021-01-18. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

$

Reference (sub_domain.conf)

Certbot rewrites the file automatically. The original server block now listens on 443 with the certificate, its private key and the shared TLS settings from options-ssl-nginx.conf, and a new port-80 block redirects requests whose Host is sub.test.co.jp to HTTPS and answers 404 for any other Host header (so the backend is no longer reachable over plain HTTP by IP address):

server {
    server_name sub.test.co.jp;
    location / {
        proxy_pass http://111.22.33.444:7000/;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/sub.test.co.jp/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/sub.test.co.jp/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
    if ($host = sub.test.co.jp) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    server_name sub.test.co.jp;
    return 404; # managed by Certbot
}

Automatic renewal setup

Rehearse a renewal with a dry run using the following command. The dry run goes through the real http-01 challenge against Let's Encrypt's staging environment and reloads nginx, so it proves the whole renewal path (DNS, port 80, the nginx plugin) works; the test certificates it obtains are not saved.

$ sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/sub.test.co.jp.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for sub.test.co.jp
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/sub.test.co.jp/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/sub.test.co.jp/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
$

cron setup

Not needed.

The package installs /etc/cron.d/certbot. It attempts a renewal twice a day, but Certbot only actually renews a certificate once it is within 30 days of expiry (the default renew_before_expiry). As the comment in the file itself says, on a systemd-based system (every current Ubuntu release) this cron entry is skipped and the certbot.timer systemd unit runs the same certbot -q renew instead; you can confirm the timer is active with systemctl list-timers certbot.timer.

# /etc/cron.d/certbot: crontab entries for the certbot package
#
# Upstream recommends attempting renewal twice a day
#
# Eventually, this will be an opportunity to validate certificates
# haven't been revoked, etc.  Renewal will only occur if expiration
# is within 30 days.
#
# Important Note!  This cronjob will NOT be executed if you are
# running systemd as your init system.  If you are running systemd,
# the cronjob.timer function takes precedence over this cronjob.  For
# more details, see the systemd.timer manpage, or use systemctl show
# certbot.timer.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew

Automatic renewal in practice

At install time the validity period was 2020/10/20 to 2021/01/18.

Checking again as the expiry approached, the validity period had become 2020/12/19 to 2021/03/19. The renewal ran exactly when the old certificate came within 30 days of expiry (2020/12/19 is 30 days before 2021/01/18), so the automatic renewal works as intended.
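The check above was done by hand. The following script does the same checks from outside the host, the way a client sees them: it performs a verifying TLS handshake, confirms the certificate's SAN list covers the host name, computes the days left until notAfter, and confirms plain HTTP is redirected to HTTPS as Certbot configured. This is an added example, not code from the article or from Certbot; it uses only the Python standard library. The host name (the article's placeholder sub.test.co.jp), the ports and the 30-day renewal threshold are assumptions.

```python
#!/usr/bin/env python3
"""check_le_deploy.py: external checks for a Let's Encrypt + nginx host.

Added example, not code from the original article or from Certbot.
Standard library only. Host name, ports and the 30-day threshold are
assumptions; the default host is the article's placeholder domain.
"""
import http.client
import socket
import ssl
import sys
import time

RENEW_THRESHOLD_DAYS = 30  # assumption: certbot's default renew_before_expiry is unchanged
DEFAULT_HOST = "sub.test.co.jp"  # placeholder domain from the article


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 10.0) -> dict:
    """TLS-connect with the default verifying context and return the decoded leaf cert.

    create_default_context() verifies the chain against the system trust store
    and checks the host name, so a handshake error here already means the
    deployment is broken for ordinary clients (bad chain, expired, wrong name).
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def san_dns_names(cert: dict) -> list:
    """DNS entries from the subjectAltName of a getpeercert() dictionary."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def covers_host(cert: dict, host: str) -> bool:
    """True if a SAN entry matches host exactly or as a single-label wildcard (*.example.com)."""
    host = host.lower().rstrip(".")
    for name in san_dns_names(cert):
        name = name.lower()
        if name == host:
            return True
        # A wildcard covers exactly one label: *.test.co.jp matches sub.test.co.jp
        # but not a.sub.test.co.jp, hence the equal dot count.
        if name.startswith("*.") and host.count(".") == name.count(".") and host.endswith(name[1:]):
            return True
    return False


def days_remaining(not_after: str, now: float = None) -> int:
    """Whole days until notAfter ('Jan 18 00:00:00 2021 GMT', the getpeercert() format)."""
    if now is None:
        now = time.time()
    return int((ssl.cert_time_to_seconds(not_after) - now) // 86400)


def needs_renewal(days_left: int, threshold: int = RENEW_THRESHOLD_DAYS) -> bool:
    """Certbot's rule: renew once expiry is within the threshold."""
    return days_left <= threshold


def is_https_redirect(status: int, location: str, host: str) -> bool:
    """True if a plain-HTTP response sends the client to https://host/... (Certbot's option 2)."""
    if status not in (301, 302, 307, 308) or not location:
        return False
    loc = location.lower()
    target = f"https://{host.lower()}"
    return loc == target or loc.startswith(target + "/")


def fetch_http_redirect(host: str, path: str = "/", timeout: float = 10.0):
    """GET over plain HTTP without following redirects; returns (status, Location header)."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location", "")
    finally:
        conn.close()


def main(host: str) -> int:
    problems = []
    try:
        cert = fetch_peer_cert(host)
    except (ssl.SSLError, OSError) as exc:
        print(f"TLS handshake to {host}:443 failed: {exc}")
        return 1
    if not covers_host(cert, host):
        problems.append(f"certificate SANs {san_dns_names(cert)} do not cover {host}")
    left = days_remaining(cert["notAfter"])
    print(f"notAfter={cert['notAfter']} ({left} days left; renewal due: {needs_renewal(left)})")
    if left <= 0:
        problems.append("certificate has expired")
    status, location = fetch_http_redirect(host)
    if not is_https_redirect(status, location, host):
        problems.append(f"http://{host}/ returned {status} Location={location!r}, not an HTTPS redirect")
    for p in problems:
        print("PROBLEM:", p)
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else DEFAULT_HOST))
```

Run it from a machine other than the server (python3 check_le_deploy.py sub.test.co.jp) so the ufw rules are exercised as well. "renewal due: True" is informational while certbot.timer is active; if it stays True for more than a day, the renewal is failing and /var/log/letsencrypt/letsencrypt.log will say why.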

References

Let's Encrypt

https://letsencrypt.org/ja/

Qiita: Setting up SSL/TLS with Ubuntu + nginx + LetsEncrypt (in Japanese)

https://qiita.com/akubi0w1/items/c436343f544d13e3be1d
