投稿日: 投稿者: hiro

AlmaLinux8のApacheにLet’sEncryptの証明書をインストールする

AlmaLinux release 8.5 (Arctic Sphynx)
Apache 2.4.37
OpenSSL 1.1.1k

SSL関連のパッケージをインストールする。

# dnf install openssl
# dnf install mod_ssl

Let’sEncryptの証明書を発行するためのcertbotをインストールする。

# dnf install epel-release
# dnf install certbot

SSL証明書を発行する。何度も失敗したりしても制限がかかるので、–dry-runオプションを指定してテストする。

# certbot certonly --webroot -w /var/www/html/test/ -d test.example.com
-------------------------------------------------------------
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): admin@test.example.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Account registered.
Requesting a certificate for test.example.com

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/test.example.com/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/test.example.com/privkey.pem
This certificate expires on 2022-06-01.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

発行が成功すると下記の場所に証明書が作られる。ほかのサーバーに移行する場合は/etc/letsencrypt/ごとコピーすればOKだった。

/etc/letsencrypt/live/test.example.com/cert.pem
/etc/letsencrypt/live/test.example.com/privkey.pem
/etc/letsencrypt/live/test.example.com/chain.pem

cronで毎朝4時にSSL証明書を更新するジョブを追加する。更新されるかは自動で決定され、更新された場合のみ–deploy-hookオプションで指定されたコマンドが実行される。

0 4 * * * certbot renew --deploy-hook "systemctl reload httpd"

ApacheのSSL設定ファイルの不要な設定をコメントアウトする。

…
#SSLEngine on
…
#SSLCertificateFile /etc/pki/tls/certs/localhost.crt
…
#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
…

続いて設定ファイルの最下部にSSL証明書の設定を追記する。

<VirtualHost *:443>
    ServerName test.example.com
    DocumentRoot "/var/www/html/test/"
    <Directory "/var/www/html/test/">
        AllowOverride All
    </Directory>
    SSLEngine on
    SSLProtocol -All +TLSv1.2
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA:!3DES:!RC4:!DH
    SSLHonorCipherOrder On
    SSLCertificateFile /etc/letsencrypt/live/test.example.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/test.example.com/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/test.example.com/chain.pem
</VirtualHost>

Apacheの設定を再読み込みする。

# systemctl reload httpd