Adding a Let's Encrypt certificate to Apache on Amazon Linux

Obtaining a domain name

Roughly the following steps; they will be covered in a separate article later.

  1. Assign an EIP to the EC2 instance
  2. Obtain a domain name (from Onamae.com or similar)
  3. Register the EIP in the DNS settings of Onamae.com or similar (an A record pointing at the EIP; a CNAME record for www)

Preparing Let's Encrypt

Apache was probably installed with the following command.

$ sudo yum install httpd24 -y

Add mod_ssl (the SSL module) to Apache 2.4.

$ sudo yum install mod24_ssl
$ sudo service httpd restart

Downloading Let's Encrypt

$ sudo yum install git -y
$ mkdir letsencrypt
$ cd letsencrypt/
$ git clone https://github.com/certbot/certbot
$ cd certbot/

On Amazon Linux, Let's Encrypt support is apparently still experimental.

$ ./certbot-auto
WARNING: Amazon Linux support is very experimental at present...
if you would like to work on improving it, please ensure you have backups
and then run this script again with the --debug flag!

Running Let's Encrypt

Creating the certificate
$ ./certbot-auto --debug
Is this ok [y/d/N]: y
.......
No installers are available on your OS yet; try running "letsencrypt-auto certonly" to get a cert you can install manually

$ ./certbot-auto --debug certonly

After this, follow the TUI prompts. A message like the following appears:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/XXXXXXXXXXXXXXX/fullchain.pem. Your cert will
   expire on 2016-11-05. To obtain a new or tweaked version of this
   certificate in the future, simply run certbot-auto again. To
   non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you lose your account credentials, you can recover through
   e-mails sent to XXXXXXXXXXX@XXXXXXXXXXX.
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Configuring the certificate
$ cd /etc/httpd/conf.d
$ sudo vi ssl.conf
Set SSLCertificateFile to /etc/letsencrypt/archive/<domain-name>/fullchain.pem
Set SSLCertificateKeyFile to /etc/letsencrypt/archive/<domain-name>/privkey.pem

$ sudo service httpd restart
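As an added example (not code from the original post), here is a small Python lint that checks the two ssl.conf directives edited above before httpd is restarted. It assumes certbot's standard layout, in which /etc/letsencrypt/live/<domain>/ (the path certbot's own output above names) holds symlinks that certbot repoints on every renewal while archive/ holds numbered copies (fullchain1.pem, privkey1.pem, ...), and it assumes the stock mod_ssl paths /etc/pki/tls/certs/localhost.crt and /etc/pki/tls/private/localhost.key; the sample configs are constructed.

```python
LIVE_DIR = "/etc/letsencrypt/live"        # symlinks that certbot repoints on every renewal
ARCHIVE_DIR = "/etc/letsencrypt/archive"  # numbered copies: fullchain1.pem, privkey1.pem, ...
# Default paths shipped in mod24_ssl's ssl.conf (self-signed "localhost" pair).
STOCK_PATHS = {"/etc/pki/tls/certs/localhost.crt", "/etc/pki/tls/private/localhost.key"}
# Directive -> file name certbot writes for it.
DIRECTIVES = {"SSLCertificateFile": "fullchain.pem", "SSLCertificateKeyFile": "privkey.pem"}

def parse_directives(conf_text):
    """Return {directive: value} for the last active (uncommented) occurrence of each directive."""
    found = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] in DIRECTIVES:
            found[parts[0]] = parts[1].strip().strip('"')
    return found

def lint_ssl_conf(conf_text, domain):
    """Return a list of problems with the certificate directives; [] means they look right."""
    problems = []
    values = parse_directives(conf_text)
    for directive, filename in DIRECTIVES.items():
        expected = f"{LIVE_DIR}/{domain}/{filename}"
        path = values.get(directive)
        if path is None:
            problems.append(f"{directive} is not set")
        elif path in STOCK_PATHS:
            problems.append(f"{directive} still uses the stock self-signed file {path}")
        elif path.startswith(ARCHIVE_DIR + "/"):
            problems.append(f"{directive} points into archive/, which does not follow renewals; use {expected}")
        elif path != expected:
            problems.append(f"{directive} is {path}, expected {expected}")
    return problems

# Constructed sample: ssl.conf edited with archive/ paths, as in the post.
CONF_ARCHIVE = """\
<VirtualHost _default_:443>
SSLCertificateFile /etc/letsencrypt/archive/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/archive/example.com/privkey.pem
</VirtualHost>
"""
# Constructed sample: the same file pointed at the live/ symlinks instead.
CONF_LIVE = CONF_ARCHIVE.replace("/archive/", "/live/")

if __name__ == "__main__":
    for name, conf in (("archive", CONF_ARCHIVE), ("live", CONF_LIVE)):
        print(name, lint_ssl_conf(conf, "example.com") or "OK")
```

Run it against a copy of /etc/httpd/conf.d/ssl.conf (open the file and pass its text plus your domain to lint_ssl_conf) before `service httpd restart`, so a leftover localhost.crt or a path that will not survive `certbot-auto renew` is caught up front.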