Let's Encrypt is a much-appreciated organization (?) that issues SSL certificates free of charge.
Since Google apparently ranks HTTPS pages higher in search results, I decided to switch this blog to HTTPS as well, and I'm leaving a record of the steps here.
Basically it's just the official procedure.
yum install epel-release
yum install certbot
This is an nginx environment, so I'm not installing python-certbot-apache.
To confirm that the web server / domain the certificate is being issued for is really in use, certbot places a test file on the web server and checks that it can be reached from outside. In my environment, without the configuration for that in place, it failed with the following error.
## The failing pattern
# certbot certonly --webroot -w /usr/share/nginx/html -d blog.setouchino.cloud
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for blog.setouchino.cloud
Using the webroot path /var/www/simpleblog/shared/public for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. blog.setouchino.cloud (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://blog.setouchino.cloud/.well-known/acme-challenge/FHpSClSuHmbGU8mnBTfqyO2BqGhMXytRsvRDZzvukzc: "<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>"
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: blog.setouchino.cloud
Type: unauthorized
Detail: Invalid response from
http://blog.setouchino.cloud/.well-known/acme-challenge/FHpSClSuHmbGU8mnBTfqyO2BqGhMXytRsvRDZzvukzc:
"<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
It can be worked around by adding the following configuration.
# vim /etc/nginx/conf.d/${nginx config file name}
--------
server {
    listen 80;
    server_name blog.setouchino.cloud;
    ~~~~~(snip)~~~~~~~
    location ^~ /.well-known/acme-challenge/ { # ★ added
        root /usr/share/nginx/html; # ★ added
    } # ★ added
}
--------
After changing the configuration, apply it.
systemctl reload nginx.service
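Before running certbot again, it is worth reproducing the validator's request yourself so that a 404 shows up before Let's Encrypt is involved (and before failed attempts count against its rate limits). The script below is an added example, not code from the original post or from certbot: it stages a random token under the webroot, fetches it over plain HTTP following redirects the way the http-01 validator does, and reports a 404 or an unexpected body. The domain, the webroot path and the file name acme_preflight.py are assumptions.

```python
"""Pre-flight check for certbot --webroot: stage a dummy token under
<webroot>/.well-known/acme-challenge/ and fetch it over plain HTTP the way the
http-01 validator does (following redirects), before running certbot."""
import os
import secrets
import sys
import urllib.error
import urllib.request

CHALLENGE_DIR = ".well-known/acme-challenge"

def stage_token(webroot):
    """Write a random token file into the webroot; return (token, body, path)."""
    token = secrets.token_urlsafe(32)
    body = "preflight-" + secrets.token_hex(16)
    challenge_dir = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(challenge_dir, exist_ok=True)
    path = os.path.join(challenge_dir, token)
    with open(path, "w") as f:
        f.write(body)
    return token, body, path

def http_fetch(url):
    """Fetch url as the validator would: follow redirects, return (status, body)."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode(errors="replace")

def check_challenge_path(domain, webroot, fetch=http_fetch):
    """Return (ok, message); `fetch` is injectable so the check can be dry-run."""
    token, body, path = stage_token(webroot)
    url = "http://%s/%s/%s" % (domain, CHALLENGE_DIR, token)
    try:
        status, got = fetch(url)
    finally:
        os.remove(path)  # never leave the probe file behind
    if status != 200:
        return False, "%s returned %d: nginx has no location serving %s from %s" % (
            url, status, CHALLENGE_DIR, webroot)
    if got.strip() != body:
        return False, "%s answered 200 with other content (another handler answered)" % url
    return True, "%s served the staged token; certbot --webroot -w %s should pass" % (url, webroot)

if __name__ == "__main__":  # usage: python3 acme_preflight.py blog.example.com /usr/share/nginx/html
    ok, msg = check_challenge_path(sys.argv[1], sys.argv[2])
    print(msg)
    sys.exit(0 if ok else 1)
```

Run it as root (or as a user that can write to the webroot) on the server itself; a 200 with the staged body means the location block is doing its job.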
Run it again; if you get a result like the following, it worked.
# certbot certonly --webroot -w /usr/share/nginx/html/ -d blog.setouchino.cloud
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for blog.setouchino.cloud
Using the webroot path /usr/share/nginx/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/blog.setouchino.cloud/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/blog.setouchino.cloud/privkey.pem
Your cert will expire on 2018-03-18. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
That completes the certificate issuance.
The certificate files are created under the directory
/etc/letsencrypt/live/<domain name>
# Redirect HTTP requests to HTTPS
server {
    listen 80;
    server_name host.example.com;
    return 301 https://$host$request_uri;
}
# HTTPS settings
server {
    listen 443 ssl;
    server_name host.example.com;
    # Use fullchain.pem (leaf + intermediate), not cert.pem: nginx needs the
    # chain in ssl_certificate, otherwise clients that do not already have the
    # intermediate cached fail to validate the certificate.
    ssl_certificate /etc/letsencrypt/live/blog.setouchino.cloud/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/blog.setouchino.cloud/privkey.pem;
    root /usr/share/nginx/html;
    access_log /var/log/nginx/ssl_access.log;
    error_log /var/log/nginx/ssl_error.log;
    location ~ ^/assets/ {
    }
    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_pass http://unicorn;
    }
    # Keep this location active: the port-80 block above redirects every
    # request (the http-01 challenge included) to HTTPS, and Let's Encrypt
    # follows that redirect, so the challenge must be served here too or
    # "certbot renew" will get the proxied app's 404 instead of the token.
    location ^~ /.well-known/acme-challenge/ {
        root /usr/share/nginx/html;
    }
}
systemctl restart nginx.service
Now open the site over https in a browser; if it displays correctly, you're done.