Preparing a document root for certificate issuance
Let's Encrypt needs a document root where it can place the files used for certificate issuance (domain control validation).
Here, for an existing vhost, only the path that Let's Encrypt uses for webroot validation and renewal is mapped to a separate directory.
mkdir /srv/www/letsencrypt_webroot
chown apache:apache /srv/www/letsencrypt_webroot
cd /etc/httpd/conf.d/
vi hogehoge.conf
# append the following
Alias /.well-known/ /srv/www/letsencrypt_webroot/.well-known/
<Directory /srv/www/letsencrypt_webroot/>
Order Allow,Deny
# Apache 2.2: without "Allow from all", Order Allow,Deny rejects every request
Allow from all
AllowOverride All
</Directory>
* On the 2.4 series:
<Directory /srv/www/letsencrypt_webroot/>
Options FollowSymLinks
Require all granted
</Directory>
Syntax check & apply
service httpd configtest
service httpd graceful
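The mapping above only works if a file written under the webroot comes back unchanged when the ACME server fetches it over plain HTTP at http://<domain>/.well-known/acme-challenge/<token>. The following pre-flight check, added here as an example and not code from the original page or from certbot, does that same round trip with a constructed token, so an Alias typo, a missing Allow/Require, or a closed port 80 shows up before the real validation fails. The ACME_FETCH variable and the function names are assumptions of this example.

```shell
#!/bin/sh
# Pre-flight check for the certbot webroot plugin (example, not certbot's own code).
# Certbot writes a token file under <webroot>/.well-known/acme-challenge/ and the
# ACME server GETs http://<domain>/.well-known/acme-challenge/<token>; this script
# performs the same round trip with a constructed token and checks the body.

# Assumed: the command used to GET a URL and print its body (overridable for tests).
ACME_FETCH="${ACME_FETCH:-curl -fsS --max-time 10}"

# Random, URL-safe token of the same shape as a real challenge token.
make_token() {
    head -c 48 /dev/urandom | base64 | tr -dc 'A-Za-z0-9' | head -c 32
}

# acme_webroot_check WEBROOT URL_BASE
#   WEBROOT  the directory given to certbot with -w
#   URL_BASE scheme and host the ACME server will use, e.g. http://hogehoge
# Returns 0 if the token written into WEBROOT is served unchanged via URL_BASE,
# 1 otherwise. The token file is removed in every case.
acme_webroot_check() {
    webroot="$1"
    url_base="$2"
    dir="$webroot/.well-known/acme-challenge"
    token=$(make_token)
    # Use a body distinct from the file name so a server echoing the URL cannot pass.
    expected="$token.preflight"

    mkdir -p "$dir" || return 1
    printf '%s' "$expected" > "$dir/$token" || return 1

    got=$($ACME_FETCH "$url_base/.well-known/acme-challenge/$token" 2>/dev/null)
    status=$?
    rm -f "$dir/$token"

    if [ "$status" -ne 0 ]; then
        echo "FAIL: fetch of $url_base/.well-known/acme-challenge/$token failed (check Alias, Allow/Require, port 80)" >&2
        return 1
    fi
    if [ "$got" != "$expected" ]; then
        echo "FAIL: got '$got', expected '$expected' (another vhost or a rewrite rule answered?)" >&2
        return 1
    fi
    echo "OK: $url_base serves files from $dir"
    return 0
}

# Usage on the server from this page, assuming the vhost name is hogehoge:
#   acme_webroot_check /srv/www/letsencrypt_webroot http://hogehoge
```

Run it once after `service httpd graceful` and again whenever the vhost configuration changes; a FAIL with a non-empty body usually means a different vhost or a RewriteRule answered the request, while a fetch failure points at access control or the security group.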
Installing Let's Encrypt
1. Configure the AWS security group
→ In the security group applied to the server, allow inbound HTTP (80) and HTTPS (443) from 0.0.0.0/0.
2. Download certbot, place it and set permissions
curl https://dl.eff.org/certbot-auto -o /usr/bin/certbot-auto
chmod 700 /usr/bin/certbot-auto
3. Issue the certificate
The certbot command generates the certificate automatically.
certbot-auto certonly --webroot -w /srv/www/letsencrypt_webroot -d hogehoge --email admin@hogehoge --debug
→ Any missing required modules are installed at this point
★ If an error occurs here, see the error notes at the bottom of this page
Then proceed interactively as follows
-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf. You must agree
in order to register with the ACME server at
https://acme-staging.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: A
-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: Y
(omitted)
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/hogehoge/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/hogehoge/privkey.pem
Your cert will expire on 2017-12-04. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"
(omitted)
4. Check the generated certificate
The certificate is generated in the following directory:
/etc/letsencrypt/live/hogehoge/
vi /etc/httpd/conf.d/ssl.hogehoge.conf
NameVirtualHost *:443
<VirtualHost *:443>
SSLEngine on
(omitted)
SSLCertificateFile /etc/letsencrypt/live/hogehoge/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/hogehoge/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/hogehoge/chain.pem
(omitted)
</VirtualHost>
Syntax check & apply
service httpd configtest
service httpd graceful
5. Automatic certificate renewal
crontab -e
50 3 * * 0 /usr/bin/certbot-auto renew --post-hook "/etc/init.d/httpd graceful" > /path/to/log 2>&1
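The cron line above sends all of certbot's output to a log file, so a renewal that keeps failing (webroot moved, port 80 closed again, certbot-auto broken as in the error notes below) is not noticed until the certificate expires. The script below, added here as an example and not code from the original page or from certbot, checks how many days of validity the certificate Apache actually serves has left and exits non-zero below a threshold, so cron mail or a monitoring wrapper can pick it up. It assumes GNU date (-d) and the openssl command line, both present on Amazon Linux; the function names and the threshold are choices of this example.

```shell
#!/bin/sh
# Expiry check for the deployed Let's Encrypt certificate (example, not certbot's code).
# Exits 1 when fewer than MIN_DAYS of validity remain, so a stuck renewal is noticed
# before the certificate expires. Assumes GNU date and the openssl CLI.

# days_left ENDDATE NOW_EPOCH
#   ENDDATE   the "notAfter=..." line printed by 'openssl x509 -enddate -noout'
#   NOW_EPOCH current time in seconds since the epoch (passed in so the math is testable)
# Prints the number of whole days remaining (negative once expired).
days_left() {
    end_str="${1#notAfter=}"
    end_epoch=$(date -u -d "$end_str" +%s) || return 1
    echo $(( ( end_epoch - $2 ) / 86400 ))
}

# check_cert CERT_FILE [MIN_DAYS]
# Returns 0 if the certificate has at least MIN_DAYS (default 14) left, 1 otherwise.
# Certbot renews once fewer than 30 days remain, so a healthy weekly cron never
# gets near 14 days; only a renewal that has been failing for weeks trips this.
check_cert() {
    cert="$1"
    min_days="${2:-14}"
    end_line=$(openssl x509 -enddate -noout -in "$cert") || return 1
    left=$(days_left "$end_line" "$(date -u +%s)") || return 1
    if [ "$left" -lt "$min_days" ]; then
        echo "WARNING: $cert expires in $left days (threshold $min_days)" >&2
        return 1
    fi
    echo "OK: $cert expires in $left days"
    return 0
}

# When run as a script with a certificate path, perform the check.
# Constructed crontab entry for the path used on this page:
#   0 8 * * * /usr/local/bin/check_cert.sh /etc/letsencrypt/live/hogehoge/cert.pem
if [ -n "$1" ]; then
    check_cert "$@"
fi
```

Point it at the file named in SSLCertificateFile rather than at certbot's live directory of a different name, so the check reflects what clients are actually being served after the post-hook reload.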
Error notes
# certbot-auto certonly produced the following error
# The fix followed https://blog.yskw.info/articles/326/
Traceback (most recent call last):
File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 7, in <module>
from certbot.main import main
File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/certbot/main.py", line 9, in <module>
import zope.component
File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/zope/component/__init__.py", line 16, in <module>
from zope.interface import Interface
ImportError: No module named interface
Run unset PYTHON_INSTALL_LAYOUT
env | grep PYTHON_INSTALL_LAYOUT
# PYTHON_INSTALL_LAYOUT=amzn
unset PYTHON_INSTALL_LAYOUT
# verify
env | grep PYTHON_INSTALL_LAYOUT
→ Confirm the variable is no longer set
# Re-run certbot-auto certonly
# The following error still appears
Error: couldn't get currently installed version for /opt/eff.org/certbot/venv/bin/letsencrypt:
Traceback (most recent call last):
File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 7, in <module>
from certbot.main import main
File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/certbot/main.py", line 9, in <module>
import zope.component
File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/zope/component/__init__.py", line 16, in <module>
from zope.interface import Interface
ImportError: No module named interface
→ Move the /opt/eff.org directory aside (or delete it) and re-run
Error notes 2
A case where, on an older Amazon Linux, the following error had started appearing at some point
FATAL: Amazon Linux support is very experimental at present...
if you would like to work on improving it, please ensure you have backups
and then run this script again with the --debug flag!
Alternatively, you can install OS dependencies yourself and run this script
again with --no-bootstrap.
Following the message, run again with --debug added
/usr/bin/certbot-auto renew --debug --post-hook "/sbin/service httpd reload"
(omitted)
Updated:
python27-devel.x86_64 0:2.7.16-1.127.amzn1
python27-tools.x86_64 0:2.7.16-1.127.amzn1
Dependency Updated:
python27.x86_64 0:2.7.16-1.127.amzn1
python27-libs.x86_64 0:2.7.16-1.127.amzn1
(omitted)
Creating virtual environment...
Traceback (most recent call last):
File "/usr/bin/virtualenv", line 6, in <module>
from pkg_resources import load_entry_point
File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 3049, in <module>
@_call_aside
File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 3033, in _call_aside
f(*args, **kwargs)
File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 3062, in _initialize_master_working_set
working_set = WorkingSet._build_master()
File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 660, in _build_master
return cls._build_from_requirements(__requires__)
File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 673, in _build_from_requirements
dists = ws.resolve(reqs, Environment())
File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 858, in resolve
raise DistributionNotFound(req, requirers)
pkg_resources.DistributionNotFound: The 'virtualenv==15.1.0' distribution was not found and is required by the application
Traceback (most recent call last):
File "<stdin>", line 27, in <module>
File "<stdin>", line 19, in create_venv
File "/usr/lib64/python2.7/subprocess.py", line 190, in check_call
raise CalledProcessError(retcode, cmd)
subprocess.CalledProcessError: Command '['virtualenv', '--no-site-packages', '--python', '/usr/bin/python2.7', '/opt/eff.org/certbot/venv']' returned non-zero exit status 1