Notes on installing a Let's Encrypt SSL certificate on a website (httpd / Apache 2.2) running on AWS EC2.
【Steps】
Check the web server
/usr/sbin/apachectl -v
# Server version: Apache/2.2.34 (Unix)
# Server built:   Sep 15 2017 20:57:31
# Check that the SSL module is loaded
/usr/sbin/apachectl -M | grep ssl
# ssl_module (shared)
Prepare a document root for certificate issuance
Let's Encrypt needs a document root in which it can place the files used for certificate issuance (the proof of domain control).
Here, for the existing vhost, only the part that Let's Encrypt uses for webroot validation and renewal is mapped to a separate directory.
mkdir /srv/www/letsencrypt_webroot
chown apache:apache /srv/www/letsencrypt_webroot
cd /etc/httpd/conf.d/
vi hogehoge.conf
# Append the following
Alias /.well-known/ /srv/www/letsencrypt_webroot/.well-known/
<Directory /srv/www/letsencrypt_webroot/>
    Order Allow,Deny
    # Required on 2.2: with Order Allow,Deny and no Allow directive, every request is denied (403)
    Allow from all
    AllowOverride All
</Directory>
※ On the Apache 2.4 series:
<Directory /srv/www/letsencrypt_webroot/>
    Options FollowSymLinks
    Require all granted
</Directory>
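Before running certonly it pays to prove that httpd really serves files from the new webroot over plain HTTP, because a Directory block that denies access (on 2.2, Order Allow,Deny without an Allow directive) fails the http-01 challenge with a 403 that certbot reports only indirectly. The check below is an added example, not part of the original memo; it assumes the Alias above, that curl is installed on the web host, and uses hogehoge as the placeholder hostname.

```shell
#!/bin/sh
# Pre-flight check for the http-01 webroot on this page. Assumed layout (from the
# Alias above): http://HOST/.well-known/acme-challenge/X is served from
# WEBROOT/.well-known/acme-challenge/X. Run on the web host before certonly.
set -u

# Print a random URL-safe token, the same alphabet ACME uses for challenge names.
make_token() {
    head -c 32 /dev/urandom | base64 | tr -d '=\n' | tr '+/' '-_'
}

# Write WEBROOT/.well-known/acme-challenge/TOKEN containing TOKEN; print its path.
place_token() {
    dir="$1/.well-known/acme-challenge"
    mkdir -p "$dir"
    printf '%s' "$2" > "$dir/$2"
    printf '%s\n' "$dir/$2"
}

# Fetch the token over plain HTTP, as the ACME server does, and print "STATUS BODY".
probe_token() {
    body=$(mktemp)
    status=$(curl -s -o "$body" -w '%{http_code}' "http://$1/.well-known/acme-challenge/$2") || status=000
    printf '%s %s\n' "$status" "$(cat "$body")"
    rm -f "$body"
}

# Map STATUS/BODY to a diagnosis; return 0 only when the path is served correctly.
diagnose() {
    status=$1 body=$2 token=$3
    case "$status" in
        200) if [ "$body" = "$token" ]; then echo "OK: challenge path is served from the webroot"; return 0; fi
             echo "FAIL: 200 with wrong body; another vhost or Alias answers this path"; return 1 ;;
        403) echo "FAIL: 403; httpd denies the directory (2.2: add 'Allow from all', 2.4: 'Require all granted')"; return 1 ;;
        404) echo "FAIL: 404; the /.well-known/ Alias is not active in the vhost answering port 80"; return 1 ;;
        *)   echo "FAIL: HTTP $status (000 = could not connect to port 80)"; return 1 ;;
    esac
}

# usage: check_webroot WEBROOT HOST (writes a throwaway token, fetches it, removes it)
check_webroot() {
    token=$(make_token)
    path=$(place_token "$1" "$token")
    result=$(probe_token "$2" "$token")
    rm -f "$path"
    diagnose "${result%% *}" "${result#* }" "$token"
}
# check_webroot /srv/www/letsencrypt_webroot hogehoge
```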
Install Let's Encrypt
2. Download certbot, put it in place and set its permissions
curl https://dl.eff.org/certbot-auto -o /usr/bin/certbot-auto
chmod 700 /usr/bin/certbot-auto
3. Issue the certificate
The certbot command generates the certificate automatically.
certbot-auto certonly --webroot -w /srv/www/letsencrypt_webroot -d hogehoge --email admin@hogehoge --debug
→ Any required modules that are missing are installed automatically
★ If an error occurs here, see the error notes at the bottom of the page
Proceed through the interactive prompts as follows:
-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf. You must agree
in order to register with the ACME server at
https://acme-staging.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: A
-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: Y
(omitted)
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/hogehoge/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/hogehoge/privkey.pem
   Your cert will expire on 2017-12-04. To obtain a new or tweaked version of
   this certificate in the future, simply run certbot-auto again. To
   non-interactively renew *all* of your certificates, run "certbot-auto renew"
(omitted)
5. Configure httpd
vi /etc/httpd/conf.d/ssl.hogehoge.conf
NameVirtualHost *:443
<VirtualHost *:443>
    SSLEngine on
    (omitted)
    SSLCertificateFile /etc/letsencrypt/live/hogehoge/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/hogehoge/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/hogehoge/chain.pem
    (omitted)
</VirtualHost>
6. Verify
https://hogehoge/
→ Confirm that SSL communication works
# SSL vulnerability hardening
# [Reference] https://qiita.com/kite_999/items/6243386fe9153e1c739c
# Append the following to httpd.conf
# for SSL
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite DEFAULT:!EXP:!SSLv2:!DES:!IDEA:!SEED:+3DES:!RC4:!DH
# The Header directive needs mod_headers to be loaded
Header set Strict-Transport-Security "max-age=315360000;"
→ Check at https://www.ssllabs.com and confirm the grade is A+
# Check the expiry date
openssl s_client -connect "hogehoge":443 < /dev/null 2> /dev/null | openssl x509 -text | grep "Not"
7. Automatic certificate renewal
crontab -e
50 3 * * 0 /usr/bin/certbot-auto renew --post-hook "/etc/init.d/httpd graceful" > /path/to/log 2>&1
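The cron job above writes its result to a log that nobody reads, so a renewal that fails, or a post-hook reload that never happens, becomes visible only when the certificate expires. The following check is an added example and not part of the original memo: it fetches the certificate httpd actually serves, fails if it expires within 30 days, and fails if it differs from the renewed file under /etc/letsencrypt/live. It assumes the openssl CLI and the paths used on this page, with hogehoge as the placeholder hostname.

```shell
#!/bin/sh
# Renewal watchdog for the setup on this page. Exit code: 0 ok, 1 served cert is
# stale (httpd not reloaded), 2 cert expiring or unreachable. Suitable for cron
# or a monitoring agent; requires the openssl CLI.
set -u

# Print the leaf certificate served on HOST:443 as PEM (same probe as the memo's
# expiry check, plus SNI so the right vhost answers).
served_cert() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 2>/dev/null
}

# Return 0 if the PEM cert in FILE expires within SECONDS (or cannot be read), 1 otherwise.
expires_within() {
    ! openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Print the SHA-256 fingerprint of the PEM cert in FILE.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# usage: check_renewal HOST LIVE_CERT [DAYS]
check_renewal() {
    host=$1 live=$2 days=${3:-30}
    tmp=$(mktemp)
    served_cert "$host" > "$tmp" || { rm -f "$tmp"; echo "CRIT: no certificate from $host:443"; return 2; }
    rc=0
    if expires_within "$tmp" $((days * 86400)); then
        echo "CRIT: $host expires within $days days: $(openssl x509 -in "$tmp" -noout -enddate)"
        rc=2
    fi
    if [ "$(fingerprint "$tmp")" != "$(fingerprint "$live")" ]; then
        echo "WARN: served cert differs from $live; reload httpd (the post-hook may have failed)"
        [ "$rc" -eq 0 ] && rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $host serves $live and it is valid beyond $days days"
    rm -f "$tmp"
    return "$rc"
}
# check_renewal hogehoge /etc/letsencrypt/live/hogehoge/cert.pem 30
```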
Error notes
# certbot-auto certonly produced the following error
# The fix follows https://blog.yskw.info/articles/326/
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 7, in <module>
    from certbot.main import main
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/certbot/main.py", line 9, in <module>
    import zope.component
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/zope/component/__init__.py", line 16, in <module>
    from zope.interface import Interface
ImportError: No module named interface
Run unset PYTHON_INSTALL_LAYOUT
env | grep PYTHON_INSTALL_LAYOUT
# PYTHON_INSTALL_LAYOUT=amzn
unset PYTHON_INSTALL_LAYOUT
# Verify
env | grep PYTHON_INSTALL_LAYOUT
→ Confirm that the variable is gone
# Re-run certbot-auto certonly
# The following error still appears
Error: couldn't get currently installed version for /opt/eff.org/certbot/venv/bin/letsencrypt:
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 7, in <module>
    from certbot.main import main
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/certbot/main.py", line 9, in <module>
    import zope.component
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/zope/component/__init__.py", line 16, in <module>
    from zope.interface import Interface
ImportError: No module named interface
→ Move the /opt/eff.org directory aside (or delete it) and run again
Error notes 2
A case on an older Amazon Linux instance where the following error had started appearing at some point
FATAL: Amazon Linux support is very experimental at present...
if you would like to work on improving it, please ensure you have backups and then run this script again with the --debug flag!
Alternatively, you can install OS dependencies yourself and run this script again with --no-bootstrap.
As the message says, run again with --debug added
/usr/bin/certbot-auto renew --debug --post-hook "/sbin/service httpd reload"
(omitted)
Updated:
  python27-devel.x86_64 0:2.7.16-1.127.amzn1    python27-tools.x86_64 0:2.7.16-1.127.amzn1
Dependency Updated:
  python27.x86_64 0:2.7.16-1.127.amzn1    python27-libs.x86_64 0:2.7.16-1.127.amzn1
(omitted)
Creating virtual environment...
Traceback (most recent call last):
  File "/usr/bin/virtualenv", line 6, in <module>
    from pkg_resources import load_entry_point
  File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 3049, in <module>
    @_call_aside
  File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 3033, in _call_aside
    f(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 3062, in _initialize_master_working_set
    working_set = WorkingSet._build_master()
  File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 660, in _build_master
    return cls._build_from_requirements(__requires__)
  File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 673, in _build_from_requirements
    dists = ws.resolve(reqs, Environment())
  File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 858, in resolve
    raise DistributionNotFound(req, requirers)
pkg_resources.DistributionNotFound: The 'virtualenv==15.1.0' distribution was not found and is required by the application
Traceback (most recent call last):
  File "<stdin>", line 27, in <module>
  File "<stdin>", line 19, in create_venv
  File "/usr/lib64/python2.7/subprocess.py", line 190, in check_call
    raise CalledProcessError(retcode, cmd)
subprocess.CalledProcessError: Command '['virtualenv', '--no-site-packages', '--python', '/usr/bin/python2.7', '/opt/eff.org/certbot/venv']' returned non-zero exit status 1
■ References
https://serverfault.com/questions/912973/lets-encrypt-error-with-amazon-linux-with-virtualenv
Reinstalling virtualenv appears to resolve it
pip uninstall virtualenv
→ The following error appears:
pkg_resources.DistributionNotFound: The 'pip==9.0.3' distribution was not found and is required by the application
# Install pip
easy_install pip==9.0.3
# Run again
pip uninstall virtualenv
pip install virtualenv
# Test again
/usr/bin/certbot-auto renew --debug --post-hook "/sbin/service httpd reload"