zuntan02のはてなブログ

備忘録的なものです。時々職場の技術者ブログにも転記してますが、メインはこちらで。

AmazonLinux+httpd(Apache2.2)にLet's Encrypt

AWS EC2で運用しているWebサイト(httpd/apache2.2)にLet's EncryptでSSL証明書設置したメモ。

【作業】

Webサーバ確認
/usr/sbin/apachectl -v
# Server version: Apache/2.2.34 (Unix)
# Server built:   Sep 15 2017 20:57:31

# SSLモジュール確認
/usr/sbin/apachectl -M | grep ssl
#  ssl_module (shared)

証明書発行用ドキュメントルート用意

Let's Encryptで証明書発行(ドメイン使用権認証)用のファイルを設置するドキュメントルートが必要です。
ここでは、既存のvhostについて、Let's encrypt が webroot 更新で使う部分だけを別のディレクトリに設定しています。

mkdir /srv/www/letsencrypt_webroot
chown apache:apache /srv/www/letsencrypt_webroot

cd /etc/httpd/conf.d/
vi hogehoge.conf
# 以下を追記する

Alias /.well-known/ /srv/www/letsencrypt_webroot/.well-known/
<Directory /srv/www/letsencrypt_webroot/>
    Order Allow,Deny
    AllowOverride All
</Directory>

※2.4系だと

<Directory /srv/www/letsencrypt_webroot/>
    Options FollowSymLinks
    Require all granted
</Directory>
書式テスト&反映

service httpd configtest
service httpd graceful

Let's Encrypt インストール

1. AWSのセキュリティグループを設定

→サーバに適用されているセキュリティグループのインバウンドのHTTP(80)、HTTPS(443)を許可(0.0.0.0/0)にしておきます。

2. certbotのダウンロード&配置&権限設定
curl https://dl.eff.org/certbot-auto -o /usr/bin/certbot-auto
chmod 700 /usr/bin/certbot-auto
3. 証明書の発行

cerbotのコマンドで証明書が自動生成されます。

certbot-auto certonly --webroot -w /srv/www/letsencrypt_webroot -d hogehoge --email admin@hogehoge --debug

→ 不足している必須モジュールがインストールされる

# 必要なモジュールが追加インストールされる
★ここでエラーが出た場合は下端を参照してください

以下対話式で進める

-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf. You must agree
in order to register with the ACME server at
https://acme-staging.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: A

-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: Y

(省略)

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/hogehoge/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/hogehoge/privkey.pem
   Your cert will expire on 2017-12-04. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
(省略)
4. 生成された証明書の確認

以下のディレクトリに証明書が生成されます。

/etc/letsencrypt/live/hogehoge/
5.httpd側に設定

vi /etc/httpd/conf.d/ssl.hogehoge.conf

NameVirtualHost *:443
<VirtualHost *:443>
    SSLEngine on
(省略)
    SSLCertificateFile /etc/letsencrypt/live/hogehoge/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/hogehoge/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/hogehoge/chain.pem
(省略)
</VirtualHost>
書式テスト&反映

service httpd configtest
service httpd graceful

6.確認

https://hogehoge/
SSL通信できていることを確認

# SSL脆弱性対策
# 【参照】https://qiita.com/kite_999/items/6243386fe9153e1c739c
# httpd.confに以下を追記

# for SSL
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite DEFAULT:!EXP:!SSLv2:!DES:!IDEA:!SEED:+3DES:!RC4:!DH
Header set Strict-Transport-Security "max-age=315360000;"

https://www.ssllabs.comで確認してランクA+であることを確認

# 有効期限確認

openssl s_client -connect "hogehoge":443 < /dev/null 2> /dev/null | openssl x509 -text | grep "Not"
7.証明書の自動更新

crontab -e

50 3 * * 0 /usr/bin/certbot-auto renew --post-hook "/etc/init.d/httpd graceful" > /path/to/log 2>&1

エラー対応メモ

# certbot-auto certonly で以下のエラーが出た
# 解決方法は:https://blog.yskw.info/articles/326/を参考にしました

ack (most recent call last):
  File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 7, in <module>
    from certbot.main import main
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/certbot/main.py", line 9, in <module>
    import zope.component
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/zope/component/__init__.py", line 16, in <module>
    from zope.interface import Interface
ImportError: No module named interface
unset PYTHON_INSTALL_LAYOUT を実行
env | grep PYTHON_INSTALL_LAYOUT
# PYTHON_INSTALL_LAYOUT=amzn
unset PYTHON_INSTALL_LAYOUT
# 確認
env | grep PYTHON_INSTALL_LAYOUT
→設定が無くなった事を確認

# certbot-auto certonly再実行
# まだ以下のエラーが出る

Error: couldn't get currently installed version for /opt/eff.org/certbot/venv/bin/letsencrypt:
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 7, in <module>
    from certbot.main import main
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/certbot/main.py", line 9, in <module>
    import zope.component
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/zope/component/__init__.py", line 16, in <module>
    from zope.interface import Interface
ImportError: No module named interface

→/opt/eff.org ディレクトリを退避(or 削除)して再実行

エラー対応メモ2

古いAmazonLinuxでいつの間にか以下のエラーが出ていたパターン

FATAL: Amazon Linux support is very experimental at present...
if you would like to work on improving it, please ensure you have backups
and then run this script again with the --debug flag!
Alternatively, you can install OS dependencies yourself and run this script
again with --no-bootstrap.

メッセージに従い、--debugを付加して実行

/usr/bin/certbot-auto renew --debug --post-hook "/sbin/service httpd reload"
(略)
Updated:
  python27-devel.x86_64 0:2.7.16-1.127.amzn1
  python27-tools.x86_64 0:2.7.16-1.127.amzn1

Dependency Updated:
  python27.x86_64 0:2.7.16-1.127.amzn1
  python27-libs.x86_64 0:2.7.16-1.127.amzn1

(略)

Creating virtual environment...
Traceback (most recent call last):
  File "/usr/bin/virtualenv", line 6, in <module>
    from pkg_resources import load_entry_point
  File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 3049, in <module>
    @_call_aside
  File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 3033, in _call_aside
    f(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 3062, in _initialize_master_working_set
    working_set = WorkingSet._build_master()
  File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 660, in _build_master
    return cls._build_from_requirements(__requires__)
  File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 673, in _build_from_requirements
    dists = ws.resolve(reqs, Environment())
  File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 858, in resolve
    raise DistributionNotFound(req, requirers)
pkg_resources.DistributionNotFound: The 'virtualenv==15.1.0' distribution was not found and is required by the application
Traceback (most recent call last):
  File "<stdin>", line 27, in <module>
  File "<stdin>", line 19, in create_venv
  File "/usr/lib64/python2.7/subprocess.py", line 190, in check_call
    raise CalledProcessError(retcode, cmd)
subprocess.CalledProcessError: Command '['virtualenv', '--no-site-packages', '--python', '/usr/bin/python2.7', '/opt/eff.org/certbot/venv']' returned non-zero exit status 1
■参考

https://serverfault.com/questions/912973/lets-encrypt-error-with-amazon-linux-with-virtualenv
virtualenvの再インストールで解決する模様

pip uninstall virtualenv
→以下のエラー
pkg_resources.DistributionNotFound: The 'pip==9.0.3' distribution was not found and is required by the application

# pipインストール
easy_install pip==9.0.3

# 再実行
pip uninstall virtualenv
pip install virtualenv


# 再テスト
/usr/bin/certbot-auto renew --debug --post-hook "/sbin/service httpd reload"