I tried installing Let's Encrypt on CentOS 6. It has become far easier than it used to be, so here is a summary.
First, the installer uses the EPEL repository, so make that available.
[root@www ~]# yum install epel-release
Next, fetch certbot and run it to set up Let's Encrypt.
[root@www ~]# mkdir /root/letsencrypt
[root@www ~]# cd /root/letsencrypt/
[root@www letsencrypt]# wget https://dl.eff.org/certbot-auto
--2017-02-22 09:40:32--  https://dl.eff.org/certbot-auto
Resolving dl.eff.org... 173.239.79.196
Connecting to dl.eff.org|173.239.79.196|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 46789 (46K) [application/octet-stream]
Saving to: “certbot-auto”

100%[=============================================================================================================>] 46,789      --.-K/s   in 0.1s

2017-02-22 09:40:33 (393 KB/s) - “certbot-auto” saved [46789/46789]

[root@www letsencrypt]# chmod a+x certbot-auto
[root@www letsencrypt]# ./certbot-auto
yum then installs the required dependencies.
Bootstrapping dependencies for RedHat-based OSes...
yum is /usr/bin/yum
Complete!
Creating virtual environment...
Installing Python packages...
Installation succeeded.
/root/.local/share/letsencrypt/lib/python2.6/site-packages/cryptography/__init__.py:26: DeprecationWarning: Python 2.6 is no longer supported by the Python core team, please upgrade your Python. A future version of cryptography will drop support for Python 2.6
  DeprecationWarning
Saving debug log to /var/log/letsencrypt/letsencrypt.log
You are asked for the domain name to use with SSL; enter it (prjapan-service.com in this case).
No names were found in your configuration files.
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c' to cancel):prjapan-service.com
Next, enter the email address that will receive renewal and security notices.
Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel):admin@prjapan-service.com
You are asked to accept the Terms of Service; enter a for Agree.
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf. You must agree
in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
(A)gree/(C)ancel: a
You are also asked to consent to sharing your email address; enter y for Yes.
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
(Y)es/(N)o: y
Select the file into which the SSL configuration is written (choose 1).
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for prjapan-service.com
We were unable to find a vhost with a ServerName or Address of prjapan-service.com.
Which virtual host would you like to choose?
(note: conf files with multiple vhosts are not yet supported)
1: ssl.conf                       |                       | HTTPS | Enabled
Press 1 [enter] to confirm the selection (press 'c' to cancel): 1
Select the file for the SSL configuration once more (choose 1 again).
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem
We were unable to find a vhost with a ServerName or Address of prjapan-service.com.
Which virtual host would you like to choose?
(note: conf files with multiple vhosts are not yet supported)
1: ssl.conf                       |                       | HTTPS | Enabled
Press 1 [enter] to confirm the selection (press 'c' to cancel): 1
After a short wait the configuration has been written to ssl.conf, and you are asked whether to restrict access to the server to HTTPS only. This time I wanted HTTP access to keep working as well, so I chose 1.
Deploying Certificate to VirtualHost /etc/httpd/conf.d/ssl.conf

Please choose whether HTTPS access is required or optional.
1: Easy - Allow both HTTP and HTTPS access to these sites
2: Secure - Make all requests redirect to secure HTTPS access
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
The following message appears and the SSL setup is complete.
Congratulations! You have successfully enabled https://prjapan-service.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=prjapan-service.com

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/prjapan-service.com/fullchain.pem. Your cert will
   expire on 2017-05-22. To obtain a new or tweaked version of this
   certificate in the future, simply run certbot-auto again with the
   "certonly" option. To non-interactively renew *all* of your
   certificates, run "certbot-auto renew"
 - If you lose your account credentials, you can recover through
   e-mails sent to admin@prjapan-service.com.
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

[root@www letsencrypt]#
All that remains is to restart httpd, and you are done. So easy!
[root@www]# service httpd start
Note that Let's Encrypt certificates are valid for only 90 days, so put a command like the following in cron to renew the certificate periodically.
/root/letsencrypt/certbot-auto renew && service httpd reload
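As an added example (not part of the original post), a cron wrapper that refines the one-liner above: it checks the expiry of every deployed chain with openssl, calls certbot-auto renew only when a certificate is within 30 days of expiring, and reloads httpd through certbot's --post-hook so the reload happens only after a successful renewal rather than on every run. It assumes the paths used in the post (/root/letsencrypt/certbot-auto and /etc/letsencrypt/live/) and the openssl CLI; the script name renew.sh is hypothetical.

```shell
#!/bin/sh
# Cron-friendly renewal wrapper (added example, not from the original post).
# Assumes the paths used in the post: certbot-auto in /root/letsencrypt and the
# live certificates under /etc/letsencrypt/live/<domain>/; needs the openssl CLI.
# Example crontab entry (runs daily; certbot only renews when a cert is due):
#   0 3 * * * /bin/sh /root/letsencrypt/renew.sh --run
CERTBOT=/root/letsencrypt/certbot-auto
LIVE_DIR=/etc/letsencrypt/live
MIN_DAYS=30   # Let's Encrypt certs last 90 days; renew once 30 or fewer remain

# cert_expires_within FILE DAYS: succeeds (exit 0) when the certificate in FILE
# expires within DAYS days. openssl -checkend exits 0 only if it is still valid then.
cert_expires_within() {
    _secs=$(( $2 * 86400 ))
    if openssl x509 -in "$1" -noout -checkend "$_secs" >/dev/null 2>&1; then
        return 1    # still valid DAYS from now: no renewal needed
    fi
    return 0        # expires (or is unreadable) within DAYS days: treat as due
}

# cert_cn FILE: prints the subject CN so the log line names which cert is due.
# The sed handles both "subject= /CN=x" and "subject=CN = x" output formats.
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# renew_all: inspect every deployed chain; run certbot-auto renew only if one is
# due, and reload httpd only after a successful renewal via --post-hook.
renew_all() {
    needed=0
    for pem in "$LIVE_DIR"/*/fullchain.pem; do
        [ -f "$pem" ] || continue
        if cert_expires_within "$pem" "$MIN_DAYS"; then
            echo "$(cert_cn "$pem") expires within $MIN_DAYS days, renewing"
            needed=1
        fi
    done
    [ "$needed" -eq 1 ] || return 0
    [ -x "$CERTBOT" ] || { echo "certbot-auto not found at $CERTBOT" >&2; return 1; }
    "$CERTBOT" renew --quiet --post-hook "service httpd reload"
}

if [ "${1:-}" = "--run" ]; then
    renew_all
fi
```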