Installing certbot for Apache on CentOS 8
When installing a Let's Encrypt SSL server certificate, you can basically follow the steps on the official certbot page https://certbot.eff.org/lets-encrypt/centosrhel8-apache
as written, but there are a few things it does not mention, so the following is provided for reference.
■Summary of the steps
(1) Install python3
# dnf install python3
(2) Install python3-mock
# dnf --enablerepo=PowerTools install python3-mock
(3) Enable the EPEL repository
# yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
(4) Install certbot
# dnf install certbot python3-certbot-apache
(5) mod_ssl has now been installed, so restart Apache
# systemctl restart httpd.service
(6) Run certbot and install the server certificate
# certbot --apache
(7) Register the certificate renewal command in crontab (automating certificate renewal)
# echo "0 0,12 * * * root python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew -q" | sudo tee -a /etc/crontab > /dev/null
(1) Install python3
# dnf install python3
Last metadata expiration check: 0:08:08 ago on Fri 22 May 2020 11:25:30 AM JST.
Dependencies resolved.
================================================================================
Package Arch Version Repo Size
================================================================================
Installing:
python36 x86_64 3.6.8-2.module_el8.1.0+245+c39af44f AppStream 19 k
Installing dependencies:
python3-pip noarch 9.0.3-15.el8 AppStream 19 k
python3-setuptools noarch 39.2.0-5.el8 BaseOS 162 k
Enabling module streams:
python36 3.6
Transaction Summary
================================================================================
Install 3 Packages
Total download size: 201 k
Installed size: 466 k
Is this ok [y/N]: y
Downloading Packages:
(1/3): python3-pip-9.0.3-15.el8.noarch.rpm 210 kB/s | 19 kB 00:00
(2/3): python36-3.6.8-2.module_el8.1.0+245+c39a 200 kB/s | 19 kB 00:00
(3/3): python3-setuptools-39.2.0-5.el8.noarch.r 792 kB/s | 162 kB 00:00
--------------------------------------------------------------------------------
Total 179 kB/s | 201 kB 00:01
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Installing : python3-setuptools-39.2.0-5.el8.noarch 1/3
Installing : python36-3.6.8-2.module_el8.1.0+245+c39af44f.x86_64 2/3
Running scriptlet: python36-3.6.8-2.module_el8.1.0+245+c39af44f.x86_64 2/3
Installing : python3-pip-9.0.3-15.el8.noarch 3/3
Running scriptlet: python3-pip-9.0.3-15.el8.noarch 3/3
Verifying : python3-pip-9.0.3-15.el8.noarch 1/3
Verifying : python36-3.6.8-2.module_el8.1.0+245+c39af44f.x86_64 2/3
Verifying : python3-setuptools-39.2.0-5.el8.noarch 3/3
Installed:
python36-3.6.8-2.module_el8.1.0+245+c39af44f.x86_64
python3-pip-9.0.3-15.el8.noarch
python3-setuptools-39.2.0-5.el8.noarch
Complete!
(2) Install python3-mock
# dnf --enablerepo=PowerTools install python3-mock
CentOS-8 - PowerTools 2.4 MB/s | 2.0 MB 00:00
Dependencies resolved.
================================================================================
Package Architecture Version Repository Size
================================================================================
Installing:
python3-mock noarch 2.0.0-11.el8 PowerTools 59 k
Transaction Summary
================================================================================
Install 1 Package
Total download size: 59 k
Installed size: 160 k
Is this ok [y/N]: y
Downloading Packages:
python3-mock-2.0.0-11.el8.noarch.rpm 371 kB/s | 59 kB 00:00
--------------------------------------------------------------------------------
Total 48 kB/s | 59 kB 00:01
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Installing : python3-mock-2.0.0-11.el8.noarch 1/1
Running scriptlet: python3-mock-2.0.0-11.el8.noarch 1/1
Verifying : python3-mock-2.0.0-11.el8.noarch 1/1
Installed:
python3-mock-2.0.0-11.el8.noarch
Complete!
(3) Enable the EPEL repository
# yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
CentOS-8 - AppStream 6.2 kB/s | 4.3 kB 00:00
CentOS-8 - Base 3.9 kB/s | 3.9 kB 00:00
CentOS-8 - Extras 862 B/s | 1.5 kB 00:01
epel-release-latest-8.noarch.rpm 20 kB/s | 22 kB 00:01
Dependencies resolved.
================================================================================
Package Architecture Version Repository Size
================================================================================
Installing:
epel-release noarch 8-8.el8 @commandline 22 k
Transaction Summary
================================================================================
Install 1 Package
Total size: 22 k
Installed size: 32 k
Is this ok [y/N]: y
Downloading Packages:
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Installing : epel-release-8-8.el8.noarch 1/1
Running scriptlet: epel-release-8-8.el8.noarch 1/1
Verifying : epel-release-8-8.el8.noarch 1/1
Installed:
epel-release-8-8.el8.noarch
Complete!
(4) Install certbot
# dnf install certbot python3-certbot-apache
Last metadata expiration check: 0:11:44 ago on Fri 22 May 2020 11:25:30 AM JST.
Dependencies resolved.
================================================================================
Package Arch Version Repo Size
================================================================================
Installing:
certbot noarch 1.3.0-3.el8 epel 46 k
python3-certbot-apache noarch 1.3.0-1.el8 epel 140 k
Installing dependencies:
mod_ssl x86_64 1:2.4.37-16.module_el8.1.0+256+ae790463
AppStream 131 k
python3-augeas noarch 0.5.0-12.el8 AppStream 31 k
python3-distro noarch 1.4.0-2.module_el8.1.0+245+c39af44f
AppStream 37 k
python3-pyasn1 noarch 0.3.7-6.el8 AppStream 126 k
python3-pytz noarch 2017.2-9.el8 AppStream 54 k
sscg x86_64 2.3.3-6.el8 AppStream 43 k
augeas-libs x86_64 1.12.0-2.el8_1.1 BaseOS 437 k
python3-chardet noarch 3.0.4-7.el8 BaseOS 195 k
python3-pysocks noarch 1.6.8-3.el8 BaseOS 34 k
python3-requests noarch 2.20.0-2.1.el8_1 BaseOS 123 k
python3-urllib3 noarch 1.24.2-2.el8 BaseOS 176 k
python3-acme noarch 1.3.0-1.el8 epel 80 k
python3-certbot noarch 1.3.0-3.el8 epel 367 k
python3-configargparse noarch 0.14.0-5.el8 epel 36 k
python3-josepy noarch 1.2.0-5.el8 epel 95 k
python3-ndg_httpsclient noarch 0.5.1-4.el8 epel 53 k
python3-parsedatetime noarch 2.5-1.el8 epel 79 k
python3-pyrfc3339 noarch 1.1-1.el8 epel 19 k
python3-requests-toolbelt noarch 0.9.1-4.el8 epel 91 k
python3-zope-component noarch 4.3.0-8.el8 epel 313 k
python3-zope-event noarch 4.2.0-12.el8 epel 210 k
python3-zope-interface x86_64 4.6.0-1.el8 epel 158 k
Installing weak dependencies:
python-josepy-doc noarch 1.2.0-5.el8 epel 21 k
Transaction Summary
================================================================================
Install 25 Packages
Total download size: 3.0 M
Installed size: 11 M
Is this ok [y/N]: y
Downloading Packages:
(1/25): python3-augeas-0.5.0-12.el8.noarch.rpm 325 kB/s | 31 kB 00:00
(2/25): python3-distro-1.4.0-2.module_el8.1.0+2 302 kB/s | 37 kB 00:00
(3/25): mod_ssl-2.4.37-16.module_el8.1.0+256+ae 792 kB/s | 131 kB 00:00
(4/25): python3-pytz-2017.2-9.el8.noarch.rpm 997 kB/s | 54 kB 00:00
(5/25): sscg-2.3.3-6.el8.x86_64.rpm 1.5 MB/s | 43 kB 00:00
(6/25): python3-pyasn1-0.3.7-6.el8.noarch.rpm 1.2 MB/s | 126 kB 00:00
(7/25): python3-pysocks-1.6.8-3.el8.noarch.rpm 1.1 MB/s | 34 kB 00:00
(8/25): python3-chardet-3.0.4-7.el8.noarch.rpm 3.0 MB/s | 195 kB 00:00
(9/25): python3-requests-2.20.0-2.1.el8_1.noarc 2.2 MB/s | 123 kB 00:00
(10/25): python3-urllib3-1.24.2-2.el8.noarch.rp 3.4 MB/s | 176 kB 00:00
(11/25): augeas-libs-1.12.0-2.el8_1.1.x86_64.rp 2.6 MB/s | 437 kB 00:00
(12/25): certbot-1.3.0-3.el8.noarch.rpm 295 kB/s | 46 kB 00:00
(13/25): python-josepy-doc-1.2.0-5.el8.noarch.r 145 kB/s | 21 kB 00:00
(14/25): python3-acme-1.3.0-1.el8.noarch.rpm 538 kB/s | 80 kB 00:00
(15/25): python3-configargparse-0.14.0-5.el8.no 945 kB/s | 36 kB 00:00
(16/25): python3-certbot-apache-1.3.0-1.el8.noa 1.5 MB/s | 140 kB 00:00
(17/25): python3-certbot-1.3.0-3.el8.noarch.rpm 3.1 MB/s | 367 kB 00:00
(18/25): python3-ndg_httpsclient-0.5.1-4.el8.no 1.6 MB/s | 53 kB 00:00
(19/25): python3-josepy-1.2.0-5.el8.noarch.rpm 1.8 MB/s | 95 kB 00:00
(20/25): python3-parsedatetime-2.5-1.el8.noarch 1.6 MB/s | 79 kB 00:00
(21/25): python3-pyrfc3339-1.1-1.el8.noarch.rpm 557 kB/s | 19 kB 00:00
(22/25): python3-requests-toolbelt-0.9.1-4.el8. 1.3 MB/s | 91 kB 00:00
(23/25): python3-zope-event-4.2.0-12.el8.noarch 2.0 MB/s | 210 kB 00:00
(24/25): python3-zope-component-4.3.0-8.el8.noa 2.7 MB/s | 313 kB 00:00
(25/25): python3-zope-interface-4.6.0-1.el8.x86 2.3 MB/s | 158 kB 00:00
--------------------------------------------------------------------------------
Total 1.3 MB/s | 3.0 MB 00:02
warning: /var/cache/dnf/epel-6519ee669354a484/packages/certbot-1.3.0-3.el8.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID 2f86d6a1: NOKEY
Extra Packages for Enterprise Linux 8 - x86_64 1.6 MB/s | 1.6 kB 00:00
Importing GPG key 0x2F86D6A1:
Userid : "Fedora EPEL (8) <epel@fedoraproject.org>"
Fingerprint: 94E2 79EB 8D8F 25B2 1810 ADF1 21EA 45AB 2F86 D6A1
From : /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8
Is this ok [y/N]: y
Key imported successfully
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Installing : python3-zope-event-4.2.0-12.el8.noarch 1/25
Installing : python3-zope-interface-4.6.0-1.el8.x86_64 2/25
Installing : python3-zope-component-4.3.0-8.el8.noarch 3/25
Installing : python3-pyrfc3339-1.1-1.el8.noarch 4/25
Installing : python3-pytz-2017.2-9.el8.noarch 5/25
Installing : python3-parsedatetime-2.5-1.el8.noarch 6/25
Installing : python3-ndg_httpsclient-0.5.1-4.el8.noarch 7/25
Installing : python3-configargparse-0.14.0-5.el8.noarch 8/25
Installing : python-josepy-doc-1.2.0-5.el8.noarch 9/25
Installing : python3-josepy-1.2.0-5.el8.noarch 10/25
Installing : python3-pysocks-1.6.8-3.el8.noarch 11/25
Installing : python3-urllib3-1.24.2-2.el8.noarch 12/25
Installing : python3-chardet-3.0.4-7.el8.noarch 13/25
Installing : python3-requests-2.20.0-2.1.el8_1.noarch 14/25
Installing : python3-requests-toolbelt-0.9.1-4.el8.noarch 15/25
Installing : augeas-libs-1.12.0-2.el8_1.1.x86_64 16/25
Running scriptlet: augeas-libs-1.12.0-2.el8_1.1.x86_64 16/25
Installing : python3-augeas-0.5.0-12.el8.noarch 17/25
Installing : sscg-2.3.3-6.el8.x86_64 18/25
Installing : mod_ssl-1:2.4.37-16.module_el8.1.0+256+ae790463.x8 19/25
Installing : python3-pyasn1-0.3.7-6.el8.noarch 20/25
Installing : python3-acme-1.3.0-1.el8.noarch 21/25
Installing : python3-distro-1.4.0-2.module_el8.1.0+245+c39af44f 22/25
Installing : python3-certbot-1.3.0-3.el8.noarch 23/25
Installing : certbot-1.3.0-3.el8.noarch 24/25
Running scriptlet: certbot-1.3.0-3.el8.noarch 24/25
Installing : python3-certbot-apache-1.3.0-1.el8.noarch 25/25
Running scriptlet: python3-certbot-apache-1.3.0-1.el8.noarch 25/25
Verifying : mod_ssl-1:2.4.37-16.module_el8.1.0+256+ae790463.x8 1/25
Verifying : python3-augeas-0.5.0-12.el8.noarch 2/25
Verifying : python3-distro-1.4.0-2.module_el8.1.0+245+c39af44f 3/25
Verifying : python3-pyasn1-0.3.7-6.el8.noarch 4/25
Verifying : python3-pytz-2017.2-9.el8.noarch 5/25
Verifying : sscg-2.3.3-6.el8.x86_64 6/25
Verifying : augeas-libs-1.12.0-2.el8_1.1.x86_64 7/25
Verifying : python3-chardet-3.0.4-7.el8.noarch 8/25
Verifying : python3-pysocks-1.6.8-3.el8.noarch 9/25
Verifying : python3-requests-2.20.0-2.1.el8_1.noarch 10/25
Verifying : python3-urllib3-1.24.2-2.el8.noarch 11/25
Verifying : certbot-1.3.0-3.el8.noarch 12/25
Verifying : python-josepy-doc-1.2.0-5.el8.noarch 13/25
Verifying : python3-acme-1.3.0-1.el8.noarch 14/25
Verifying : python3-certbot-1.3.0-3.el8.noarch 15/25
Verifying : python3-certbot-apache-1.3.0-1.el8.noarch 16/25
Verifying : python3-configargparse-0.14.0-5.el8.noarch 17/25
Verifying : python3-josepy-1.2.0-5.el8.noarch 18/25
Verifying : python3-ndg_httpsclient-0.5.1-4.el8.noarch 19/25
Verifying : python3-parsedatetime-2.5-1.el8.noarch 20/25
Verifying : python3-pyrfc3339-1.1-1.el8.noarch 21/25
Verifying : python3-requests-toolbelt-0.9.1-4.el8.noarch 22/25
Verifying : python3-zope-component-4.3.0-8.el8.noarch 23/25
Verifying : python3-zope-event-4.2.0-12.el8.noarch 24/25
Verifying : python3-zope-interface-4.6.0-1.el8.x86_64 25/25
Installed:
certbot-1.3.0-3.el8.noarch
python3-certbot-apache-1.3.0-1.el8.noarch
python-josepy-doc-1.2.0-5.el8.noarch
mod_ssl-1:2.4.37-16.module_el8.1.0+256+ae790463.x86_64
python3-augeas-0.5.0-12.el8.noarch
python3-distro-1.4.0-2.module_el8.1.0+245+c39af44f.noarch
python3-pyasn1-0.3.7-6.el8.noarch
python3-pytz-2017.2-9.el8.noarch
sscg-2.3.3-6.el8.x86_64
augeas-libs-1.12.0-2.el8_1.1.x86_64
python3-chardet-3.0.4-7.el8.noarch
python3-pysocks-1.6.8-3.el8.noarch
python3-requests-2.20.0-2.1.el8_1.noarch
python3-urllib3-1.24.2-2.el8.noarch
python3-acme-1.3.0-1.el8.noarch
python3-certbot-1.3.0-3.el8.noarch
python3-configargparse-0.14.0-5.el8.noarch
python3-josepy-1.2.0-5.el8.noarch
python3-ndg_httpsclient-0.5.1-4.el8.noarch
python3-parsedatetime-2.5-1.el8.noarch
python3-pyrfc3339-1.1-1.el8.noarch
python3-requests-toolbelt-0.9.1-4.el8.noarch
python3-zope-component-4.3.0-8.el8.noarch
python3-zope-event-4.2.0-12.el8.noarch
python3-zope-interface-4.6.0-1.el8.x86_64
Complete!
(5) mod_ssl has now been installed, so restart Apache
# systemctl restart httpd.service
# systemctl status httpd.service
● httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor pres>
Drop-In: /usr/lib/systemd/system/httpd.service.d
└─php-fpm.conf
Active: active (running) since Fri 2020-05-22 11:44:50 JST; 11s ago
Docs: man:httpd.service(8)
Main PID: 30292 (httpd)
Status: "Running, listening on: port 443, port 80"
Tasks: 213 (limit: 6089)
Memory: 27.8M
CGroup: /system.slice/httpd.service
├─30292 /usr/sbin/httpd -DFOREGROUND
├─30294 /usr/sbin/httpd -DFOREGROUND
├─30295 /usr/sbin/httpd -DFOREGROUND
├─30296 /usr/sbin/httpd -DFOREGROUND
└─30297 /usr/sbin/httpd -DFOREGROUND
May 22 11:44:50 pf01 systemd[1]: Starting The Apache HTTP Server...
May 22 11:44:50 pf01 systemd[1]: Started The Apache HTTP Server.
May 22 11:44:50 pf01 httpd[30292]: Server configured, listening on: port 443, p>
(6) Run certbot and install the server certificate
# certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): my@mail.address
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: e-platform.org
2: pf.learning-square.jp
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for e-platform.org
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/httpd/conf.d/e-platform-le-ssl.conf
Deploying Certificate to VirtualHost /etc/httpd/conf.d/e-platform-le-ssl.conf
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting vhost in /etc/httpd/conf.d/e-platform.conf to ssl vhost in /etc/httpd/conf.d/e-platform-le-ssl.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://e-platform.org
You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=e-platform.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/e-platform.org/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/e-platform.org/privkey.pem
Your cert will expire on 2020-08-20. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
(7) Register the certificate renewal command in crontab (automating certificate renewal)
# echo "0 0,12 * * * root python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew -q" | sudo tee -a /etc/crontab > /dev/null
# less /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
# For details see man 4 crontabs
# Example of job definition:
# .---------------- minute (0 - 59)
# | .------------- hour (0 - 23)
# | | .---------- day of month (1 - 31)
# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# | | | | |
# * * * * * user-name command to be executed
*/1 * * * * root /usr/bin/php /var/www/html/moodle_pf/admin/cli/cron.php > /dev/null
0 0,12 * * * root python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew -q
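The crontab entry above only runs `certbot renew -q` after the `python -c` sleep succeeds, so a renewal that silently stops working is easy to miss. The following is an added example (not code from the original post or from certbot) with three small shell helpers you can use from a monitoring script or a cron wrapper: one that reports a certificate's notAfter date, one that decides whether renewal is due (using the same 30-day window `certbot renew` applies by default), and one that produces the same kind of random start delay without depending on an unversioned `python` binary. It assumes `openssl` is installed (it is on CentOS 8); the certificate path in the usage comment is the one certbot created in the post and is a placeholder for your own domain.

```shell
#!/bin/sh
# Added example: renewal-monitoring helpers for a Let's Encrypt certificate.
# Not part of the original post; assumes openssl is on PATH.

# Print the notAfter date of the PEM certificate in $1, e.g. "Aug 20 12:00:00 2020 GMT".
cert_not_after() {
    openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'
}

# Exit 0 ("renewal due") when the certificate in $1 will have expired within $2 days.
# openssl's -checkend N exits 0 while the certificate is still valid N seconds from
# now and 1 once it would have expired, so the result is inverted here.
renewal_due() {
    seconds=$(( $2 * 86400 ))
    if openssl x509 -noout -checkend "$seconds" -in "$1" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Random delay in seconds in [0, 3600): the jitter the crontab line gets from
# "python -c 'time.sleep(random.random() * 3600)'", computed with awk so the
# wrapper still works on a host where only /usr/bin/python3 exists.
random_delay_seconds() {
    awk 'BEGIN { srand(); print int(rand() * 3600) }'
}

# Usage (placeholder domain; adjust the path to your own live/ directory):
# cert=/etc/letsencrypt/live/e-platform.org/fullchain.pem
# echo "expires: $(cert_not_after "$cert")"
# if renewal_due "$cert" 30; then
#     sleep "$(random_delay_seconds)" && certbot renew -q
# fi
```

On a fresh CentOS 8 install only `python3` exists in `/usr/bin`; the `python` name used by the crontab line is only available after it has been set up with `alternatives`, so a wrapper like the one above, or a quick `command -v python` check, is worth running once after adding the cron entry.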