Linux Primer: Installing an SSL Certificate

SSL is a mechanism for encrypting communications.
To encrypt a website's traffic, you need to install an SSL certificate.
Previously only some pages, such as the checkout form of a shopping site, used an SSL certificate, but since Google began recommending always-on SSL (HTTPS on every page), encrypting every page of a website with SSL has become standard practice.
This time we will make a website always-on SSL using Let's Encrypt, which provides SSL certificates free of charge.

What is Let's Encrypt?
It is a certificate authority that can be used free of charge. Using a program such as Certbot, SSL certificates can be installed automatically.
Typical paid SSL certificates are often valid for one year, but certificates obtained from Let's Encrypt are valid for 90 days.

Let's Encrypt – Free SSL/TLS Certificates
https://letsencrypt.org/ja/

What is Certbot?
It is a program for installing Let's Encrypt SSL certificates.

1. Install mod_ssl.

[root@wordpress chatora]# dnf install -y mod_ssl
Last metadata expiration check: 1:54:17 ago on Sun 15 Nov 2020 10:25:30 AM UTC.
Dependencies resolved.
================================================================================
 Package         Arch   Version                                 Repo       Size
================================================================================
Installing:
 mod_ssl         x86_64 1:2.4.37-21.module_el8.2.0+494+1df74eae AppStream 132 k
Upgrading:
 httpd           x86_64 2.4.37-21.module_el8.2.0+494+1df74eae   AppStream 1.7 M
 httpd-filesystem
                 noarch 2.4.37-21.module_el8.2.0+494+1df74eae   AppStream  36 k
 httpd-tools     x86_64 2.4.37-21.module_el8.2.0+494+1df74eae   AppStream 103 k
Installing dependencies:
 sscg            x86_64 2.3.3-14.el8                            AppStream  49 k

Transaction Summary
================================================================================
Install  2 Packages
Upgrade  3 Packages

Total download size: 2.0 M
Downloading Packages:
(1/5): sscg-2.3.3-14.el8.x86_64.rpm             138 kB/s |  49 kB     00:00
(2/5): httpd-filesystem-2.4.37-21.module_el8.2. 109 kB/s |  36 kB     00:00
(3/5): mod_ssl-2.4.37-21.module_el8.2.0+494+1df 192 kB/s | 132 kB     00:00
(4/5): httpd-tools-2.4.37-21.module_el8.2.0+494 184 kB/s | 103 kB     00:00
(5/5): httpd-2.4.37-21.module_el8.2.0+494+1df74 1.0 MB/s | 1.7 MB     00:01
--------------------------------------------------------------------------------
Total                                           1.0 MB/s | 2.0 MB     00:01
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1
  Running scriptlet: httpd-filesystem-2.4.37-21.module_el8.2.0+494+1df74e   1/1
  Running scriptlet: httpd-filesystem-2.4.37-21.module_el8.2.0+494+1df74e   1/8
  Upgrading        : httpd-filesystem-2.4.37-21.module_el8.2.0+494+1df74e   1/8
  Upgrading        : httpd-tools-2.4.37-21.module_el8.2.0+494+1df74eae.x8   2/8
  Upgrading        : httpd-2.4.37-21.module_el8.2.0+494+1df74eae.x86_64     3/8
  Running scriptlet: httpd-2.4.37-21.module_el8.2.0+494+1df74eae.x86_64     3/8
  Installing       : sscg-2.3.3-14.el8.x86_64                               4/8
  Installing       : mod_ssl-1:2.4.37-21.module_el8.2.0+494+1df74eae.x86_   5/8
  Running scriptlet: httpd-2.4.37-21.module_el8.2.0+382+15b0afa8.x86_64     6/8
  Cleanup          : httpd-2.4.37-21.module_el8.2.0+382+15b0afa8.x86_64     6/8
  Running scriptlet: httpd-2.4.37-21.module_el8.2.0+382+15b0afa8.x86_64     6/8
  Cleanup          : httpd-filesystem-2.4.37-21.module_el8.2.0+382+15b0af   7/8
  Cleanup          : httpd-tools-2.4.37-21.module_el8.2.0+382+15b0afa8.x8   8/8
  Running scriptlet: httpd-2.4.37-21.module_el8.2.0+494+1df74eae.x86_64     8/8
  Running scriptlet: httpd-tools-2.4.37-21.module_el8.2.0+382+15b0afa8.x8   8/8
  Verifying        : mod_ssl-1:2.4.37-21.module_el8.2.0+494+1df74eae.x86_   1/8
  Verifying        : sscg-2.3.3-14.el8.x86_64                               2/8
  Verifying        : httpd-2.4.37-21.module_el8.2.0+494+1df74eae.x86_64     3/8
  Verifying        : httpd-2.4.37-21.module_el8.2.0+382+15b0afa8.x86_64     4/8
  Verifying        : httpd-filesystem-2.4.37-21.module_el8.2.0+494+1df74e   5/8
  Verifying        : httpd-filesystem-2.4.37-21.module_el8.2.0+382+15b0af   6/8
  Verifying        : httpd-tools-2.4.37-21.module_el8.2.0+494+1df74eae.x8   7/8
  Verifying        : httpd-tools-2.4.37-21.module_el8.2.0+382+15b0afa8.x8   8/8

Upgraded:
  httpd-2.4.37-21.module_el8.2.0+494+1df74eae.x86_64
  httpd-filesystem-2.4.37-21.module_el8.2.0+494+1df74eae.noarch
  httpd-tools-2.4.37-21.module_el8.2.0+494+1df74eae.x86_64

Installed:
  mod_ssl-1:2.4.37-21.module_el8.2.0+494+1df74eae.x86_64
  sscg-2.3.3-14.el8.x86_64

Complete!

2. Install the EPEL repository.

[root@wordpress chatora]# dnf install -y epel-release
Last metadata expiration check: 1:59:38 ago on Sun 15 Nov 2020 10:25:30 AM UTC.
Dependencies resolved.
================================================================================
 Package               Architecture    Version            Repository       Size
================================================================================
Installing:
 epel-release          noarch          8-8.el8            extras           23 k

Transaction Summary
================================================================================
Install  1 Package

Total download size: 23 k
Installed size: 32 k
Downloading Packages:
epel-release-8-8.el8.noarch.rpm                 295 kB/s |  23 kB     00:00
--------------------------------------------------------------------------------
Total                                           6.2 kB/s |  23 kB     00:03
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1
  Installing       : epel-release-8-8.el8.noarch                            1/1
  Running scriptlet: epel-release-8-8.el8.noarch                            1/1
  Verifying        : epel-release-8-8.el8.noarch                            1/1

Installed:
  epel-release-8-8.el8.noarch

Complete!

3. Install Certbot.

[root@wordpress chatora]# dnf install -y certbot python3-certbot-apache
Last metadata expiration check: 0:00:23 ago on Sun 15 Nov 2020 12:26:34 PM UTC.
Dependencies resolved.
================================================================================
 Package                   Arch   Version                       Repo       Size
================================================================================
Installing:
 certbot                   noarch 1.9.0-1.el8                   epel       48 k
 python3-certbot-apache    noarch 1.9.0-1.el8                   epel      143 k
Installing dependencies:
 augeas-libs               x86_64 1.12.0-5.el8                  BaseOS    436 k
 python3-acme              noarch 1.9.0-1.el8                   epel       88 k
 python3-augeas            noarch 0.5.0-12.el8                  AppStream  31 k
 python3-certbot           noarch 1.9.0-1.el8                   epel      382 k
 python3-chardet           noarch 3.0.4-7.el8                   BaseOS    195 k
 python3-configargparse    noarch 0.14.0-6.el8                  epel       36 k
 python3-distro            noarch 1.4.0-2.module_el8.1.0+245+c39af44f
                                                                AppStream  37 k
 python3-josepy            noarch 1.2.0-5.el8                   epel       95 k
 python3-ndg_httpsclient   noarch 0.5.1-4.el8                   epel       53 k
 python3-parsedatetime     noarch 2.5-1.el8                     epel       79 k
 python3-pyasn1            noarch 0.3.7-6.el8                   AppStream 126 k
 python3-pyrfc3339         noarch 1.1-1.el8                     epel       19 k
 python3-pysocks           noarch 1.6.8-3.el8                   BaseOS     34 k
 python3-pytz              noarch 2017.2-9.el8                  AppStream  54 k
 python3-requests          noarch 2.20.0-2.1.el8_1              BaseOS    123 k
 python3-requests-toolbelt noarch 0.9.1-4.el8                   epel       91 k
 python3-urllib3           noarch 1.24.2-4.el8                  BaseOS    176 k
 python3-zope-component    noarch 4.3.0-8.el8                   epel      313 k
 python3-zope-event        noarch 4.2.0-12.el8                  epel      210 k
 python3-zope-interface    x86_64 4.6.0-1.el8                   epel      158 k
Installing weak dependencies:
 python-josepy-doc         noarch 1.2.0-5.el8                   epel       21 k

Transaction Summary
================================================================================
Install  23 Packages

Total download size: 2.9 M
Installed size: 11 M
Downloading Packages:
(1/23): python3-augeas-0.5.0-12.el8.noarch.rpm  111 kB/s |  31 kB     00:00
(2/23): python3-distro-1.4.0-2.module_el8.1.0+2 106 kB/s |  37 kB     00:00
(3/23): python3-pyasn1-0.3.7-6.el8.noarch.rpm   207 kB/s | 126 kB     00:00
(4/23): augeas-libs-1.12.0-5.el8.x86_64.rpm     1.3 MB/s | 436 kB     00:00
(5/23): python3-pytz-2017.2-9.el8.noarch.rpm    133 kB/s |  54 kB     00:00
(6/23): python3-pysocks-1.6.8-3.el8.noarch.rpm  775 kB/s |  34 kB     00:00
(7/23): python3-urllib3-1.24.2-4.el8.noarch.rpm 3.8 MB/s | 176 kB     00:00
(8/23): python3-chardet-3.0.4-7.el8.noarch.rpm  939 kB/s | 195 kB     00:00
(9/23): python3-requests-2.20.0-2.1.el8_1.noarc 594 kB/s | 123 kB     00:00
(10/23): python-josepy-doc-1.2.0-5.el8.noarch.r 121 kB/s |  21 kB     00:00
(11/23): certbot-1.9.0-1.el8.noarch.rpm         204 kB/s |  48 kB     00:00
(12/23): python3-certbot-apache-1.9.0-1.el8.noa 1.2 MB/s | 143 kB     00:00
(13/23): python3-acme-1.9.0-1.el8.noarch.rpm    380 kB/s |  88 kB     00:00
(14/23): python3-configargparse-0.14.0-6.el8.no 634 kB/s |  36 kB     00:00
(15/23): python3-josepy-1.2.0-5.el8.noarch.rpm  1.6 MB/s |  95 kB     00:00
(16/23): python3-certbot-1.9.0-1.el8.noarch.rpm 1.6 MB/s | 382 kB     00:00
(17/23): python3-ndg_httpsclient-0.5.1-4.el8.no 934 kB/s |  53 kB     00:00
(18/23): python3-parsedatetime-2.5-1.el8.noarch 1.3 MB/s |  79 kB     00:00
(19/23): python3-pyrfc3339-1.1-1.el8.noarch.rpm 320 kB/s |  19 kB     00:00
(20/23): python3-requests-toolbelt-0.9.1-4.el8. 1.5 MB/s |  91 kB     00:00
(21/23): python3-zope-event-4.2.0-12.el8.noarch 3.6 MB/s | 210 kB     00:00
(22/23): python3-zope-interface-4.6.0-1.el8.x86 2.7 MB/s | 158 kB     00:00
(23/23): python3-zope-component-4.3.0-8.el8.noa 2.6 MB/s | 313 kB     00:00
--------------------------------------------------------------------------------
Total                                           1.5 MB/s | 2.9 MB     00:01
warning: /var/cache/dnf/epel-6519ee669354a484/packages/certbot-1.9.0-1.el8.noarch.rpm: Header V4 RSA/SHA256 Signature, key ID 2f86d6a1: NOKEY
Extra Packages for Enterprise Linux 8 - x86_64   89 kB/s | 1.6 kB     00:00
Importing GPG key 0x2F86D6A1:
 Userid     : "Fedora EPEL (8) <epel@fedoraproject.org>"
 Fingerprint: 94E2 79EB 8D8F 25B2 1810 ADF1 21EA 45AB 2F86 D6A1
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8
Key imported successfully
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1
  Installing       : python3-zope-event-4.2.0-12.el8.noarch                1/23
  Installing       : python3-zope-interface-4.6.0-1.el8.x86_64             2/23
  Installing       : python3-zope-component-4.3.0-8.el8.noarch             3/23
  Installing       : python3-pyrfc3339-1.1-1.el8.noarch                    4/23
  Installing       : python3-pytz-2017.2-9.el8.noarch                      5/23
  Installing       : python3-parsedatetime-2.5-1.el8.noarch                6/23
  Installing       : python3-ndg_httpsclient-0.5.1-4.el8.noarch            7/23
  Installing       : python3-configargparse-0.14.0-6.el8.noarch            8/23
  Installing       : python-josepy-doc-1.2.0-5.el8.noarch                  9/23
  Installing       : python3-josepy-1.2.0-5.el8.noarch                    10/23
  Installing       : python3-pysocks-1.6.8-3.el8.noarch                   11/23
  Installing       : python3-urllib3-1.24.2-4.el8.noarch                  12/23
  Installing       : python3-chardet-3.0.4-7.el8.noarch                   13/23
  Installing       : python3-requests-2.20.0-2.1.el8_1.noarch             14/23
  Installing       : python3-requests-toolbelt-0.9.1-4.el8.noarch         15/23
  Installing       : augeas-libs-1.12.0-5.el8.x86_64                      16/23
  Running scriptlet: augeas-libs-1.12.0-5.el8.x86_64                      16/23
  Installing       : python3-augeas-0.5.0-12.el8.noarch                   17/23
  Installing       : python3-pyasn1-0.3.7-6.el8.noarch                    18/23
  Installing       : python3-acme-1.9.0-1.el8.noarch                      19/23
  Installing       : python3-distro-1.4.0-2.module_el8.1.0+245+c39af44f   20/23
  Installing       : python3-certbot-1.9.0-1.el8.noarch                   21/23
  Installing       : certbot-1.9.0-1.el8.noarch                           22/23
  Running scriptlet: certbot-1.9.0-1.el8.noarch                           22/23
  Installing       : python3-certbot-apache-1.9.0-1.el8.noarch            23/23
  Running scriptlet: python3-certbot-apache-1.9.0-1.el8.noarch            23/23
  Verifying        : python3-augeas-0.5.0-12.el8.noarch                    1/23
  Verifying        : python3-distro-1.4.0-2.module_el8.1.0+245+c39af44f    2/23
  Verifying        : python3-pyasn1-0.3.7-6.el8.noarch                     3/23
  Verifying        : python3-pytz-2017.2-9.el8.noarch                      4/23
  Verifying        : augeas-libs-1.12.0-5.el8.x86_64                       5/23
  Verifying        : python3-chardet-3.0.4-7.el8.noarch                    6/23
  Verifying        : python3-pysocks-1.6.8-3.el8.noarch                    7/23
  Verifying        : python3-requests-2.20.0-2.1.el8_1.noarch              8/23
  Verifying        : python3-urllib3-1.24.2-4.el8.noarch                   9/23
  Verifying        : certbot-1.9.0-1.el8.noarch                           10/23
  Verifying        : python-josepy-doc-1.2.0-5.el8.noarch                 11/23
  Verifying        : python3-acme-1.9.0-1.el8.noarch                      12/23
  Verifying        : python3-certbot-1.9.0-1.el8.noarch                   13/23
  Verifying        : python3-certbot-apache-1.9.0-1.el8.noarch            14/23
  Verifying        : python3-configargparse-0.14.0-6.el8.noarch           15/23
  Verifying        : python3-josepy-1.2.0-5.el8.noarch                    16/23
  Verifying        : python3-ndg_httpsclient-0.5.1-4.el8.noarch           17/23
  Verifying        : python3-parsedatetime-2.5-1.el8.noarch               18/23
  Verifying        : python3-pyrfc3339-1.1-1.el8.noarch                   19/23
  Verifying        : python3-requests-toolbelt-0.9.1-4.el8.noarch         20/23
  Verifying        : python3-zope-component-4.3.0-8.el8.noarch            21/23
  Verifying        : python3-zope-event-4.2.0-12.el8.noarch               22/23
  Verifying        : python3-zope-interface-4.6.0-1.el8.x86_64            23/23

Installed:
  augeas-libs-1.12.0-5.el8.x86_64
  certbot-1.9.0-1.el8.noarch
  python-josepy-doc-1.2.0-5.el8.noarch
  python3-acme-1.9.0-1.el8.noarch
  python3-augeas-0.5.0-12.el8.noarch
  python3-certbot-1.9.0-1.el8.noarch
  python3-certbot-apache-1.9.0-1.el8.noarch
  python3-chardet-3.0.4-7.el8.noarch
  python3-configargparse-0.14.0-6.el8.noarch
  python3-distro-1.4.0-2.module_el8.1.0+245+c39af44f.noarch
  python3-josepy-1.2.0-5.el8.noarch
  python3-ndg_httpsclient-0.5.1-4.el8.noarch
  python3-parsedatetime-2.5-1.el8.noarch
  python3-pyasn1-0.3.7-6.el8.noarch
  python3-pyrfc3339-1.1-1.el8.noarch
  python3-pysocks-1.6.8-3.el8.noarch
  python3-pytz-2017.2-9.el8.noarch
  python3-requests-2.20.0-2.1.el8_1.noarch
  python3-requests-toolbelt-0.9.1-4.el8.noarch
  python3-urllib3-1.24.2-4.el8.noarch
  python3-zope-component-4.3.0-8.el8.noarch
  python3-zope-event-4.2.0-12.el8.noarch
  python3-zope-interface-4.6.0-1.el8.x86_64

Complete!

4. Obtain the certificate (webroot method).

[root@wordpress chatora]# certbot certonly --webroot -w /var/www/html/ -d linux.gakubu.net -m chatora@ciel.gakubu.net --agree-tos
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for linux.gakubu.net
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/linux.gakubu.net/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/linux.gakubu.net/privkey.pem
   Your cert will expire on 2021-02-13. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

5. Configure the obtained certificate in Apache.

[root@wordpress chatora]# vi /etc/httpd/conf.d/ssl.conf

#   Point SSLCertificateFile at a PEM encoded certificate.  If
#   the certificate is encrypted, then you will be prompted for a
#   pass phrase.  Note that restarting httpd will prompt again.  Keep
#   in mind that if you have both an RSA and a DSA certificate you
#   can configure both in parallel (to also allow the use of DSA
#   ciphers, etc.)
#   Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt)
#   require an ECC certificate which can also be configured in
#   parallel.
#SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateFile /etc/letsencrypt/live/linux.gakubu.net/fullchain.pem

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
#   ECC keys, when in use, can also be configured in parallel
#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
SSLCertificateKeyFile /etc/letsencrypt/live/linux.gakubu.net/privkey.pem

6. Restart Apache.

[root@wordpress chatora]# systemctl restart httpd

7. Access the website from a browser using https.

If the test page is displayed with a padlock icon in the address bar, the setup succeeded.
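Because the certificate obtained in step 4 is only valid for 90 days, it is worth being able to check how long is left. The following POSIX sh helper is an added example (not from the original article, nor part of Certbot): it extracts the expiry date from the note certbot printed and turns it into days remaining and a renewal verdict, using certbot's own rule of renewing when fewer than 30 days remain; the certbot output string and the "today" dates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original article): turn the expiry date that
# certbot printed in step 4 into "days remaining" and a renewal verdict.
# Pure POSIX sh arithmetic, so GNU date is not required.

# Days since 1970-01-01 for a civil date (Hinnant's days_from_civil,
# simplified for years after 0). Args: year month day (no leading zeros).
days_from_civil() {
    y=$1 m=$2 d=$3
    # Shift the year so that March is the first month of the year.
    if [ "$m" -le 2 ]; then y=$((y - 1)); mp=$((m + 9)); else mp=$((m - 3)); fi
    era=$((y / 400))
    yoe=$((y - era * 400))
    doy=$(( (153 * mp + 2) / 5 + d - 1 ))
    doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))
    echo $(( era * 146097 + doe - 719468 ))
}

# Same, for a YYYY-MM-DD string. Leading zeros are stripped so that "08"
# and "09" are not read as (invalid) octal by the shell.
days_since_epoch() {
    y=${1%%-*}; rest=${1#*-}; m=${rest%-*}; d=${rest#*-}
    days_from_civil "$y" "${m#0}" "${d#0}"
}

# Days from $2 (today) until $1 (expiry); negative means already expired.
days_remaining() {
    echo $(( $(days_since_epoch "$1") - $(days_since_epoch "$2") ))
}

# Pull the date out of certbot's "Your cert will expire on YYYY-MM-DD." line.
expiry_from_certbot_output() {
    sed -n 's/.*Your cert will expire on \([0-9-]*\)\..*/\1/p'
}

# Verdict: "ok", "renew" (certbot's threshold: under 30 days left) or "expired".
renewal_due() {
    left=$(days_remaining "$1" "$2")
    if [ "$left" -lt 0 ]; then echo expired
    elif [ "$left" -lt 30 ]; then echo renew
    else echo ok
    fi
}

# Constructed sample: the note certbot printed for the article's certificate,
# issued on 2020-11-15 (the date of the session shown above).
CERTBOT_NOTE='   Your cert will expire on 2021-02-13. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot'
EXPIRY=$(printf '%s\n' "$CERTBOT_NOTE" | expiry_from_certbot_output)
echo "expires $EXPIRY, $(days_remaining "$EXPIRY" 2020-11-15) days after issue"
echo "on 2021-01-20: $(renewal_due "$EXPIRY" 2021-01-20)"
```

For the certificate above the script reports 90 days after issue, matching the validity period described earlier; in production, schedule the `certbot renew` command that certbot's own output mentions rather than tracking dates by hand.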
