SSL is a mechanism for encrypting communications.
To encrypt a website's traffic, you need to install an SSL certificate on the server.
Previously, SSL certificates were used only on a few pages, such as the purchase forms of shopping sites, but since Google began recommending always-on SSL (HTTPS on every page), encrypting every page of a website with SSL has become the norm.
In this article we use Let's Encrypt, which issues SSL certificates free of charge, to put the whole website on SSL.
What is Let's Encrypt?
It is an SSL certificate authority that can be used free of charge. Using a program such as Certbot, SSL certificates can be obtained and installed automatically.
Typical paid SSL certificates are usually valid for one year, whereas a certificate obtained from Let's Encrypt is valid for 90 days.
Let's Encrypt – Free SSL/TLS Certificates
https://letsencrypt.org/ja/
What is Certbot?
It is a program for obtaining and installing Let's Encrypt SSL certificates.
1. Install mod_ssl.
[root@wordpress chatora]# dnf install -y mod_ssl
Last metadata expiration check: 1:54:17 ago on Sun 15 Nov 2020 10:25:30 AM UTC.
Dependencies resolved.
================================================================================
Package Arch Version Repo Size
================================================================================
Installing:
mod_ssl x86_64 1:2.4.37-21.module_el8.2.0+494+1df74eae AppStream 132 k
Upgrading:
httpd x86_64 2.4.37-21.module_el8.2.0+494+1df74eae AppStream 1.7 M
httpd-filesystem
noarch 2.4.37-21.module_el8.2.0+494+1df74eae AppStream 36 k
httpd-tools x86_64 2.4.37-21.module_el8.2.0+494+1df74eae AppStream 103 k
Installing dependencies:
sscg x86_64 2.3.3-14.el8 AppStream 49 k
Transaction Summary
================================================================================
Install 2 Packages
Upgrade 3 Packages
Total download size: 2.0 M
Downloading Packages:
(1/5): sscg-2.3.3-14.el8.x86_64.rpm 138 kB/s | 49 kB 00:00
(2/5): httpd-filesystem-2.4.37-21.module_el8.2. 109 kB/s | 36 kB 00:00
(3/5): mod_ssl-2.4.37-21.module_el8.2.0+494+1df 192 kB/s | 132 kB 00:00
(4/5): httpd-tools-2.4.37-21.module_el8.2.0+494 184 kB/s | 103 kB 00:00
(5/5): httpd-2.4.37-21.module_el8.2.0+494+1df74 1.0 MB/s | 1.7 MB 00:01
--------------------------------------------------------------------------------
Total 1.0 MB/s | 2.0 MB 00:01
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Running scriptlet: httpd-filesystem-2.4.37-21.module_el8.2.0+494+1df74e 1/1
Running scriptlet: httpd-filesystem-2.4.37-21.module_el8.2.0+494+1df74e 1/8
Upgrading : httpd-filesystem-2.4.37-21.module_el8.2.0+494+1df74e 1/8
Upgrading : httpd-tools-2.4.37-21.module_el8.2.0+494+1df74eae.x8 2/8
Upgrading : httpd-2.4.37-21.module_el8.2.0+494+1df74eae.x86_64 3/8
Running scriptlet: httpd-2.4.37-21.module_el8.2.0+494+1df74eae.x86_64 3/8
Installing : sscg-2.3.3-14.el8.x86_64 4/8
Installing : mod_ssl-1:2.4.37-21.module_el8.2.0+494+1df74eae.x86_ 5/8
Running scriptlet: httpd-2.4.37-21.module_el8.2.0+382+15b0afa8.x86_64 6/8
Cleanup : httpd-2.4.37-21.module_el8.2.0+382+15b0afa8.x86_64 6/8
Running scriptlet: httpd-2.4.37-21.module_el8.2.0+382+15b0afa8.x86_64 6/8
Cleanup : httpd-filesystem-2.4.37-21.module_el8.2.0+382+15b0af 7/8
Cleanup : httpd-tools-2.4.37-21.module_el8.2.0+382+15b0afa8.x8 8/8
Running scriptlet: httpd-2.4.37-21.module_el8.2.0+494+1df74eae.x86_64 8/8
Running scriptlet: httpd-tools-2.4.37-21.module_el8.2.0+382+15b0afa8.x8 8/8
Verifying : mod_ssl-1:2.4.37-21.module_el8.2.0+494+1df74eae.x86_ 1/8
Verifying : sscg-2.3.3-14.el8.x86_64 2/8
Verifying : httpd-2.4.37-21.module_el8.2.0+494+1df74eae.x86_64 3/8
Verifying : httpd-2.4.37-21.module_el8.2.0+382+15b0afa8.x86_64 4/8
Verifying : httpd-filesystem-2.4.37-21.module_el8.2.0+494+1df74e 5/8
Verifying : httpd-filesystem-2.4.37-21.module_el8.2.0+382+15b0af 6/8
Verifying : httpd-tools-2.4.37-21.module_el8.2.0+494+1df74eae.x8 7/8
Verifying : httpd-tools-2.4.37-21.module_el8.2.0+382+15b0afa8.x8 8/8
Upgraded:
httpd-2.4.37-21.module_el8.2.0+494+1df74eae.x86_64
httpd-filesystem-2.4.37-21.module_el8.2.0+494+1df74eae.noarch
httpd-tools-2.4.37-21.module_el8.2.0+494+1df74eae.x86_64
Installed:
mod_ssl-1:2.4.37-21.module_el8.2.0+494+1df74eae.x86_64
sscg-2.3.3-14.el8.x86_64
Complete!
2. Install the EPEL repository.
[root@wordpress chatora]# dnf install -y epel-release
Last metadata expiration check: 1:59:38 ago on Sun 15 Nov 2020 10:25:30 AM UTC.
Dependencies resolved.
================================================================================
Package Architecture Version Repository Size
================================================================================
Installing:
epel-release noarch 8-8.el8 extras 23 k
Transaction Summary
================================================================================
Install 1 Package
Total download size: 23 k
Installed size: 32 k
Downloading Packages:
epel-release-8-8.el8.noarch.rpm 295 kB/s | 23 kB 00:00
--------------------------------------------------------------------------------
Total 6.2 kB/s | 23 kB 00:03
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Installing : epel-release-8-8.el8.noarch 1/1
Running scriptlet: epel-release-8-8.el8.noarch 1/1
Verifying : epel-release-8-8.el8.noarch 1/1
Installed:
epel-release-8-8.el8.noarch
Complete!
3. Install Certbot.
[root@wordpress chatora]# dnf install -y certbot python3-certbot-apache
Last metadata expiration check: 0:00:23 ago on Sun 15 Nov 2020 12:26:34 PM UTC.
Dependencies resolved.
================================================================================
Package Arch Version Repo Size
================================================================================
Installing:
certbot noarch 1.9.0-1.el8 epel 48 k
python3-certbot-apache noarch 1.9.0-1.el8 epel 143 k
Installing dependencies:
augeas-libs x86_64 1.12.0-5.el8 BaseOS 436 k
python3-acme noarch 1.9.0-1.el8 epel 88 k
python3-augeas noarch 0.5.0-12.el8 AppStream 31 k
python3-certbot noarch 1.9.0-1.el8 epel 382 k
python3-chardet noarch 3.0.4-7.el8 BaseOS 195 k
python3-configargparse noarch 0.14.0-6.el8 epel 36 k
python3-distro noarch 1.4.0-2.module_el8.1.0+245+c39af44f
AppStream 37 k
python3-josepy noarch 1.2.0-5.el8 epel 95 k
python3-ndg_httpsclient noarch 0.5.1-4.el8 epel 53 k
python3-parsedatetime noarch 2.5-1.el8 epel 79 k
python3-pyasn1 noarch 0.3.7-6.el8 AppStream 126 k
python3-pyrfc3339 noarch 1.1-1.el8 epel 19 k
python3-pysocks noarch 1.6.8-3.el8 BaseOS 34 k
python3-pytz noarch 2017.2-9.el8 AppStream 54 k
python3-requests noarch 2.20.0-2.1.el8_1 BaseOS 123 k
python3-requests-toolbelt noarch 0.9.1-4.el8 epel 91 k
python3-urllib3 noarch 1.24.2-4.el8 BaseOS 176 k
python3-zope-component noarch 4.3.0-8.el8 epel 313 k
python3-zope-event noarch 4.2.0-12.el8 epel 210 k
python3-zope-interface x86_64 4.6.0-1.el8 epel 158 k
Installing weak dependencies:
python-josepy-doc noarch 1.2.0-5.el8 epel 21 k
Transaction Summary
================================================================================
Install 23 Packages
Total download size: 2.9 M
Installed size: 11 M
Downloading Packages:
(1/23): python3-augeas-0.5.0-12.el8.noarch.rpm 111 kB/s | 31 kB 00:00
(2/23): python3-distro-1.4.0-2.module_el8.1.0+2 106 kB/s | 37 kB 00:00
(3/23): python3-pyasn1-0.3.7-6.el8.noarch.rpm 207 kB/s | 126 kB 00:00
(4/23): augeas-libs-1.12.0-5.el8.x86_64.rpm 1.3 MB/s | 436 kB 00:00
(5/23): python3-pytz-2017.2-9.el8.noarch.rpm 133 kB/s | 54 kB 00:00
(6/23): python3-pysocks-1.6.8-3.el8.noarch.rpm 775 kB/s | 34 kB 00:00
(7/23): python3-urllib3-1.24.2-4.el8.noarch.rpm 3.8 MB/s | 176 kB 00:00
(8/23): python3-chardet-3.0.4-7.el8.noarch.rpm 939 kB/s | 195 kB 00:00
(9/23): python3-requests-2.20.0-2.1.el8_1.noarc 594 kB/s | 123 kB 00:00
(10/23): python-josepy-doc-1.2.0-5.el8.noarch.r 121 kB/s | 21 kB 00:00
(11/23): certbot-1.9.0-1.el8.noarch.rpm 204 kB/s | 48 kB 00:00
(12/23): python3-certbot-apache-1.9.0-1.el8.noa 1.2 MB/s | 143 kB 00:00
(13/23): python3-acme-1.9.0-1.el8.noarch.rpm 380 kB/s | 88 kB 00:00
(14/23): python3-configargparse-0.14.0-6.el8.no 634 kB/s | 36 kB 00:00
(15/23): python3-josepy-1.2.0-5.el8.noarch.rpm 1.6 MB/s | 95 kB 00:00
(16/23): python3-certbot-1.9.0-1.el8.noarch.rpm 1.6 MB/s | 382 kB 00:00
(17/23): python3-ndg_httpsclient-0.5.1-4.el8.no 934 kB/s | 53 kB 00:00
(18/23): python3-parsedatetime-2.5-1.el8.noarch 1.3 MB/s | 79 kB 00:00
(19/23): python3-pyrfc3339-1.1-1.el8.noarch.rpm 320 kB/s | 19 kB 00:00
(20/23): python3-requests-toolbelt-0.9.1-4.el8. 1.5 MB/s | 91 kB 00:00
(21/23): python3-zope-event-4.2.0-12.el8.noarch 3.6 MB/s | 210 kB 00:00
(22/23): python3-zope-interface-4.6.0-1.el8.x86 2.7 MB/s | 158 kB 00:00
(23/23): python3-zope-component-4.3.0-8.el8.noa 2.6 MB/s | 313 kB 00:00
--------------------------------------------------------------------------------
Total 1.5 MB/s | 2.9 MB 00:01
warning: /var/cache/dnf/epel-6519ee669354a484/packages/certbot-1.9.0-1.el8.noarch.rpm: Header V4 RSA/SHA256 Signature, key ID 2f86d6a1: NOKEY
Extra Packages for Enterprise Linux 8 - x86_64 89 kB/s | 1.6 kB 00:00
Importing GPG key 0x2F86D6A1:
Userid : "Fedora EPEL (8) <epel@fedoraproject.org>"
Fingerprint: 94E2 79EB 8D8F 25B2 1810 ADF1 21EA 45AB 2F86 D6A1
From : /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8
Key imported successfully
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Installing : python3-zope-event-4.2.0-12.el8.noarch 1/23
Installing : python3-zope-interface-4.6.0-1.el8.x86_64 2/23
Installing : python3-zope-component-4.3.0-8.el8.noarch 3/23
Installing : python3-pyrfc3339-1.1-1.el8.noarch 4/23
Installing : python3-pytz-2017.2-9.el8.noarch 5/23
Installing : python3-parsedatetime-2.5-1.el8.noarch 6/23
Installing : python3-ndg_httpsclient-0.5.1-4.el8.noarch 7/23
Installing : python3-configargparse-0.14.0-6.el8.noarch 8/23
Installing : python-josepy-doc-1.2.0-5.el8.noarch 9/23
Installing : python3-josepy-1.2.0-5.el8.noarch 10/23
Installing : python3-pysocks-1.6.8-3.el8.noarch 11/23
Installing : python3-urllib3-1.24.2-4.el8.noarch 12/23
Installing : python3-chardet-3.0.4-7.el8.noarch 13/23
Installing : python3-requests-2.20.0-2.1.el8_1.noarch 14/23
Installing : python3-requests-toolbelt-0.9.1-4.el8.noarch 15/23
Installing : augeas-libs-1.12.0-5.el8.x86_64 16/23
Running scriptlet: augeas-libs-1.12.0-5.el8.x86_64 16/23
Installing : python3-augeas-0.5.0-12.el8.noarch 17/23
Installing : python3-pyasn1-0.3.7-6.el8.noarch 18/23
Installing : python3-acme-1.9.0-1.el8.noarch 19/23
Installing : python3-distro-1.4.0-2.module_el8.1.0+245+c39af44f 20/23
Installing : python3-certbot-1.9.0-1.el8.noarch 21/23
Installing : certbot-1.9.0-1.el8.noarch 22/23
Running scriptlet: certbot-1.9.0-1.el8.noarch 22/23
Installing : python3-certbot-apache-1.9.0-1.el8.noarch 23/23
Running scriptlet: python3-certbot-apache-1.9.0-1.el8.noarch 23/23
Verifying : python3-augeas-0.5.0-12.el8.noarch 1/23
Verifying : python3-distro-1.4.0-2.module_el8.1.0+245+c39af44f 2/23
Verifying : python3-pyasn1-0.3.7-6.el8.noarch 3/23
Verifying : python3-pytz-2017.2-9.el8.noarch 4/23
Verifying : augeas-libs-1.12.0-5.el8.x86_64 5/23
Verifying : python3-chardet-3.0.4-7.el8.noarch 6/23
Verifying : python3-pysocks-1.6.8-3.el8.noarch 7/23
Verifying : python3-requests-2.20.0-2.1.el8_1.noarch 8/23
Verifying : python3-urllib3-1.24.2-4.el8.noarch 9/23
Verifying : certbot-1.9.0-1.el8.noarch 10/23
Verifying : python-josepy-doc-1.2.0-5.el8.noarch 11/23
Verifying : python3-acme-1.9.0-1.el8.noarch 12/23
Verifying : python3-certbot-1.9.0-1.el8.noarch 13/23
Verifying : python3-certbot-apache-1.9.0-1.el8.noarch 14/23
Verifying : python3-configargparse-0.14.0-6.el8.noarch 15/23
Verifying : python3-josepy-1.2.0-5.el8.noarch 16/23
Verifying : python3-ndg_httpsclient-0.5.1-4.el8.noarch 17/23
Verifying : python3-parsedatetime-2.5-1.el8.noarch 18/23
Verifying : python3-pyrfc3339-1.1-1.el8.noarch 19/23
Verifying : python3-requests-toolbelt-0.9.1-4.el8.noarch 20/23
Verifying : python3-zope-component-4.3.0-8.el8.noarch 21/23
Verifying : python3-zope-event-4.2.0-12.el8.noarch 22/23
Verifying : python3-zope-interface-4.6.0-1.el8.x86_64 23/23
Installed:
augeas-libs-1.12.0-5.el8.x86_64
certbot-1.9.0-1.el8.noarch
python-josepy-doc-1.2.0-5.el8.noarch
python3-acme-1.9.0-1.el8.noarch
python3-augeas-0.5.0-12.el8.noarch
python3-certbot-1.9.0-1.el8.noarch
python3-certbot-apache-1.9.0-1.el8.noarch
python3-chardet-3.0.4-7.el8.noarch
python3-configargparse-0.14.0-6.el8.noarch
python3-distro-1.4.0-2.module_el8.1.0+245+c39af44f.noarch
python3-josepy-1.2.0-5.el8.noarch
python3-ndg_httpsclient-0.5.1-4.el8.noarch
python3-parsedatetime-2.5-1.el8.noarch
python3-pyasn1-0.3.7-6.el8.noarch
python3-pyrfc3339-1.1-1.el8.noarch
python3-pysocks-1.6.8-3.el8.noarch
python3-pytz-2017.2-9.el8.noarch
python3-requests-2.20.0-2.1.el8_1.noarch
python3-requests-toolbelt-0.9.1-4.el8.noarch
python3-urllib3-1.24.2-4.el8.noarch
python3-zope-component-4.3.0-8.el8.noarch
python3-zope-event-4.2.0-12.el8.noarch
python3-zope-interface-4.6.0-1.el8.x86_64
Complete!
4. Obtain the certificate (webroot mode).
[root@wordpress chatora]# certbot certonly --webroot -w /var/www/html/ -d linux.gakubu.net -m chatora@ciel.gakubu.net --agree-tos
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for linux.gakubu.net
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/linux.gakubu.net/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/linux.gakubu.net/privkey.pem
Your cert will expire on 2021-02-13. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
5. Configure Apache to use the obtained certificate.
[root@wordpress chatora]# vi /etc/httpd/conf.d/ssl.conf
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that restarting httpd will prompt again. Keep
# in mind that if you have both an RSA and a DSA certificate you
# can configure both in parallel (to also allow the use of DSA
# ciphers, etc.)
# Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt)
# require an ECC certificate which can also be configured in
# parallel.
#SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateFile /etc/letsencrypt/live/linux.gakubu.net/fullchain.pem
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
# ECC keys, when in use, can also be configured in parallel
#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
SSLCertificateKeyFile /etc/letsencrypt/live/linux.gakubu.net/privkey.pem
6. Restart Apache.
[root@wordpress chatora]# systemctl restart httpd
7. Access the website from a browser using https://.
If the test page is displayed with the padlock icon shown in the address bar, the setup has succeeded.
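Step 7 only confirms that https:// works; "always-on SSL" also means that plain http:// requests are sent to the encrypted site. The following Apache configuration is an added example, not part of the original page: it assumes the domain linux.gakubu.net and the document root /var/www/html used above, and the directives in the 443 block are the same ones set in ssl.conf in step 5, so they can be placed in the existing _default_:443 block there instead.

```apache
# Added example (not from the original page): force every page onto HTTPS
# once the certificate from step 4 is installed. Assumes the domain
# linux.gakubu.net and the document root /var/www/html shown on the page.

<VirtualHost *:80>
    ServerName linux.gakubu.net
    DocumentRoot /var/www/html

    # Keep serving the ACME challenge path over plain HTTP so that
    # "certbot renew" in webroot mode keeps working every 90 days;
    # everything else is redirected permanently to https://.
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^(.*)$ https://%{SERVER_NAME}$1 [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName linux.gakubu.net
    DocumentRoot /var/www/html

    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/linux.gakubu.net/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/linux.gakubu.net/privkey.pem

    # Refuse obsolete protocol versions: TLS 1.2 and 1.3 only.
    SSLProtocol -all +TLSv1.2 +TLSv1.3

    # HSTS: a browser that has seen this header will not fall back to
    # http:// for this host for the next 180 days (15552000 seconds).
    # Keep max-age short until the redirect above is confirmed to work.
    Header always set Strict-Transport-Security "max-age=15552000"
</VirtualHost>
```

Check the syntax with `httpd -t` before the restart in step 6. Because Apache reads the certificate files only at start-up, schedule `certbot renew --deploy-hook 'systemctl reload httpd'` so that each renewed certificate is actually served.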