Serving SSL (TLS) on GCP with Let's Encrypt
Overview
GCP free tier
CentOS 7 image
Prerequisites
Installing Git
# yum install git
Installing certbot
$ cd /usr/local
$ sudo git clone https://github.com/certbot/certbot.git
$ cd certbot
Obtaining the SSL certificate
$ ./certbot-auto certonly --standalone -t
(omitted)
完了しました!
Creating virtual environment...
Installing Python packages...
Installation succeeded.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel):   // enter your email address
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A   // agree to the terms?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N   // may the foundation send you email?
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c' to cancel):   // enter the domain name
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for xxxx.xxxx
Cleaning up challenges
Problem binding to port 80: Could not bind to IPv4 or IPv6.

IMPORTANT NOTES:
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
Apparently a failure.
The standalone authenticator answers the http-01 challenge by binding port 80 itself, so it cannot run while nginx is already listening there. Stop nginx with
$ systemctl stop nginx
Second attempt
Since the account was registered on the first run, take 2 starts straight from the domain prompt.
$ sudo systemctl stop nginx
$ ./certbot-auto certonly --standalone -t
Requesting to rerun ./certbot-auto with root privileges...
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c' to cancel): xxxx.xxxx
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for xxxx.xxxx
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/xxxx/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/xxxx/privkey.pem
   Your cert will expire on 2018-11-29. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
Start nginx again right away
$ sudo systemctl start nginx
The certificate we obtained
$ tree /etc/letsencrypt/
/etc/letsencrypt/
├── accounts [error opening dir]
├── archive [error opening dir]
├── csr
│   ├── 0000_csr-certbot.pem
│   └── 0001_csr-certbot.pem
├── keys [error opening dir]
├── live [error opening dir]
├── renewal
│   └── xxxx.xxxx.conf
└── renewal-hooks
    ├── deploy
    ├── post
    └── pre
(The "[error opening dir]" entries are because tree was run without root: certbot keeps accounts, archive, keys and live readable by root only, since they hold the account key and the private keys.)
Nginx configuration
At minimum, the following settings appear to be needed.
server {
    listen 80;
    server_name xxxx.xxxx;
    # send all plain HTTP traffic to HTTPS
    return 301 https://$host$request_uri;
}

server {
    # "ssl on;" is deprecated; enabling TLS on the listen directive is the current form
    listen 443 ssl;
    server_name xxxx.xxxx;
    ssl_certificate /etc/letsencrypt/live/xxxx.xxxx/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/xxxx.xxxx/privkey.pem;
    access_log /var/log/nginx/host.access.log main;
    charset UTF-8;

    location / {
        # root /usr/share/nginx/html;
        root /home/[username]/[directory];
        index index.html index.htm;
    }

    # plain SSL has known vulnerabilities, so accept TLS only
    # (TLSv1 and TLSv1.1 are themselves deprecated now; a current deployment should keep only TLSv1.2 and, if nginx supports it, TLSv1.3)
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
Check in the browser
Open "https://xxxx.xxxx". If it connects, you're done!
Let's Encrypt certificates expire after three months, so next time: automatic renewal (if I manage it).
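As an added example, not part of the original article: a renewal helper that checks how long the live certificate has left and, only when it is about to expire, runs "certbot-auto renew" with hooks that stop and restart nginx around the http-01 challenge, which is the same port-80 dance the article did by hand. The domain, the certbot-auto path and the 30-day threshold are assumptions; the self-test certificates are constructed on the fly with openssl so nothing under /etc/letsencrypt is touched.

```shell
#!/bin/sh
# Added example; DOMAIN, CERTBOT and THRESHOLD_DAYS are assumed values.
DOMAIN="xxxx.xxxx"
CERTBOT="/usr/local/certbot/certbot-auto"
LIVE_CERT="/etc/letsencrypt/live/${DOMAIN}/fullchain.pem"
THRESHOLD_DAYS=30

# True (exit 0) when the certificate in $1 expires within $2 days.
# "openssl x509 -checkend N" exits 0 only if the cert stays valid for N
# more seconds, so the result is inverted here.
cert_needs_renewal() {
    pem="$1"; days="$2"
    if openssl x509 -in "$pem" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Prints the notAfter date of the certificate in $1, for logging.
cert_expiry() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Renew only when needed. The standalone authenticator must own port 80,
# so the pre-hook stops nginx before the challenge and the post-hook starts
# it again afterwards; the restarted nginx reads the new key and chain from
# the unchanged /etc/letsencrypt/live/ paths.
renew_if_needed() {
    if cert_needs_renewal "$LIVE_CERT" "$THRESHOLD_DAYS"; then
        echo "certificate expires $(cert_expiry "$LIVE_CERT"); renewing"
        "$CERTBOT" renew --non-interactive \
            --pre-hook  "systemctl stop nginx" \
            --post-hook "systemctl start nginx"
    else
        echo "certificate valid until $(cert_expiry "$LIVE_CERT"); nothing to do"
    fi
}

# Constructed test input: a throwaway self-signed cert ($1) valid for $2 days,
# so the expiry logic can be exercised without a real Let's Encrypt cert.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=example.test" \
        -days "$2" -keyout /dev/null -out "$1" 2>/dev/null
}

# Run the real renewal only when explicitly asked (e.g. from a daily cron job).
if [ "${1:-}" = "--run" ]; then
    renew_if_needed
fi
```

Scheduling the script once a day with "--run" is enough, since certbot itself also refuses to renew a certificate that is not yet close to expiry.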