Notes from a former accountant who became an engineer at 27

A former accountant who switched to engineering, up to the present

Let's Encrypt on GCP: serving the site over SSL (TLS)

Overview

GCP free tier

CentOS 7 image

Prerequisites

  • A GCP instance has been created
  • Nginx is installed
  • The document root is configured and the site displays in a browser

Installing Git

# yum install git

Installing certbot

$ cd /usr/local

$ sudo git clone https://github.com/certbot/certbot.git

$ cd certbot

Obtaining the SSL certificate

$ ./certbot-auto certonly --standalone -t

(output omitted)

完了しました!
Creating virtual environment...
Installing Python packages...
Installation succeeded.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel):    // enter your e-mail address.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A    // agree to the terms of service or not.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N     // whether the foundation may send you e-mail.

Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel):     // enter the domain name.

Obtaining a new certificate
Performing the following challenges:
http-01 challenge for xxxx.xxxx
Cleaning up challenges
Problem binding to port 80: Could not bind to IPv4 or IPv6.

IMPORTANT NOTES:
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.

Apparently it failed. The standalone authenticator starts its own temporary web server on port 80 to answer the http-01 challenge, so it cannot bind while nginx is already listening there. Stop nginx with $ systemctl stop nginx first.

Retry

Take 2 starts from the domain prompt.

$ sudo systemctl stop nginx

$ ./certbot-auto certonly --standalone -t
Requesting to rerun ./certbot-auto with root privileges...
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel): xxxx.xxxx
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for xxxx.xxxx
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/xxxx/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/xxxx/privkey.pem
   Your cert will expire on 2018-11-29. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Start nginx again right away

$ sudo systemctl start nginx

The obtained certificates

$ tree /etc/letsencrypt/
/etc/letsencrypt/
├── accounts [error opening dir]
├── archive [error opening dir]
├── csr
│   ├── 0000_csr-certbot.pem
│   └── 0001_csr-certbot.pem
├── keys [error opening dir]
├── live [error opening dir]
├── renewal
│   └── xxxx.xxxx.conf
└── renewal-hooks
    ├── deploy
    ├── post
    └── pre

Nginx configuration

At a minimum, the following settings appear to be needed.

server {
  listen 80;
  server_name xxxx.xxxx;
  return 301 https://$host$request_uri;
}

server {
  # "listen 443 ssl" replaces the deprecated "ssl on;" directive
  listen 443 ssl;
  server_name xxxx.xxxx;

  ssl_certificate /etc/letsencrypt/live/xxxx.xxxx/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/xxxx.xxxx/privkey.pem;

  access_log  /var/log/nginx/host.access.log  main;

  charset UTF-8;
  location / {
  #   root   /usr/share/nginx/html;
      root   /home/[username]/[directory];
      index  index.html index.htm;
  }

  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;     # plain SSL has known vulnerabilities, so accept only TLS

}
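The 443 server block above still offers TLSv1 and TLSv1.1. As an added example, not the post's own code, this Python script audits an nginx server block for deprecated protocol versions, the deprecated `ssl on` form and the `//` comment mistake; WEAK_CONF and HARDENED_CONF are constructed to mirror the post's block and its corrected form, using the post's placeholder host and paths.

```python
import re

# TLS 1.0 and 1.1 are deprecated (RFC 8996); offer only TLS 1.2 and 1.3.
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Constructed configs: WEAK_CONF mirrors the post's 443 block, HARDENED_CONF is
# the corrected form. xxxx.xxxx and the paths are the post's placeholders.
WEAK_CONF = """
server {
  listen 443;
  server_name xxxx.xxxx;
  ssl on;
  ssl_certificate /etc/letsencrypt/live/xxxx.xxxx/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/xxxx.xxxx/privkey.pem;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;     // TLS only, no SSL
}
"""
HARDENED_CONF = """
server {
  listen 443 ssl;
  server_name xxxx.xxxx;
  ssl_certificate /etc/letsencrypt/live/xxxx.xxxx/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/xxxx.xxxx/privkey.pem;
  ssl_protocols TLSv1.2 TLSv1.3;           # TLS 1.0/1.1 are deprecated
}
"""

def _directive(block, name):
    """Arguments of the first `name ...;` directive in block, or None."""
    m = re.search(r"^\s*%s\s+([^;]+);" % re.escape(name), block, re.M)
    return m.group(1).split() if m else None

def server_blocks(conf):
    """Bodies of top-level `server { ... }` blocks (closing brace at column 0)."""
    return re.findall(r"^server\s*\{(.*?)^\}", conf, re.M | re.S)

def audit_tls_block(block):
    """Return findings for one server block; an empty list means clean."""
    findings = []
    if re.search(r"(^|;)\s*//", block, re.M):  # only '#' starts a comment in nginx
        findings.append("'//' is not an nginx comment, use '#'")
    listen = _directive(block, "listen") or []
    if "443" not in listen and "ssl" not in listen:
        return findings  # plain-HTTP block: only the comment check applies
    if "ssl" not in listen:  # 'ssl on;' was deprecated in nginx 1.15 and later removed
        findings.append("listen 443 lacks 'ssl'; use 'listen 443 ssl' rather than 'ssl on'")
    weak = sorted(DEPRECATED & set(_directive(block, "ssl_protocols") or []))
    if weak:
        findings.append("deprecated protocols enabled: " + " ".join(weak))
    return findings
```

Run it against your own nginx.conf after `nginx -t` passes; an empty findings list for every server block is the goal.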

Enter in the browser

If https://xxxx.xxxx connects, you're done!

Let's Encrypt certificates seem to expire after 3 months, so next time: automatic renewal (if I manage it).

Continued

ryomoyr.hatenablog.com

Reference articles