Certificates with Let's Encrypt (2)

[1] Download

# wget https://github.com/lukas2511/dehydrated/archive/master.zip

# unzip master.zip

[2] Configuration

Create the directories

# mkdir /etc/dehydrated

# chmod 700 /etc/dehydrated

# mkdir /var/www/dehydrated

config file

# cp ~/src/dehydrated-master/docs/examples/config /etc/dehydrated/.

About all there is to do here is enter an email address.

# cp ~/src/dehydrated-master/docs/examples/hook.sh /etc/dehydrated/.

Add the reload commands for httpd (and postfix, dovecot) to it.
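As an added example (not the post's own hook.sh), this is the shape of the deploy_cert() handler in dehydrated's hook script that produces the httpd/dovecot/postfix reloads seen in [5]. dehydrated's handler name and argument order are its documented interface; RELOAD_SERVICES, RELOAD_CMD and the file checks are this example's assumptions.

```bash
#!/usr/bin/env bash
# Added example, not the post's hook.sh: a deploy_cert() handler for
# dehydrated's hook script. dehydrated invokes the hook as
#   hook.sh deploy_cert DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE TIMESTAMP
# once per newly issued certificate, which is the moment to reload the
# daemons serving it (httpd, dovecot and postfix in this post).

# Assumed knobs (not part of dehydrated): which services to reload and how.
# RELOAD_CMD is separate so the handler can be exercised without root.
: "${RELOAD_SERVICES:=httpd dovecot postfix}"
: "${RELOAD_CMD:=service}"

deploy_cert() {
    local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}" CHAINFILE="${5}" TIMESTAMP="${6}"
    local f svc failed=0

    # Fail closed: if any file the daemons will be pointed at is missing or
    # empty, keep serving the old certificate instead of reloading into a
    # broken TLS configuration.
    for f in "$KEYFILE" "$FULLCHAINFILE" "$CHAINFILE"; do
        [ -s "$f" ] || { echo "deploy_cert: $f missing or empty, not reloading" >&2; return 1; }
    done
    # Also refuse if the private key is readable by others (column 8 of
    # ls -l is the others' read bit).
    case "$(ls -l "$KEYFILE" | cut -c8)" in
        r) echo "deploy_cert: $KEYFILE is world-readable, not reloading" >&2; return 1 ;;
    esac

    # Reload every configured service; a failure in one does not skip the
    # others, but the overall status is non-zero so dehydrated reports it.
    for svc in $RELOAD_SERVICES; do
        if "$RELOAD_CMD" "$svc" reload; then
            echo "deploy_cert: reloaded $svc with $FULLCHAINFILE for $DOMAIN ($TIMESTAMP)"
        else
            echo "deploy_cert: reload of $svc failed" >&2
            failed=1
        fi
    done
    return "$failed"
}

# dehydrated's dispatch convention: the first argument names the handler.
# The other handlers (deploy_challenge, clean_challenge, ...) are omitted here.
case "${1:-}" in
    deploy_cert) shift; deploy_cert "$@" ;;
esac
```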

# cat /etc/domains.txt
example.com www.example.com example.example.com

Domains written on one line share a single certificate. The docs said to put subdomains on one line.

[3] httpd (apache) configuration

Add dehydrated.conf to /etc/httpd/conf.d. Its contents:

Alias /.well-known/acme-challenge /var/www/dehydrated
<Directory /var/www/dehydrated>
    Options None
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

Apparently this differs by Apache version, but I haven't kept up lately so I don't know.

[4] Run (error)

# dehydrated -c -4 -f /etc/dehydrated/config
# INFO: Using main config file /etc/dehydrated/config
ERROR: Problem connecting to server (get for https://acme-v01.api.letsencrypt.org/directory; curl returned with 35)

Since I'm only copying what others did, an error stops me cold. After asking Google and looking around, it seems openssl was too old.

# yum update openssl openssl-devel

[5] Run

# dehydrated -c -f /etc/dehydrated/config
# INFO: Using main config file /etc/dehydrated/config
Processing example.com with alternative names: www.example.com example.example.com
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting challenge for example.com...
 + Already validated!
 + Requesting challenge for www.example.com...
 + Already validated!
 + Requesting challenge for example.example.com...
 + Responding to challenge for example.example.com...
 + Challenge is valid!
 + Requesting certificate...
 + Checking certificate...
 + Done!
 + Creating fullchain.pem...
httpd を再読み込み中: [ OK ]
Dovecot Imap を再読み込み中: [ OK ]
postfix を再読み込み中: [ OK ]
 + Done!

[6] Configure the Apache SSL certificate

# rcsdiff -r1.2 ssl.conf

===================================================================

RCS file: RCS/ssl.conf,v

retrieving revision 1.2

diff -r1.2 ssl.conf

113c113,114

< SSLCertificateFile /etc/pki/tls/certs/server.crt

---

> #SSLCertificateFile /etc/pki/tls/certs/server.crt

> SSLCertificateFile /etc/dehydrated/certs/hayama.net/fullchain.pem
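Review bot: the new SSLCertificateFile path names a different domain than the one shown in domains.txt in [2]; dehydrated writes each certificate set to /etc/dehydrated/certs/<first domain on the line>/, so confirm the directory that actually exists under /etc/dehydrated/certs/ before restarting, since httpd refuses to start when the file is missing. Pointing SSLCertificateFile at fullchain.pem is right on any version: Apache 2.4.8 and later load the intermediate certificates from it, while older releases use only the first (server) certificate and take the chain from SSLCertificateChainFile.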

121c122,123

< SSLCertificateKeyFile /etc/pki/tls/certs/server.key

---

> #SSLCertificateKeyFile /etc/pki/tls/certs/server.key

> SSLCertificateKeyFile /etc/dehydrated/certs/hayama.net/privkey.pem

130a133

> SSLCertificateChainFile /etc/dehydrated/certs/hayama.net/chain.pem
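Review bot: with SSLCertificateFile already set to fullchain.pem above, this SSLCertificateChainFile line is needed only on Apache before 2.4.8, where just the first certificate in SSLCertificateFile is loaded; from 2.4.8 on the directive is obsolete and the chain comes from fullchain.pem. Since [3] leaves the Apache version open, check it with httpd -v and drop this line on 2.4.8 or later so the chain is not configured twice. If it is kept, chain.pem is the correct file here, not fullchain.pem.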

[root@xenon conf.d]# service httpd restart

httpd を停止中: [ OK ]

httpd を起動中: [ OK ]

[7] Verification

Opening https://www.example.com/ makes Chrome show 「保護された通信」 ("Secure"). OK!!

[8] Automatic renewal with cron

# crontab -l
#
# dehydrated for letsencrypt
0 3 10 * * /usr/local/sbin/dehydrated -c -f /etc/dehydrated/config

Test run

# /usr/local/sbin/dehydrated -c -f /etc/dehydrated/config
# INFO: Using main config file /etc/dehydrated/config
Processing example.com with alternative names: www.example.com example.example.com
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Apr 14 03:15:00 2017 GMT (Longer than 30 days). Skipping renew!

Now it checks once a month and renews when the expiry date gets close.

Phew.