Certificates with Let's Encrypt (2)
[1] Download
# wget https://github.com/lukas2511/dehydrated/archive/master.zip
# unzip master.zip
[2] Configuration
Create the directories
# mkdir /etc/dehydrated
# chmod 700 /etc/dehydrated
# mkdir /var/www/dehydrated
config file
# cp ~/src/dehydrated-master/docs/examples/config /etc/dehydrated/.
About the only thing to fill in is CONTACT_EMAIL.
# cp ~/src/dehydrated-master/docs/examples/hook.sh /etc/dehydrated/.
Add the reload commands for httpd (and postfix, dovecot) to it, in the deploy_cert hook that runs after a new certificate has been written.
# cat /etc/domains.txt
example.com www.example.com example.example.com
Names on one line share one certificate: the first becomes the subject, the rest are added as subject alternative names. The docs said to list subdomains on one line like this. Note that the example config looks for domains.txt at ${BASEDIR}/domains.txt (/etc/dehydrated/domains.txt here) unless DOMAINS_TXT points elsewhere.
[3] Add dehydrated.conf to /etc/httpd/conf.d. Its contents:
Alias /.well-known/acme-challenge /var/www/dehydrated
<Directory /var/www/dehydrated>
    Options None
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
Apparently this differs by Apache version, but I haven't kept up with it lately so I don't know.
[4] Run (error)
# dehydrated -c -4 -f /etc/dehydrated/config
# INFO: Using main config file /etc/dehydrated/config
ERROR: Problem connecting to server (get for https://acme-v01.api.letsencrypt.org/directory; curl returned with 35)
I'm only copying what others did, so once an error comes up I can't get any further. After asking Google and poking around, it seems openssl was too old.
# yum update openssl openssl-devel
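Before running again it is worth checking the two external dependencies separately, so that a failure like the one above is pinned to the right layer: is the challenge path actually served over plain HTTP for every name in domains.txt, and can this host's TLS stack reach the ACME directory at all? The script below is an added example, not from the original post or from dehydrated. It assumes the paths used on this page (/etc/domains.txt, /var/www/dehydrated) and defaults ACME_DIR to the URL in the error line above; ACMEv1 has since been retired, so pass the current ACME directory URL when using it for real. If the challenge check fails on Apache 2.4, note that the Order/Allow pair in dehydrated.conf is the 2.2 syntax; 2.4 needs Require all granted in the Directory block instead.

```shell
#!/bin/sh
# Added pre-flight script (not from the original post or from dehydrated).
# It checks from the outside the two things "dehydrated -c" depends on,
# before the run, so a failure is attributed to the right layer:
#   1. the HTTP-01 challenge path for every name in domains.txt is served
#      from the WELLKNOWN directory (the httpd Alias above), and
#   2. the ACME directory URL is reachable over TLS (curl exit 35 above).
# Assumed paths are the ones used on this page; ACME_DIR defaults to the
# URL in the error line above, but ACMEv1 has since been retired, so pass
# the current directory URL for real use.
DOMAINS_TXT=${DOMAINS_TXT:-/etc/domains.txt}
WELLKNOWN=${WELLKNOWN:-/var/www/dehydrated}
ACME_DIR=${ACME_DIR:-https://acme-v01.api.letsencrypt.org/directory}
FETCH_CMD=${FETCH_CMD:-fetch_url}   # swappable so the logic can run offline

# Every name in domains.txt, one per line: comments and blank lines dropped,
# names sharing a line (one certificate with SANs) split apart.
names_from_domains_txt() {
  awk '{ sub(/#.*/, ""); n = split($0, w); for (i = 1; i <= n; i++) print w[i] }' "$1"
}

# The URL the CA fetches for an HTTP-01 token: plain HTTP on port 80.
challenge_url() {
  echo "http://$1/.well-known/acme-challenge/$2"
}

fetch_url() {
  curl -fsS --max-time 10 "$1"
}

# Drop a throwaway token where dehydrated will put the real one and confirm
# it comes back over HTTP under that name. Returns 0 on success.
check_challenge_path() {
  token=$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')
  printf '%s' "$token" > "$WELLKNOWN/$token" || return 2
  got=$("$FETCH_CMD" "$(challenge_url "$1" "$token")" 2>/dev/null) || got=
  rm -f "$WELLKNOWN/$token"
  [ "$got" = "$token" ]
}

# Map the curl exit codes seen most often against the ACME endpoint to the
# layer that failed; 35 is the one hit on this page (TLS handshake).
diagnose_curl_exit() {
  case $1 in
    0)  echo "ok: ACME directory reachable"; return 0 ;;
    6)  echo "dns: cannot resolve the ACME host" ;;
    7)  echo "tcp: connection refused or filtered (firewall, proxy)" ;;
    35) echo "tls: handshake failed; curl/openssl too old for the ciphers or TLS version the CA requires" ;;
    60) echo "tls: server certificate not trusted; update the CA bundle" ;;
    *)  echo "curl exit $1; rerun with curl -v for details" ;;
  esac
  return 1
}

check_acme_directory() {
  rc=0
  curl -sS --max-time 10 -o /dev/null "$1" 2>/dev/null || rc=$?
  diagnose_curl_exit "$rc"
}

main() {
  status=0
  for name in $(names_from_domains_txt "$DOMAINS_TXT"); do
    if check_challenge_path "$name"; then
      echo "ok: $name serves $WELLKNOWN under /.well-known/acme-challenge/"
    else
      echo "FAIL: $name does not return the token; fix DNS, the Alias or the vhost first"
      status=1
    fi
  done
  check_acme_directory "$ACME_DIR" || status=1
  return $status
}

# Run only when invoked as "preflight.sh run"; sourcing the file just
# defines the functions and touches no network.
if [ "${1:-}" = run ]; then main; fi
```

Run it as sh preflight.sh run on the web host itself (it needs write access to the WELLKNOWN directory). FETCH_CMD is there so the token round trip can be exercised without a network; in real use leave it at the curl default.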
[5] Run
# dehydrated -c -f /etc/dehydrated/config
# INFO: Using main config file /etc/dehydrated/config
Processing example.com with alternative names: www.example.com example.example.com
+ Signing domains...
+ Generating private key...
+ Generating signing request...
+ Requesting challenge for example.com...
+ Already validated!
+ Requesting challenge for www.example.com...
+ Already validated!
+ Requesting challenge for example.example.com...
+ Responding to challenge for example.example.com...
+ Challenge is valid!
+ Requesting certificate...
+ Checking certificate...
+ Done!
+ Creating fullchain.pem...
Reloading httpd: [ OK ]
Reloading postfix: [ OK ]
+ Done!
[6] Point ssl.conf at the new certificate
# rcsdiff -r1.2 ssl.conf
===================================================================
retrieving revision 1.2
diff -r1.2 ssl.conf
113c113,114
< SSLCertificateFile /etc/pki/tls/certs/server.crt
---
> #SSLCertificateFile /etc/pki/tls/certs/server.crt
> SSLCertificateFile /etc/dehydrated/certs/hayama.net/fullchain.pem
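Review bot: the certificate directory in this hunk is /etc/dehydrated/certs/hayama.net/, while domains.txt earlier on the page lists example.com; dehydrated names the per-certificate directory after the first name on the domains.txt line, so for the configuration shown the path would be /etc/dehydrated/certs/example.com/fullchain.pem. Whichever name is right, keep the key and chain hunks below on the same directory, otherwise a renewal updates one file and not the others.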
121c122,123
< SSLCertificateKeyFile /etc/pki/tls/certs/server.key
---
> #SSLCertificateKeyFile /etc/pki/tls/certs/server.key
> SSLCertificateKeyFile /etc/dehydrated/certs/hayama.net/privkey.pem
130a133
> SSLCertificateChainFile /etc/dehydrated/certs/hayama.net/chain.pem
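Review bot: whether this SSLCertificateChainFile line is needed depends on the httpd version. Before Apache 2.4.8 mod_ssl reads only the first certificate from SSLCertificateFile, so even with fullchain.pem configured above the intermediate reaches clients only through this line and it must stay. From 2.4.8 on SSLCertificateFile loads the whole chain and SSLCertificateChainFile is deprecated, so there fullchain.pem alone is enough and this line can go. Either way, confirm with openssl s_client -showcerts that two certificates are served, since a browser can hide a missing intermediate by fetching it itself.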
[root@xenon conf.d]# service httpd restart
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
[7] Check
Opening https://www.example.com/ gets Chrome's "Secure" indicator. OK!!
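A browser's "Secure" indicator is not a check of what the server actually sent: Chrome may fetch a missing intermediate on its own, so the chain part of the ssl.conf change above can be wrong while the page still looks fine. The script below is an added example, not from the original post, that inspects the served chain with openssl s_client and fails when the intermediate is absent or verification fails. Host names are placeholders; the s_client output it parses must come from a real connection (the offline check it was developed against uses constructed output).

```shell
#!/bin/sh
# Added example (not from the original post): check from the outside what
# the ssl.conf change above is meant to achieve. It parses the output of
# "openssl s_client -showcerts": the verify result, the number of
# certificates the server sent, and the leaf subject.

# Summarise s_client output read on stdin as "verify_code|certs_sent|leaf_subject".
summarize_s_client() {
  awk '
    /^ *[0-9]+ s:/ { n++; if (n == 1) { sub(/^ *[0-9]+ s:/, ""); subj = $0 } }
    /^ *Verify return code:/ { code = $4 }
    END { printf "%s|%d|%s\n", code, n, subj }'
}

# Judge a summary for NAME: verify code 0 and at least two certificates
# (leaf plus intermediate). Verification alone can pass with a missing
# intermediate if the local CA store happens to hold it, which is why the
# count is checked separately. Args: name summary
judge_chain() {
  code=${2%%|*}; rest=${2#*|}; count=${rest%%|*}; subj=${rest#*|}
  bad=0
  if [ "$code" != 0 ]; then
    echo "FAIL $1: verify return code ${code:-missing}"; bad=1
  fi
  if [ "${count:-0}" -lt 2 ]; then
    echo "FAIL $1: $count certificate(s) sent, intermediate missing (chain.pem / fullchain.pem not loaded)"; bad=1
  fi
  [ $bad -eq 0 ] && echo "ok $1: $count certificates sent, verified, leaf: $subj"
  return $bad
}

# Connect with SNI (name-based vhosts answer with the right certificate),
# capture the served chain and judge it. Args: name [port]
check_served_chain() {
  out=$(openssl s_client -connect "$1:${2:-443}" -servername "$1" -showcerts </dev/null 2>/dev/null) || true
  judge_chain "$1" "$(printf '%s\n' "$out" | summarize_s_client)"
}

# Usage: sh chaincheck.sh www.example.com [443]; no argument means no connection.
if [ "${1:-}" != "" ]; then check_served_chain "$1" "${2:-443}"; fi
```

Run it for every name on the domains.txt line, not only the first: with name-based vhosts a wrong SSLCertificateFile in one vhost shows up only under that name.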
[8] Automatic renewal with cron
# crontab -l
#
# dehydrated for letsencrypt
0 3 10 * * /usr/local/sbin/dehydrated -c -f /etc/dehydrated/config
Test run
# /usr/local/sbin/dehydrated -c -f /etc/dehydrated/config
# INFO: Using main config file /etc/dehydrated/config
Processing example.com with alternative names: www.example.com example.example.com
+ Checking domain name(s) of existing cert... unchanged.
+ Checking expire date of existing cert...
+ Valid till Apr 14 03:15:00 2017 GMT (Longer than 30 days). Skipping renew!
This now checks once a month and renews when expiry gets close. One caveat: dehydrated renews only when 30 days or fewer remain (RENEW_DAYS=30 by default), and with a 90-day certificate a job on a fixed day of the month can land in that window only on the expiry day itself. A certificate issued by the Jan 10 run, for example, is seen with 31 days left on Mar 10 (skipped) and expires on Apr 10, the day of the next run, so a single failed run means an expired certificate. Running the job daily or weekly costs nothing, since it is a no-op until renewal is due, and gives many chances to retry.
Phew.
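Whether a monthly job leaves enough margin depends on the calendar, and the following added example (not part of the original post) simulates it at day granularity in plain POSIX shell. It assumes dehydrated's default RENEW_DAYS=30 and the 90-day lifetime visible in the output above; the issue dates are the page's own (a certificate valid until Apr 14 2017, so issued Jan 14, with the job on the 10th) plus two constructed ones showing the worst and the best month combination.

```shell
#!/bin/sh
# Added example (not part of the original post): simulate, at day
# granularity, when a given cron schedule would renew a 90-day certificate
# under dehydrated's default RENEW_DAYS=30 (it skips the renewal while more
# than RENEW_DAYS remain, as the "Skipping renew!" line above shows).
LIFETIME_DAYS=90
RENEW_DAYS=30

# Days since 1970-01-01 for a civil date (proleptic Gregorian), in pure
# shell arithmetic so it needs no GNU date(1). Args: year month day.
days_from_civil() {
  _y=$1; _m=$2; _d=$3
  [ "$_m" -le 2 ] && _y=$((_y - 1))
  _era=$(( (_y >= 0 ? _y : _y - 399) / 400 ))
  _yoe=$((_y - _era * 400))
  _doy=$(( (153 * (_m + (_m > 2 ? -3 : 9)) + 2) / 5 + _d - 1 ))
  _doe=$((_yoe * 365 + _yoe / 4 - _yoe / 100 + _doy))
  echo $((_era * 146097 + _doe - 719468))
}

# dehydrated's rule: renew only when RENEW_DAYS or fewer remain.
renew_due() { [ "$1" -le "$RENEW_DAYS" ]; }

# Monthly job ("0 3 DOM * *"): walk the runs after issuance and print the
# days remaining at the first run that renews (0 = the expiry day itself).
# Args: issue_year issue_month issue_day cron_day_of_month (use 1-28).
monthly_margin() {
  issued=$(days_from_civil "$1" "$2" "$3")
  expires=$((issued + LIFETIME_DAYS))
  cy=$1; cm=$2; i=0
  while [ $i -lt 6 ]; do
    cm=$((cm + 1)); [ $cm -gt 12 ] && { cm=1; cy=$((cy + 1)); }
    left=$((expires - $(days_from_civil "$cy" "$cm" "$4")))
    if renew_due "$left"; then echo "$left"; return 0; fi
    i=$((i + 1))
  done
  return 1
}

# Fixed interval of N days (N=1 for a daily job): the worst case renews at
# the first run on or after day LIFETIME_DAYS-RENEW_DAYS, so the margin is
# LIFETIME_DAYS minus that run's day. Arg: interval_days.
interval_margin() {
  runs=$(( (LIFETIME_DAYS - RENEW_DAYS + $1 - 1) / $1 ))
  echo $((LIFETIME_DAYS - runs * $1))
}

# Worked comparison: the page's issue date plus two constructed ones.
for issue in "2017 1 14" "2017 1 10" "2017 7 10"; do
  # shellcheck disable=SC2086
  echo "issued $issue, job on the 10th: renews with $(monthly_margin $issue 10) day(s) left"
done
echo "every day: $(interval_margin 1) day(s) left; every 7 days: $(interval_margin 7)"
```

The Jan 10 case renews with 0 days left (a non-leap February followed by March adds up to exactly 90 days), the Jul 10 case with 28; a daily job always renews with 30 days to spare, which is the whole point of RENEW_DAYS.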