Let's Encrypt on Conoha! Simple!
Prerequisite: CentOS 7.4
Log in to Conoha -> Domain -> Acquire Domain -> Search for and purchase a suitable domain name
Domain Settings
DNS -> +Domain -> Enter the acquired domain name -> Save
Edit the record once the domain name appears.
・Click the domain name -> pencil icon -> + -> A  @  3600  <Conoha IP address> -> Save
(Note: Do not configure forwarding settings; Let's Encrypt will trip over them.) (Tip: it takes 1 to 3 days for the server address associated with the domain to propagate.)
Checking and setting up the firewall
--> Check:
```
# firewall-cmd --list-all --permanent
```
--> If http and https are listed, you are fine.
--> If not:
```
# firewall-cmd --add-service=http --zone=public --permanent
# firewall-cmd --add-service=https --zone=public --permanent
# systemctl restart firewalld.service
```
(Note: Conoha -> Server -> Network Information -> Allowed Ports -> Allow All)
Configuring the VirtualHost
```
NameVirtualHost *:80
<VirtualHost *:80>
    ServerAdmin root@{domain-name}
    DocumentRoot /var/www/html
    ServerName {domain-name}
</VirtualHost>
```
Installing a Let's Encrypt SSL certificate
```
# yum install -y certbot python2-certbot-apache
# certbot --apache -d {domain-name}
```
-> Enter your e-mail address and so on at the interactive prompts -> Agree -> answer y/n as you like
If all goes well, you will see these messages!
Key Points
-> Deploying Certificate to VirtualHost /etc/httpd/conf/httpd-le-ssl.conf
httpd-le-ssl.conf is created automatically.
-> Enabling site /etc/httpd/conf/httpd-le-ssl.conf by adding Include to root configuration
An Include for the file above is added to httpd.conf.
-> Redirecting vhost in /etc/httpd/conf/httpd.conf to ssl vhost in /etc/httpd/conf/httpd-le-ssl.conf
The http to https redirect is configured automatically.
Verifying the certificate installation
```
## Certificate
# ls /etc/letsencrypt/live/{domain-name}
-> cert.pem chain.pem fullchain.pem privkey.pem README
## Added configuration
-> Has /etc/httpd/conf/httpd-le-ssl.conf been added?
-> Has an Include for httpd-le-ssl.conf been appended at the end of /etc/httpd/conf/httpd.conf?
## Is the http -> https redirect working correctly?
```
Configuring ssl.conf (enabling the certificate)
```
+ SSLCertificateFile /etc/letsencrypt/live/{domain-name}/cert.pem
+ SSLCertificateKeyFile /etc/letsencrypt/live/{domain-name}/privkey.pem
+ SSLCertificateChainFile /etc/letsencrypt/live/{domain-name}/chain.pem
```
Restart httpd (not firewalld) so the changed ssl.conf is loaded:
```
# systemctl restart httpd.service
```
Checking the certificate expiry date
```
$ sudo certbot certificates
# Example of a certificate with 89 days of validity remaining
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
Certificate Name: ******.***
Serial Number: 41b036408751294a375b4ec64ab9f67c973
Domains: ******.***
Expiry Date: 2021-01-15 16:52:20+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/******.***/fullchain.pem
Private Key Path: /etc/letsencrypt/live/******.***/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
```
Renewal procedure
-> Renewal command
```
# /usr/bin/certbot renew --post-hook "systemctl restart httpd.service"
```
Since the expiry date is still a long way off, the certificate will not actually be renewed, but a screen like this is fine.
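To make the checks from the verification section above, the expiry check, and the http -> https redirect check repeatable, here is an added shell script that is not part of the original post: it checks the files in the live directory, the Include line in httpd.conf, the days left on the certificate (certbot renew only renews when fewer than 30 days remain), and that plain HTTP answers with a 301 to HTTPS. It assumes the CentOS 7 paths used on this page, GNU date, and that openssl and curl are installed; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: a post-install checklist for the
# certbot --apache setup above, using the CentOS 7 paths shown on this page.
# 1. The four files certbot writes to /etc/letsencrypt/live/<domain>.
check_cert_files() {  # $1 = live directory; returns 1 if anything is missing
  missing=0
  for f in cert.pem chain.pem fullchain.pem privkey.pem; do
    [ -e "$1/$f" ] || { echo "missing: $1/$f"; missing=1; }
  done
  return $missing
}

# 2. httpd-le-ssl.conf exists and httpd.conf carries an Include line for it.
check_include() {  # $1 = httpd.conf, $2 = httpd-le-ssl.conf
  [ -f "$2" ] && grep -Eq '^[[:space:]]*Include[[:space:]]+.*httpd-le-ssl\.conf' "$1"
}

# 3. Whole days from a reference time (default: now) to an expiry timestamp.
#    certbot renew only acts when fewer than 30 days remain. Needs GNU date.
days_until() {  # $1 = expiry (certbot or openssl format), $2 = reference time
  exp=$(date -ud "$1" +%s) || return 1
  now=$(date -ud "${2:-now}" +%s) || return 1
  echo $(( (exp - now) / 86400 ))
}

# 4. Read notAfter from the live certificate and convert it to days left.
cert_days_left() {  # $1 = cert.pem or fullchain.pem
  end=$(openssl x509 -noout -enddate -in "$1" | cut -d= -f2) || return 1
  days_until "$end"
}

# 5. Plain HTTP must answer with a 301 to the https:// form of the same URL.
check_redirect() {  # $1 = domain name
  resp=$(curl -sS -o /dev/null -w '%{http_code} %{redirect_url}' "http://$1/") || return 1
  [ "$resp" = "301 https://$1/" ]
}

main() {  # $1 = domain name; exit status 1 if any check fails
  live="/etc/letsencrypt/live/$1"; conf=/etc/httpd/conf; rc=0
  check_cert_files "$live" || rc=1
  check_include "$conf/httpd.conf" "$conf/httpd-le-ssl.conf" || { echo "no Include for httpd-le-ssl.conf"; rc=1; }
  if days=$(cert_days_left "$live/cert.pem"); then
    echo "certificate valid for $days more days"
    [ "$days" -ge 30 ] || echo "warning: under 30 days left, certbot renew will renew it"
  fi
  check_redirect "$1" || { echo "http -> https redirect is not a 301"; rc=1; }
  return $rc
}
if [ $# -gt 0 ]; then main "$1"; fi
```

Save it as a script on the server and run it with your domain name as the only argument; the redirect check needs the site to be reachable over HTTP from where you run it.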
Check crond
```
# systemctl status crond
-> active
```
Automatic certificate renewal settings
```
## It is really supposed to be renewed once every 3 months, but here we attempt a renewal once a week.
# vim /etc/cron.d/letsencrypt -> create a new file
+ 12 02 * * 1 root /bin/certbot renew --post-hook "systemctl restart httpd.service"
```
-> Renews at 02:12 every Monday. I picked an off-beat time with the server's load distribution in mind.
Checking the result of the cron run
```
# less /var/log/cron
```
If you already set up the redirect in the steps above, the following is not needed.
Redirect handling
Forward HTTP access to HTTPS.
```
<IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteCond %{HTTPS} off
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</IfModule>
```
Enable .htaccess settings
```
<Directory "/var/www/html">
-    AllowOverride none
+    AllowOverride all
</Directory>
```
That's all. Congratulations on your hard work!
Please LGTM! LGTM and stock, please! It keeps me motivated! (^^)