Let's Encrypt in Conoha! Simple!


Prerequisite: CentOS7.4

Log in to Conoha -> Domain -> Acquire Domain -> search for and purchase the domain name you want.

Domain Settings

DNS -> +Domain -> enter the domain name you acquired -> Save

Once the domain shows up in the DNS list, edit it:

・Click the domain name -> pencil icon -> + -> add an A record: name @, TTL 3600, value = the IP address of your Conoha server -> Save

(Note: do not configure URL forwarding for the domain; Let's Encrypt's HTTP validation connects to whatever address the name resolves to, and a forwarded address will make it fail.) (Tip: it can take 1 to 3 days for the new A record to propagate; confirm that the name resolves to your server's IP before running certbot.)

Checking and setting up firewalls

Requires root privileges.
--> Check:
# firewall-cmd --list-all --permanent
--> If http and https are listed under services, you are done.
--> If not:
# firewall-cmd --add-service=http --zone=public --permanent
# firewall-cmd --add-service=https --zone=public --permanent
# systemctl restart firewalld.service
(firewall-cmd --reload also applies the permanent rules, without restarting the service.)

(Note: Conoha has its own port filter in front of the server: Conoha -> Server -> Network Information -> Allowed ports -> All allowed. Port 80 must be reachable from the internet, because certbot's HTTP validation is done over plain HTTP.)
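As an added preflight check (an example script written for this page, not part of the original post or of Conoha's tooling): the two conditions above, the A record pointing only at this server and http/https being open in firewalld, can be verified from the shell before certbot is run. Each check is a function over command output, so the constructed samples below exercise it offline; `./preflight.sh run {domain name} {server IP}` runs the real dig and firewall-cmd commands. The domain and the address 203.0.113.10 in the samples are placeholders.

```bash
#!/bin/bash
# Preflight checks before running certbot --apache on the Conoha host.
# Added example for this page, not part of the original post. Each check is a
# pure function over command output so it can be tried offline; "run" mode
# at the bottom feeds it the live dig / firewall-cmd output.

# Constructed sample: what `dig +short A {domain}` prints once the record has
# propagated (203.0.113.10 is a documentation address standing in for the VPS).
SAMPLE_DIG='203.0.113.10'

# Constructed sample: a default CentOS 7 public zone that still lacks http/https.
SAMPLE_FIREWALL='public
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: ssh dhcpv6-client
  ports: 
  protocols: 
  masquerade: no'

# Succeeds only if the answer section holds exactly the expected IPv4 address.
# HTTP-01 validation hits whatever address the name resolves to, so a stale
# record or a second address (e.g. a forwarding service) must fail here.
dns_points_at() {   # $1 = `dig +short A <domain>` output, $2 = expected IP
    local answers
    answers=$(printf '%s\n' "$1" | grep -E '^[0-9]+(\.[0-9]+){3}$' | sort -u)
    [ "$answers" = "$2" ]
}

# Prints the services from the wanted set (http https) that are absent from
# the zone's "services:" line of `firewall-cmd --list-all`; empty means all present.
missing_services() {   # $1 = `firewall-cmd --list-all --permanent` output
    local listed svc missing=""
    listed=$(printf '%s\n' "$1" | awk -F': ' '$1 ~ /^[[:space:]]*services$/ { print $2 }')
    for svc in http https; do
        case " $listed " in
            *" $svc "*) ;;
            *) missing="$missing $svc" ;;
        esac
    done
    printf '%s' "${missing# }"
}

# Live mode: ./preflight.sh run example.com 203.0.113.10 (needs root for firewall-cmd).
if [ "${1:-}" = run ]; then
    domain=$2; ip=$3
    if dns_points_at "$(dig +short A "$domain")" "$ip"; then
        echo "DNS: $domain -> $ip OK"
    else
        echo "DNS: $domain does not resolve solely to $ip yet; wait for propagation"
        exit 1
    fi
    need=$(missing_services "$(firewall-cmd --list-all --permanent)")
    if [ -n "$need" ]; then
        for svc in $need; do
            firewall-cmd --add-service="$svc" --zone=public --permanent
        done
        firewall-cmd --reload   # applies the permanent rules without restarting firewalld
        echo "firewalld: opened $need"
    else
        echo "firewalld: http and https already allowed"
    fi
fi
```

The DNS check deliberately fails on a second address as well as on a wrong one: a name that resolves to both the VPS and a forwarding service is exactly the case the note above warns about.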

Configuring VirtualHost

/etc/httpd/conf/httpd.conf
NameVirtualHost *:80

<VirtualHost *:80>
ServerAdmin root@{domain name}
DocumentRoot /var/www/html
ServerName {domain name}
</VirtualHost>

(Note: CentOS 7 ships httpd 2.4, where NameVirtualHost no longer does anything and only logs a warning at startup; it can be left out. The ServerName line is what certbot --apache uses to find the vhost for your domain, so it must match the name you pass with -d exactly. Run apachectl configtest and restart httpd after editing.)

Installing SSL Certificates for Let's Encrypt

Requires root privileges.
# yum install -y certbot python2-certbot-apache
# certbot --apache -d {domain name}
-> Answer the interactive prompts (e-mail address, etc.) -> Agree to the terms of service -> the remaining y/n questions (including whether to redirect HTTP to HTTPS) are up to you.
(Both packages come from the EPEL repository; if it is not enabled yet, install epel-release first.)

If all goes well you will see a success message. The key lines in it are:

-> "Deploying Certificate to VirtualHost /etc/httpd/conf/httpd-le-ssl.conf": certbot creates httpd-le-ssl.conf automatically.
-> "Enabling site /etc/httpd/conf/httpd-le-ssl.conf by adding Include to root configuration": it appends an Include for that file to httpd.conf.
-> "Redirecting vhost in /etc/httpd/conf/httpd.conf to ssl vhost in /etc/httpd/conf/httpd-le-ssl.conf": it configures the HTTP to HTTPS redirect for you (this line only appears if you chose the redirect option at the prompt).

Verifying the Certificate Installation

## Certificate files
# ls /etc/letsencrypt/live/{domain name}
-> cert.pem chain.pem fullchain.pem privkey.pem README
## Added configuration
-> Was /etc/httpd/conf/httpd-le-ssl.conf created?
-> Was an Include for httpd-le-ssl.conf appended to the end of /etc/httpd/conf/httpd.conf?
## Does the HTTP -> HTTPS redirect actually work? (A plain http:// request to the domain should come back as a 301 with a Location header pointing at https://.)

Configuring ssl.conf (certificate activation)

/etc/httpd/conf.d/ssl.conf
+ SSLCertificateFile /etc/letsencrypt/live/{domain name}/cert.pem
+ SSLCertificateKeyFile /etc/letsencrypt/live/{domain name}/privkey.pem
+ SSLCertificateChainFile /etc/letsencrypt/live/{domain name}/chain.pem

# systemctl restart httpd.service

(Replace the SSLCertificateFile / SSLCertificateKeyFile lines that mod_ssl ships in ssl.conf, which point at the self-signed localhost.crt and localhost.key, rather than adding a second set. This only changes what the default :443 vhost in ssl.conf serves; certbot's httpd-le-ssl.conf already carries the same directives for your named vhost. It is httpd, not firewalld, that has to re-read this file, so run apachectl configtest and then restart httpd. SSLCertificateChainFile is still needed on the httpd 2.4.6 that CentOS 7 ships; newer Apache releases read the chain from fullchain.pem instead.)

Check the expiration date of the certificate

$ sudo certbot certificates
# Example output for a certificate with 89 days of validity left
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: ******.***
    Serial Number: 41b036408751294a375b4ec64ab9f67c973
    Domains: ******.***
    Expiry Date: 2021-01-15 16:52:20+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/******.***/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/******.***/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

(Let's Encrypt certificates are valid for 90 days. certbot renew only renews a certificate once fewer than 30 days remain, so the command in the next section does nothing until roughly day 60.)

Renewal Procedures

Requires root privileges.
-> Renewal command:
# /usr/bin/certbot renew --post-hook "systemctl restart httpd.service"

Because the certificate is not yet due for renewal, this will not actually renew anything; output saying the certificate is not due yet is the expected result. To exercise the whole renewal path without waiting, add --dry-run, which runs the renewal against the Let's Encrypt staging environment and leaves the live certificate untouched.

Check the crond

# systemctl status crond
-> active

Automatic certificate renewal settings

/etc/cron.d/letsencrypt
## Strictly speaking a renewal is only needed once every three months, but here the job tries once a week; certbot renew is a no-op until the certificate is within 30 days of expiry, so running it often is safe and gives several chances inside that window.
# vim /etc/cron.d/letsencrypt -> create as a new file
+ 12 02 * * 1 root /bin/certbot renew --post-hook "systemctl restart httpd.service"
-> Runs every Monday at 02:12. An off-the-hour time was chosen deliberately to spread load on the servers.
(--post-hook runs whenever a renewal is attempted; certbot's --deploy-hook runs only when a certificate was actually renewed, and "systemctl reload httpd.service" picks up the new certificate with less disruption than a restart.)

Checking the execution result of cron

# less /var/log/cron
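As an added example that ties the verification steps and the renewal schedule together (written for this page, not part of the original post or of certbot itself): the checks above, the four files in the live directory, the Include in httpd.conf, the HTTP to HTTPS redirect, and how many days are left before certbot renew will act, can be scripted. The checks are functions over text or paths, so the constructed samples below run offline; `./le-check.sh run {domain name}` runs them against the real system. The domain example.com, the sample headers and the sample certbot output are constructed stand-ins.

```bash
#!/bin/bash
# Post-install and renewal checks for the certbot --apache setup described above.
# Added example for this page, not part of the original post or of certbot.
# The checks are functions over text/paths so they run offline on the
# constructed samples; "run" mode feeds them the live system.

# Constructed sample in the shape of `certbot certificates` output.
SAMPLE_CERTBOT='Found the following certs:
  Certificate Name: example.com
    Domains: example.com
    Expiry Date: 2021-01-15 16:52:20+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/example.com/privkey.pem'

# Constructed sample of `curl -sI http://example.com/` after the redirect is in place.
SAMPLE_REDIRECT_HEADERS='HTTP/1.1 301 Moved Permanently
Date: Fri, 22 Jan 2021 00:00:00 GMT
Server: Apache/2.4.6 (CentOS)
Location: https://example.com/
Content-Type: text/html; charset=iso-8859-1'

# The four files certbot keeps in live/<domain> (symlinks into archive/).
cert_files_complete() {   # $1 = live directory
    local f
    for f in cert.pem chain.pem fullchain.pem privkey.pem; do
        [ -r "$1/$f" ] || return 1
    done
}

# certbot --apache enables its vhost by appending an Include for httpd-le-ssl.conf.
le_include_present() {   # $1 = path to httpd.conf
    grep -Eq '^[[:space:]]*Include(Optional)?[[:space:]]+/etc/httpd/conf/httpd-le-ssl\.conf' "$1"
}

# A working redirect answers plain HTTP with a 301/302/307/308 whose Location is https://.
redirect_ok() {   # $1 = response headers from `curl -sI http://<domain>/`
    printf '%s\n' "$1" | head -n 1 | grep -Eq ' 30[1278] ' &&
        printf '%s\n' "$1" | grep -Eiq '^Location: https://'
}

# Days of validity left, taken from the "(VALID: N days)" field; prints nothing
# for an expired certificate ("(INVALID: EXPIRED)") or unparseable input.
days_left() {   # $1 = `certbot certificates` output
    printf '%s\n' "$1" | sed -n 's/.*(VALID: \([0-9][0-9]*\) days*).*/\1/p' | head -n 1
}

# certbot renew only acts when fewer than 30 days remain (its default
# renew_before_expiry), which is why the weekly cron job is safe: it is a
# no-op for roughly the first 60 days and gets several tries inside the window.
renewal_due() {   # $1 = days left ("" = expired or unknown -> treat as due)
    [ -z "$1" ] || [ "$1" -lt 30 ]
}

# Live mode: ./le-check.sh run example.com (root needed for certbot and the live dir).
if [ "${1:-}" = run ]; then
    domain=$2
    cert_files_complete "/etc/letsencrypt/live/$domain" \
        && echo "cert files: OK" || echo "cert files: MISSING in /etc/letsencrypt/live/$domain"
    le_include_present /etc/httpd/conf/httpd.conf \
        && echo "httpd.conf Include: OK" || echo "httpd.conf Include: MISSING"
    redirect_ok "$(curl -sI "http://$domain/")" \
        && echo "http -> https redirect: OK" || echo "http -> https redirect: NOT WORKING"
    d=$(days_left "$(certbot certificates 2>/dev/null)")
    if renewal_due "$d"; then
        echo "renewal: due now (${d:-0} days left); run certbot renew"
    else
        echo "renewal: not due ($d days left); certbot renew would report nothing to do"
    fi
fi
```

An expired certificate is reported by certbot as INVALID rather than with a day count, which is why days_left returns nothing for it and renewal_due treats an empty value as "due": a parser that defaulted to a large number there would silently stop nagging exactly when it matters.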

If certbot already set up the HTTP to HTTPS redirect for you (the "Redirecting vhost" line above), the following section is not needed.

Redirect handling

Redirect all HTTP requests to HTTPS with an .htaccess rule.

/var/www/html/.htaccess
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</IfModule>

Enable .htaccess settings

/etc/httpd/conf/httpd.conf
<Directory "/var/www/html">
-    AllowOverride none
+    AllowOverride all
</Directory>

(The mod_rewrite directives in that .htaccess only need AllowOverride FileInfo, which is the tighter setting; AllowOverride all additionally lets anyone who can write .htaccess override every other directive class for the document root. Restart httpd afterwards (systemctl restart httpd.service) and confirm with a plain http:// request that you are sent to https://.)

That's all. Congratulations on your hard work!

An LGTM or a stock would be appreciated; it keeps me motivated! (^^)


Updated on January 22, 2021