Setting up Let's Encrypt on CentOS 7


Overview

(Assumptions for what follows)

  • CentOS 7
  • A regular (non-wildcard) certificate
  • No web server required
  • The firewall allows HTTP (port 80) inbound
  • All work is done as the root user

Install certbot

# yum install -y epel-release
:
完了しました!
# yum install certbot 
:
完了しました!

Obtaining the SSL certificate

Run certbot to obtain the SSL certificate.
This works even when no web server is installed:
certbot spins up a temporary web server of its own on port 80 to answer the validation challenge.

# certbot certonly
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):1

You are asked for the administrator's contact address, so enter an e-mail address.
(This address has no relation to the certificate's domain; it is used for expiry and security notices.)

Plugins selected: Authenticator standalone, Installer None
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): [email protected]

You are asked to agree to the Terms of Service, so enter y.

Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y

You are asked whether, once the certificate has been issued, your e-mail address may be shared with a partner organization so they can send you news; answer y or n.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: n
Account registered.

Enter the FQDN(s) the certificate should be issued for.

Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel): www.example.com

A temporary web server starts and the domain is validated automatically (the http-01 challenge).
On success the certificate files are created.

Requesting a certificate for www.example.com
Performing the following challenges:
http-01 challenge for www.example.com
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/www.example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/www.example.com/privkey.pem
   Your cert will expire on 2021-04-19. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
# ls -l /etc/letsencrypt/live/www.example.com/
合計 4
-rw-r--r-- 1 root root 692  1月 19 19:56 README
lrwxrwxrwx 1 root root  33  1月 19 19:56 cert.pem -> ../../archive/www.example.com/cert1.pem
lrwxrwxrwx 1 root root  34  1月 19 19:56 chain.pem -> ../../archive/www.example.com/chain1.pem
lrwxrwxrwx 1 root root  38  1月 19 19:56 fullchain.pem -> ../../archive/www.example.com/fullchain1.pem
lrwxrwxrwx 1 root root  36  1月 19 19:56 privkey.pem -> ../../archive/www.example.com/privkey1.pem

To obtain certificates for other FQDNs, repeat the same steps.
Alternatively, entering several FQDNs at once issues a single certificate that covers multiple subdomains (they are listed in the Subject Alternative Name extension).

# certbot certonly
:
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):1
:
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel): mail.example.com
:

Certificates are valid for three months from the time they are obtained.
Once fewer than 30 days remain, run the following to renew all certificates at once.
(The example below was run earlier than that, so nothing is renewed.)

# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/www.example.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/mail.example.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/www.example.com/fullchain.pem expires on 2021-04-19 (skipped)
  /etc/letsencrypt/live/mail.example.com/fullchain.pem expires on 2021-04-19 (skipped)
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
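As an added example (not part of the original article, and not certbot's own code), the following shell script turns the interactive steps above into a non-interactive form: build_certonly_cmd produces the "certbot certonly --standalone" command with one -d flag per FQDN (all names then land in the Subject Alternative Name of a single certificate, as described above), and renewal_due reproduces certbot's 30-day decision that led to "Cert not yet due for renewal" in the renew output. The certificate-expiry lines embedded in the script are constructed from the "certbot renew" output shown above; the e-mail address, the "today" date of 2021-01-19 and the cron schedule in the comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): non-interactive issuance
# and a renewal-window check for certbot on CentOS 7.
# Assumptions: certbot is installed from EPEL as in the article, port 80 is
# open, and the renewal window is certbot's default of 30 days.

RENEW_WINDOW_DAYS=30

# Non-interactive equivalent of the interactive "certbot certonly" session
# from the article. Each extra -d adds a Subject Alternative Name to the
# same certificate instead of issuing a separate one.
build_certonly_cmd() {   # build_certonly_cmd EMAIL DOMAIN [DOMAIN...]
    email="$1"; shift
    [ $# -ge 1 ] || { echo "usage: build_certonly_cmd EMAIL DOMAIN..." >&2; return 1; }
    cmd="certbot certonly --standalone --non-interactive --agree-tos -m $email"
    for dom in "$@"; do
        cmd="$cmd -d $dom"
    done
    printf '%s\n' "$cmd"
}

# Days since 1970-01-01 for a YYYY-MM-DD date, done in shell arithmetic so
# the check does not depend on GNU date (Hinnant's days_from_civil).
days_from_civil() {
    y=${1%%-*}; rest=${1#*-}; m=${rest%%-*}; d=${rest#*-}
    m=${m#0}; d=${d#0}                      # "04" -> 4, avoids octal parsing
    if [ "$m" -le 2 ]; then y=$((y - 1)); fi
    era=$((y / 400))
    yoe=$((y - era * 400))
    if [ "$m" -gt 2 ]; then mp=$((m - 3)); else mp=$((m + 9)); fi
    doy=$(((153 * mp + 2) / 5 + d - 1))
    doe=$((yoe * 365 + yoe / 4 - yoe / 100 + doy))
    echo $((era * 146097 + doe - 719468))
}

days_until() {   # days_until EXPIRY TODAY  -> whole days remaining
    echo $(( $(days_from_civil "$1") - $(days_from_civil "$2") ))
}

# Mirrors certbot's decision: renew only inside the last 30 days of validity.
# Exit 0 when renewal is due, 1 when the cert is "not yet due for renewal".
renewal_due() {   # renewal_due EXPIRY TODAY
    left=$(days_until "$1" "$2")
    [ "$left" -le "$RENEW_WINDOW_DAYS" ]
}

# Extract "<path> <YYYY-MM-DD>" from the "... expires on <date>" lines that
# certbot prints (the same lines "certbot renew" printed in the article).
parse_expiry_lines() {
    while read -r path rest; do
        case "$rest" in
            "expires on "*) set -- $rest; echo "$path $3" ;;
        esac
    done
}

# Constructed sample: the certificate list as the article's "certbot renew" printed it.
SAMPLE_OUTPUT='  /etc/letsencrypt/live/www.example.com/fullchain.pem expires on 2021-04-19 (skipped)
  /etc/letsencrypt/live/mail.example.com/fullchain.pem expires on 2021-04-19 (skipped)'

# One status line per certificate for a given "today" date.
renewal_report() {   # renewal_report TODAY
    printf '%s\n' "$SAMPLE_OUTPUT" | parse_expiry_lines | while read -r path expiry; do
        if renewal_due "$expiry" "$1"; then
            echo "DUE      $path ($(days_until "$expiry" "$1") days left)"
        else
            echo "NOT YET  $path ($(days_until "$expiry" "$1") days left)"
        fi
    done
}

# Demo with assumed values: the article's issuance date as "today".
build_certonly_cmd admin@example.com www.example.com mail.example.com
renewal_report 2021-01-19

# Unattended renewal (assumption, not in the article): run daily; certbot itself
# only renews certificates that are inside the 30-day window.
#   0 3 * * * root certbot renew --quiet
```

Because the standalone authenticator binds port 80 itself, any later web server on the same host must be stopped around renewal (certbot's --pre-hook and --post-hook options exist for that); running "certbot renew --dry-run" first confirms the challenge still works without consuming issuance rate limits.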