Amazon Lightsail に SSL 証明書設置 with Let's Encrypt(自動更新)
Amazon Lightsailの設定で、プラットフォームで Linux/Unix、設計図で WordPress を選択した場合における内容です。 ロードバランサを利用し ACM を用いた方法でも可能ですが、ここではロードバランサを利用しないで Let's Encrypt による方法となります。
Let's Encrypt による SSL 証明書の導入
$ sudo apt-get update
$ sudo apt-get install software-properties-common
$ sudo apt-add-repository ppa:certbot/certbot -y
$ sudo apt-get update -y
$ sudo apt-get install certbot -y
$ wget https://github.com/joohoi/acme-dns-certbot-joohoi/raw/master/acme-dns-auth.py
$ chmod +x acme-dns-auth.py
$ vi acme-dns-auth.py
$ sudo mv acme-dns-auth.py /etc/letsencrypt/
$ sudo certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dn
s --debug-challenges -d hayashier.com
$ sudo cp /etc/letsencrypt/live/hayashier.com/fullchain.pem /opt/bitnami/apache2/conf/server.crt
$ sudo cp /etc/letsencrypt/live/hayashier.com/privkey.pem /opt/bitnami/apache2/conf/server.key
$ sudo /opt/bitnami/ctlscript.sh restart apache
更新時には、以下のコマンドを実行すると、DNS検証で必要なレコードがCNAMEレコードとして表示されますので、これを登録し、以降--dry-run
を抜いた形でrenewコマンドを実行するのみで問題ありません。
$ sudo certbot renew --manual-public-ip-logging-ok --dry-run
SSL 証明書の自動更新設定
cron 処理により更新します。
# crontab -e
以下設定内容
1 1 1 * * certbot renew --manual-public-ip-logging-ok
2 1 1 * * cp /etc/letsencrypt/live/hayashier.com/privkey.pem /opt/bitnami/apache2/conf/server.key
3 1 1 * * cp /etc/letsencrypt/live/hayashier.com/fullchain.pem /opt/bitnami/apache2/conf/server.crt
4 1 1 * * /opt/bitnami/ctlscript.sh restart apache
以前の方法
letsencrypt-auto
のよる方法ですが、バージョン0.6.0以降、certbotが独立したレポジトリに移動し、certbot-auto
というコマンドに変更されました。しかしながら、certbot-autoのコマンドは現在以下の通りインストールができない状態となっております。
To learn how to fix them, visit https://community.letsencrypt.org/t/certbot-auto-deployment-best-practices/91979/
Your system is not supported by certbot-auto anymore.
Certbot cannot be installed.
詳細は、下記URLをご参照ください。
letsencrypt-autoによる方法は以下の通りとなります。
$ sudo su
# apt-get install -y git
# git clone https://github.com/letsencrypt/letsencrypt
# cd letsencrypt
# ./letsencrypt-auto certonly --webroot -w /opt/bitnami/apps/wordpress/htdocs/ -d hayashier.com
# cp /etc/letsencrypt/live/hayashier.com/fullchain.pem /opt/bitnami/apache2/conf/server.crt
# cp /etc/letsencrypt/live/hayashier.com/privkey.pem /opt/bitnami/apache2/conf/server.key
# /opt/bitnami/ctlscript.sh restart apache
SSL 証明書の自動更新設定
cron 処理により更新します。
# crontab -e
以下設定内容
1 1 1 * * /tmp/letsencrypt/letsencrypt-auto renew
2 1 1 * * cp /etc/letsencrypt/live/hayashier.com/privkey.pem /opt/bitnami/apache2/conf/server.key
3 1 1 * * cp /etc/letsencrypt/live/hayashier.com/fullchain.pem /opt/bitnami/apache2/conf/server.crt
4 1 1 * * /opt/bitnami/ctlscript.sh restart apache
ここまでの設定だけでは、以下のようなログ(/var/log/letsencrypt/letsencrypt.log
)が表示されて、更新がうまくいきません。
2021-11-28 06:06:29,692:WARNING:certbot.renewal:Attempting to renew cert (hayashier.com) from /etc/letsencrypt/renewal/hayashier.com.conf produced an unexpected error: Missing command line flag or config entry for this setting:
NOTE: The IP of this machine will be publicly logged as having requested this certificate. If you're running certbot in manual mode on a machine that is not your server, please ensure you're okay with that.
Are you OK with your IP being logged?
(You can set this with the --manual-public-ip-logging-ok flag). Skipping.
以下のファイルの末尾に設定内容を追加しておきましょう。
$ vim /etc/letsencrypt/renewal/hayashier.com.conf
[[webroot_map]]
hayashier.com = /opt/bitnami/apache2/htdocs/
www.hayashier.com = /opt/bitnami/apache2/htdocs/
Dry runして正しく更新できることを確認しておきましょう。
$ sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/hayashier.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator manual, Installer None
Renewing an existing certificate
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/hayashier.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)
Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/hayashier.com/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
動作確認
正常に設定が行えていることを確認
$ curl -svo /dev/null https://hayashier.com
* Rebuilt URL to: https://hayashier.com/
* Trying 34.225.220.198...
* TCP_NODELAY set
* Connected to hayashier.com (34.225.220.198) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
CAfile: /usr/local/etc/openssl/cert.pem
CApath: /usr/local/etc/openssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
} [5 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [109 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [2731 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [333 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [70 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
{ [1 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: CN=hayashier.com
* start date: Aug 30 00:49:36 2018 GMT
* expire date: Nov 28 00:49:36 2018 GMT
* subjectAltName: host "hayashier.com" matched cert's "hayashier.com"
* issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
* SSL certificate verify ok.
} [5 bytes data]
httpsへ強制
sudo vim /opt/bitnami/apache2/conf/bitnami/bitnami.conf
<VirtualHost _default_:80>
以下に以下を追加
RewriteEngine On
RewriteCond %{HTTP} .*
RewriteRule ^/(.*) https://hayashier.com/$1 [R=301,L]
再起動して設定変更の読み込み
sudo /opt/bitnami/ctlscript.sh restart apache