end0tknr's kipple - 新web写経開発

http://d.hatena.ne.jp/end0tknr/ から移転します

無料ssl証明書のLet's Encryptのnginx on amazon linux へのお試し導入

ググルと、「Let's Encryptは、amazon linuxでは試験段階」と言う情報が チラホラ見られましたが、私の試した範囲では、迷うようなことはありませんでした。

STEP0 参考url

何より日本語urlがあったお陰ですね。 https://letsencrypt.jp/docs/using.html#installation

STEP1 クライアントのinstall

# cd /usr/local
git clone https://github.com/certbot/certbot

STEP2 証明書のinstall

# /usr/local/certbot/certbot-auto certonly --debug --webroot \
>   -d hoge.example.mydns.jp \
>   --webroot-path /usr/share/nginx/html
Version: 1.1-20080819
Version: 1.1-20080819

 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/hoge.example.mydns.jp/fullchain.pem. Your
   cert will expire on 2016-10-05. To obtain a new or tweaked version
   of this certificate in the future, simply run certbot-auto again.
   To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

# ls -l /etc/letsencrypt/live/hoge.example.mydns.jp
  cert.pem -> ../../archive/hoge.example.mydns.jp/cert1.pem
  chain.pem -> ../../archive/hoge.example.mydns.jp/chain1.pem
  fullchain.pem -> ../../archive/hoge.example.mydns.jp/fullchain1.pem
  privkey.pem -> ../../archive/hoge.example.mydns.jp/privkey1.pem

STEP3 nginxの設定

# vi /etc/nginx/nginx.conf
http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;
    include /etc/nginx/conf.d/*.conf;
    index   index.html index.htm;

    server {
        listen       80;
    return 302 https://$host$request_uri;

  server {
    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/hoge.example.mydns.jp/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/hoge.example.mydns.jp/privkey.pem;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    root /usr/share/nginx/html;
    index index.html index.htm index.nginx-debian.html;
    server_name _;
    location / {
      # First attempt to serve request as file, then
      # as directory, then fall back to displaying a 404.
      try_files $uri $uri/ =404;

STEP4 nginxの再起動

# /etc/rc.d/init.d/nginx restart


Let's Encrypt によるssl証明書の有効期間は90日間らしく 「certbot renew」コマンドで証明書を更新するようです。