end0tknr's kipple - web transcription development


SSL setup with Amazon Linux 2 + Apache 2.4 + Let's Encrypt

AWS-issued SSL certificates (Certificate Manager) can be attached to an ELB or to CloudFront, but apparently not to an EC2 instance itself, so here is a memo on doing it with Let's Encrypt instead.

install apache2.4

$ sudo yum update
$ sudo yum install httpd
$ sudo yum install mod_ssl

$ sudo systemctl enable httpd.service
$ sudo systemctl start  httpd.service

$ sudo vi /var/www/html/index.html

config dns (route53)

Once DNS is configured, the server can be reached over HTTP, e.g. at http://apache.end0tknr.com/.

install letsencrypt

$ sudo amazon-linux-extras install epel
$ sudo yum install certbot
$ certbot --version
certbot 1.11.0

$ sudo certbot certonly --manual \
   --server https://acme-v02.api.letsencrypt.org/directory \
   --preferred-challenges dns \
   -d apache.end0tknr.com \
   -m ないしょ@gmail.com

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Requesting a certificate for apache.end0tknr.com
Performing the following challenges:
dns-01 challenge for apache.end0tknr.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.apache.end0tknr.com with the following value:

dF-KM8rquJGCrLi0sz1leoKlDS_4PDTNYJlq8DnE3KI

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

config dns (route53) again

Register the value shown in the "Please deploy a DNS TXT record" message above as a TXT record in DNS, then confirm it with nslookup:

$ nslookup -type=txt _acme-challenge.apache.end0tknr.com
Server:     203.165.31.152
Address:    203.165.31.152#53

Non-authoritative answer:
_acme-challenge.apache.end0tknr.com
   text="dF-KM8rquJGCrLi0sz1leoKlDS_4PDTNYJlq8DnE3KI"
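Let's Encrypt validates the dns-01 challenge from its own resolvers, so before telling certbot to continue it is worth polling until the TXT value is actually visible, ideally through an external resolver rather than only the local one. The script below is an added example and is not part of the original post; it assumes nslookup is installed (bind-utils on Amazon Linux 2) and uses the record name and value shown above purely as sample input.

```shell
#!/bin/sh
# Added example (not from the original post): confirm that the
# _acme-challenge TXT record is visible before resuming
# "certbot certonly --manual".

# txt_value_present VALUE: read nslookup-style output on stdin and succeed
# only if a line carrying exactly text="VALUE" is present (-F: fixed string).
txt_value_present() {
    grep -qF "text=\"$1\""
}

# wait_for_txt NAME VALUE [RESOLVER] [TRIES]: query the TXT record every
# 10 seconds until it carries VALUE (default: system resolver, 30 tries).
wait_for_txt() {
    name="$1"; value="$2"; resolver="${3:-}"; tries="${4:-30}"
    i=0
    while [ "$i" -lt "$tries" ]; do
        # Asking an external resolver such as 8.8.8.8 shows the propagated
        # record rather than a cached answer from the local resolver.
        if nslookup -type=txt "$name" $resolver 2>/dev/null | txt_value_present "$value"; then
            echo "TXT record for $name is live; resume certbot now."
            return 0
        fi
        i=$((i + 1))
        sleep 10
    done
    echo "TXT record for $name not seen after $tries tries." >&2
    return 1
}

# Usage (arguments are examples):
#   sh wait_for_txt.sh _acme-challenge.apache.end0tknr.com dF-KM8rq... 8.8.8.8
if [ "$#" -ge 2 ]; then
    wait_for_txt "$@"
fi
```

Note that a certificate obtained with --manual and a dns-01 challenge cannot be renewed unattended by "certbot renew" unless a --manual-auth-hook that creates the TXT record is configured; without one the same manual DNS step recurs at every renewal.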

sudo certbot certonly again

Once the DNS record is registered, let the pending sudo certbot certonly session continue; it then creates the set of SSL certificate files shown below.

Waiting for verification...
Cleaning up challenges
Subscribe to the EFF mailing list (email: end0tknr@gmail.com).

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/apache.end0tknr.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/apache.end0tknr.com/privkey.pem
   Your certificate will expire on 2021-12-13. To obtain a new or
   tweaked version of this certificate in the future, simply run
   certbot again. To non-interactively renew *all* of your
   certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le


$ sudo ls -l /etc/letsencrypt/live/apache.end0tknr.com

total 4
lrwxrwxrwx 1  43 cert.pem -> ../../archive/apache.end0tknr.com/cert1.pem
lrwxrwxrwx 1  44 chain.pem -> ../../archive/apache.end0tknr.com/chain1.pem
lrwxrwxrwx 1  48 fullchain.pem -> ../../archive/apache.end0tknr.com/fullchain1.pem
lrwxrwxrwx 1  46 privkey.pem -> ../../archive/apache.end0tknr.com/privkey1.pem
-rw-r--r-- 1 692 README
$ sudo chmod 755 /etc/letsencrypt/archive/
$ sudo chmod 755 /etc/letsencrypt/live/
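Widening archive/ and live/ to 755 lets any local user list those directories, which is harmless for the certificates but must not extend to the private key; httpd opens privkey.pem as root before dropping privileges, so the key file itself never needs to be readable by anyone else. The check below is an added example, not part of the original post, and assumes only a POSIX find; it scans archive/ because the entries in live/ are symlinks to the real files there.

```shell
#!/bin/sh
# Added example (not from the original post): after "chmod 755" on the
# archive/ and live/ directories, verify that the private keys themselves
# are still not readable by other users.

# other_readable PATH: succeed if the "others" read bit is set on PATH.
# -prune keeps find from descending when PATH is a directory.
other_readable() {
    [ -n "$(find "$1" -prune -perm -004 -print 2>/dev/null)" ]
}

# check_privkeys DIR: look under DIR (e.g. /etc/letsencrypt/archive) for
# privkey*.pem files readable by others. Prints each offender with the fix
# and returns 1 if any were found, 0 otherwise.
check_privkeys() {
    rc=0
    for f in $(find "$1" -type f -name 'privkey*.pem' 2>/dev/null); do
        if other_readable "$f"; then
            echo "WARNING: $f is readable by other users; fix with: chmod 600 $f" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Usage: sudo sh check_privkeys.sh /etc/letsencrypt/archive
if [ "$#" -ge 1 ]; then
    check_privkeys "$1" && echo "all private keys under $1 are private to their owner"
fi
```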

config apache for ssl

$ sudo vi /etc/httpd/conf.d/ssl.conf

 ## certificate
 old) SSLCertificateFile /etc/pki/tls/certs/localhost.crt
 new) SSLCertificateFile /etc/letsencrypt/live/apache.end0tknr.com/cert.pem
 ## key
 old) SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
 new) SSLCertificateKeyFile /etc/letsencrypt/live/apache.end0tknr.com/privkey.pem
 ## intermediate certificate
 old) SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
 new) SSLCertificateChainFile /etc/letsencrypt/live/apache.end0tknr.com/chain.pem


$ apachectl configtest
Syntax OK
$ sudo systemctl start  httpd.service
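Two practical points on this last step. First, httpd is already running from the install section, so "systemctl restart httpd.service" (or reload) is what makes the edited ssl.conf take effect; "start" does nothing on a service that is already active. Second, on httpd 2.4.8 and later SSLCertificateChainFile is deprecated, and pointing SSLCertificateFile at fullchain.pem serves the intermediate without it. Before restarting, it also pays to confirm that the certificate and key named in ssl.conf belong together and are not close to expiry, since a mismatched pair is the usual reason httpd refuses to start after this edit. The script below is an added example, not from the original post; it assumes the openssl command-line tool and the file paths shown above.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the certificate
# and key pair that ssl.conf points at before restarting httpd.

# pubkey_fingerprint KIND FILE: print the SHA-256 of the DER-encoded public
# key in FILE, where KIND is "cert" (X.509 certificate) or "key" (private key).
pubkey_fingerprint() {
    if [ "$1" = cert ]; then
        openssl x509 -in "$2" -noout -pubkey
    else
        openssl pkey -in "$2" -pubout
    fi | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# cert_matches_key CERT KEY: succeed if CERT carries KEY's public key.
cert_matches_key() {
    c=$(pubkey_fingerprint cert "$1") || return 1
    k=$(pubkey_fingerprint key "$2") || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# cert_valid_beyond CERT DAYS: succeed if CERT is still valid DAYS days from
# now. certbot renews with 30 days left, so 30 is a sensible threshold.
cert_valid_beyond() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# check_ssl_pair CERT KEY: run both checks, report, return non-zero on failure.
check_ssl_pair() {
    cert="$1"; key="$2"; rc=0
    if cert_matches_key "$cert" "$key"; then
        echo "OK: $cert matches $key"
    else
        echo "FAIL: $cert does not match $key (httpd will refuse to start)" >&2
        rc=1
    fi
    if cert_valid_beyond "$cert" 30; then
        echo "OK: $cert is valid for more than 30 days"
    else
        echo "WARN: $cert expires within 30 days; run 'certbot renew'" >&2
        rc=1
    fi
    return "$rc"
}

# Usage (paths from ssl.conf above):
#   sudo sh check_ssl_pair.sh /etc/letsencrypt/live/apache.end0tknr.com/cert.pem \
#                             /etc/letsencrypt/live/apache.end0tknr.com/privkey.pem
if [ "$#" -eq 2 ]; then
    check_ssl_pair "$1" "$2"
fi
```

Run it as root because privkey.pem is not readable by other users; a non-zero exit means fix the paths in ssl.conf (or renew) before restarting httpd.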