AWS SSL certificates (Certificate Manager) can be applied to ELB and CloudFront, but apparently cannot be applied to EC2, so here is a memo.
install apache2.4
$ sudo yum update
$ sudo yum install httpd
$ sudo yum install mod_ssl
$ sudo systemctl enable httpd.service
$ sudo systemctl start httpd.service
$ sudo vi /var/www/html/index.html
config dns (route53)
After that, HTTP access such as http://apache.end0tknr.com/ becomes possible.
install letsencrypt
$ sudo amazon-linux-extras install epel
$ sudo yum install certbot
$ certbot --version
certbot 1.11.0

$ sudo certbot certonly --manual \
    --server https://acme-v02.api.letsencrypt.org/directory \
    --preferred-challenges dns \
    -d apache.end0tknr.com \
    -m ないしょ@gmail.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Requesting a certificate for apache.end0tknr.com
Performing the following challenges:
dns-01 challenge for apache.end0tknr.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.apache.end0tknr.com with the following value:

dF-KM8rquJGCrLi0sz1leoKlDS_4PDTNYJlq8DnE3KI

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
config dns (route53) again
Register the content shown above under "Please deploy a DNS TXT record" in DNS, then confirm it with nslookup.
$ nslookup -type=txt _acme-challenge.apache.end0tknr.com
Server:         203.165.31.152
Address:        203.165.31.152#53

Non-authoritative answer:
_acme-challenge.apache.end0tknr.com     text="dF-KM8rquJGCrLi0sz1leoKlDS_4PDTNYJlq8DnE3KI"
sudo certbot certonly again
Once the DNS registration is complete, continue the paused sudo certbot certonly run, and the set of SSL certificate files is created as shown below.
Waiting for verification...
Cleaning up challenges
Subscribe to the EFF mailing list (email: end0tknr@gmail.com).

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/apache.end0tknr.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/apache.end0tknr.com/privkey.pem
   Your certificate will expire on 2021-12-13. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

$ sudo ls -l /etc/letsencrypt/live/apache.end0tknr.com
total 4
lrwxrwxrwx 1 43 cert.pem -> ../../archive/apache.end0tknr.com/cert1.pem
lrwxrwxrwx 1 44 chain.pem -> ../../archive/apache.end0tknr.com/chain1.pem
lrwxrwxrwx 1 48 fullchain.pem -> ../../archive/apache.end0tknr.com/fullchain1.pem
lrwxrwxrwx 1 46 privkey.pem -> ../../archive/apache.end0tknr.com/privkey1.pem
-rw-r--r-- 1 692 README

$ sudo chmod 755 /etc/letsencrypt/archive/
$ sudo chmod 755 /etc/letsencrypt/live/
config apache for ssl
$ sudo vi /etc/httpd/conf.d/ssl.conf

## certificate
old) SSLCertificateFile /etc/pki/tls/certs/localhost.crt
new) SSLCertificateFile /etc/letsencrypt/live/apache.end0tknr.com/cert.pem

## private key
old) SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
new) SSLCertificateKeyFile /etc/letsencrypt/live/apache.end0tknr.com/privkey.pem

## intermediate certificate
old) SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
new) SSLCertificateChainFile /etc/letsencrypt/live/apache.end0tknr.com/chain.pem

$ apachectl configtest
Syntax OK
$ sudo systemctl start httpd.service
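As an added example, not part of the original memo: two small shell helpers that make the "verify the record is deployed" step and the later certificate-expiry check explicit. The function names, the constructed nslookup sample and the certificate path argument are assumptions; the TXT token is the one shown above.

```shell
#!/bin/sh
# Added example (not from the original post). Helpers around the manual
# dns-01 flow: confirm the TXT record before continuing certbot, and check
# how long the issued certificate remains valid.

# Print the TXT value nslookup returned for a record name.
# $1 = record name; nslookup -type=txt output is read from stdin.
txt_value_from_nslookup() {
    grep "^$1[[:space:]]" | sed -n 's/.*text *= *"\([^"]*\)".*/\1/p' | head -n 1
}

# Succeed only when the served TXT value equals the token certbot printed,
# so the "Before continuing, verify the record is deployed" step is not skipped.
txt_matches() {
    # $1 = record name, $2 = expected token, stdin = nslookup output
    [ "$(txt_value_from_nslookup "$1")" = "$2" ]
}

# Live check: query DNS for _acme-challenge.<host> and compare with the token.
check_acme_txt() {
    # $1 = host name (e.g. apache.end0tknr.com), $2 = expected token
    nslookup -type=txt "_acme-challenge.$1" | txt_matches "_acme-challenge.$1" "$2"
}

# Certificates from this flow are short-lived, and "certbot renew" cannot redo
# a manual dns-01 challenge on its own (it needs --manual-auth-hook), so check
# expiry explicitly. Succeeds when the certificate stays valid for >= $2 days.
cert_valid_for_days() {
    # $1 = path to cert.pem, $2 = number of days
    openssl x509 -checkend $(( $2 * 86400 )) -noout -in "$1" >/dev/null
}

# Constructed sample: the nslookup output shown in the post above.
SAMPLE_NSLOOKUP='Server:         203.165.31.152
Address:        203.165.31.152#53

Non-authoritative answer:
_acme-challenge.apache.end0tknr.com     text="dF-KM8rquJGCrLi0sz1leoKlDS_4PDTNYJlq8DnE3KI"'

# Offline usage against the sample (no network needed):
printf '%s\n' "$SAMPLE_NSLOOKUP" \
    | txt_matches _acme-challenge.apache.end0tknr.com dF-KM8rquJGCrLi0sz1leoKlDS_4PDTNYJlq8DnE3KI \
    && echo "TXT record deployed, safe to continue certbot"
```

For the real host, run `check_acme_txt apache.end0tknr.com <token>` until it succeeds, and put `cert_valid_for_days /etc/letsencrypt/live/apache.end0tknr.com/cert.pem 30` in a cron job so a certificate that cannot be auto-renewed is noticed before it expires.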