
Installing an SSL certificate with Let's Encrypt on Amazon Linux running ownCloud
2022-10-04 last update
5 minutes reading letsencrypt AmazonLinux ownCloud Apache
These are my notes from enabling SSL on ownCloud on Amazon Linux with Let's Encrypt, since a few steps gave me pause.
Prerequisites
FATAL: Amazon Linux support is very experimental at present...
if you would like to work on improving it, please ensure you have backups
Since certbot-auto says this, please carry out the work at your own risk.
Environment
Let's get started!
Fetch certbot-auto.
$ sudo curl https://dl.eff.org/certbot-auto -o /usr/bin/certbot-auto
$ sudo chmod 700 /usr/bin/certbot-auto
Run it in test mode (--debug). This is where the first error occurs.
$ sudo certbot-auto --debug
Bootstrapping dependencies for Amazon... (you can skip this with --no-bootstrap)
yum は /usr/bin/yum です
読み込んだプラグイン:priorities, update-motd, upgrade-helper
・
・
・
Creating virtual environment...
/usr/bin/certbot-auto: 行 700: virtualenv: コマンドが見つかりません
It turns out that this apparently does not work unless Python 2.7 is used. Check the current Python version.
$ alternatives --display python
python - ステータスは手動です。
リンクは現在 /usr/bin/python2.6 を指しています。
・
・
・
現在の「最適」バージョンは /usr/bin/python2.7 です。
Switch the Python version to 2.7.
$ sudo alternatives --set python /usr/bin/python2.7
$ python -V
Python 2.7.12
Issue the certificate.
$ sudo certbot-auto certonly --webroot -w 【ドキュメントルート】 -d 【ドメイン名】 --email 【メールアドレス】
・
・
・
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: 【ドメイン名】
Type: unauthorized
Detail: Invalid response from
http://【ドメイン名】/.well-known/acme-challenge/j86lIDb5VkS_f2cuFXf6tICw5FzP4YH7JaAASlPk35k:
"<!DOCTYPE html>
<!--[if lt IE 7]><html class="ng-csp ie ie6 lte9 lte8 lte7"
data-placeholder-focus="false" lang="en"><![endif]--"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
Another error. Evidently ownCloud answered with an error page, and Let's Encrypt could not reach the challenge file. For now, rewrite the DocumentRoot.
/etc/httpd/conf/httpd.conf
・
・
DocumentRoot "/var/www/html/"
・
・
Restart Apache.
$ sudo service httpd restart
Issue the certificate again.
$ sudo certbot-auto certonly --webroot -w /var/www/html -d 【ドメイン名】 --email 【メールアドレス】
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for 【ドメイン名】
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/【ドメイン名】/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/【ドメイン名】/privkey.pem
Your cert will expire on 2017-11-29. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Revert the DocumentRoot to its original value.
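An alternative to temporarily swapping the DocumentRoot is to serve /.well-known/acme-challenge/ from a dedicated directory with an Apache Alias and to check from the outside that a probe file is really served before running certbot. The script below is an added example, not code from the original post; it assumes Apache 2.4 on Amazon Linux, the conf directory /etc/httpd/conf.d, curl being available, and a hypothetical challenge webroot /var/www/letsencrypt.

```shell
#!/bin/sh
# Added example, not from the original post. Serves the ACME challenge path from a
# dedicated directory via an Apache Alias (so ownCloud's DocumentRoot can stay as is)
# and checks from outside that a probe file is actually served before running certbot.
# Assumptions: Apache 2.4 on Amazon Linux, conf dir /etc/httpd/conf.d, curl available.
ACME_ROOT="${ACME_ROOT:-/var/www/letsencrypt}"   # hypothetical challenge webroot

# Write the Alias config. $1 = path of the conf file to create
# (e.g. /etc/httpd/conf.d/letsencrypt.conf; restart httpd afterwards).
write_acme_alias_conf() {
  cat > "$1" <<EOF
Alias /.well-known/acme-challenge/ "$ACME_ROOT/.well-known/acme-challenge/"
<Directory "$ACME_ROOT/.well-known/acme-challenge/">
    Options None
    AllowOverride None
    Require all granted
</Directory>
EOF
}

# Classify what a client got back for a challenge URL.
# $1 = response body, $2 = expected file content. Prints one of:
#   ok        -> body is exactly the expected content
#   html_page -> an HTML document answered instead (the ownCloud page seen in the post)
#   mismatch  -> anything else (wrong vhost, stale file, empty body on 404, ...)
classify_challenge_response() {
  if [ "$1" = "$2" ]; then
    echo ok
  elif printf '%s' "$1" | grep -qiE '<!DOCTYPE html|<html'; then
    echo html_page
  else
    echo mismatch
  fi
}

# Preflight for the http-01 challenge. $1 = domain. Drops a random probe file into
# the challenge directory, fetches it over plain HTTP following redirects (as the CA
# does), removes it, and returns 0 only if the body came back verbatim.
preflight_http01() {
  dir="$ACME_ROOT/.well-known/acme-challenge"
  mkdir -p "$dir"
  token="probe-$(date +%s)-$$"
  printf '%s' "$token" > "$dir/$token"
  body=$(curl -fsS -L --max-time 10 "http://$1/.well-known/acme-challenge/$token")
  rm -f "$dir/$token"
  result=$(classify_challenge_response "$body" "$token")
  echo "http-01 preflight for $1: $result"
  [ "$result" = ok ]
}
```

Once the preflight prints ok, run certbot-auto certonly --webroot -w "$ACME_ROOT" -d <domain> and the DocumentRoot swap is no longer needed; the Alias also keeps renewals working after the http-to-https redirect is in place.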
Open ssl.conf and edit the following.
/etc/httpd/conf.d/ssl.conf
・
・
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A new
# certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/letsencrypt/live/【ドメイン名】/fullchain.pem
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/letsencrypt/live/【ドメイン名】/privkey.pem
・
・
Add a setting that redirects http access to https.
/etc/httpd/conf.d/rewrite.conf
<IfModule mod_rewrite.c>
RewriteEngine On
LogLevel alert rewrite:trace3
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
</IfModule>
Restart Apache.
$ sudo service httpd restart
Set up automatic renewal of the SSL certificate.
$ sudo crontab -e
50 3 * * 0 certbot-auto renew --force-renew --post-hook "service httpd restart"
Reference sites
Publishing a secure website with a Let's Encrypt SSL certificate
Automatically redirecting http access to https in Apache