ownCloud를 설치한 Amazon Linux에 Let’s Encrypt로 SSL 인증서 설치

ownCloud를 설치한 Amazon Linux에 Let’s Encrypt로 SSL 인증서 설치

2022-10-04 last update

5 minutes reading letsencrypt AmazonLinux ownCloud 아파치


Let’s Encrypt를 사용하여 Amazon Linux의 ownCloud를 SSL화할 때 몇 가지 망설였으므로 그 비망록입니다.


FATAL: Amazon Linux support is very experimental at present...
if you would like to work on improving it, please ensure you have backups
라는 것이므로, 작업을 실시할 때는 자기 책임으로 부탁합니다.


  • Amazon Linux AMI release 2017.03
  • Apache/2.4.27 (Amazon)

  • 작업 시작!

    certbot-auto를 가져옵니다.

    $ sudo curl https://dl.eff.org/certbot-auto -o /usr/bin/certbot-auto
    $ sudo chmod 700 /usr/bin/certbot-auto

    테스트 모드에서 실행합니다. 여기 오류 발생.

    $ sudo certbot-auto --debug
    Bootstrapping dependencies for Amazon... (you can skip this with --no-bootstrap)
    yum は /usr/bin/yum です
    読み込んだプラグイン:priorities, update-motd, upgrade-helper
    Creating virtual environment...
    /usr/bin/certbot-auto: 行 700: virtualenv: コマンドが見つかりません

    분명히 Python 2.7에서는 안 되는 것이 판명. 현재 Python 버전을 확인합니다.

    $ alternatives --display python
    python - ステータスは手動です。
    リンクは現在 /usr/bin/python2.6 を指しています。
    現在の「最適」バージョンは /usr/bin/python2.7 です。

    파이썬 버전을 2.7로 만듭니다.

    $ sudo alternatives --set python /usr/bin/python2.7
    $ python -V
    Python 2.7.12

    증명서 발행을 실시합니다.

    $ sudo certbot-auto certonly --webroot -w 【ドキュメントルート】 -d 【ドメイン名】 --email 【メールアドレス】
     - The following errors were reported by the server:
       Domain: 【ドメイン名】
       Type:   unauthorized
       Detail: Invalid response from
       "<!DOCTYPE html>
       <!--[if lt IE 7]><html class="ng-csp ie ie6 lte9 lte8 lte7"
       data-placeholder-focus="false" lang="en"><![endif]--"
       To fix these errors, please make sure that your domain name was
       entered correctly and the DNS A/AAAA record(s) for that domain
       contain(s) the right IP address.
     - Your account credentials have been saved in your Certbot
       configuration directory at /etc/letsencrypt. You should make a
       secure backup of this folder now. This configuration directory will
       also contain certificates and private keys obtained by Certbot so
       making regular backups of this folder is ideal.

    또한 오류 발생. 분명히 ownCloud에서 오류가 발생했으며 Let's Encrypt에서 여기에 연결할 수 없었습니다. 일단 DocumentRoot를 다시 씁니다.

    DocumentRoot "/var/www/html/"

    Apache를 다시 시작합니다.

    $ sudo service httpd restart

    다시 인증서를 발급합니다.

    $ sudo certbot-auto certonly --webroot -w /var/www/html -d 【ドメイン名】 --email 【メールアドレス】
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Obtaining a new certificate
    Performing the following challenges:
    http-01 challenge for 【ドメイン名】
    Using the webroot path /var/www/html for all unmatched domains.
    Waiting for verification...
    Cleaning up challenges
     - Congratulations! Your certificate and chain have been saved at:
       Your key file has been saved at:
       Your cert will expire on 2017-11-29. To obtain a new or tweaked
       version of this certificate in the future, simply run certbot-auto
       again. To non-interactively renew *all* of your certificates, run
       "certbot-auto renew"
     - If you like Certbot, please consider supporting our work by:
       Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
       Donating to EFF:                    https://eff.org/donate-le

    DocumentRoot를 바탕으로 되돌립니다.

    ssl.conf를 열고 다음을 수정합니다.

    #   Server Certificate:
    # Point SSLCertificateFile at a PEM encoded certificate.  If
    # the certificate is encrypted, then you will be prompted for a
    # pass phrase.  Note that a kill -HUP will prompt again.  A new
    # certificate can be generated using the genkey(1) command.
    SSLCertificateFile /etc/letsencrypt/live/【ドメイン名】/fullchain.pem
    #   Server Private Key:
    #   If the key is not combined with the certificate, use this
    #   directive to point at the key file.  Keep in mind that if
    #   you've both a RSA and a DSA private key you can configure
    #   both in parallel (to also allow the use of DSA ciphers, etc.)
    SSLCertificateKeyFile /etc/letsencrypt/live/【ドメイン名】/privkey.pem

    http 할 수 있으면 https에 날리는 설정을 넣습니다.

    <ifModule mod_rewrite.c>
      RewriteEngine On
      LogLevel alert rewrite:trace3
      RewriteCond %{HTTPS} off
      RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R,L]

    Apache를 다시 시작합니다.

    $ sudo service httpd restart

    SSL 인증서의 자동 업데이트를 설정합니다.

    $ sudo crontab -e
    50 3 * * 0 certbot-auto renew --force-renew --post-hook "service httpd restart"

    참고로 한 사이트

    Let’s Encrypt의 SSL 인증서로 보안 웹사이트 공개
    apache에서 http에 대한 액세스를 https로 자동 리디렉션