Installing a Let's Encrypt certificate on CentOS 7.9

February 8, 2022

Environment
nginx 1.10.2
CentOS Linux release 7.9.2009 (Core)
PHP 5.6.40

Procedure
1. Check the firewall settings
1.1 Allow the https service

# firewall-cmd --add-service=https --permanent
success
Apply the settings
# firewall-cmd --reload
success
Confirm the settings
# firewall-cmd --list-all

1.2 Open port 443

# firewall-cmd --zone=public --add-port=443/tcp --permanent
success
# firewall-cmd --reload
success
# firewall-cmd --list-all

2. Install the certbot package

# yum -y install certbot
Confirm the installation
# yum list installed | grep certbot

3. Create the server certificate with Let's Encrypt

Stop the nginx service (the standalone authenticator needs port 80 to itself)
# systemctl stop nginx.service

Install the certificate

# certbot certonly --standalone -d www.sample.com -m test@sample.com --agree-tos -n
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Requesting a certificate for www.sample.com
Performing the following challenges:
http-01 challenge for www.sample.com
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/www.sample.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/www.sample.com/privkey.pem
   Your certificate will expire on 2022-02-16. To obtain a new or
   tweaked version of this certificate in the future, simply run
   certbot again. To non-interactively renew *all* of your
   certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Check the server certificate files

# ls -l /etc/letsencrypt/live/www.ctoit.net/
total 4
-rw-r--r-- 1 root root 692 Nov 18 10:49 README
lrwxrwxrwx 1 root root  37 Nov 18 10:49 cert.pem -> ../../archive/www.sample.com/cert1.pem
lrwxrwxrwx 1 root root  38 Nov 18 10:49 chain.pem -> ../../archive/www.sample.com/chain1.pem
lrwxrwxrwx 1 root root  42 Nov 18 10:49 fullchain.pem -> ../../archive/www.sample.com/fullchain1.pem
lrwxrwxrwx 1 root root  40 Nov 18 10:49 privkey.pem -> ../../archive/www.sample.com/privkey1.pem

4. Create the dhparam file

# mkdir /etc/nginx/ssl
# openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
# ls -a /etc/nginx/ssl/
.  ..  dhparam.pem

5. Create the nginx configuration file for SSL

# vi /etc/nginx/conf.d/www.sample.com.conf

Edit the file with the following content

server {
  listen 80;
  server_name sample.com www.sample.com;
  rewrite ^ https://$server_name$request_uri? permanent;
}
server {
  listen 443 ssl;
  server_name sample.com www.sample.com;

  access_log /var/log/nginx/www.sample.com-access.log main;
  error_log /var/log/nginx/www.sample.com-error.log;
  root /home/www/www.sample.com;

  ssl_certificate /etc/letsencrypt/live/www.sample.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/www.sample.com/privkey.pem;
  ssl_session_timeout 1d;
  ssl_session_cache shared:SSL:50m;
  ssl_session_tickets on;
  ssl_dhparam /etc/nginx/ssl/dhparam.pem;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers HIGH:!aNULL:!MD5;
  ssl_prefer_server_ciphers on;

  location / {
    index index.php index.html index.htm;
  }
  location ~ \.php$ {
    fastcgi_pass 127.0.0.1:9000;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include fastcgi_params;
  }
}

6. Check the configuration file

# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

7. Restart nginx

# systemctl start nginx.service
# systemctl start php-fpm.service
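As an added example (not code from the original post), here is a small Python audit for the ssl_* directives of a server block like the one in step 5: it flags deprecated protocol versions, a missing ssl_dhparam and a cert.pem used in place of fullchain.pem, and rewrites ssl_protocols to TLSv1.2 only. The embedded config is a constructed copy of the post's directives; TLSv1.3 is deliberately not added because nginx 1.10.2, the version in this post, does not accept it.

```python
import re

# Constructed sample: the TLS-related directives from the server block in step 5,
# embedded as example data rather than read from a live /etc/nginx/conf.d file.
SAMPLE_SERVER_BLOCK = """
server {
  listen 443 ssl;
  server_name sample.com www.sample.com;
  ssl_certificate /etc/letsencrypt/live/www.sample.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/www.sample.com/privkey.pem;
  ssl_dhparam /etc/nginx/ssl/dhparam.pem;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers HIGH:!aNULL:!MD5;
  ssl_prefer_server_ciphers on;
}
"""

# TLS 1.0 and 1.1 are deprecated (RFC 8996); SSLv2 and SSLv3 are broken outright.
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# nginx 1.10.2 (the version in this post) rejects TLSv1.3 in ssl_protocols (support
# arrived in nginx 1.13.0), so the hardened value for this host is TLSv1.2 alone.
HARDENED_PROTOCOLS = "TLSv1.2"
DIRECTIVE_RE = re.compile(r"^\s*(ssl_\w+)\s+(.*?);\s*$", re.MULTILINE)

def parse_ssl_directives(config: str) -> dict:
    """Map each ssl_* directive in the block to its list of arguments."""
    return {name: args.split() for name, args in DIRECTIVE_RE.findall(config)}

def audit_tls_config(config: str) -> list:
    """Return human-readable findings; an empty list means nothing was flagged."""
    directives = parse_ssl_directives(config)
    findings = []
    weak = sorted(set(directives.get("ssl_protocols", [])) & DEPRECATED_PROTOCOLS)
    if weak:
        findings.append("deprecated protocols enabled: " + " ".join(weak))
    if "ssl_dhparam" not in directives:
        findings.append("ssl_dhparam missing: nginx before 1.11.0 uses built-in 1024-bit DH")
    cert = directives.get("ssl_certificate", [""])[0]
    if cert.endswith("/cert.pem"):
        findings.append("ssl_certificate is cert.pem; use fullchain.pem so the chain is served")
    return findings

def harden_protocols(config: str) -> str:
    """Rewrite only the ssl_protocols directive; every other line is left untouched."""
    return re.sub(r"^(\s*ssl_protocols\s+).*?;", r"\g<1>" + HARDENED_PROTOCOLS + ";",
                  config, flags=re.MULTILINE)

if __name__ == "__main__":
    print(audit_tls_config(SAMPLE_SERVER_BLOCK), harden_protocols(SAMPLE_SERVER_BLOCK))
```

Run it against the output of `nginx -T` after step 6 to check the deployed configuration rather than the sample; a non-empty finding list is what to fix before the restart in step 7.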

 

CentOS 7

Posted by arkgame