Installing a Let's Encrypt certificate on CentOS 7.x
Environment
CentOS 7.9
nginx 1.10.2
Procedure
1. Allow the https service in the firewall
# firewall-cmd --add-service=https --permanent
# firewall-cmd --reload
# firewall-cmd --list-all
2. Open port 443
# firewall-cmd --zone=public --add-port=443/tcp --permanent
# firewall-cmd --reload
# firewall-cmd --list-all
3. Install the certbot package
# yum -y install certbot
# yum list installed | grep certbot
4. Stop the nginx service (certbot's standalone mode needs port 80 free)
# systemctl stop nginx.service
5. Obtain the SSL certificate
# certbot certonly --standalone -d sample.com -m test@gmail.com --agree-tos -n
(output omitted)
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/sample.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/sample.com/privkey.pem
   Your certificate will expire on 2022-05-09. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
Check the server certificate files
# ls -l /etc/letsencrypt/live/sample.com
total 4
-rw-r--r-- 1 root root 692 Feb 8 19:05 README
lrwxrwxrwx 1 root root  33 Feb 8 19:05 cert.pem -> ../../archive/sample.com/cert1.pem
lrwxrwxrwx 1 root root  34 Feb 8 19:05 chain.pem -> ../../archive/sample.com/chain1.pem
lrwxrwxrwx 1 root root  38 Feb 8 19:05 fullchain.pem -> ../../archive/sample.com/fullchain1.pem
lrwxrwxrwx 1 root root  36 Feb 8 19:05 privkey.pem -> ../../archive/sample.com/privkey1.pem
6. Create the dhparam file
# mkdir /etc/nginx/ssl
# openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
# ls -a /etc/nginx/ssl/
.  ..  dhparam.pem
7. Create the nginx configuration file
# vi /etc/nginx/conf.d/sample.com.conf
Edit it to contain the following:
server {
    listen 80;
    server_name sample.com sample.com;
    rewrite ^ https://$server_name$request_uri? permanent;
}

server {
    listen 443 ssl;
    server_name sample.com sample.com;
    access_log /var/log/nginx/sample.com-access.log main;
    error_log /var/log/nginx/sample.com-error.log;
    root /home/www/sample.com;

    ssl_certificate /etc/letsencrypt/live/sample.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/sample.com/privkey.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets on;
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    location / {
        index index.php index.html index.htm;
    }

    location ~ \.php$ {
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
8. Check the configuration file
# nginx -t
9. Restart nginx
# systemctl start nginx.service
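A post-deployment check and renewal wrapper, added here as an example and not part of the original post: it reports the days left on the certificate from step 5, flags the deprecated TLSv1/TLSv1.1 entries that the ssl_protocols line in step 7 enables, and renews through certbot's --pre-hook/--post-hook so nginx releases port 80 for the standalone challenge. It assumes the names and paths used above (sample.com, /etc/letsencrypt/live, /etc/nginx/conf.d) and the GNU date and openssl shipped with CentOS 7.

```sh
#!/bin/sh
# Added example, not part of the original post. Paths assume the names used
# in the steps above; `date -d` and `openssl` are the CentOS 7 versions.
CERT_NAME="${CERT_NAME:-sample.com}"
CERT="/etc/letsencrypt/live/$CERT_NAME/fullchain.pem"
CONF="/etc/nginx/conf.d/$CERT_NAME.conf"

# Whole days from epoch $2 (now) to epoch $1 (expiry); negative once expired.
days_until() {
  echo $(( ($1 - $2) / 86400 ))
}

# Days left on a PEM certificate, taken from its notAfter field.
cert_days_left() {
  not_after=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
  days_until "$(date -d "$not_after" +%s)" "$(date +%s)"
}

# Let's Encrypt certificates are valid for 90 days; renew below 30 left.
needs_renewal() {
  [ "$1" -lt 30 ]
}

# Print the deprecated entries (TLS 1.0 and 1.1) of an ssl_protocols line.
# Reads nginx config text from stdin so it can be checked without the file.
weak_protocols() {
  sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]*\(.*\);.*/\1/p' \
    | tr ' ' '\n' | grep -Ex 'TLSv1(\.1)?' | tr '\n' ' ' | sed 's/ $//'
}

# certbot was run with --standalone, which binds port 80 itself, so nginx
# has to be stopped for the challenge and started again afterwards. The
# hooks are certbot options and run only when a renewal is attempted.
renew() {
  certbot renew -n \
    --pre-hook  "systemctl stop nginx.service" \
    --post-hook "systemctl start nginx.service"
}

main() {
  left=$(cert_days_left "$CERT")
  echo "$CERT_NAME: $left day(s) until expiry"
  weak=$(weak_protocols < "$CONF")
  [ -n "$weak" ] && echo "warning: deprecated protocols in $CONF: $weak"
  if needs_renewal "$left"; then renew; else echo "no renewal needed"; fi
}

# Run as `sh renew-check.sh --run` (e.g. daily from cron).
if [ "$1" = "--run" ]; then main; fi
```

With the page's configuration the warning line reports "TLSv1 TLSv1.1"; on nginx 1.10.2 with the CentOS 7 OpenSSL the corrected setting is ssl_protocols TLSv1.2;.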