Install letsencrypt - Installation
Doing everything as root, since it is simpler (letsencrypt-auto needs root anyway to install its dependencies and to write under /etc/letsencrypt).
# git clone https://github.com/letsencrypt/letsencrypt /usr/local/letsencrypt
# cd /usr/local/letsencrypt
# ./letsencrypt-auto --help
Edit nginx conf (for letsencrypt) - Configuration for the verification requests from Let's Encrypt
# vi /etc/nginx/conf.d/virtual.conf (or sites-available/... etc.)
---
server {
listen 80;
server_name example.jp;
location '/.well-known/' {
default_type "text/plain";
root /tmp/letsencrypttmp;
}
location / {
return 301 https://$host$request_uri;
}
}
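Before running certonly it is worth checking that nginx really serves the challenge directory over plain HTTP, because a redirect-to-https that also catches /.well-known/ is the usual reason a webroot challenge fails. The script below is an added example, not part of the original post or of the Let's Encrypt client: it creates the directory the client writes into, drops a dummy token, and fetches it the way the validation server will. The domain and webroot values are the ones used on this page; the script name le-preflight.sh and the function names are my own, and `main` only runs when both arguments are given.

```shell
#!/bin/sh
# Pre-flight check for the webroot (HTTP-01) challenge. Added example; the
# domain/webroot defaults in the usage line are the values used in this write-up.
#
# nginx's "root" directive maps a URI onto the filesystem by concatenation:
#   GET http://example.jp/.well-known/acme-challenge/TOKEN
#   -> /tmp/letsencrypttmp/.well-known/acme-challenge/TOKEN
# so the client's token file has to end up at exactly that path.

# Filesystem path that "root $1" resolves the challenge URI for token $2 to.
challenge_path() {
    printf '%s/.well-known/acme-challenge/%s\n' "$1" "$2"
}

# Create the directory the client writes into. The nginx worker runs as an
# unprivileged user, so the tree must be world-readable and searchable.
prepare_webroot() {
    mkdir -p "$1/.well-known/acme-challenge" || return 1
    chmod 755 "$1" "$1/.well-known" "$1/.well-known/acme-challenge"
}

# Write token $2 with body $3 under webroot $1, as the client would, and
# print the resulting path.
place_test_token() {
    path=$(challenge_path "$1" "$2")
    printf '%s' "$3" > "$path" || return 1
    chmod 644 "$path" && printf '%s\n' "$path"
}

# Fetch token $2 for domain $1 over plain HTTP without following redirects.
# Succeeds only on a 200 whose body is exactly $3; a 301 here means the
# "location /" redirect is catching /.well-known/ as well.
check_challenge_http() {
    tmp=$(mktemp) || return 1
    code=$(curl -sS --max-time 15 -o "$tmp" -w '%{http_code}' \
        "http://$1/.well-known/acme-challenge/$2") || { rm -f "$tmp"; return 1; }
    body=$(cat "$tmp"); rm -f "$tmp"
    [ "$code" = "200" ] && [ "$body" = "$3" ]
}

# usage: sh le-preflight.sh example.jp /tmp/letsencrypttmp
main() {
    domain=$1; webroot=$2
    token="preflight-$$-$(date +%s)"
    prepare_webroot "$webroot" || { echo "cannot create $webroot" >&2; return 1; }
    place_test_token "$webroot" "$token" "ok-$token" >/dev/null || return 1
    if check_challenge_http "$domain" "$token" "ok-$token"; then
        echo "OK: http://$domain/.well-known/acme-challenge/ is served from $webroot"
        rc=0
    else
        echo "FAIL: token not served with HTTP 200 from $webroot (redirect or wrong root?)" >&2
        rc=1
    fi
    rm -f "$(challenge_path "$webroot" "$token")"
    return $rc
}

# Run only when invoked with both arguments, so the functions can be sourced.
if [ $# -eq 2 ]; then main "$@"; fi
```

If the check fails with a 301, move the `/.well-known/` location above `location /` or make sure it is not itself redirected; if it fails with a 404, the `root` path does not match the `-w` webroot you pass to certonly.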
Get certificates - Obtaining the certificate
The -d value must be the name the nginx server_name above answers for (example.jp here). Note that the webroot only has to exist while the challenge runs, but CentOS 6 cleans /tmp with tmpwatch (empty directories included), so a permanent directory such as /var/www/letsencrypt is safer once automatic renewal is in place.
# mkdir /tmp/letsencrypttmp
# /path/to/letsencrypt-auto certonly --webroot -w /tmp/letsencrypttmp -d example.jp --agree-tos
I got an error.
Downloading zope.interface==4.1.3 (141K)...
Downloading mock==1.0.1 (818K)...
Downloading acme==0.4.2 (95K)...
Downloading letsencrypt==0.4.2 (199K)...
Downloading letsencrypt-apache==0.4.2 (99K)...
You are using pip version 6.0.8, however version 8.0.3 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.
Processing /tmp/peep-xGHlQg/argparse-1.4.0-py2.py3-none-any.whl
Installing collected packages: argparse
Successfully installed argparse-1.4.0
You are using pip version 6.0.8, however version 8.0.3 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.
Processing /tmp/peep-uCy7pg/pycparser-2.14.tar.gz
Installing collected packages: pycparser
Running setup.py install for pycparser
Build the lexing/parsing tables
Successfully installed pycparser-2.14
You are using pip version 6.0.8, however version 8.0.3 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.
Processing /tmp/peep-ee_aNB/cffi-1.4.2.tar.gz
Installing collected packages: cffi
Running setup.py install for cffi
building '_cffi_backend' extension
gcc -pthread -fno-strict-aliasing -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -D_GNU_SOURCE -fPIC -fwrapv -DNDEBUG -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -D_GNU_SOURCE -fPIC -fwrapv -fPIC -DUSE__THREAD -I/usr/include/python2.7 -c c/_cffi_backend.c -o build/temp.linux-x86_64-2.7/c/_cffi_backend.o
c/_cffi_backend.c:2:20: fatal error: Python.h: No such file or directory
#include <Python.h>
                    ^
compilation terminated.
error: command 'gcc' failed with exit status 1
Python.h is missing, so the Python 2.7 development headers are not installed (the python27-* packages below are the IUS ones, as the thread linked next explains).
https://community.letsencrypt.org/t/redhat-centos-6-x-users-need-python-2-7/2190
# yum install python27-devel python27-pip python27-setuptools python27-virtualenv
In my case only python27-virtualenv was missing.
Re-run the original certonly command. If you get the output below, it worked; the files are saved under /etc/letsencrypt.
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/example.jp/fullchain.pem. Your cert
will expire on 2016-06-02. To obtain a new version of the
certificate in the future, simply run Let's Encrypt again.
- If you like Let's Encrypt, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
cert.pem (server certificate)
chain.pem (intermediate certificate)
fullchain.pem (cert.pem + chain.pem; this is what nginx should be given as ssl_certificate)
privkey.pem (private key; readable by root only, keep it that way)
The entries under /etc/letsencrypt/live/example.jp/ are symlinks to the versioned files in /etc/letsencrypt/archive/, so an nginx config that points at live/ keeps working across renewals.
Setting up nginx SSL - Configuring SSL in nginx
# vi /etc/nginx/conf.d/virtual.conf (or sites-available/... etc.)
---
server {
listen 443 ssl;
ssl on;   # redundant with "listen 443 ssl" and deprecated in newer nginx
ssl_certificate /etc/letsencrypt/live/example.jp/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.jp/privkey.pem;
server_name example.jp;
# ... (rest omitted)
}
Check the configuration with nginx -t, then reload; SSL is live after that.
# /etc/init.d/nginx reload
Set up an auto-renewal script - Automatic renewal
/path/to/update.sh
#!/bin/sh
# "renew" only reissues certificates that are within 30 days of expiry, so it
# is safe to run often. Do not add --force-renew: that reissues on every run
# and quickly hits the Let's Encrypt rate limit (5 duplicate certificates per week).
LOG=/var/log/letsencrypt/renew.log
if ! /usr/local/letsencrypt/letsencrypt-auto renew > "$LOG" 2>&1 ; then
    echo "Automated renewal failed:"
    cat "$LOG"
    exit 1
fi
/etc/init.d/nginx reload
Register it in crontab or similar. How often should it run? Certificates are valid for 90 days and renew only acts when fewer than 30 days remain, so run it daily: the extra runs are no-ops, and a single failed run still leaves plenty of retries before expiry. A once-a-month entry (for example 4:30 on the 2nd) can miss the renewal window if that one run fails.
# crontab -e
30 04 * * * /home/xxxx/letsencrypt/update.sh
While I was renewing over and over during setup, I got told it was too many. Around the fifth time, I think.
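The rate-limit complaint above comes from reissuing a certificate that did not need renewing yet. The wrapper below is an added example, not part of the original post or of the Let's Encrypt client: it uses openssl to apply the same 30-day threshold that `renew` uses to the certificates under live/, runs `renew` without --force-renew only when something is actually due, and reloads nginx only if a certificate fingerprint changed. The LIVE_DIR, LE_AUTO and LOG defaults are the paths used on this page; the script name renew-wrapper.sh and the function names are my own.

```shell
#!/bin/sh
# Renewal wrapper (added example). Paths below are the ones used in this
# write-up; override LIVE_DIR / LE_AUTO / LOG for your host.
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"
LE_AUTO="${LE_AUTO:-/usr/local/letsencrypt/letsencrypt-auto}"
LOG="${LOG:-/var/log/letsencrypt/renew.log}"

# 0 if the certificate in $1 expires within $2 days. "renew" uses 30 days,
# so this tells you whether a run will do anything before you spend one of
# the 5 duplicate certificates per week the rate limit allows.
cert_needs_renewal() {
    ! openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1"
}

# SHA-256 fingerprint of the certificate in $1, used to detect replacement.
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | sed 's/^.*=//'
}

# Print "lineage fingerprint" for every lineage directory under $1.
snapshot_live() {
    for dir in "$1"/*/; do
        [ -f "$dir/fullchain.pem" ] || continue
        printf '%s %s\n' "$(basename "$dir")" "$(cert_fingerprint "$dir/fullchain.pem")"
    done
}

# 0 if at least one lineage under $1 is within $2 days of expiry.
any_due() {
    for dir in "$1"/*/; do
        [ -f "$dir/fullchain.pem" ] || continue
        if cert_needs_renewal "$dir/fullchain.pem" "$2"; then
            echo "$(basename "$dir"): within $2 days of expiry"
            return 0
        fi
    done
    return 1
}

# usage: sh renew-wrapper.sh run   (from cron, daily)
main() {
    if ! any_due "$LIVE_DIR" 30; then
        echo "nothing within 30 days of expiry; skipping renew"
        return 0
    fi
    before=$(snapshot_live "$LIVE_DIR")
    if ! "$LE_AUTO" renew > "$LOG" 2>&1; then   # no --force-renew
        echo "Automated renewal failed:" >&2
        cat "$LOG" >&2
        return 1
    fi
    after=$(snapshot_live "$LIVE_DIR")
    if [ "$before" != "$after" ]; then
        echo "certificate changed; reloading nginx"
        /etc/init.d/nginx reload
    else
        echo "renew ran but nothing changed; nginx not reloaded"
    fi
}

if [ "$1" = "run" ]; then main; fi
```

Running this from cron every day is safe: on most days it exits after the `any_due` check without contacting Let's Encrypt at all, and nginx is only reloaded when live/ really changed, which also means a renewal that silently failed to replace the file shows up as "nothing changed" rather than as a stale certificate being served.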
References