Saturday, March 5, 2016

Setting up an SSL (https) certificate with letsencrypt on EC2 (Amazon Linux), using nginx


Install letsencrypt


Everything is done as root, because it is less hassle.

# git clone https://github.com/letsencrypt/letsencrypt /usr/local/letsencrypt
# cd /usr/local/letsencrypt
# ./letsencrypt-auto --help



Edit nginx conf (for letsencrypt) - serving the validation requests from letsencrypt


# vi /etc/nginx/conf.d/virtual.conf (or sites-available ... etc.)

---
server {
    listen 80;
    server_name example.jp;

    # Serve the http-01 challenge files from the webroot passed to
    # letsencrypt-auto with -w. A request for /.well-known/acme-challenge/<token>
    # maps to /tmp/letsencrypttmp/.well-known/acme-challenge/<token>, which is
    # exactly where --webroot writes it, so this must use root, not alias.
    location /.well-known/ {
        default_type "text/plain";
        root /tmp/letsencrypttmp;
    }
    # Everything else goes to https. The challenge location above has to stay
    # outside this redirect, otherwise validation over port 80 fails.
    location / {
        return 301 https://$host$request_uri;
    }
}



Get certificates


Create the webroot and request the certificate. The -d value must match the server_name in the nginx config above (the same host is used here throughout). A directory under /tmp is fine for a one-off run, but Amazon Linux cleans /tmp periodically (tmpwatch), so for unattended renewals either recreate the directory in the renewal script or use a persistent path such as /var/www/letsencrypt.

# mkdir /tmp/letsencrypttmp
# /path/to/letsencrypt-auto certonly --webroot -w /tmp/letsencrypttmp -d example.jp --agree-tos

It failed with an error:
Downloading zope.interface==4.1.3 (141K)...
Downloading mock==1.0.1 (818K)...
Downloading acme==0.4.2 (95K)...
Downloading letsencrypt==0.4.2 (199K)...
Downloading letsencrypt-apache==0.4.2 (99K)...
You are using pip version 6.0.8, however version 8.0.3 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.
Processing /tmp/peep-xGHlQg/argparse-1.4.0-py2.py3-none-any.whl
Installing collected packages: argparse

Successfully installed argparse-1.4.0
You are using pip version 6.0.8, however version 8.0.3 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.
Processing /tmp/peep-uCy7pg/pycparser-2.14.tar.gz
Installing collected packages: pycparser
  Running setup.py install for pycparser
    Build the lexing/parsing tables
Successfully installed pycparser-2.14
You are using pip version 6.0.8, however version 8.0.3 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.
Processing /tmp/peep-ee_aNB/cffi-1.4.2.tar.gz
Installing collected packages: cffi
  Running setup.py install for cffi
    building '_cffi_backend' extension
    gcc -pthread -fno-strict-aliasing -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -D_GNU_SOURCE -fPIC -fwrapv -DNDEBUG -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -D_GNU_SOURCE -fPIC -fwrapv -fPIC -DUSE__THREAD -I/usr/include/python2.7 -c c/_cffi_backend.c -o build/temp.linux-x86_64-2.7/c/_cffi_backend.o
    c/_cffi_backend.c:2:20: fatal error: Python.h: No such file or directory
     #include <Python.h>
                        ^
    compilation terminated.
    error: command 'gcc' failed with exit status 1

Apparently the Python 2.7 development files are missing (the same problem is described for RHEL/CentOS 6):
https://community.letsencrypt.org/t/redhat-centos-6-x-users-need-python-2-7/2190

# yum install python27-devel python27-pip python27-setuptools python27-virtualenv

In this case only python27-virtualenv was actually missing.

Re-run the certonly command from above. If you get the following output, it worked; the files are written under /etc/letsencrypt.

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/example.jp/fullchain.pem. Your cert
   will expire on 2016-06-02. To obtain a new version of the
   certificate in the future, simply run Let's Encrypt again.
 - If you like Let's Encrypt, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le


cert.pem (the server certificate)
chain.pem (the intermediate certificate)
fullchain.pem (cert.pem + chain.pem)
privkey.pem (the private key)

These live under /etc/letsencrypt/live/example.jp/ as symlinks to the current versions in /etc/letsencrypt/archive/, so pointing nginx at live/ keeps the paths stable across renewals. privkey.pem is readable only by root; leave it that way, since nginx's master process reads it as root before dropping privileges.




Setting nginx SSL - configuring SSL in nginx



# vi /etc/nginx/conf.d/virtual.conf (or sites-available ... etc.)

---
server {
    # "listen 443 ssl" already enables TLS on this port; a separate "ssl on;"
    # is redundant here (and deprecated in later nginx releases).
    listen 443 ssl;
    # fullchain.pem so that clients receive the intermediate as well.
    ssl_certificate      /etc/letsencrypt/live/example.jp/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/example.jp/privkey.pem;
    server_name example.jp;

#    ~~~ (omitted)
}

Check the syntax and reload, and HTTPS is live. nginx's defaults for ssl_protocols and ssl_ciphers are permissive, so set them explicitly for a production site.
# nginx -t && /etc/init.d/nginx reload



Set auto update script - automatic renewal


/path/to/update.sh
#!/bin/sh
# renew (without --force-renew) only replaces certificates that are within
# 30 days of expiry, so running this often is harmless and does not count
# against the rate limits; --force-renew would reissue on every run.
if ! /usr/local/letsencrypt/letsencrypt-auto renew > /var/log/letsencrypt/renew.log 2>&1 ; then
    echo Automated renewal failed:
    cat /var/log/letsencrypt/renew.log
    exit 1
fi
/etc/init.d/nginx reload

Register it in crontab. This originally ran at 4:30 on the 2nd of every month, with the open question of how often it should run. Certificates are valid for 90 days and renew only replaces those within 30 days of expiry, so a daily run is safe, leaves several chances to recover from a failed attempt, and is in line with what Let's Encrypt recommends (they suggest twice a day).
# crontab -e
30 04 * * * /home/xxxx/letsencrypt/update.sh


While setting this up I ran renew over and over and got told it was too many, from about the fifth time. That is Let's Encrypt's rate limit on issuing the same certificate repeatedly (5 per week for the same set of names), which --force-renew runs into quickly; while testing, point letsencrypt-auto at the staging server with --server https://acme-staging.api.letsencrypt.org/directory, which has its own, far higher limits and issues certificates that browsers do not trust.
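As an added example (this is not the original post's script), here is a fuller renewal job for the setup above. Before calling renew it drops a test file into the webroot and fetches it over plain HTTP the way the validator would, so a cleaned-out /tmp or a stray redirect is caught before the rate-limited request is made, and it reloads nginx only when the log shows a certificate was actually replaced. The paths, the curl pre-flight and the two log strings it greps for are assumptions about this setup and about letsencrypt's renew output, not things the post states.

```sh
#!/bin/sh
# Renewal script for the webroot setup above (added example, not code from
# the original post). Checks that nginx still serves the challenge path, runs
# `renew` without --force-renew, and reloads nginx only if a cert changed.
# Assumed (hypothetical) paths: letsencrypt-auto under /usr/local/letsencrypt,
# the webroot from the nginx config, and the log file the post already uses.
# Cron entry, daily:   30 04 * * * /path/to/update.sh cron example.jp
set -u

LE_BIN=${LE_BIN:-/usr/local/letsencrypt/letsencrypt-auto}
WEBROOT=${WEBROOT:-/tmp/letsencrypttmp}
LOG=${LOG:-/var/log/letsencrypt/renew.log}

# Write a throwaway file exactly where --webroot -w "$WEBROOT" would write a
# challenge, recreating the directory if /tmp was cleaned, and print its name.
# Any unique, URL-safe string works; this is not a real ACME token.
place_token() {
    dir="$1/.well-known/acme-challenge"
    mkdir -p "$dir"
    token="preflight-$(date +%s)-$$"
    printf '%s' "$token" > "$dir/$token"
    echo "$token"
}

remove_token() {
    rm -f "$1/.well-known/acme-challenge/$2"
}

# Fetch the token over plain HTTP without following redirects, as the
# Let's Encrypt validator does. If the body is not the token (the 301 to
# https from the catch-all location, or a 404 because the directory is gone),
# the real http-01 validation would fail the same way.
challenge_reachable() {
    domain=$1; token=$2
    body=$(curl -s "http://$domain/.well-known/acme-challenge/$token")
    [ "$body" = "$token" ]
}

# Did this renew run replace anything? Assumption: the log holds the summary
# lines certbot prints after `renew` ("No renewals were attempted." when
# nothing was due, "Congratulations, all renewals succeeded." otherwise).
renewed_any() {
    if grep -q 'No renewals were attempted' "$1"; then
        return 1
    fi
    grep -q 'all renewals succeeded' "$1"
}

renew_and_reload() {
    domain=$1
    token=$(place_token "$WEBROOT")
    if ! challenge_reachable "$domain" "$token"; then
        remove_token "$WEBROOT" "$token"
        echo "challenge path not served for $domain; fix nginx before renewing" >&2
        return 1
    fi
    remove_token "$WEBROOT" "$token"

    # No --force-renew: renew only touches certificates within 30 days of
    # expiry, so a daily run is cheap and stays clear of the rate limits.
    if ! "$LE_BIN" renew > "$LOG" 2>&1; then
        echo "Automated renewal failed:" >&2
        cat "$LOG" >&2
        return 1
    fi
    # Reload only when a cert changed; nginx keeps serving the old one until then.
    if renewed_any "$LOG"; then
        /etc/init.d/nginx reload
    fi
}

case "${1:-}" in
    cron) renew_and_reload "${2:?domain}" ;;
esac
```

Invoke it as `update.sh cron example.jp` from cron; without arguments it only defines the functions. Later certbot releases added --post-hook for the reload step, which removes the need to grep the log.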



References