
These days it's becoming common to encrypt a website with SSL when you publish it, nyoro

Anglerfish?
I like horse mackerel and saury better, nya!

It's not about fish, nyoro!
SSL is a mechanism for encrypting communication.
To encrypt a website's traffic, you need to install an SSL certificate.
In the past, SSL certificates were used only on some pages, such as the purchase forms of shopping sites, but since Google began recommending always-on SSL, encrypting every page of a website with SSL has become the norm.
This time we will make a website always-on SSL using Let’s Encrypt, which provides SSL certificates free of charge.
What is Let’s Encrypt?
A certificate authority whose certificates can be used free of charge. Programs such as Certbot can install its SSL certificates automatically.
Commercial SSL certificates are typically valid for one year, but certificates issued by Let’s Encrypt are valid for 90 days.
Let’s Encrypt – Free SSL/TLS Certificates
https://letsencrypt.org/ja/
What is Certbot?
A program for installing Let’s Encrypt SSL certificates.
1. Install mod_ssl.
[root@wordpress chatora]# dnf install -y mod_ssl
Last metadata expiration check: 1:54:17 ago on Sun 15 Nov 2020 10:25:30 AM UTC.
Dependencies resolved.
================================================================================
 Package           Arch    Version                                  Repo       Size
================================================================================
Installing:
 mod_ssl           x86_64  1:2.4.37-21.module_el8.2.0+494+1df74eae  AppStream  132 k
Upgrading:
 httpd             x86_64  2.4.37-21.module_el8.2.0+494+1df74eae    AppStream  1.7 M
 httpd-filesystem  noarch  2.4.37-21.module_el8.2.0+494+1df74eae    AppStream   36 k
 httpd-tools       x86_64  2.4.37-21.module_el8.2.0+494+1df74eae    AppStream  103 k
Installing dependencies:
 sscg              x86_64  2.3.3-14.el8                             AppStream   49 k

Transaction Summary
================================================================================
Install  2 Packages
Upgrade  3 Packages

Total download size: 2.0 M
Downloading Packages:
(1/5): sscg-2.3.3-14.el8.x86_64.rpm             138 kB/s |  49 kB     00:00
(2/5): httpd-filesystem-2.4.37-21.module_el8.2. 109 kB/s |  36 kB     00:00
(3/5): mod_ssl-2.4.37-21.module_el8.2.0+494+1df 192 kB/s | 132 kB     00:00
(4/5): httpd-tools-2.4.37-21.module_el8.2.0+494 184 kB/s | 103 kB     00:00
(5/5): httpd-2.4.37-21.module_el8.2.0+494+1df74 1.0 MB/s | 1.7 MB     00:01
--------------------------------------------------------------------------------
Total                                           1.0 MB/s | 2.0 MB     00:01
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1
  Running scriptlet: httpd-filesystem-2.4.37-21.module_el8.2.0+494+1df74e   1/1
  Running scriptlet: httpd-filesystem-2.4.37-21.module_el8.2.0+494+1df74e   1/8
  Upgrading        : httpd-filesystem-2.4.37-21.module_el8.2.0+494+1df74e   1/8
  Upgrading        : httpd-tools-2.4.37-21.module_el8.2.0+494+1df74eae.x8   2/8
  Upgrading        : httpd-2.4.37-21.module_el8.2.0+494+1df74eae.x86_64     3/8
  Running scriptlet: httpd-2.4.37-21.module_el8.2.0+494+1df74eae.x86_64     3/8
  Installing       : sscg-2.3.3-14.el8.x86_64                               4/8
  Installing       : mod_ssl-1:2.4.37-21.module_el8.2.0+494+1df74eae.x86_   5/8
  Running scriptlet: httpd-2.4.37-21.module_el8.2.0+382+15b0afa8.x86_64     6/8
  Cleanup          : httpd-2.4.37-21.module_el8.2.0+382+15b0afa8.x86_64     6/8
  Running scriptlet: httpd-2.4.37-21.module_el8.2.0+382+15b0afa8.x86_64     6/8
  Cleanup          : httpd-filesystem-2.4.37-21.module_el8.2.0+382+15b0af   7/8
  Cleanup          : httpd-tools-2.4.37-21.module_el8.2.0+382+15b0afa8.x8   8/8
  Running scriptlet: httpd-2.4.37-21.module_el8.2.0+494+1df74eae.x86_64     8/8
  Running scriptlet: httpd-tools-2.4.37-21.module_el8.2.0+382+15b0afa8.x8   8/8
  Verifying        : mod_ssl-1:2.4.37-21.module_el8.2.0+494+1df74eae.x86_   1/8
  Verifying        : sscg-2.3.3-14.el8.x86_64                               2/8
  Verifying        : httpd-2.4.37-21.module_el8.2.0+494+1df74eae.x86_64     3/8
  Verifying        : httpd-2.4.37-21.module_el8.2.0+382+15b0afa8.x86_64     4/8
  Verifying        : httpd-filesystem-2.4.37-21.module_el8.2.0+494+1df74e   5/8
  Verifying        : httpd-filesystem-2.4.37-21.module_el8.2.0+382+15b0af   6/8
  Verifying        : httpd-tools-2.4.37-21.module_el8.2.0+494+1df74eae.x8   7/8
  Verifying        : httpd-tools-2.4.37-21.module_el8.2.0+382+15b0afa8.x8   8/8

Upgraded:
  httpd-2.4.37-21.module_el8.2.0+494+1df74eae.x86_64
  httpd-filesystem-2.4.37-21.module_el8.2.0+494+1df74eae.noarch
  httpd-tools-2.4.37-21.module_el8.2.0+494+1df74eae.x86_64
Installed:
  mod_ssl-1:2.4.37-21.module_el8.2.0+494+1df74eae.x86_64
  sscg-2.3.3-14.el8.x86_64

Complete!
2. Install the EPEL repository.
[root@wordpress chatora]# dnf install -y epel-release
Last metadata expiration check: 1:59:38 ago on Sun 15 Nov 2020 10:25:30 AM UTC.
Dependencies resolved.
================================================================================
 Package         Architecture  Version   Repository  Size
================================================================================
Installing:
 epel-release    noarch        8-8.el8   extras      23 k

Transaction Summary
================================================================================
Install  1 Package

Total download size: 23 k
Installed size: 32 k
Downloading Packages:
epel-release-8-8.el8.noarch.rpm                 295 kB/s |  23 kB     00:00
--------------------------------------------------------------------------------
Total                                           6.2 kB/s |  23 kB     00:03
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1
  Installing       : epel-release-8-8.el8.noarch                            1/1
  Running scriptlet: epel-release-8-8.el8.noarch                            1/1
  Verifying        : epel-release-8-8.el8.noarch                            1/1

Installed:
  epel-release-8-8.el8.noarch

Complete!
3. Install Certbot.
[root@wordpress chatora]# dnf install -y certbot python3-certbot-apache
Last metadata expiration check: 0:00:23 ago on Sun 15 Nov 2020 12:26:34 PM UTC.
Dependencies resolved.
================================================================================
 Package                    Arch    Version                              Repo       Size
================================================================================
Installing:
 certbot                    noarch  1.9.0-1.el8                          epel        48 k
 python3-certbot-apache     noarch  1.9.0-1.el8                          epel       143 k
Installing dependencies:
 augeas-libs                x86_64  1.12.0-5.el8                         BaseOS     436 k
 python3-acme               noarch  1.9.0-1.el8                          epel        88 k
 python3-augeas             noarch  0.5.0-12.el8                         AppStream   31 k
 python3-certbot            noarch  1.9.0-1.el8                          epel       382 k
 python3-chardet            noarch  3.0.4-7.el8                          BaseOS     195 k
 python3-configargparse     noarch  0.14.0-6.el8                         epel        36 k
 python3-distro             noarch  1.4.0-2.module_el8.1.0+245+c39af44f  AppStream   37 k
 python3-josepy             noarch  1.2.0-5.el8                          epel        95 k
 python3-ndg_httpsclient    noarch  0.5.1-4.el8                          epel        53 k
 python3-parsedatetime      noarch  2.5-1.el8                            epel        79 k
 python3-pyasn1             noarch  0.3.7-6.el8                          AppStream  126 k
 python3-pyrfc3339          noarch  1.1-1.el8                            epel        19 k
 python3-pysocks            noarch  1.6.8-3.el8                          BaseOS      34 k
 python3-pytz               noarch  2017.2-9.el8                         AppStream   54 k
 python3-requests           noarch  2.20.0-2.1.el8_1                     BaseOS     123 k
 python3-requests-toolbelt  noarch  0.9.1-4.el8                          epel        91 k
 python3-urllib3            noarch  1.24.2-4.el8                         BaseOS     176 k
 python3-zope-component     noarch  4.3.0-8.el8                          epel       313 k
 python3-zope-event         noarch  4.2.0-12.el8                         epel       210 k
 python3-zope-interface     x86_64  4.6.0-1.el8                          epel       158 k
Installing weak dependencies:
 python-josepy-doc          noarch  1.2.0-5.el8                          epel        21 k

Transaction Summary
================================================================================
Install  23 Packages

Total download size: 2.9 M
Installed size: 11 M
Downloading Packages:
(1/23): python3-augeas-0.5.0-12.el8.noarch.rpm  111 kB/s |  31 kB     00:00
(2/23): python3-distro-1.4.0-2.module_el8.1.0+2 106 kB/s |  37 kB     00:00
(3/23): python3-pyasn1-0.3.7-6.el8.noarch.rpm   207 kB/s | 126 kB     00:00
(4/23): augeas-libs-1.12.0-5.el8.x86_64.rpm     1.3 MB/s | 436 kB     00:00
(5/23): python3-pytz-2017.2-9.el8.noarch.rpm    133 kB/s |  54 kB     00:00
(6/23): python3-pysocks-1.6.8-3.el8.noarch.rpm  775 kB/s |  34 kB     00:00
(7/23): python3-urllib3-1.24.2-4.el8.noarch.rpm 3.8 MB/s | 176 kB     00:00
(8/23): python3-chardet-3.0.4-7.el8.noarch.rpm  939 kB/s | 195 kB     00:00
(9/23): python3-requests-2.20.0-2.1.el8_1.noarc 594 kB/s | 123 kB     00:00
(10/23): python-josepy-doc-1.2.0-5.el8.noarch.r 121 kB/s |  21 kB     00:00
(11/23): certbot-1.9.0-1.el8.noarch.rpm         204 kB/s |  48 kB     00:00
(12/23): python3-certbot-apache-1.9.0-1.el8.noa 1.2 MB/s | 143 kB     00:00
(13/23): python3-acme-1.9.0-1.el8.noarch.rpm    380 kB/s |  88 kB     00:00
(14/23): python3-configargparse-0.14.0-6.el8.no 634 kB/s |  36 kB     00:00
(15/23): python3-josepy-1.2.0-5.el8.noarch.rpm  1.6 MB/s |  95 kB     00:00
(16/23): python3-certbot-1.9.0-1.el8.noarch.rpm 1.6 MB/s | 382 kB     00:00
(17/23): python3-ndg_httpsclient-0.5.1-4.el8.no 934 kB/s |  53 kB     00:00
(18/23): python3-parsedatetime-2.5-1.el8.noarch 1.3 MB/s |  79 kB     00:00
(19/23): python3-pyrfc3339-1.1-1.el8.noarch.rpm 320 kB/s |  19 kB     00:00
(20/23): python3-requests-toolbelt-0.9.1-4.el8. 1.5 MB/s |  91 kB     00:00
(21/23): python3-zope-event-4.2.0-12.el8.noarch 3.6 MB/s | 210 kB     00:00
(22/23): python3-zope-interface-4.6.0-1.el8.x86 2.7 MB/s | 158 kB     00:00
(23/23): python3-zope-component-4.3.0-8.el8.noa 2.6 MB/s | 313 kB     00:00
--------------------------------------------------------------------------------
Total                                           1.5 MB/s | 2.9 MB     00:01
warning: /var/cache/dnf/epel-6519ee669354a484/packages/certbot-1.9.0-1.el8.noarch.rpm: Header V4 RSA/SHA256 Signature, key ID 2f86d6a1: NOKEY
Extra Packages for Enterprise Linux 8 - x86_64   89 kB/s | 1.6 kB     00:00
Importing GPG key 0x2F86D6A1:
 Userid     : "Fedora EPEL (8) <epel@fedoraproject.org>"
 Fingerprint: 94E2 79EB 8D8F 25B2 1810 ADF1 21EA 45AB 2F86 D6A1
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8
Key imported successfully
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1
  Installing       : python3-zope-event-4.2.0-12.el8.noarch                1/23
  Installing       : python3-zope-interface-4.6.0-1.el8.x86_64             2/23
  Installing       : python3-zope-component-4.3.0-8.el8.noarch             3/23
  Installing       : python3-pyrfc3339-1.1-1.el8.noarch                    4/23
  Installing       : python3-pytz-2017.2-9.el8.noarch                      5/23
  Installing       : python3-parsedatetime-2.5-1.el8.noarch                6/23
  Installing       : python3-ndg_httpsclient-0.5.1-4.el8.noarch            7/23
  Installing       : python3-configargparse-0.14.0-6.el8.noarch            8/23
  Installing       : python-josepy-doc-1.2.0-5.el8.noarch                  9/23
  Installing       : python3-josepy-1.2.0-5.el8.noarch                    10/23
  Installing       : python3-pysocks-1.6.8-3.el8.noarch                   11/23
  Installing       : python3-urllib3-1.24.2-4.el8.noarch                  12/23
  Installing       : python3-chardet-3.0.4-7.el8.noarch                   13/23
  Installing       : python3-requests-2.20.0-2.1.el8_1.noarch             14/23
  Installing       : python3-requests-toolbelt-0.9.1-4.el8.noarch         15/23
  Installing       : augeas-libs-1.12.0-5.el8.x86_64                      16/23
  Running scriptlet: augeas-libs-1.12.0-5.el8.x86_64                      16/23
  Installing       : python3-augeas-0.5.0-12.el8.noarch                   17/23
  Installing       : python3-pyasn1-0.3.7-6.el8.noarch                    18/23
  Installing       : python3-acme-1.9.0-1.el8.noarch                      19/23
  Installing       : python3-distro-1.4.0-2.module_el8.1.0+245+c39af44f   20/23
  Installing       : python3-certbot-1.9.0-1.el8.noarch                   21/23
  Installing       : certbot-1.9.0-1.el8.noarch                           22/23
  Running scriptlet: certbot-1.9.0-1.el8.noarch                           22/23
  Installing       : python3-certbot-apache-1.9.0-1.el8.noarch            23/23
  Running scriptlet: python3-certbot-apache-1.9.0-1.el8.noarch            23/23
  Verifying        : python3-augeas-0.5.0-12.el8.noarch                    1/23
  Verifying        : python3-distro-1.4.0-2.module_el8.1.0+245+c39af44f    2/23
  Verifying        : python3-pyasn1-0.3.7-6.el8.noarch                     3/23
  Verifying        : python3-pytz-2017.2-9.el8.noarch                      4/23
  Verifying        : augeas-libs-1.12.0-5.el8.x86_64                       5/23
  Verifying        : python3-chardet-3.0.4-7.el8.noarch                    6/23
  Verifying        : python3-pysocks-1.6.8-3.el8.noarch                    7/23
  Verifying        : python3-requests-2.20.0-2.1.el8_1.noarch              8/23
  Verifying        : python3-urllib3-1.24.2-4.el8.noarch                   9/23
  Verifying        : certbot-1.9.0-1.el8.noarch                           10/23
  Verifying        : python-josepy-doc-1.2.0-5.el8.noarch                 11/23
  Verifying        : python3-acme-1.9.0-1.el8.noarch                      12/23
  Verifying        : python3-certbot-1.9.0-1.el8.noarch                   13/23
  Verifying        : python3-certbot-apache-1.9.0-1.el8.noarch            14/23
  Verifying        : python3-configargparse-0.14.0-6.el8.noarch           15/23
  Verifying        : python3-josepy-1.2.0-5.el8.noarch                    16/23
  Verifying        : python3-ndg_httpsclient-0.5.1-4.el8.noarch           17/23
  Verifying        : python3-parsedatetime-2.5-1.el8.noarch               18/23
  Verifying        : python3-pyrfc3339-1.1-1.el8.noarch                   19/23
  Verifying        : python3-requests-toolbelt-0.9.1-4.el8.noarch         20/23
  Verifying        : python3-zope-component-4.3.0-8.el8.noarch            21/23
  Verifying        : python3-zope-event-4.2.0-12.el8.noarch               22/23
  Verifying        : python3-zope-interface-4.6.0-1.el8.x86_64            23/23

Installed:
  augeas-libs-1.12.0-5.el8.x86_64
  certbot-1.9.0-1.el8.noarch
  python-josepy-doc-1.2.0-5.el8.noarch
  python3-acme-1.9.0-1.el8.noarch
  python3-augeas-0.5.0-12.el8.noarch
  python3-certbot-1.9.0-1.el8.noarch
  python3-certbot-apache-1.9.0-1.el8.noarch
  python3-chardet-3.0.4-7.el8.noarch
  python3-configargparse-0.14.0-6.el8.noarch
  python3-distro-1.4.0-2.module_el8.1.0+245+c39af44f.noarch
  python3-josepy-1.2.0-5.el8.noarch
  python3-ndg_httpsclient-0.5.1-4.el8.noarch
  python3-parsedatetime-2.5-1.el8.noarch
  python3-pyasn1-0.3.7-6.el8.noarch
  python3-pyrfc3339-1.1-1.el8.noarch
  python3-pysocks-1.6.8-3.el8.noarch
  python3-pytz-2017.2-9.el8.noarch
  python3-requests-2.20.0-2.1.el8_1.noarch
  python3-requests-toolbelt-0.9.1-4.el8.noarch
  python3-urllib3-1.24.2-4.el8.noarch
  python3-zope-component-4.3.0-8.el8.noarch
  python3-zope-event-4.2.0-12.el8.noarch
  python3-zope-interface-4.6.0-1.el8.x86_64

Complete!
4. Obtain the certificate (webroot).
[root@wordpress chatora]# certbot certonly --webroot -w /var/www/html/ -d linux.gakubu.net -m chatora@ciel.gakubu.net --agree-tos
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for linux.gakubu.net
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/linux.gakubu.net/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/linux.gakubu.net/privkey.pem
   Your cert will expire on 2021-02-13. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
5. Configure Apache to use the certificate you obtained.
[root@wordpress chatora]# vi /etc/httpd/conf.d/ssl.conf

#   Point SSLCertificateFile at a PEM encoded certificate.  If
#   the certificate is encrypted, then you will be prompted for a
#   pass phrase.  Note that restarting httpd will prompt again.  Keep
#   in mind that if you have both an RSA and a DSA certificate you
#   can configure both in parallel (to also allow the use of DSA
#   ciphers, etc.)
#   Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt)
#   require an ECC certificate which can also be configured in
#   parallel.
#SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateFile /etc/letsencrypt/live/linux.gakubu.net/fullchain.pem

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
#   ECC keys, when in use, can also be configured in parallel
#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
SSLCertificateKeyFile /etc/letsencrypt/live/linux.gakubu.net/privkey.pem
6. Restart Apache.
[root@wordpress chatora]# systemctl restart httpd
7. Access the website from a browser using https.
If the test page is displayed with the padlock icon shown in the address bar, it worked.
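Step 7 only proves that HTTPS answers. The always-on SSL described at the top of the post also needs plain-HTTP requests sent to HTTPS, and a restart with a broken ssl.conf takes the site down. The script below is an added example, not part of the original post and not Certbot's own code: it renders a port-80 redirect for the domain, confirms that the fullchain.pem and privkey.pem Certbot saved belong together, runs apachectl configtest before restarting httpd, and then checks the redirect from the outside with curl. The drop-in file name zz-https-redirect.conf is an assumption; the domain and paths are the ones the post uses.

```shell
#!/bin/sh
# Added example, not from the original post: complete the "always-on SSL"
# setup by redirecting plain HTTP to HTTPS and checking the certificate and
# the Apache configuration before httpd is restarted.
# Assumptions: Apache httpd on CentOS/RHEL 8 as in the post, the certificate
# paths certbot printed in step 4, and a hypothetical drop-in file name.
set -eu

DOMAIN="${DOMAIN:-linux.gakubu.net}"
LIVE="/etc/letsencrypt/live/$DOMAIN"
CONF="/etc/httpd/conf.d/zz-https-redirect.conf"   # hypothetical file name

# Render a port-80 VirtualHost that sends every request to https://.
# Let's Encrypt follows this redirect during http-01 validation, so
# "certbot renew" with the same webroot keeps working.
render_redirect_conf() {
  cat <<EOF
<VirtualHost *:80>
    ServerName $1
    DocumentRoot /var/www/html
    Redirect permanent / https://$1/
</VirtualHost>
EOF
}

# Succeed only if the public key inside the certificate equals the public
# key derived from the private key, i.e. the two files belong together.
cert_key_match() {
  cert_pub=$(openssl x509 -noout -pubkey -in "$1")
  key_pub=$(openssl pkey -pubout -in "$2")
  [ "$cert_pub" = "$key_pub" ]
}

apply() {
  cert_key_match "$LIVE/fullchain.pem" "$LIVE/privkey.pem" ||
    { echo "certificate and key do not match" >&2; exit 1; }
  render_redirect_conf "$DOMAIN" > "$CONF"
  apachectl configtest          # catch a broken ssl.conf before restarting
  systemctl restart httpd
  # From the outside, plain HTTP must now answer with a Location: https:// header.
  curl -sI "http://$DOMAIN/" | grep -i '^location: https://'
}

case "${1:-render}" in
  render) render_redirect_conf "$DOMAIN" ;;   # just print the config
  apply)  apply ;;                            # write it and restart httpd (run as root)
esac
```

Run `sh https-redirect.sh` to see the generated VirtualHost, and `DOMAIN=linux.gakubu.net sh https-redirect.sh apply` as root to install it. The port-443 side stays as the post configured it in ssl.conf; only the plain-HTTP side changes.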


The SSL certificate expires after 90 days, nyoro
Don't forget to renew it, nyoro!
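Since the post ends on the 90-day expiry, here is an added example (not from the original post, and not Certbot's own tooling) of a renewal check you can run from a daily cron job: it reads the expiry date out of the certificate with openssl, works out the days left in plain shell arithmetic so it does not depend on GNU date -d, and calls certbot renew with a deploy hook that reloads httpd when 30 days or fewer remain. The certificate path is the one Certbot printed in step 4; the 30-day threshold and the script name renew-check.sh are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: show the days left on the
# Let's Encrypt certificate and renew it when it is close to expiry.
# Assumptions: the certificate path certbot printed in step 4, openssl and
# certbot on the host, and a 30-day threshold (certbot's own renewal window).
set -eu

CERT="${CERT:-/etc/letsencrypt/live/linux.gakubu.net/fullchain.pem}"
THRESHOLD_DAYS="${THRESHOLD_DAYS:-30}"

# Month number from the three-letter name openssl prints in notAfter.
month_number() {
  case "$1" in
    Jan) echo 1 ;;  Feb) echo 2 ;;  Mar) echo 3 ;;  Apr) echo 4 ;;
    May) echo 5 ;;  Jun) echo 6 ;;  Jul) echo 7 ;;  Aug) echo 8 ;;
    Sep) echo 9 ;;  Oct) echo 10 ;; Nov) echo 11 ;; Dec) echo 12 ;;
    *) echo "unknown month: $1" >&2; return 1 ;;
  esac
}

# Days since 1970-01-01 for a Gregorian date (year month day), in plain
# shell arithmetic so the script does not depend on GNU "date -d".
days_from_civil() {
  y=$1; m=$2; d=$3
  if [ "$m" -le 2 ]; then y=$((y - 1)); mp=$((m + 9)); else mp=$((m - 3)); fi
  era=$((y / 400))
  yoe=$((y - era * 400))
  doy=$(( (153 * mp + 2) / 5 + d - 1 ))
  doe=$((yoe * 365 + yoe / 4 - yoe / 100 + doy))
  echo $((era * 146097 + doe - 719468))
}

# Unix time for a line such as "notAfter=Feb 13 12:34:56 2021 GMT".
notafter_to_epoch() {
  line=${1#notAfter=}
  set -- $line                     # -> Mon D HH:MM:SS YYYY GMT
  mon=$(month_number "$1"); day=$2; hms=$3; year=$4
  h=${hms%%:*}; rest=${hms#*:}; mi=${rest%%:*}; s=${rest#*:}
  days=$(days_from_civil "$year" "$mon" "$day")
  # ${h#0} strips one leading zero so "08" is not read as octal.
  echo $((days * 86400 + ${h#0} * 3600 + ${mi#0} * 60 + ${s#0}))
}

# Whole days from "now" ($2) until expiry ($1), both as Unix time.
days_left() {
  echo $(( ($1 - $2) / 86400 ))
}

# Expiry of a PEM certificate via openssl (needs the real file on disk).
cert_expiry_epoch() {
  notafter_to_epoch "$(openssl x509 -noout -enddate -in "$1")"
}

check_and_renew() {
  left=$(days_left "$(cert_expiry_epoch "$CERT")" "$(date +%s)")
  echo "$CERT expires in $left day(s)"
  if [ "$left" -le "$THRESHOLD_DAYS" ]; then
    # certbot skips certificates that are not yet due, so this is safe to
    # run every day; the hook makes httpd load the renewed files.
    certbot renew --deploy-hook "systemctl reload httpd"
  fi
}

case "${1:-}" in
  check) check_and_renew ;;      # run as root: sh renew-check.sh check
esac
```

Run `sh renew-check.sh check` as root (for example from cron) to print the remaining days and renew when due. The date conversion uses the days-from-civil formula rather than parsing with date, so it behaves the same on any POSIX shell.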