Free SSL certificate (Let’s Encrypt)


Install a free SSL certificate (Let’s Encrypt) so that browsers stop showing a "Not secure" warning for the site.

System environment

$ uname -rm
5.4.51-v7+ armv7l
$ lsb_release -a
No LSB modules are available.
Distributor ID: Raspbian
Description: Raspbian GNU/Linux 10 (buster)
Release: 10
Codename: buster
$ sudo apache2 -v
Server version: Apache/2.4.38 (Raspbian)
Server built: 2019-10-15T19:53:42

Setting up Let’s Encrypt

To use Let’s Encrypt, install certbot and let it configure Apache.

Installing certbot

$ sudo apt install certbot python-certbot-apache
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
   : (omitted)
Suggested packages:
   : (omitted)
The following NEW packages will be installed:
   : (omitted)
0 upgraded, 32 newly installed, 0 to remove and 0 not upgraded.
Need to get 4,498 kB of archives.
After this operation, 17.6 MB of additional disk space will be used.
Do you want to continue? [Y/n] y
   : (omitted)
update-alternatives: using /usr/bin/python3-futurize to provide
 /usr/bin/futurize (futurize) in auto mode
update-alternatives: using /usr/bin/python3-pasteurize to provide
 /usr/bin/pasteurize (pasteurize) in auto mode
   : (omitted)
Created symlink
 /etc/systemd/system/timers.target.wants/certbot.timer →
 /lib/systemd/system/certbot.timer.
   : (omitted)
Created symlink
 /etc/systemd/system/multi-user.target.wants/apache2.service →
 /lib/systemd/system/apache2.service.
Created symlink
 /etc/systemd/system/multi-user.target.wants/apache-htcacheclean.service →
 /lib/systemd/system/apache-htcacheclean.service.
Setting up python3-certbot-apache (0.31.0-1) ...
Setting up python-certbot-apache (0.31.0-1) ...
Processing triggers for man-db (2.8.5-2) ...
Processing triggers for libc-bin (2.28-10) ...
Processing triggers for systemd (241-7~deb10u3) ...

Issuing the certificate

$ sudo certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
No names were found in your configuration files. Please enter in your domain
name(s) (comma and/or space separated)  (Enter 'c' to cancel): www.orangetakam.com
Obtaining a new certificate
Created an SSL vhost at /etc/apache2/sites-available/000-default-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/000-default-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/000-default-le-ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://www.orangetakam.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=www.orangetakam.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/www.orangetakam.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/www.orangetakam.com/privkey.pem
   Your cert will expire on 2020-11-07. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Note that option 1 (no redirect) was chosen at the prompt above, so the site is still served over plain HTTP as well, and a visitor who types only the host name still lands on the "Not secure" page. Once the HTTPS vhost is confirmed to work, rerun certbot --apache with the --redirect option (or choose 2 at the prompt) to have the port-80 VirtualHost send a permanent redirect to HTTPS; the --hsts option additionally sets a Strict-Transport-Security header so returning browsers skip HTTP entirely, but because browsers remember that header for its max-age, only enable it once the HTTPS site is known to be stable.

$ sudo certbot renew --force-renewal <= try forcing a renewal
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/www.orangetakam.com.conf

Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate

new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/www.orangetakam.com/fullchain.pem


Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/www.orangetakam.com/fullchain.pem (success)

Automatic renewal

The Raspbian package already takes care of automatic renewal: the install output above shows a symlink being created for certbot.timer, a systemd timer that runs "certbot -q renew" twice a day. Each run only renews certificates with 30 days or less of validity left (certbot's default), so on most days it does nothing; RandomizedDelaySec spreads the actual start across the 12 hours after each 00:00 / 12:00 trigger, and Persistent=true makes a run that was missed (for example while the Pi was powered off) fire as soon as it is back up.

$ cd /lib/systemd/system
$ cat certbot.timer
[Unit]
Description=Run certbot twice daily

[Timer]
OnCalendar=*-*-* 00,12:00:00
RandomizedDelaySec=43200
Persistent=true

[Install]
WantedBy=timers.target
$ cat certbot.service
[Unit]
Description=Certbot
Documentation=file:///usr/share/doc/python-certbot-doc/html/index.html
Documentation=https://letsencrypt.readthedocs.io/en/latest/
[Service]
Type=oneshot
ExecStart=/usr/bin/certbot -q renew
PrivateTmp=true
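The timer above only helps if renewal actually succeeds, and a failed renewal is silent until the browser warning comes back. As an added example (not part of the original post and not certbot's own code), the following POSIX shell script applies certbot's 30-day renewal threshold to a certificate file using only openssl, and also checks that fullchain.pem and privkey.pem belong to the same issuance; it can run from cron or a second systemd timer as an independent check on the forced-renewal and automatic-renewal steps above. The live directory /etc/letsencrypt/live/www.orangetakam.com is taken from the certbot output on this page; the self-signed sample certificate is constructed inline so the script runs offline, and the --demo flag, function names and the two sample directories are inventions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): apply certbot's 30-day
# renewal window to a certificate file with openssl, and verify that the
# certificate and private key in a live directory match. Paths and
# function names are assumptions modelled on the post's output.
set -eu

# Print the notAfter line of the first certificate in a PEM file
# (this is the date certbot reported as "Your cert will expire on ...").
cert_not_after() {
    openssl x509 -noout -enddate -in "$1"
}

# Return 0 (true) when the certificate expires within $2 days
# (default 30, the window in which "certbot renew" acts), else 1.
# openssl -checkend exits 0 when the cert is still valid past the
# window and non-zero when it is not, so the result is inverted here.
needs_renewal() {
    _days=${2:-30}
    if openssl x509 -noout -checkend "$((_days * 86400))" -in "$1" >/dev/null; then
        return 1
    fi
    return 0
}

# Return 0 when the public key inside the certificate equals the public
# half of the private key, i.e. fullchain.pem and privkey.pem were issued
# together. Both commands print the same SubjectPublicKeyInfo PEM block.
key_matches_cert() {
    _c=$(openssl x509 -noout -pubkey -in "$1")
    _k=$(openssl pkey -pubout -in "$2")
    [ "$_c" = "$_k" ]
}

# Health check for one live directory, e.g.
# /etc/letsencrypt/live/www.orangetakam.com (assumed from the post).
# Exit status: 0 healthy, 1 renewal overdue, 2 key/certificate mismatch.
check_live_dir() {
    _dir=$1
    key_matches_cert "$_dir/fullchain.pem" "$_dir/privkey.pem" || {
        echo "KEY MISMATCH in $_dir"
        return 2
    }
    if needs_renewal "$_dir/fullchain.pem" 30; then
        echo "RENEW NEEDED: $(cert_not_after "$_dir/fullchain.pem")"
        return 1
    fi
    echo "OK: $(cert_not_after "$_dir/fullchain.pem")"
    return 0
}

# Constructed sample input: a self-signed certificate (not a real
# Let's Encrypt issuance) for the post's host name, valid for $2 days,
# written with the same file names certbot uses in a live directory.
make_sample_cert() {
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$2" \
        -subj "/CN=www.orangetakam.com" \
        -keyout "$1/privkey.pem" -out "$1/fullchain.pem" 2>/dev/null
}

# Stand-alone demo: a 90-day cert passes, a 10-day cert is flagged.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_sample_cert "$tmp/fresh" 90
    make_sample_cert "$tmp/stale" 10
    check_live_dir "$tmp/fresh"
    check_live_dir "$tmp/stale" || true
    rm -rf "$tmp"
fi
```

Run it as "sh check-le.sh --demo" to see both outcomes, or point check_live_dir at the real live directory from a cron job and alert on a non-zero exit. The forced renewal shown earlier (--force-renewal) issues a brand-new certificate regardless of expiry and counts against Let’s Encrypt's duplicate-certificate rate limit, so it is not a good way to test the renewal path repeatedly; "sudo certbot renew --dry-run" exercises the same code path against the staging CA without issuing anything, and this script then confirms that what is on disk is the certificate Apache should be serving.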