【CentOS Stream 9】 Installing a Let's Encrypt SSL certificate on Nginx

I set up a Let's Encrypt SSL certificate on demo.sei-simple.com, the demo site for this blog.

Related articles: Nginx installation series
1. Hardening SSH security on a ConoHa VPS
2. 【CentOS Stream 9】 Installing Nginx
3. 【CentOS Stream 9】 Installing MariaDB
4. 【CentOS Stream 9】 Installing PHP
5. 【CentOS Stream 9】 Using PHP and phpMyAdmin with Nginx
6. 【CentOS Stream 9】 Installing Composer
7. 【CentOS Stream 9】 Installing a Let's Encrypt SSL certificate on Nginx
Related articles: domains
Adding a subdomain on ConoHa WING VPS

Let's Encrypt certificate installation steps

Install certbot from the EPEL repository with the dnf command.

# dnf --enablerepo=epel install certbot
Updating Subscription Management repositories.
Unable to read consumer identity

This system is not registered with an entitlement server. You can use subscription-manager to register.

Last metadata expiration check: 1:10:30 ago on Tue 07 Jun 2022 03:29:50 AM JST.
Dependencies resolved.
================================================================================
 Package                    Arch    Version                    Repository  Size
================================================================================
Installing:
 certbot                    noarch  1.27.0-1.el9               epel        44 k
Installing dependencies:
 python3-acme               noarch  1.27.0-1.el9               epel        90 k
 python3-certbot            noarch  1.27.0-1.el9               epel       394 k
 python3-cffi               x86_64  1.14.5-5.el9               appstream  253 k
 python3-configargparse     noarch  1.5.3-1.el9                epel        39 k
 python3-cryptography       x86_64  36.0.1-2.el9               appstream  1.2 M
 python3-josepy             noarch  1.13.0-1.el9               epel        60 k
 python3-parsedatetime      noarch  2.6-5.el9                  epel        79 k
 python3-ply                noarch  3.11-14.el9                appstream  106 k
 python3-pyOpenSSL          noarch  21.0.0-1.el9               epel        90 k
 python3-pycparser          noarch  2.20-6.el9                 appstream  135 k
 python3-pyrfc3339          noarch  1.1-11.el9                 epel        18 k
 python3-requests-toolbelt  noarch  0.9.1-16.el9               epel        87 k
 python3-zope-component     noarch  4.3.0-19.el9               epel       290 k
 python3-zope-event         noarch  4.5.0-1.el9~bootstrap.1    epel        17 k
 python3-zope-interface     x86_64  5.4.0-5.el9.1              epel       168 k
Installing weak dependencies:
 python-josepy-doc          noarch  1.13.0-1.el9               epel        19 k

Transaction Summary
================================================================================
Install  17 Packages

Total download size: 3.1 M
Installed size: 12 M
Is this ok [y/N]: y
Downloading Packages:
(1/17): python3-ply-3.11-14.el9.noarch.rpm      1.7 MB/s | 106 kB     00:00
(2/17): python3-cffi-1.14.5-5.el9.x86_64.rpm    3.0 MB/s | 253 kB     00:00
(3/17): python3-pycparser-2.20-6.el9.noarch.rpm 4.2 MB/s | 135 kB     00:00
(4/17): certbot-1.27.0-1.el9.noarch.rpm         2.5 MB/s |  44 kB     00:00
(5/17): python3-acme-1.27.0-1.el9.noarch.rpm    9.0 MB/s |  90 kB     00:00
(6/17): python-josepy-doc-1.13.0-1.el9.noarch.r 964 kB/s |  19 kB     00:00
(7/17): python3-certbot-1.27.0-1.el9.noarch.rpm  25 MB/s | 394 kB     00:00
(8/17): python3-configargparse-1.5.3-1.el9.noar 1.6 MB/s |  39 kB     00:00
(9/17): python3-josepy-1.13.0-1.el9.noarch.rpm  3.0 MB/s |  60 kB     00:00
(10/17): python3-parsedatetime-2.6-5.el9.noarch 7.5 MB/s |  79 kB     00:00
(11/17): python3-pyrfc3339-1.1-11.el9.noarch.rp 2.3 MB/s |  18 kB     00:00
(12/17): python3-pyOpenSSL-21.0.0-1.el9.noarch. 5.2 MB/s |  90 kB     00:00
(13/17): python3-zope-component-4.3.0-19.el9.no  23 MB/s | 290 kB     00:00
(14/17): python3-requests-toolbelt-0.9.1-16.el9 3.7 MB/s |  87 kB     00:00
(15/17): python3-zope-event-4.5.0-1.el9~bootstr 1.3 MB/s |  17 kB     00:00
(16/17): python3-zope-interface-5.4.0-5.el9.1.x 8.2 MB/s | 168 kB     00:00
(17/17): python3-cryptography-36.0.1-2.el9.x86_ 4.8 MB/s | 1.2 MB     00:00
--------------------------------------------------------------------------------
Total                                           1.7 MB/s | 3.1 MB     00:01
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1
  Installing       : python3-zope-interface-5.4.0-5.el9.1.x86_64           1/17
  Installing       : python3-pyrfc3339-1.1-11.el9.noarch                   2/17
  Installing       : python3-zope-event-4.5.0-1.el9~bootstrap.1.noarch     3/17
  Installing       : python3-zope-component-4.3.0-19.el9.noarch            4/17
  Installing       : python3-requests-toolbelt-0.9.1-16.el9.noarch         5/17
  Installing       : python3-parsedatetime-2.6-5.el9.noarch                6/17
  Installing       : python3-configargparse-1.5.3-1.el9.noarch             7/17
  Installing       : python-josepy-doc-1.13.0-1.el9.noarch                 8/17
  Installing       : python3-ply-3.11-14.el9.noarch                        9/17
  Installing       : python3-pycparser-2.20-6.el9.noarch                  10/17
  Installing       : python3-cffi-1.14.5-5.el9.x86_64                     11/17
  Installing       : python3-cryptography-36.0.1-2.el9.x86_64             12/17
  Installing       : python3-pyOpenSSL-21.0.0-1.el9.noarch                13/17
  Installing       : python3-josepy-1.13.0-1.el9.noarch                   14/17
  Installing       : python3-acme-1.27.0-1.el9.noarch                     15/17
  Installing       : python3-certbot-1.27.0-1.el9.noarch                  16/17
  Installing       : certbot-1.27.0-1.el9.noarch                          17/17
  Running scriptlet: certbot-1.27.0-1.el9.noarch                          17/17
Created symlink /etc/systemd/system/timers.target.wants/certbot-renew.timer → /usr/lib/systemd/system/certbot-renew.timer.

  Verifying        : python3-cffi-1.14.5-5.el9.x86_64                      1/17
  Verifying        : python3-cryptography-36.0.1-2.el9.x86_64              2/17
  Verifying        : python3-ply-3.11-14.el9.noarch                        3/17
  Verifying        : python3-pycparser-2.20-6.el9.noarch                   4/17
  Verifying        : certbot-1.27.0-1.el9.noarch                           5/17
  Verifying        : python-josepy-doc-1.13.0-1.el9.noarch                 6/17
  Verifying        : python3-acme-1.27.0-1.el9.noarch                      7/17
  Verifying        : python3-certbot-1.27.0-1.el9.noarch                   8/17
  Verifying        : python3-configargparse-1.5.3-1.el9.noarch             9/17
  Verifying        : python3-josepy-1.13.0-1.el9.noarch                   10/17
  Verifying        : python3-parsedatetime-2.6-5.el9.noarch               11/17
  Verifying        : python3-pyOpenSSL-21.0.0-1.el9.noarch                12/17
  Verifying        : python3-pyrfc3339-1.1-11.el9.noarch                  13/17
  Verifying        : python3-requests-toolbelt-0.9.1-16.el9.noarch        14/17
  Verifying        : python3-zope-component-4.3.0-19.el9.noarch           15/17
  Verifying        : python3-zope-event-4.5.0-1.el9~bootstrap.1.noarch    16/17
  Verifying        : python3-zope-interface-5.4.0-5.el9.1.x86_64          17/17
Installed products updated.

Installed:
  certbot-1.27.0-1.el9.noarch
  python-josepy-doc-1.13.0-1.el9.noarch
  python3-acme-1.27.0-1.el9.noarch
  python3-certbot-1.27.0-1.el9.noarch
  python3-cffi-1.14.5-5.el9.x86_64
  python3-configargparse-1.5.3-1.el9.noarch
  python3-cryptography-36.0.1-2.el9.x86_64
  python3-josepy-1.13.0-1.el9.noarch
  python3-parsedatetime-2.6-5.el9.noarch
  python3-ply-3.11-14.el9.noarch
  python3-pyOpenSSL-21.0.0-1.el9.noarch
  python3-pycparser-2.20-6.el9.noarch
  python3-pyrfc3339-1.1-11.el9.noarch
  python3-requests-toolbelt-0.9.1-16.el9.noarch
  python3-zope-component-4.3.0-19.el9.noarch
  python3-zope-event-4.5.0-1.el9~bootstrap.1.noarch
  python3-zope-interface-5.4.0-5.el9.1.x86_64

Complete!

The output ends with "Complete!".

Issue the SSL certificate with the certbot command.

certbot certonly --webroot -w [nginx HTML document root] -d [domain of the site being served]
# certbot certonly --webroot -w /usr/share/nginx/html -d demo.sei-simple.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for demo.sei-simple.com

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/demo.sei-simple.com/fullchain.pem // directory where the SSL certificate is saved
Key is saved at:         /etc/letsencrypt/live/demo.sei-simple.com/privkey.pem   // directory where the private key is saved
This certificate expires on 2022-09-04. // expiry date
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Copy the issued SSL certificate and private key to /etc/nginx/.

# cp -p /etc/letsencrypt/live/demo.sei-simple.com/fullchain.pem /etc/nginx/localhost.crt
cp: overwrite '/etc/nginx/localhost.crt'? y
# cp -p /etc/letsencrypt/live/demo.sei-simple.com/privkey.pem /etc/nginx/localhost.key
cp: overwrite '/etc/nginx/localhost.key'? y

Edit nginx.conf.

# vi /etc/nginx/nginx.conf
server {
        listen          443 ssl;#
        listen          [::]:443 ssl;#
        server_name  demo.sei-simple.com;
        root         /usr/share/nginx/html;

        ssl_certificate /etc/nginx/localhost.crt;#
        ssl_certificate_key /etc/nginx/localhost.key;#
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;# TLSv1 and TLSv1.1 are deprecated (RFC 8996); TLSv1.2 TLSv1.3 is the current recommendation
        ssl_ciphers HIGH:!aNULL:!MD5;#
        ssl_session_tickets  off;#
        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        error_page 404 /404.html;
        location = /404.html {
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }
}

Add a server block to nginx.conf that redirects HTTP requests to HTTPS.

server {
        listen       80;
        listen       [::]:80;
        server_name  demo.sei-simple.com;
        return 301 https://$host$request_uri;
}

Restart nginx.

# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

# systemctl restart nginx.service
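One caveat on the copy step above: the certbot-renew.timer that the package installed renews only the files under /etc/letsencrypt/live, so the copies in /etc/nginx are never refreshed and nginx would keep serving the old certificate after the first renewal, before the expiry date shown above. The deploy hook below is an added example, not part of the original post: it re-copies the renewed files and reloads nginx after each successful renewal. It relies on certbot running every executable in /etc/letsencrypt/renewal-hooks/deploy/ and exporting RENEWED_LINEAGE (the live/<domain> directory); the function and variable names are my own.

```shell
#!/bin/sh
# Constructed example for this post's layout (localhost.crt / localhost.key in /etc/nginx).
# Certbot runs executables in /etc/letsencrypt/renewal-hooks/deploy/ after a successful
# renewal with RENEWED_LINEAGE set to /etc/letsencrypt/live/<domain>.
# install_renewed_certs, reload_nginx and NGINX_CERT_DIR are assumed names, not certbot's.
set -eu

NGINX_CERT_DIR="${NGINX_CERT_DIR:-/etc/nginx}"

# Copy fullchain.pem and privkey.pem from the lineage directory $1 into $2 as
# localhost.crt / localhost.key. Returns 1 without touching $2 if either source
# file is missing, so nginx can never be left with a mismatched cert/key pair.
install_renewed_certs() {
    lineage="$1"
    dest="$2"
    [ -f "$lineage/fullchain.pem" ] && [ -f "$lineage/privkey.pem" ] || return 1
    # Write to temporary names first and rename at the end, so a reader of the
    # final path never sees a partially written file.
    cp "$lineage/fullchain.pem" "$dest/localhost.crt.new"
    cp "$lineage/privkey.pem" "$dest/localhost.key.new"
    chmod 644 "$dest/localhost.crt.new"   # certificate chain is public
    chmod 600 "$dest/localhost.key.new"   # private key readable by root only
    mv "$dest/localhost.crt.new" "$dest/localhost.crt"
    mv "$dest/localhost.key.new" "$dest/localhost.key"
}

# Validate the configuration before reloading; a bad config must not take the site down.
reload_nginx() {
    nginx -t && systemctl reload nginx.service
}

# Only act when invoked by certbot (RENEWED_LINEAGE is set); sourcing the file
# for its functions does nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    install_renewed_certs "$RENEWED_LINEAGE" "$NGINX_CERT_DIR"
    reload_nginx
fi
```

Save it as an executable file under /etc/letsencrypt/renewal-hooks/deploy/ (for example nginx-copy.sh) and certbot will run it after every renewal performed by the timer.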

Reference sites

Obtaining an SSL certificate (Let's Encrypt) on CentOS Stream 9

【CentOS stream】Setting up an SSL certificate with nginx!

CentOS Stream 9 LAMP server installation notes【Apache 2.4 + MySQL 8.0 + PHP 8.0】

How To Secure Nginx with Let's Encrypt on Ubuntu 20.04 | DigitalOcean

Enabling TLS/SSL on nginx with Let's Encrypt