CentOS 7: Enabling SSL (HTTPS) with Let's Encrypt and disabling the self-signed certificate

July 29, 2018

I enabled SSL on a CentOS 7 web server.

[Trouble] The obtained SSL certificate does not take effect, and accessing the site over https:// produces a warning message.
Getting a free SSL certificate from Let's Encrypt went fine, but when I actually accessed the site over https://, the browser warned that there was a problem with the certificate or that the connection was not secure.
・"There is a problem with this website's security certificate"
・"This site is not secure"
・"Your connection is not private"
・"Not a secure connection"

[Cause] The localhost certificate files written in ssl.conf were the ones in effect.
Looking at the details of the browser warning, an expired self-signed certificate was being presented. The cause was that the certificate configured in /etc/httpd/conf.d/ssl.conf, the file created when mod_ssl is installed, was taking precedence.

# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A new
# certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/pki/tls/certs/localhost.crt ←★

# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you’ve both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key ←★

# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convinience.
SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt ←★

[Fix] Edit /etc/httpd/conf.d/ssl.conf and replace the entries with the obtained certificate.
With only the /etc/httpd/conf/httpd-le-ssl.conf generated by the Let's Encrypt installation, the certificate listed in that file did not take effect. Replacing the ★-marked lines in /etc/httpd/conf.d/ssl.conf above with the files written in httpd-le-ssl.conf made it take effect.

****************************************************************
SSL setup procedure
****************************************************************
■ Preparation before installing the Certbot package
◇ Add a virtual host for port 80 in advance
[Trouble] This appeared on the first run, when I executed just %>sudo certbot.
※ It also printed a message saying it could not find a virtual host listening on port 80 and asking me to add one.

No names were found in your configuration files. Please enter in your domain
name(s) (comma and/or space separated) (Enter 'c' to cancel): enter the host name and press Enter

Example) name(s) (comma and/or space separated) (Enter 'c' to cancel): hobby.mydns.jp
Obtaining a new certificate
Resetting dropped connection: acme-v01.api.letsencrypt.org
Performing the following challenges:
http-01 challenge for hobby.mydns.jp
Cleaning up challenges
Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80. ←★

IMPORTANT NOTES:
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.

[Fix] Insert the following at the end of /etc/httpd/conf/httpd.conf
——————
NameVirtualHost *:80 ← I removed this line, because /var/log/messages logs an "AH00548:" message saying it has no effect
<VirtualHost *:80>
ServerAdmin root@hobby.mydns.jp
DocumentRoot /var/www/html
ServerName hobby.mydns.jp
</VirtualHost>
——————

Install the Certbot package
%>sudo yum install epel-release
%>sudo yum install certbot python-certbot-apache

■ Obtaining the SSL certificate
%>sudo certbot run -d <domain name>
Example) %>sudo certbot run -d hobby.mydns.jp

◇ On the first run you are asked for an email address.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): enter your email address and press Enter

◇ Agree to the Terms of Service
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org

-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: type a and press Enter

◇ If you only want to use the SSL certificate, choose n
-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
-------------------------------------------------------------------------------
(Y)es/(N)o: type n and press Enter

◇ The host names that can be switched to HTTPS are listed; select the matching number
Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: hobby.mydns.jp
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1

◇ The certificate is issued and /etc/httpd/conf/httpd-le-ssl.conf is created automatically.
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for hobby.mydns.jp
Waiting for verification…
Cleaning up challenges
Created an SSL vhost at /etc/httpd/conf/httpd-le-ssl.conf
Deploying Certificate to VirtualHost /etc/httpd/conf/httpd-le-ssl.conf
Enabling site /etc/httpd/conf/httpd-le-ssl.conf by adding Include to root configuration

◇ You are asked whether to redirect HTTP access to HTTPS
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): I chose 1 and set the redirect up by hand (see below).

◇ Certificate issuance complete
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://hobby.mydns.jp

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=hobby.mydns.jp
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
↑ Open this URL; if https access is working, the Grade field shows a letter such as "B" and you can view the details.
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/hobby.mydns.jp/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/hobby.mydns.jp/privkey.pem
Your cert will expire on 2018-10-24. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again with the "certonly" option. To non-interactively renew *all*
of your certificates, run "certbot-auto renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

↑ It tells you that the certificate is stored under /etc/letsencrypt/live/[hostname]/ and that it expires on 2018-10-24.

◇ Checking the configuration files
・/etc/httpd/conf/httpd-le-ssl.conf is created, with the certificate paths set inside it.
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin root@hobby.mydns.jp
DocumentRoot /var/www/html
ServerName hobby.mydns.jp
SSLCertificateFile /etc/letsencrypt/live/hobby.mydns.jp/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/hobby.mydns.jp/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile /etc/letsencrypt/live/hobby.mydns.jp/chain.pem
</VirtualHost>
</IfModule>

・/etc/httpd/conf/httpd.conf is updated, with the following appended at the end.
Include /etc/httpd/conf/httpd-le-ssl.conf

◇ Editing /etc/httpd/conf.d/ssl.conf
As the fix for the trouble described at the top of the page, disable the ★ lines and set the ☆ lines.
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A new
# certificate can be generated using the genkey(1) command.
#SSLCertificateFile /etc/pki/tls/certs/localhost.crt ←★
SSLCertificateFile /etc/letsencrypt/live/hobby.mydns.jp/cert.pem ←☆

# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you’ve both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key ←★
SSLCertificateKeyFile /etc/letsencrypt/live/hobby.mydns.jp/privkey.pem ←☆

# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convinience.
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt ←★
SSLCertificateChainFile /etc/letsencrypt/live/hobby.mydns.jp/chain.pem ←☆
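To check for the conflict described above (a :443 VirtualHost in ssl.conf still pointing at mod_ssl's localhost.crt) before restarting httpd, here is an added Python example; it is not code from the original post. It lists the active SSLCertificate* directives per VirtualHost, reports files that still serve localhost.crt, and applies the same ★/☆ substitution the post makes by hand; the sample config strings are constructed from the post's excerpts and the function names are my own.

```python
import re

SAMPLE_CONFIGS = {  # constructed excerpts of the two files from the post, not read from disk
    "/etc/httpd/conf.d/ssl.conf": "<VirtualHost _default_:443>\n"
        "SSLCertificateFile /etc/pki/tls/certs/localhost.crt\n"
        "SSLCertificateKeyFile /etc/pki/tls/private/localhost.key\n</VirtualHost>\n",
    "/etc/httpd/conf/httpd-le-ssl.conf": "<VirtualHost *:443>\nServerName hobby.mydns.jp\n"
        "SSLCertificateFile /etc/letsencrypt/live/hobby.mydns.jp/cert.pem\n"
        "SSLCertificateKeyFile /etc/letsencrypt/live/hobby.mydns.jp/privkey.pem\n"
        "SSLCertificateChainFile /etc/letsencrypt/live/hobby.mydns.jp/chain.pem\n</VirtualHost>\n",
}
# Directive -> file certbot writes for it under /etc/letsencrypt/live/<domain>/
CERT_DIRECTIVES = {"SSLCertificateFile": "cert.pem", "SSLCertificateKeyFile": "privkey.pem",
                   "SSLCertificateChainFile": "chain.pem"}
VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>", re.I)

def active_cert_directives(text):
    """Return (vhost, directive, value) for every uncommented certificate directive."""
    found, vhost = [], "(global)"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # '#' lines are inactive, which is why the ★ fix works
            continue
        if m := VHOST_RE.match(line):
            vhost = m.group(1).strip()
        elif line.lower().startswith("</virtualhost"):
            vhost = "(global)"
        else:
            parts = line.split(None, 1)
            if len(parts) == 2 and parts[0] in CERT_DIRECTIVES:
                found.append((vhost, parts[0], parts[1].strip()))
    return found

def files_still_using_localhost_cert(configs):
    """Config files whose :443 vhost still serves mod_ssl's default self-signed localhost.crt."""
    return [path for path, text in configs.items()
            if any(v.endswith(":443") and d == "SSLCertificateFile" and val.endswith("/localhost.crt")
                   for v, d, val in active_cert_directives(text))]

def point_at_letsencrypt(text, domain):
    """The post's fix: comment out each ★ directive and add the ☆ line for /etc/letsencrypt/live/<domain>/."""
    out = []
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) == 2 and parts[0] in CERT_DIRECTIVES:   # active directive: keep it as a comment
            out.append("#" + raw)
            out.append(f"{parts[0]} /etc/letsencrypt/live/{domain}/{CERT_DIRECTIVES[parts[0]]}")
        else:
            out.append(raw)
    return "\n".join(out) + "\n"
```

On a real server, read the two files into the dict instead of the constructed strings and run `files_still_using_localhost_cert`; an empty list means no :443 vhost is left on the default certificate.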

◇ Restart httpd
%>systemctl restart httpd.service

■ 301 redirect from http to https
Apparently Google may treat "http://~" and "https://~" as different pages even when they serve the same content, so if you need to carry the ranking over, a 301 redirect like the one below is required.
[Fix] Insert the following at the end of /etc/httpd/conf/httpd.conf (the three Rewrite lines are the new part; the rest is the port-80 virtual host added earlier)
——————
NameVirtualHost *:80 ← I removed this line, because /var/log/messages logs an "AH00548:" message saying it has no effect
<VirtualHost *:80>
ServerAdmin root@hobby.mydns.jp
DocumentRoot /var/www/html
ServerName hobby.mydns.jp
RewriteEngine on
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://hobby.mydns.jp/$1 [R=301,L]
</VirtualHost>
——————
◇ Restart httpd
%>systemctl restart httpd.service

Dealing with Let's Encrypt (HTTPS) certificates expiring after 90 days! Check for renewal on the 1st of every month at 5 a.m.
Add the following to /etc/crontab. ※ Do not configure it with crontab -e; write it directly into the file.
0 5 1 * * root certbot renew --quiet
↓ Apparently httpd also needs to be restarted, so I changed the entry
※ Changed it further so that the renewal result is received by email
00 05 01 * * root certbot renew --dry-run 2>&1 | mail -s "Let's Encrypt update information" myname@mydomain.com && systemctl restart httpd
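As an added check (not part of the original post) for entries written straight into /etc/crontab as described above, here is a Python lint for the system-crontab format. It catches the user column being dropped, en dashes pasted in place of "--", a leftover --dry-run, and the "&&" that follows the mail pipeline; the sample lines and the KNOWN_USERS set are constructed for this example.

```python
import re

# Constructed sample: the post's two /etc/crontab entries, the second as it commonly ends up when
# pasted from a web page (dashes mangled, user column dropped, --dry-run left in).
SAMPLE_CRONTAB = (
    "0 5 1 * * root certbot renew --quiet\n"
    "00 05 01 * * certbot renew \u2013dry-run 2>&1 | mail -s 'Let\u2019s Encrypt update information' "
    "myname@mydomain.com && systemctl restart httpd\n"
)
KNOWN_USERS = {"root"}                 # assumption: accounts allowed to run the renewal job on this host
DASHES = re.compile("[\u2013\u2014]")  # en/em dash where '--' was meant

def lint_system_crontab_line(line):
    """Problems in one /etc/crontab entry (system crontab: 5 time fields, a user name, then the command)."""
    fields = line.split(None, 6)
    if len(fields) < 7:
        return ["too few fields: /etc/crontab needs minute hour day month weekday USER command"]
    user, command = fields[5], fields[6]
    problems = []
    if user not in KNOWN_USERS:
        problems.append(f"user column is '{user}', not a known user: the user field is probably missing")
    if DASHES.search(user + " " + command):
        problems.append("en/em dash found where '--' belongs: certbot will not recognise the option")
    if "dry-run" in command:
        problems.append("dry-run present: this entry only simulates renewal and never installs a new cert")
    if "|" in command and "&&" in command:
        problems.append("'&&' after a pipeline tests the last command's (mail's) exit status, not certbot's")
    return problems

def lint_system_crontab(text):
    """Map each non-comment entry to its list of problems (an empty list means it looks fine)."""
    return {line: lint_system_crontab_line(line)
            for line in text.splitlines() if line.strip() and not line.lstrip().startswith("#")}
```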

Result received by email from a test renewal run in simulation mode with the --dry-run option
※ It reports that the renewal succeeded.
---------- Forwarded message ---------
From: root <root@mydomain.com>
Date: Sat, Sep 1, 2018, 8:30
Subject: Let’s Encrypt update information
To: <myname@mydomain.com>
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/hobby.mydns.jp.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for hobby.mydns.jp
Waiting for verification…
Cleaning up challenges
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/hobby.mydns.jp/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)
Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/hobby.mydns.jp/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

I could also confirm in /var/log/messages (opened with vi) that httpd had been restarted.
Starting The Apache HTTP Server…

Result received by email from the production run with the --dry-run option removed
※ Since the certificate is still well within its validity period, the following message came out
---------- Forwarded message ---------
From: root <root@mydomain.com>
Date: Sat, Sep 1, 2018, 8:43
Subject: Let’s Encrypt update information
To: <myname@mydomain.com>
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/hobby.mydns.jp.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certs are not due for renewal yet:
/etc/letsencrypt/live/hobby.mydns.jp/fullchain.pem expires on 2018-11-23 (skipped)
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

****************************************************************
Notes
****************************************************************
■ Deleting a certificate with Let's Encrypt
The whole [domain name] directory under /etc/letsencrypt/live/ is deleted.
%>certbot revoke --cert-path /etc/letsencrypt/live/[domain name]/cert.pem

-------------------------------------------------------------------------------
Would you like to delete the cert(s) you just revoked?
-------------------------------------------------------------------------------
(Y)es (recommended)/(N)o: choose y and press Enter

UNIX

Posted by 伊藤 輝樹