Blog (July 2018)

Installing Let's Encrypt on CentOS 6

Category: Server

Background

With the July Chrome update, the latest Chrome versions now show an information indicator for sites that are not served over HTTPS. In October this indicator is scheduled to change to a warning, so always-on SSL has become urgent.

Last time this worked fine on CentOS 7, so this time I ran the test on CentOS 6.

The main points to verify were:

  • Whether a Let's Encrypt certificate can be issued and works on CentOS 6
  • Whether multiple domains are supported

To check these, I created two subdomains on the server as virtual hosts:

  • ssl1.example.com
  • ssl2.example.com

and ran the test against them.

Version check

# cat /etc/redhat-release
CentOS release 6.7 (Final)

# python --version
Python 2.6.6

Notes

The CentOS 7 procedure cannot be used as-is. On CentOS 6, install by following the "Other Unix-like OSes" instructions.

For reference, running the same steps as on CentOS 7 gives the following.

# sudo yum install epel-release
読み込んだプラグイン:fastestmirror
インストール処理の設定をしています

## (omitted)

パッケージ epel-release-6-8.noarch はインストール済みか最新バージョンです
何もしません

That part is fine.

# sudo yum install certbot python-certbot-apache
読み込んだプラグイン:fastestmirror
インストール処理の設定をしています

## (omitted)

パッケージ certbot は利用できません。
パッケージ python-certbot-apache は利用できません。
エラー: 何もしません

It stopped with this error.

Reference

Installation

Running the installer also checks and installs the dependencies, then proceeds automatically all the way to issuing the certificate.

However, partway through it failed with an error saying the name could not be resolved. The cause was a silly mistake: on the router at the DMZ exit, ports 80 and 443 to this server were not open.

# wget https://dl.eff.org/certbot-auto
--2018-08-02 09:41:52--  https://dl.eff.org/certbot-auto
dl.eff.org をDNSに問いあわせています... 151.101.72.201, 2a04:4e42:11::201
dl.eff.org|151.101.72.201|:443 に接続しています... 接続しました。
HTTP による接続要求を送信しました、応答を待っています... 200 OK

## (omitted)

完了しました!
Creating virtual environment...
Installing Python packages...
Installation succeeded.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): test@example.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: hoge.example.com
2: ssl1.example.com
3: ssl2.example.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 2
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for ssl1.example.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. ssl1.example.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://ssl1.example.com/.well-known/acme-challenge/jpXXXXXXXXXXXXXXXXXXXX-YYYYYYYYYYYYYYYYYY: Timeout during connect (likely firewall problem)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: ssl1.example.com
   Type:   connection
   Detail: Fetching
   http://ssl1.example.com/.well-known/acme-challenge/jpXXXXXXXXXXXXXXXXXXXX-YYYYYYYYYYYYYYYYYY:
   Timeout during connect (likely firewall problem)

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.

Reference: checking the error log

# less /var/log/letsencrypt/letsencrypt.log

2018-08-02 09:52:50,307:DEBUG:certbot.error_handler:Calling registered functions
2018-08-02 09:52:50,307:INFO:certbot.auth_handler:Cleaning up challenges
2018-08-02 09:52:50,782:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 11, in <module>
    load_entry_point('letsencrypt==0.7.0', 'console_scripts', 'letsencrypt')()
  File "/opt/eff.org/certbot/venv/lib64/python3.4/site-packages/certbot/main.py", line 1364, in main
    return config.func(config, plugins)
  File "/opt/eff.org/certbot/venv/lib64/python3.4/site-packages/certbot/main.py", line 1124, in run
    certname, lineage)
  File "/opt/eff.org/certbot/venv/lib64/python3.4/site-packages/certbot/main.py", line 120, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/opt/eff.org/certbot/venv/lib64/python3.4/site-packages/certbot/client.py", line 391, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/opt/eff.org/certbot/venv/lib64/python3.4/site-packages/certbot/client.py", line 334, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/opt/eff.org/certbot/venv/lib64/python3.4/site-packages/certbot/client.py", line 370, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/opt/eff.org/certbot/venv/lib64/python3.4/site-packages/certbot/auth_handler.py", line 82, in handle_authorizations
    self._respond(aauthzrs, resp, best_effort)
  File "/opt/eff.org/certbot/venv/lib64/python3.4/site-packages/certbot/auth_handler.py", line 155, in _respond
    self._poll_challenges(aauthzrs, chall_update, best_effort)
  File "/opt/eff.org/certbot/venv/lib64/python3.4/site-packages/certbot/auth_handler.py", line 226, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. ssl1.example.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://ssl1.example.com/.well-known/acme-challenge/jpXXXXXXXXXXXXXXXXXXXX-YYYYYYYYYYYYYYYYYY: Timeout during connect (likely firewall problem)

Just as the error message says, you can see that the failure occurred when the domain validation tried to connect on port 80.

After revisiting the router configuration, I tried again.
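The failure above is exactly what the ACME server sees when it cannot reach the challenge path over port 80. As an added example (not part of the original post or of Certbot), the following pre-flight check reproduces that fetch before Certbot is run: it drops a throw-away token under `<webroot>/.well-known/acme-challenge/`, requests it over plain HTTP the way the validator does, and classifies the outcome using the same wording Certbot printed. The `webroot`, `host` and `port` arguments are assumptions about your own vhost layout; to reproduce a DMZ firewall problem like the one above, run it from a machine outside the firewall, since from the server itself it only proves that the vhost serves the path.

```python
import os
import secrets
import socket
import urllib.error
import urllib.request

CHALLENGE_DIR = ".well-known/acme-challenge"


def probe_http01(host, webroot, port=80, timeout=10):
    """Fetch a freshly written token from http://host:port/.well-known/acme-challenge/
    the way the ACME validator does. Returns "ok" or a short verdict explaining
    why the real http-01 challenge would fail for the same reason."""
    token = secrets.token_urlsafe(32)  # random, so a stale cache cannot fake success
    chall_dir = os.path.join(webroot, *CHALLENGE_DIR.split("/"))
    os.makedirs(chall_dir, exist_ok=True)
    path = os.path.join(chall_dir, token)
    with open(path, "w") as f:
        f.write(token)
    url = "http://%s:%d/%s/%s" % (host, port, CHALLENGE_DIR, token)
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("ascii", "replace")
        # A 200 with the wrong body means some other server answered for this name
        return "ok" if body.strip() == token else "mismatch: another server answered"
    except urllib.error.HTTPError as e:
        return "http %d: webroot or vhost does not serve %s" % (e.code, CHALLENGE_DIR)
    except urllib.error.URLError as e:
        reason = e.reason
        if isinstance(reason, socket.timeout):
            return "timeout during connect (likely firewall problem)"
        if isinstance(reason, socket.gaierror):
            return "dns: %s does not resolve" % host
        if isinstance(reason, ConnectionRefusedError):
            return "connection refused: nothing listening on port %d" % port
        return "error: %s" % reason
    except socket.timeout:
        return "timeout during connect (likely firewall problem)"
    finally:
        os.remove(path)  # never leave the probe token lying in the webroot


if __name__ == "__main__":
    # Assumed values; replace with your own FQDN and DocumentRoot
    print(probe_http01("ssl1.example.com", "/var/www/ssl1"))
```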

# ./certbot-auto
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: hoge.example.com
2: ssl1.example.com
3: ssl2.example.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 2
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for ssl1.example.com
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/httpd/conf/vhosts/siteX-le-ssl.conf
Deploying Certificate to VirtualHost /etc/httpd/conf/vhosts/siteX-le-ssl.conf
Enabling site /etc/httpd/conf/vhosts/siteX-le-ssl.conf by adding Include to root configuration

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Added an HTTP->HTTPS rewrite in addition to other RewriteRules; you may wish to check for overall consistency.
Redirecting vhost in /etc/httpd/conf/vhosts/siteX to ssl vhost in /etc/httpd/conf/vhosts/siteX-le-ssl.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://ssl1.example.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=ssl1.example.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/ssl1.example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/ssl1.example.com/privkey.pem
   Your cert will expire on 2018-10-31. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again with the "certonly" option. To non-interactively renew *all*
   of your certificates, run "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

The installation seems to have succeeded, and the redirect also works. It also configured the virtual host for port 443 automatically, even though I had not created one.

So, on to the second (sub)domain.

# ./certbot-auto
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: hoge.example.com
2: ssl1.example.com
3: ssl2.example.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 3
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for  ssl2.example.com
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/httpd/conf/vhosts/siteY-le-ssl.conf
Deploying Certificate to VirtualHost /etc/httpd/conf/vhosts/siteY-le-ssl.conf
Enabling site /etc/httpd/conf/vhosts/siteY-le-ssl.conf by adding Include to root configuration

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Added an HTTP->HTTPS rewrite in addition to other RewriteRules; you may wish to check for overall consistency.
Redirecting vhost in /etc/httpd/conf/vhosts/siteY to ssl vhost in /etc/httpd/conf/vhosts/siteY-le-ssl.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://ssl2.example.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=ssl2.example.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/ssl2.example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/ssl2.example.com/privkey.pem
   Your cert will expire on 2018-10-31. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again with the "certonly" option. To non-interactively renew *all*
   of your certificates, run "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

That works too.

Tags: server environment and setup, procedures
