Running Apache + SSL (Let's Encrypt) + HTTP/2 on FreeBSD 11. The steps are below. First, install the required package. The following two pages were used as references:
http://blog.goo.ne.jp/low-electric-mouse/e/912c459b71887d3ca025509f7ea9897b
Notes on the Let's Encrypt closed beta
http://www.fkimura.com/letsencrypt-a0.html
$ sudo pkg install certbot
…
$

Next, obtain the certificate. The standalone authenticator chosen below runs its own temporary web server on the HTTP/HTTPS port, so apache24 is stopped first.
$ sudo /usr/local/etc/rc.d/apache24 status
Password:
apache24 is running as pid 19178.
dandelion$ sudo /usr/local/etc/rc.d/apache24 stop
Password:
Stopping apache24.
Waiting for PIDS: 19178.
dandelion$ sudo certbot certonly
Password:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
How would you like to authenticate with the ACME CA?
-----------------------------------------------------------------
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
-----------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator standalone, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): admin@example.com
-----------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf. You must agree
in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-----------------------------------------------------------------
(A)gree/(C)ancel: A
-----------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-----------------------------------------------------------------
(Y)es/(N)o: N
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel): www.example.com
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for www.example.com
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/usr/local/etc/letsencrypt/live/www.example.com/fullchain.pem
Your key file has been saved at:
/usr/local/etc/letsencrypt/live/www.example.com/privkey.pem
Your cert will expire on 2018-01-08. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /usr/local/etc/letsencrypt. You should
make a secure backup of this folder now. This configuration
directory will also contain certificates and private keys obtained
by Certbot so making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
$

Now configure httpd to use these files. The configuration lives under /usr/local/etc/apache24; first httpd.conf, where mod_socache_shmcb and mod_ssl are loaded and the SSL configuration is included. One note on the transcript above: this run used the tls-sni-01 challenge against the ACME v1 endpoint. Let's Encrypt has since retired both, so a current certbot uses http-01 or dns-01 against the v2 endpoint; the renewals further down this page, which use http-01 over the webroot, are the form that still works.
$ sudo vi httpd.conf
…
LoadModule socache_shmcb_module libexec/apache24/mod_socache_shmcb.so
LoadModule ssl_module libexec/apache24/mod_ssl.so
…
# Secure (SSL/TLS) connections
Include etc/apache24/extra/httpd-ssl.conf
…
$

Next, extra/httpd-ssl.conf. Point the virtual host at the files certbot wrote under live/. These are symlinks that certbot repoints on every renewal, so the paths below stay valid across renewals.
$ sudo vi extra/httpd-ssl.conf
…
DocumentRoot "/usr/local/www/apache24/data"
ServerName www.example.com:443
ServerAdmin admin@www.example.com
…
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
SSLCertificateFile "/usr/local/etc/letsencrypt/live/www.example.com/cert.pem"
SSLCertificateKeyFile "/usr/local/etc/letsencrypt/live/www.example.com/privkey.pem"
SSLCertificateChainFile "/usr/local/etc/letsencrypt/live/www.example.com/chain.pem"
…
$

Two notes on this file. Apache 2.4.8 and later accept a certificate together with its intermediates in SSLCertificateFile, so pointing it at fullchain.pem and dropping the now-obsolete SSLCertificateChainFile is the simpler choice; the three-file form above still works. The title of this page also promises HTTP/2, which this file does not enable by itself: that needs mod_http2 loaded and a Protocols h2 http/1.1 directive, plus ALPN support in the OpenSSL that httpd was built against. Also review the SSLProtocol and SSLCipherSuite lines in the same file, which are outside the excerpt above.

Then redirect every plain-HTTP request to HTTPS. Load mod_rewrite in httpd.conf and put the rule in a file under Includes/, which the apache24 httpd.conf reads automatically.
$ sudo vi httpd.conf
…
LoadModule rewrite_module libexec/apache24/mod_rewrite.so
…
$ sudo vi Includes/mod_rewrite.conf
…
<IfModule mod_rewrite.c>
RewriteEngine On
# trace3 logs every rewrite decision: useful while testing, too noisy for production
LogLevel alert rewrite:trace3
# Only rewrite requests that did not arrive over TLS
RewriteCond %{HTTPS} off
# R without a status code sends a 302; switch to R=301 once the redirect is verified
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R]
</IfModule>
…
$

Then restart httpd and check that it works: a request to the http:// URL should answer with a redirect whose Location is the https:// URL, and the https:// URL should serve the Let's Encrypt certificate without browser warnings. Note that %{HTTP_HOST} echoes whatever Host header the client sent; if the server answers for a single name, redirecting to a fixed https://www.example.com/ instead avoids bouncing clients to an arbitrary host. Once the redirect is confirmed, change R to R=301, drop the trace3 LogLevel, and consider sending a Strict-Transport-Security header from the HTTPS virtual host.

Next, set up automatic certificate renewal. First check with --dry-run, which runs the whole renewal against Let's Encrypt's staging environment and saves nothing to disk.
$ sudo certbot renew --webroot -w /usr/local/www/apache24/data/ --renew-by-default --dry-run
Password:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
-----------------------------------------------------------------
Processing /usr/local/etc/letsencrypt/renewal/www.example.com.conf
-----------------------------------------------------------------
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.example.com
Using the webroot path /usr/local/www/apache24/data for all unmatched domains.
Waiting for verification...
Cleaning up challenges
-----------------------------------------------------------------
new certificate deployed without reload, fullchain is
/usr/local/etc/letsencrypt/live/www.example.com/fullchain.pem
-----------------------------------------------------------------
-----------------------------------------------------------------
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)
Congratulations, all renewals succeeded. The following certs have been renewed:
/usr/local/etc/letsencrypt/live/www.example.com/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)
-----------------------------------------------------------------
IMPORTANT NOTES:
- Your account credentials have been saved in your Certbot
configuration directory at /usr/local/etc/letsencrypt. You should
make a secure backup of this folder now. This configuration
directory will also contain certificates and private keys obtained
by Certbot so making regular backups of this folder is ideal.

Next, renew the certificate for real. --renew-by-default (the same as --force-renewal) makes certbot issue a new certificate even though the current one is nowhere near expiry, which is what we want for this one-off test. Do not leave it in a scheduled job: Let's Encrypt limits duplicate certificates for the same set of names to five per week.
$ sudo certbot renew --webroot -w /usr/local/www/apache24/data/ --renew-by-default
Password:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
-----------------------------------------------------------------
Processing /usr/local/etc/letsencrypt/renewal/www.example.com.conf
-----------------------------------------------------------------
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.example.com
Using the webroot path /usr/local/www/apache24/data for all unmatched domains.
Waiting for verification...
Cleaning up challenges
-----------------------------------------------------------------
new certificate deployed without reload, fullchain is
/usr/local/etc/letsencrypt/live/www.example.com/fullchain.pem
-----------------------------------------------------------------
-----------------------------------------------------------------
Congratulations, all renewals succeeded. The following certs have been renewed:
/usr/local/etc/letsencrypt/live/www.example.com/fullchain.pem (success)
-----------------------------------------------------------------
$

Looking at the certificate files, their dates are now today's. certbot wrote a new cert2.pem, chain2.pem, fullchain2.pem and privkey2.pem under archive/ and repointed the symlinks in live/ to them, which is why httpd must be reloaded after a renewal before the new certificate is actually served.
$ sudo ls -lR /usr/local/etc/letsencrypt/live/
Password:
total 17
drwxr-xr-x 2 root wheel 7 Oct 11 11:11 www.example.com
/usr/local/etc/letsencrypt/live/www.example.com:
total 13
lrwxr-xr-x 1 root wheel 43 Oct 11 11:11 cert.pem -> ../../archive/www.example.com/cert2.pem
lrwxr-xr-x 1 root wheel 44 Oct 11 11:11 chain.pem -> ../../archive/www.example.com/chain2.pem
lrwxr-xr-x 1 root wheel 48 Oct 11 11:11 fullchain.pem -> ../../archive/www.example.com/fullchain2.pem
lrwxr-xr-x 1 root wheel 46 Oct 11 11:11 privkey.pem -> ../../archive/www.example.com/privkey2.pem
-rw-r--r-- 1 root wheel 543 Oct 10 16:18 README
$

Now that renewal works, have root's cron run the following script periodically, for example once a day. Unlike the test runs above, the scheduled script must not pass --renew-by-default: certbot renew already inspects every certificate and only renews those within 30 days of expiry, so a daily run normally does nothing, and forcing it would hit the duplicate-certificate rate limit within a week.
$ cat /usr/local/sbin/renew-letsencrypt.sh
#!/bin/sh
# Run daily from root's crontab. "certbot renew" replaces only certificates
# that are within 30 days of expiry, so a daily run is safe against the
# Let's Encrypt duplicate-certificate rate limit; --renew-by-default would
# force a fresh certificate on every run and trip that limit within a week.
# --deploy-hook runs only when a certificate was actually renewed, so httpd
# is reloaded exactly when there is a new certificate to serve.
export LANG=C
(date; \
/usr/local/bin/certbot renew --webroot -w /usr/local/www/apache24/data/ \
--deploy-hook "/usr/local/etc/rc.d/apache24 reload") 2>&1 | \
mailx -s "Renew the certificate" admin@example.com
$
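Before httpd is reloaded with whatever certbot left under live/, it is worth confirming that the files are consistent: the leaf is not about to expire, privkey.pem really belongs to cert.pem, fullchain.pem starts with that same leaf, and the key is not world-readable. The script below is an added example, not part of the original post or of certbot; it needs only POSIX sh and openssl(1). The LIVE path and the "check" entry point are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity checks for what certbot
# left under live/ before httpd is reloaded with it. Needs only POSIX sh and
# openssl(1). The LIVE path and the "check" entry point below are assumptions
# for illustration; adjust them for your host.

LIVE="${LIVE:-/usr/local/etc/letsencrypt/live/www.example.com}"

# Succeeds if certificate $1 is still valid $2 days from now. openssl does the
# date arithmetic, so no GNU- or BSD-specific date(1) flags are needed.
cert_valid_for_days() {
    openssl x509 -noout -in "$1" -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Succeeds if the public key embedded in certificate $1 equals the public key
# derived from private key $2. Both commands emit a SubjectPublicKeyInfo in
# PEM, so a plain string comparison works for RSA and ECDSA keys alike.
key_matches_cert() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
    key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds if the first certificate in $2 (what httpd sends as the leaf when
# SSLCertificateFile points at fullchain.pem) is the same certificate as $1.
fullchain_starts_with_leaf() {
    a=$(openssl x509 -noout -fingerprint -sha256 -in "$1" 2>/dev/null) || return 1
    b=$(openssl x509 -noout -fingerprint -sha256 -in "$2" 2>/dev/null) || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Succeeds if $1 (following symlinks, since live/ is all symlinks into archive/)
# is not readable by "other". Column 8 of ls -l is the world-read bit.
key_not_world_readable() {
    [ -e "$1" ] || return 1
    [ "$(ls -lL "$1" | cut -c8)" = "-" ]
}

# Runs every check against one live directory, prints a line per check and
# returns the number of failures, so it can gate a reload.
check_live_dir() {
    dir="$1"
    fails=0
    if cert_valid_for_days "$dir/cert.pem" 30; then
        echo "ok   cert.pem is valid for at least 30 more days"
    else
        echo "FAIL cert.pem expires within 30 days or is unreadable"; fails=$((fails + 1))
    fi
    if key_matches_cert "$dir/cert.pem" "$dir/privkey.pem"; then
        echo "ok   privkey.pem matches cert.pem"
    else
        echo "FAIL privkey.pem does not match cert.pem"; fails=$((fails + 1))
    fi
    if fullchain_starts_with_leaf "$dir/cert.pem" "$dir/fullchain.pem"; then
        echo "ok   fullchain.pem starts with the leaf certificate"
    else
        echo "FAIL fullchain.pem does not start with cert.pem"; fails=$((fails + 1))
    fi
    if key_not_world_readable "$dir/privkey.pem"; then
        echo "ok   privkey.pem is not world-readable"
    else
        echo "FAIL privkey.pem is world-readable"; fails=$((fails + 1))
    fi
    return "$fails"
}

# Entry point for interactive use: ./check-live.sh check [live-dir]
case "${1-}" in
    check) check_live_dir "${2:-$LIVE}" ;;
esac
```

Run it by hand as `check-live.sh check` after a renewal, or chain it in front of the reload in the --deploy-hook so that a broken lineage is reported by mail instead of being served. The expiry check is the one that catches a silently failing cron job: if certbot renew stops working, cert.pem keeps ageing and this check starts failing about 30 days before clients see an expired certificate.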