2021 Edition: Setting up a server certificate on Ubuntu with certbot and Let's Encrypt

2021/07/04

certbot-auto, the tool that issued and managed free Let's Encrypt certificates, is no longer supported on Debian/Ubuntu. Instead, install certbot and python3-certbot-apache and manage the server certificate with them.

Apache ServerName setting

Set ServerName to your domain in the /etc/apache2/sites-available/000-default.conf file.


$ sudo vi /etc/apache2/sites-available/000-default.conf

        ServerName ドメイン
...

Installing and configuring certbot and python3-certbot-apache

Run certbot so that it reads the Apache configuration, and answer each prompt to complete the setup.

Enter the email address that renewal notices should be sent to.


$ sudo certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): メールアドレス

Enter A to agree to the Terms of Service.


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must agree in order to register with the ACME server at https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
(A)gree/(C)ancel: A

Answer whether you want to receive news from the Electronic Frontier Foundation.


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N

Select the target domain by its number.


Which names would you like to activate HTTPS for?
 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
1: xxxxxxxxx
 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
Select the appropriate numbers separated by commas and/or spaces, or leave input blank to select all options shown (Enter 'c' to cancel):1

Choose whether HTTP connections should be redirected to HTTPS.


Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
1: No redirect - Make no further changes to the webserver configuration. 
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for new sites, or if you're confident your site works on HTTPS. You can undo this change by editing your web server's configuration.
 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2

If the Congratulations! message is displayed, the setup is complete.


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
Congratulations! You have successfully enabled https://logicoya.com
You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=xxxx
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
...

Checking server certificate expiry and renewal

With this setup the server certificate is renewed automatically; certbot.timer lets you check the certificate's expiry and when the next renewal run is scheduled.


$ sudo systemctl status certbot.timer
● certbot.timer - Run certbot twice daily
     Loaded: loaded (/lib/systemd/system/certbot.timer; enabled; vendor preset: enabled)
     Active: active (waiting) since Sun 2021-07-04 15:06:16 JST; 44min ago
    Trigger: Mon 2021-07-05 09:59:24 JST; 18h left
   Triggers: ● certbot.service

Jul 04 15:06:16 xxxx systemd[1]: Started Run certbot twice daily.
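The timer only shows when certbot will next run, not how much validity the certificate actually has left. The following script is an added example (not part of the original post): it reads the notAfter line that openssl prints for the live certificate, computes the days remaining, and classifies them against certbot's default 30-day renewal window. It assumes GNU date (as on Ubuntu) and certbot's standard /etc/letsencrypt/live/<domain>/fullchain.pem path.

```shell
#!/bin/sh
# Added example: days remaining on a Let's Encrypt certificate, parsed from
#   openssl x509 -noout -enddate -in /etc/letsencrypt/live/<domain>/fullchain.pem
# Assumes GNU date for parsing openssl's timestamp format.

# Print whole days between "now" (epoch seconds, $2) and the "notAfter=..." line ($1).
# A negative result means the certificate has already expired.
days_until_expiry() {
    not_after=${1#notAfter=}                        # strip the "notAfter=" prefix
    end_epoch=$(date -u -d "$not_after" +%s) || return 1
    echo $(( (end_epoch - $2) / 86400 ))
}

# certbot renews automatically once fewer than 30 days remain, so a certificate
# still inside that window after the timer has fired deserves a closer look.
expiry_status() {
    if [ "$1" -lt 0 ]; then echo expired
    elif [ "$1" -lt 30 ]; then echo renew-window
    else echo ok
    fi
}

# Check a live certificate file (needs root to read /etc/letsencrypt/live):
# prints "<days> <status>".
check_cert_file() {
    line=$(openssl x509 -noout -enddate -in "$1") || return 1
    days=$(days_until_expiry "$line" "$(date -u +%s)") || return 1
    echo "$days $(expiry_status "$days")"
}

# Constructed sample (not a real certificate): a notAfter value in the format
# openssl prints, evaluated against a fixed "now" so the result is reproducible.
SAMPLE_NOT_AFTER='notAfter=Oct  2 06:06:16 2021 GMT'
SAMPLE_NOW=$(date -u -d '2021-07-04 06:06:16' +%s)

d=$(days_until_expiry "$SAMPLE_NOT_AFTER" "$SAMPLE_NOW")
echo "sample: $d days left, status: $(expiry_status "$d")"   # sample: 90 days left, status: ok
```

On a real host, call check_cert_file /etc/letsencrypt/live/<domain>/fullchain.pem from cron or a monitoring check and alert on anything other than ok.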

Testing server certificate renewal

certbot can renew the server certificate, and you can test the renewal with --dry-run.


$ sudo certbot renew --dry-run