EC2とRailsとnginxのサイトをLet’s EncryptでSSL化
httpで動いてるとこからhttpsに変更する手順
準備
$ git clone https://github.com/letsencrypt/letsencrypt $ cd ./letsencrypt $ ./letsencrypt-auto --help --debug
最後に以下のようにでればOK
Complete! Creating virtual environment... Installing Python packages... Installation succeeded. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - letsencrypt-auto [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ... Certbot can obtain and install HTTPS/TLS/SSL certificates. By default, it will attempt to use a webserver both for obtaining and installing the certificate. The most common SUBCOMMANDS and flags are: obtain, install, and renew certificates: (default) run Obtain & install a certificate in your current webserver certonly Obtain or renew a certificate, but do not install it renew Renew all previously obtained certificates that are near expiry enhance Add security enhancements to your existing configuration -d DOMAINS Comma-separated list of domains to obtain a certificate for --apache Use the Apache plugin for authentication & installation --standalone Run a standalone webserver for authentication --nginx Use the Nginx plugin for authentication & installation --webroot Place files in a server's webroot folder for authentication --manual Obtain certificates interactively, or using shell script hooks -n Run non-interactively --test-cert Obtain a test certificate from a staging server --dry-run Test "renew" or "certonly" without saving any certificates to disk manage certificates: certificates Display information about certificates you have from Certbot revoke Revoke a certificate (supply --cert-path) delete Delete a certificate manage your account with Let's Encrypt: register Create a Let's Encrypt ACME account --agree-tos Agree to the ACME server's Subscriber Agreement -m EMAIL Email address for important account notifications More detailed help: -h, --help [TOPIC] print this message, or detailed help on a topic; the available TOPICS are: all, automation, commands, paths, security, testing, or any of the subcommands or plugins (certonly, renew, install, register, nginx, apache, standalone, webroot, etc.) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
nginxのconfigファイルを編集
server { listen 80 default; (省略) location /.well-known/ { root /home/user_name/app_name; } }
読み込み&再起動
$ sudo service nginx reload $ sudo service nginx restart
証明書作成
$ sudo ./letsencrypt-auto certonly --webroot -w ドキュメントルート -d ドメイン
Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel):
でメアド入力
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Please read the Terms of Service at https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must agree in order to register with the ACME server at https://acme-v02.api.letsencrypt.org/directory - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (A)gree/(C)ancel: A
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Would you be willing to share your email address with the Electronic Frontier Foundation, a founding partner of the Let's Encrypt project and the non-profit organization that develops Certbot? We'd like to send you email about our work encrypting the web, EFF news, campaigns, and ways to support digital freedom. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (Y)es/(N)o: N
$ cd /etc/letsencrypt/
配下にドメインの名前のフォルダで作成される
Nginx
nginxに証明書の場所を設定
server { listen 443 ssl; server_name hogeohoge.com; ssl on; ssl_certificate /etc/letsencrypt/live/hogehoge.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/hogehoge.com/privkey.pem; (略) }
reload & restartして完了