Notes from an engineer who "completely understands" programming

Internet flotsam: nothing here beyond back-of-a-flyer scribbles

Enabling SSL on an EC2 + Rails + nginx site with Let's Encrypt

Steps for switching a site that is running on http over to https

Preparation

$ git clone https://github.com/letsencrypt/letsencrypt
$ cd ./letsencrypt
$ ./letsencrypt-auto --help --debug

You're good if the output ends like this:

Complete!
Creating virtual environment...
Installing Python packages...
Installation succeeded.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  letsencrypt-auto [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates.  By default,
it will attempt to use a webserver both for obtaining and installing the
certificate. The most common SUBCOMMANDS and flags are:

obtain, install, and renew certificates:
    (default) run   Obtain & install a certificate in your current webserver
    certonly        Obtain or renew a certificate, but do not install it
    renew           Renew all previously obtained certificates that are near
expiry
    enhance         Add security enhancements to your existing configuration
   -d DOMAINS       Comma-separated list of domains to obtain a certificate for

  --apache          Use the Apache plugin for authentication & installation
  --standalone      Run a standalone webserver for authentication
  --nginx           Use the Nginx plugin for authentication & installation
  --webroot         Place files in a server's webroot folder for authentication
  --manual          Obtain certificates interactively, or using shell script
hooks

   -n               Run non-interactively
  --test-cert       Obtain a test certificate from a staging server
  --dry-run         Test "renew" or "certonly" without saving any certificates
to disk

manage certificates:
    certificates    Display information about certificates you have from Certbot
    revoke          Revoke a certificate (supply --cert-path)
    delete          Delete a certificate

manage your account with Let's Encrypt:
    register        Create a Let's Encrypt ACME account
  --agree-tos       Agree to the ACME server's Subscriber Agreement
   -m EMAIL         Email address for important account notifications

More detailed help:

  -h, --help [TOPIC]    print this message, or detailed help on a topic;
                        the available TOPICS are:

   all, automation, commands, paths, security, testing, or any of the
   subcommands or plugins (certonly, renew, install, register, nginx,
   apache, standalone, webroot, etc.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Edit the nginx config file

server {
  listen 80 default;
  (omitted)
  # certbot writes its challenge files under <root>/.well-known/acme-challenge/,
  # so this root must be the same directory passed to -w below
  location /.well-known/ {
    root /home/user_name/app_name;
  }
}

Reload & restart

$ sudo service nginx reload
$ sudo service nginx restart
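Before running certonly, it is worth confirming that nginx really serves the challenge directory over plain HTTP, since a wrong root in the location block is the usual reason the webroot validation fails. The following pre-flight check is an added example and not part of the original post; WEBROOT and DOMAIN are placeholders for the values passed to -w and -d.

```shell
#!/bin/sh
# Added pre-flight check (not from the original post): confirm that nginx really
# serves files under <webroot>/.well-known/acme-challenge/ over plain HTTP before
# running "letsencrypt-auto certonly --webroot". Assumes WEBROOT is the directory
# passed to -w (the "root" of the location /.well-known/ block) and DOMAIN the
# name passed to -d; both are supplied by the caller.
set -eu

# Write a throwaway token file exactly where certbot will place its own challenge
# files and print its path. The token is random so a cached reply cannot fake a pass.
write_probe() {
    dir="$1/.well-known/acme-challenge"
    mkdir -p "$dir"
    token="probe-$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')"
    printf '%s' "$token" > "$dir/$token"
    printf '%s\n' "$dir/$token"
}

# Fetch the probe the way the Let's Encrypt validation servers do (HTTP on port 80,
# no TLS), compare the body with the token, and always delete the file afterwards.
# Returns 0 only when the served body matches byte for byte.
probe_served() {
    domain="$1"
    path="$2"
    token=$(basename "$path")
    expected=$(cat "$path")
    got=$(curl -fsS --max-time 10 "http://$domain/.well-known/acme-challenge/$token" || true)
    rm -f "$path"
    [ "$got" = "$expected" ]
}

# Run the check only when the caller provides both values, e.g.
#   WEBROOT=/home/user_name/app_name DOMAIN=hogehoge.com sh acme-preflight.sh
if [ -n "${WEBROOT:-}" ] && [ -n "${DOMAIN:-}" ]; then
    probe=$(write_probe "$WEBROOT")
    if probe_served "$DOMAIN" "$probe"; then
        echo "OK: http://$DOMAIN/.well-known/acme-challenge/ is served from $WEBROOT"
    else
        echo "FAIL: nginx did not return the probe; check the location /.well-known/ root and reload nginx" >&2
        exit 1
    fi
fi
```

If the check fails, fix the root in the location block and reload nginx before retrying, since certbot's own validation would hit the same problem.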

Create the certificate

$ sudo ./letsencrypt-auto certonly --webroot -w <document root> -d <domain>
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel):

Enter your email address at this prompt. The <document root> must be the same directory as the root of the location /.well-known/ block above.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
$ cd /etc/letsencrypt/

A directory named after the domain is created underneath (under live/), containing the certificate and key files.

Nginx

Set the certificate paths in nginx

server {
  listen 443 ssl;
  server_name hogehoge.com;

  # "ssl on;" is redundant with "listen 443 ssl" and was deprecated in nginx 1.15;
  # drop it on newer versions
  ssl on;
  ssl_certificate      /etc/letsencrypt/live/hogehoge.com/fullchain.pem;
  ssl_certificate_key  /etc/letsencrypt/live/hogehoge.com/privkey.pem;
  (omitted)
}

Reload & restart nginx and you're done
