AlmaLinux on a VPS (14): Enabling SSL on the Web Server

In the previous post, we installed the ACME client.
This time, we enable SSL on the web server.

Configuring Nginx with Certbot

Running the following command has Certbot configure Nginx for us.

$ sudo certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address or hit Enter to skip.
(Enter 'c' to cancel): name@your.domain

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at:
https://letsencrypt.org/documents/LE-SA-v1.5-February-24-2025.pdf
You must agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Account registered.

Which names would you like to activate HTTPS for?
We recommend selecting either all domains, or all domains in a VirtualHost/server block.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: sub.your.domain
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
Requesting a certificate for sub.your.domain

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/sub.your.domain/fullchain.pem
Key is saved at: /etc/letsencrypt/live/sub.your.domain/privkey.pem
This certificate expires on 2025-06-20.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

Deploying certificate
Successfully deployed certificate for sub.your.domain to /etc/nginx/nginx.conf
Congratulations! You have successfully enabled HTTPS on https://sub.your.domain

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Once the command completes, the site can already be served over SSL.

Checking certificate renewal

Test certificate renewal manually.

$ sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/sub.your.domain.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Account registered.
Simulating renewal of an existing certificate for sub.your.domain

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all simulated renewals succeeded:
/etc/letsencrypt/live/sub.your.domain/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Check the timer that renews the Certbot certificate.

$ systemctl list-timers '*certbot*'
NEXT                        LEFT          LAST                        PASSED    UNIT                     ACTIVATES
Sun 2025-03-23 00:57:00 JST 1h 13min left Sat 2025-03-22 23:18:13 JST 25min ago snap.certbot.renew.timer snap.certbot.renew.service

1 timers listed.
Pass --all to see loaded but inactive timers, too.

Check the timer's configuration.

$ cat /etc/systemd/system/timers.target.wants/snap.certbot.renew.timer
[Unit]
# Auto-generated, DO NOT EDIT
Description=Timer renew for snap application certbot.renew
Requires=var-lib-snapd-snap-certbot-4482.mount
After=var-lib-snapd-snap-certbot-4482.mount
X-Snappy=yes

[Timer]
Unit=snap.certbot.renew.service
OnCalendar=*-*-* 00:57
OnCalendar=*-*-* 23:18

[Install]
WantedBy=timers.target
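
The dry run and the timer show that renewal is scheduled, but not that the files on disk are in good shape. As an added example (not part of the original post), the script below checks that the certificate and key saved by Certbot parse, belong together, and are not inside a renewal window. The function names, return codes and the 30-day default are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: health check for a
# certbot-managed certificate/key pair. Run as root, for example:
#   sh check_cert.sh /etc/letsencrypt/live/sub.your.domain/fullchain.pem \
#                    /etc/letsencrypt/live/sub.your.domain/privkey.pem
# openssl x509 reads the first certificate in fullchain.pem (the leaf).

# pubkey_hash_cert CERT -> SHA-256 of the certificate's public key (DER)
pubkey_hash_cert() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null |
        openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256
}

# pubkey_hash_key KEY -> SHA-256 of the public half of the private key (DER)
pubkey_hash_key() {
    openssl pkey -in "$1" -pubout -outform DER 2>/dev/null |
        openssl dgst -sha256
}

# check_cert CERT KEY [DAYS]   (DAYS defaults to 30, an assumed threshold)
# returns 0 = healthy, 1 = expires within DAYS, 2 = unreadable, 3 = mismatch
check_cert() {
    cc_cert=$1 cc_key=$2 cc_days=${3:-30}
    # Parse both files first, so a missing file is never reported as a match.
    openssl x509 -in "$cc_cert" -noout 2>/dev/null ||
        { echo "cannot parse certificate: $cc_cert"; return 2; }
    openssl pkey -in "$cc_key" -noout 2>/dev/null ||
        { echo "cannot parse private key: $cc_key"; return 2; }
    if [ "$(pubkey_hash_cert "$cc_cert")" != "$(pubkey_hash_key "$cc_key")" ]; then
        echo "private key does not match certificate"
        return 3
    fi
    # -checkend exits non-zero when the certificate expires within N seconds.
    if ! openssl x509 -in "$cc_cert" -noout \
            -checkend "$((cc_days * 86400))" >/dev/null; then
        echo "expires within $cc_days days: $(openssl x509 -in "$cc_cert" -noout -enddate)"
        return 1
    fi
    echo "ok: $(openssl x509 -in "$cc_cert" -noout -enddate)"
}

# Run the check only when paths are given on the command line.
[ "$#" -eq 0 ] || check_cert "$@"
```

A return code of 1 on a host where the timer above is active means the scheduled renewals are not succeeding and /var/log/letsencrypt/letsencrypt.log should be reviewed.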

Next time, we will install WordPress.
