Let's Encryptのインストールからnginxの設定まで

ツールをインストール

$ sudo curl https://dl.eff.org/certbot-auto -o /usr/bin/certbot-auto
$ sudo chmod 700 /usr/bin/certbot-auto

実行結果

$ sudo curl https://dl.eff.org/certbot-auto -o /usr/bin/certbot-auto
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 68023  100 68023    0     0  51134      0  0:00:01  0:00:01 --:--:-- 51106
$ sudo chmod 700 /usr/bin/certbot-auto

nginxの設定-初回

server {
    listen       80;
    server_name  www.example.com example.com;

    root         /var/www/example;
    index        index.html;

    location /.well-known {
      root         /var/www/example;
    }

    location / {
    }
}

rootである `/var/www/example` と、 `certbot-auto` の `-w` に設定するパスは同一でなければならない。

Linux - Let’s Encrypt の自動更新に失敗します｜teratail

証明書の取得

$ sudo certbot-auto certonly --webroot -w /path/to/web_public_folder -d www.domain.com --email example@gmail.com

実行結果

$ sudo certbot-auto certonly --webroot -w /path/to/web_public_folder -d www.domain.com -d domain.com --email example@gmail.com
Bootstrapping dependencies for RedHat-based OSes... (you can skip this with --no-bootstrap)
yum は /bin/yum です
yum はハッシュされています (/bin/yum)
読み込んだプラグイン:fastestmirror, langpacks
.
.
.
完了しました!
Creating virtual environment...
Installing Python packages...
Installation succeeded.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A # <= ★Aを入力

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y # <= ★Yを入力
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.domain.com
Using the webroot path /path/to/web_public_folder for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/www.domain.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/www.domain.com/privkey.pem
   Your cert will expire on 2019-10-01. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

インストールが開始されるが気にしない。

無料でHTTPS化できる「Let's Encrypt」をやってみた ※install.sh付き - Qiita

Host multiple domains with a single certificate - Help - Let’s Encrypt Community Support

nginxの設定-pemを取得後

# http->httpsへのリダイレクト用
server {
    listen 80;
    server_name domain.com www.domain.com;

    root         /var/www/example;
    index        index.html;

    return 301 https://$host$request_uri;
}

server {
    ssl on; # <= ★
    listen       443; # <= ★
    server_name domain.com www.domain.com;
    ssl_certificate /etc/letsencrypt/live/www.domain.com/fullchain.pem; # <= ★
    ssl_certificate_key /etc/letsencrypt/live/www.domain.com/privkey.pem; # <= ★

    #charset koi8-r;
    #access_log  /var/log/nginx/host.access.log  main;

    root /var/www/application; # アプリケーション名を記述

    try_files $uri/index.html $uri;
    # For rails
    location / {
        proxy_pass http://localhost:3000;
        proxy_redirect                         off;
        proxy_set_header Host                  $host;
        proxy_set_header X-Real-IP             $remote_addr;
        proxy_set_header X-Forwarded-Host      $host;
        proxy_set_header X-Forwarded-Server    $host;
        proxy_set_header X-Forwarded-For       $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto     $scheme;
    }
    .
    .
    .
}

★を付けた箇所が、SSL化に必要な設定