Let's Encryptのインストールからnginxの設定まで

ツールをインストール

$ sudo curl https://dl.eff.org/certbot-auto -o /usr/bin/certbot-auto $ sudo chmod 700 /usr/bin/certbot-auto

実行結果

$ sudo curl https://dl.eff.org/certbot-auto -o /usr/bin/certbot-auto % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 68023 100 68023 0 0 51134 0 0:00:01 0:00:01 --:--:-- 51106 $ sudo chmod 700 /usr/bin/certbot-auto

nginxの設定-初回

server {
    listen       80;
    server_name  www.example.com example.com;

    root         /var/www/example;
    index        index.html;

    location /.well-known {
      root         /var/www/example;
    }

    location / {
    }
}

rootである `/var/www/example` と、 `certbot-auto` の `-w` に設定するパスは同一でなければならない。

Linux - Let’s Encrypt の自動更新に失敗します｜teratail

証明書の取得

$ sudo certbot-auto certonly --webroot -w /path/to/web_public_folder -d www.domain.com --email example@gmail.com

実行結果

$ sudo certbot-auto certonly --webroot -w /path/to/web_public_folder -d www.domain.com -d domain.com --email example@gmail.com Bootstrapping dependencies for RedHat-based OSes... (you can skip this with --no-bootstrap) yum は /bin/yum です yum はハッシュされています (/bin/yum) 読み込んだプラグイン:fastestmirror, langpacks . . . 完了しました! Creating virtual environment... Installing Python packages... Installation succeeded. Saving debug log to /var/log/letsencrypt/letsencrypt.log Plugins selected: Authenticator webroot, Installer None - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Please read the Terms of Service at https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must agree in order to register with the ACME server at https://acme-v02.api.letsencrypt.org/directory - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (A)gree/(C)ancel: A # <= ★Aを入力 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Would you be willing to share your email address with the Electronic Frontier Foundation, a founding partner of the Let's Encrypt project and the non-profit organization that develops Certbot? We'd like to send you email about our work encrypting the web, EFF news, campaigns, and ways to support digital freedom. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (Y)es/(N)o: Y # <= ★Yを入力 Obtaining a new certificate Performing the following challenges: http-01 challenge for www.domain.com Using the webroot path /path/to/web_public_folder for all unmatched domains. Waiting for verification... Cleaning up challenges IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/www.domain.com/fullchain.pem Your key file has been saved at: /etc/letsencrypt/live/www.domain.com/privkey.pem Your cert will expire on 2019-10-01. To obtain a new or tweaked version of this certificate in the future, simply run certbot-auto again. To non-interactively renew *all* of your certificates, run "certbot-auto renew" - Your account credentials have been saved in your Certbot configuration directory at /etc/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Certbot so making regular backups of this folder is ideal. - If you like Certbot, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le

インストールが開始されるが気にしない。

無料でHTTPS化できる「Let's Encrypt」をやってみた ※install.sh付き - Qiita

Host multiple domains with a single certificate - Help - Let’s Encrypt Community Support

nginxの設定-pemを取得後

# http->httpsへのリダイレクト用 server { listen 80; server_name domain.com www.domain.com; root /var/www/example; index index.html; return 301 https://$host$request_uri; } server { ssl on; # <= ★ listen 443; # <= ★ server_name domain.com www.domain.com; ssl_certificate /etc/letsencrypt/live/www.domain.com/fullchain.pem; # <= ★ ssl_certificate_key /etc/letsencrypt/live/www.domain.com/privkey.pem; # <= ★ #charset koi8-r; #access_log /var/log/nginx/host.access.log main; root /var/www/application; # アプリケーション名を記述 try_files $uri/index.html $uri; # For rails location / { proxy_pass http://localhost:3000; proxy_redirect off; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Server $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } . . . }

★を付けた箇所が、SSL化に必要な設定