Encrypting communication with the web server (Apache + mod_SSL + Certbot)

Last updated: 2023.02.23

■ Overview

When a user sends passwords or other confidential information from a web browser, it is dangerous if that traffic can be eavesdropped on, so the communication with the web server is encrypted.
Here, mod_ssl is installed on the web server and the site is accessed as https://... instead of http://..., so that the content of the communication with the web server is encrypted.
Encrypting communication with the web server also requires a server certificate to be issued. With a self-signed server certificate, however, clients see a security warning every time they connect (every time the web browser is started). The alternatives are to buy a commercial server certificate, or to issue a self-signed one and import it into every client. A commercial certificate is expensive and incurs a recurring yearly cost, and having an unspecified number of users each import a self-signed server certificate is not realistic. For these reasons, this page installs a free Certbot server certificate, so that encrypted communication works free of charge and without security warnings being displayed.

[Features of Certbot]
・Server certificates can be issued free of charge
・Obtaining a server certificate is done entirely from the command line (no cumbersome procedures via web forms, e-mail, etc.)
・Renewing a server certificate is done entirely from the command line (no more worrying about forgetting to renew the server certificate)


■ Installing the Certbot client

[root@centos ~]# yum -y install epel-release ← Install the EPEL repository for yum

[root@centos ~]# yum -y install snapd ← Install snapd

[root@centos ~]# systemctl enable --now snapd.socket ← Enable snapd.socket

[root@centos ~]# ln -s /var/lib/snapd/snap /snap ← Link /var/lib/snapd/snap to /snap

[root@centos ~]# snap install --classic certbot ← Install certbot

[root@centos ~]# ln -s /snap/bin/certbot /usr/bin/certbot ← Link /snap/bin/certbot to /usr/bin/certbot

■ Obtaining the server certificate

[root@centos ~]# certbot certonly --webroot -w <document root> -m <e-mail address> -d <web server name> --agree-tos ← Obtain the server certificate


Parameters:
<document root> ⇒ /var/www/html/centos/
<e-mail address> ⇒ any e-mail address of your choice
<web server name> ⇒ centossrv.com


Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for centossrv.com

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/centossrv.com/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/centossrv.com/privkey.pem
This certificate expires on 2023-01-14.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -


■ Installing mod_ssl

[root@centos ~]# yum -y install mod_ssl ← Install mod_ssl

■ Apache configuration

(1) Apache configuration (for Certbot)
[root@centos ~]# vi /etc/httpd/conf.d/ssl.conf ← Edit the SSL configuration file
#   Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate.  If
# the certificate is encrypted, then you will be prompted for a
# pass phrase.  Note that a kill -HUP will prompt again.  A new
# certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/letsencrypt/live/centossrv.com/cert.pem ← Specify the public key (server certificate)

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/letsencrypt/live/centossrv.com/privkey.pem ← Specify the private key

#   Server Certificate Chain:
#   Point SSLCertificateChainFile at a file containing the
#   concatenation of PEM encoded CA certificates which form the
#   certificate chain for the server certificate. Alternatively
#   the referenced file can be the same as SSLCertificateFile
#   when the CA certificates are directly appended to the server
#   certificate for convenience.
SSLCertificateChainFile /etc/letsencrypt/live/centossrv.com/chain.pem ← Specify the intermediate certificate

(2) Apache configuration (for the SSL Server Test)
Configure the settings needed to obtain an A+ rating in the SSL Server Test.
[root@centos ~]# vi /etc/httpd/conf.d/ssl.conf ← Edit the SSL configuration file
#   SSL Protocol support:
# List the enable protocol levels with which clients will be able to
# connect.  Disable SSLv2 access by default:
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 ← Enable TLS 1.2 only

#   Speed-optimized SSL Cipher configuration:
#   If speed is your main concern (on busy HTTPS servers e.g.),
#   you might want to force clients to specific, performance
#   optimized ciphers. In this case, prepend those ciphers
#   to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
#   Caveat: by giving precedence to RC4-SHA and AES128-SHA
#   (as in the example below), most connections will no longer
#   have perfect forward secrecy - if the server's key is
#   compromised, captures of past or future traffic must be
#   considered compromised, too.
#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
#SSLHonorCipherOrder on
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS ← Added (cipher suites to use)
SSLHonorCipherOrder on ← Added (the server side decides the cipher suite)

Header always set Strict-Transport-Security "max-age=15768000" ← Added (HSTS: enforce HTTPS access at all times)
</VirtualHost>
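The directives above are easy to get subtly wrong (a protocol token misspelled, SSLHonorCipherOrder left at its default, the HSTS line placed outside the virtual host). The script below is an added example, not part of the original page: it audits the text of an ssl.conf for exactly the settings this section changes, so it can be run offline against a copy of /etc/httpd/conf.d/ssl.conf before reloading Apache or waiting on the SSL Server Test. The two configurations it checks are constructed samples. One caveat the page does not mention: on a build linked against OpenSSL 1.1.1 or newer (CentOS 8), "All" also includes TLSv1.3, so the SSLProtocol line on this page leaves TLS 1.2 and TLS 1.3 enabled, and the helper expands "All" accordingly.

```shell
#!/bin/bash
# Added example (not from the original page): offline audit of the ssl.conf
# directives this section hardens. Works on configuration text only.

# Constructed sample: the values a stock CentOS ssl.conf ships with.
WEAK_CONF='SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA'

# Constructed sample: the values set on this page for an A+ rating.
HARDENED_CONF='SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
SSLHonorCipherOrder on
Header always set Strict-Transport-Security "max-age=15768000"'

# What "All" expands to on OpenSSL 1.1.1 and later (SSLv2 is no longer
# compiled in, so "-SSLv2" is a no-op there).
ALL_PROTOCOLS="SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"

# Print, space separated, the protocol versions an SSLProtocol directive
# leaves enabled. Tokens are applied left to right as mod_ssl does:
# "All"/"+All" selects everything, "-All" clears, "-name" removes,
# "+name" or a bare name adds.
enabled_protocols() {
    line=$(printf '%s\n' "$1" | grep -i '^[[:space:]]*SSLProtocol[[:space:]]' | head -n 1)
    if [ -z "$line" ]; then
        echo "no-SSLProtocol-directive"
        return
    fi
    set -- $line
    shift                                   # drop the directive name itself
    enabled=""
    for tok in "$@"; do
        case "$tok" in
            [Aa][Ll][Ll]|+[Aa][Ll][Ll]) enabled="$ALL_PROTOCOLS" ;;
            -[Aa][Ll][Ll]) enabled="" ;;
            -*) enabled=$(printf '%s\n' $enabled | grep -vxF -- "${tok#-}" | tr '\n' ' ') ;;
            +*) enabled="$enabled ${tok#+}" ;;
            *)  enabled="$enabled $tok" ;;
        esac
    done
    echo $enabled                           # unquoted on purpose: squeezes the spacing
}

# Print one finding per line for anything that falls short of the settings
# above; print nothing when the configuration passes.
audit_ssl_conf() {
    conf="$1"
    protos=$(enabled_protocols "$conf")
    case "$protos" in
        no-SSLProtocol-directive) echo "WEAK: no SSLProtocol directive, mod_ssl default applies" ;;
        *)
            for old in SSLv3 TLSv1 TLSv1.1; do
                case " $protos " in
                    *" $old "*) echo "WEAK: $old is still enabled" ;;
                esac
            done ;;
    esac
    printf '%s\n' "$conf" | grep -qi '^[[:space:]]*SSLHonorCipherOrder[[:space:]][[:space:]]*on' \
        || echo "WEAK: SSLHonorCipherOrder is not on, so the client picks the cipher"
    printf '%s\n' "$conf" | grep -i '^[[:space:]]*SSLCipherSuite[[:space:]]' | grep -q '!aNULL' \
        || echo "WEAK: SSLCipherSuite does not exclude anonymous (aNULL) suites"
    printf '%s\n' "$conf" | grep -qi '^[[:space:]]*Header[[:space:]].*Strict-Transport-Security' \
        || echo "WEAK: no Strict-Transport-Security header"
}

# Number of findings, so a cron job or CI step gets a single value to test.
audit_findings_count() {
    audit_ssl_conf "$1" | grep -c '^WEAK:' || true
}

echo "== stock configuration =="
audit_ssl_conf "$WEAK_CONF"
echo "== hardened configuration =="
audit_ssl_conf "$HARDENED_CONF"
echo "protocols left enabled: $(enabled_protocols "$HARDENED_CONF")"
```

To audit the live file, pass its contents: `audit_ssl_conf "$(cat /etc/httpd/conf.d/ssl.conf)"`. The audit only reads the directives it knows about; it does not replace the SSL Server Test, which also checks the certificate chain and the key exchange the server actually negotiates.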

(3) Apache configuration (for AWStats)
So that the Apache access log analyzer (AWStats) can analyze it, write the https access log to the same file, in the same format, as the http access log.
[root@centos ~]# vi /etc/httpd/conf.d/ssl.conf ← Edit the SSL configuration file
# Use separate log files for the SSL virtual host; note that LogLevel
# is not inherited from httpd.conf.
ErrorLog logs/error_log ← Change the log file name
CustomLog logs/access_log combined env=!no_log ← Change the log directive and the log file name
LogLevel warn

■ Applying the Apache configuration

(1) Apply the Apache configuration
[root@centos ~]# systemctl reload httpd ← Apply the Apache configuration

(2) Opening TCP port 443
[Router]
In the router's settings, forward access to TCP port 443 to the server.
※ For the router settings, refer to the manual of your router or to the broadband router port forwarding procedure.

[Firewall]
In the server's firewall settings, allow access to TCP port 443.
※ For the firewall settings, see here.

On the port check test page [Port open check], enter the server name (e.g. centossrv.com) in "Host name (FQDN) or global IP address" and 443 in "Port number to check", tick the "Notes and disclaimer" confirmation box, press the "Run port check" button, and confirm that the following is displayed:
Host: centossrv.com
Port: 443
is reachable.

■ Verifying Apache

Access https://<web server name> (e.g. https://centossrv.com) from a web browser and confirm that no security warning is displayed.

Confirm that the SSL Server Test gives an A+ rating.

■ Configuring automatic server certificate renewal

Because a Certbot server certificate is valid for 3 months, renew the server certificate automatically every month.
[root@centos ~]# vi /etc/cron.monthly/certbot ← Create the server certificate auto-renewal script
#!/bin/bash
log=$(mktemp)
code=0

# Prefer certbot; fall back to the legacy certbot-auto wrapper
if which certbot > /dev/null 2>&1; then
    CERTBOT=$(which certbot)
else
    CERTBOT=$(which certbot-auto)
fi

#
# Renew certificates
#
for conf in /etc/letsencrypt/renewal/*.conf
do
    conf=$(basename "${conf}")
    result=0

    # Get the domain name (renewal file name without .conf)
    domain=${conf%.conf}

    # Get the authenticator
    authenticator=$(grep '^authenticator' "/etc/letsencrypt/renewal/${conf}" | awk '{print $3}')

    if [ "${authenticator}" = 'webroot' ]; then
        # webroot authentication

        # Get the document root (strip the trailing comma Certbot writes)
        webroot=$(grep '^webroot_path' "/etc/letsencrypt/renewal/${conf}" | awk '{print $3}' | awk -F '[,]' '{print $1}')

        # Renew the certificate
        ${CERTBOT} certonly --webroot \
        -w "${webroot}" -d "${domain}" --renew-by-default >> "${log}" 2>&1
        [ $? -ne 0 ] && { result=1; cat "${log}"; }
    else
        # standalone authentication

        # Renew the certificate (standalone needs TCP 80 to be free)
        if lsof -i:80 > /dev/null 2>&1; then
            echo 'Webサーバー稼働中のためスタンドアロン認証不可'
            result=1
        else
            ${CERTBOT} certonly -a standalone \
            -d "${domain}" --renew-by-default >> "${log}" 2>&1
            [ $? -ne 0 ] && { result=1; cat "${log}"; }
        fi
    fi

    # Delete old certificate files, but only after a successful renewal so
    # the files the live/ symlinks point at are never removed after a failure
    if [ ${result} -eq 0 ]; then
        find "/etc/letsencrypt/archive/${domain}/" -mtime +30 -delete
    else
        code=1
    fi

done

#
# Apply the renewed certificates
#

# Reload the web server configuration
if lsof -i:443 > /dev/null 2>&1; then
    if rpm -q systemd > /dev/null 2>&1; then
        systemctl reload httpd
    else
        /etc/rc.d/init.d/httpd reload > /dev/null 2>&1
    fi
fi

# Reload the SMTP server configuration
if lsof -i:465 > /dev/null 2>&1; then
    if rpm -q systemd > /dev/null 2>&1; then
        systemctl reload postfix
    else
        /etc/rc.d/init.d/postfix reload > /dev/null 2>&1
    fi
fi

# Reload the IMAP server configuration
if lsof -i:995 > /dev/null 2>&1; then
    if rpm -q systemd > /dev/null 2>&1; then
        systemctl reload dovecot
    else
        /etc/rc.d/init.d/dovecot reload > /dev/null 2>&1
    fi
fi

#
# Send the log to syslog, then delete it
#
cat "${log}" | logger -t "$(basename "${0}")" ; rm -f "${log}"
exit ${code}

[root@centos ~]# chmod +x /etc/cron.monthly/certbot ← Give the server certificate auto-renewal script execute permission
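The renewal script above pulls the domain, the authenticator and the document root out of the files under /etc/letsencrypt/renewal/ with grep and awk column positions, which is where such jobs usually break (the trailing comma Certbot puts after webroot_path is one example). The script below is an added example and not the page's own code: it reads those fields by section and key, derives the command the monthly job would run for each renewal file, and keeps the port-80 check as an input parameter so it runs offline. The two renewal files and the mail.example.com host are constructed, and the account id is a placeholder.

```shell
#!/bin/bash
# Added example (not from the original page): parse Certbot renewal
# configuration files by section and key. Samples below are constructed.

# Constructed sample in the layout Certbot writes under /etc/letsencrypt/renewal/.
# Note the trailing comma on webroot_path, which the cron script has to strip.
SAMPLE_WEBROOT_CONF='# renew_before_expiry = 30 days
version = 1.32.0
archive_dir = /etc/letsencrypt/archive/centossrv.com
cert = /etc/letsencrypt/live/centossrv.com/cert.pem
privkey = /etc/letsencrypt/live/centossrv.com/privkey.pem
chain = /etc/letsencrypt/live/centossrv.com/chain.pem
fullchain = /etc/letsencrypt/live/centossrv.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = PLACEHOLDER_ACCOUNT_ID
authenticator = webroot
webroot_path = /var/www/html/centos,
server = https://acme-v02.api.letsencrypt.org/directory
[[webroot_map]]
centossrv.com = /var/www/html/centos'

# Constructed sample for a host issued with the standalone authenticator.
SAMPLE_STANDALONE_CONF='version = 1.32.0
archive_dir = /etc/letsencrypt/archive/mail.example.com
[renewalparams]
account = PLACEHOLDER_ACCOUNT_ID
authenticator = standalone
server = https://acme-v02.api.letsencrypt.org/directory'

# Write both samples into the given directory and print the directory name.
write_sample_confs() {
    printf '%s\n' "$SAMPLE_WEBROOT_CONF" > "$1/centossrv.com.conf"
    printf '%s\n' "$SAMPLE_STANDALONE_CONF" > "$1/mail.example.com.conf"
    printf '%s\n' "$1"
}

# Domain name = renewal file name without the .conf suffix.
renewal_domain() {
    b=$(basename "$1")
    printf '%s\n' "${b%.conf}"
}

# Value of "key = value" inside [renewalparams]; a trailing comma is dropped.
renewal_param() {
    awk -v key="$2" '
        /^\[/ { section = $0 }
        section == "[renewalparams]" && $1 == key && $2 == "=" {
            sub(/^[^=]*=[[:space:]]*/, "")
            sub(/,[[:space:]]*$/, "")
            print
            exit
        }' "$1"
}

# Document root: prefer the [[webroot_map]] entry, fall back to webroot_path.
renewal_webroot() {
    dom=$(renewal_domain "$1")
    wr=$(awk -v d="$dom" '
        /^\[/ { section = $0 }
        section == "[[webroot_map]]" && $1 == d && $2 == "=" {
            sub(/^[^=]*=[[:space:]]*/, "")
            print
            exit
        }' "$1")
    [ -n "$wr" ] || wr=$(renewal_param "$1" webroot_path)
    printf '%s\n' "$wr"
}

# The certbot command the monthly job would run for this file, or a reason to
# skip it. $2 is 1 when something already listens on TCP 80 (the cron script
# checks that with lsof); it is passed in so this function stays offline.
renewal_action() {
    dom=$(renewal_domain "$1")
    case "$(renewal_param "$1" authenticator)" in
        webroot)
            printf 'certbot certonly --webroot -w %s -d %s --renew-by-default\n' "$(renewal_webroot "$1")" "$dom" ;;
        standalone)
            if [ "$2" = 1 ]; then
                printf 'skip %s: TCP 80 is in use, standalone authentication impossible\n' "$dom"
            else
                printf 'certbot certonly -a standalone -d %s --renew-by-default\n' "$dom"
            fi ;;
        *)
            printf 'skip %s: unknown authenticator\n' "$dom" ;;
    esac
}

# Demo run over the constructed samples, with a web server assumed on port 80.
dir=$(write_sample_confs "$(mktemp -d)")
for f in "$dir"/*.conf; do
    renewal_action "$f" 1
done
rm -rf "$dir"
```

On a real host, loop over /etc/letsencrypt/renewal/*.conf instead of the sample directory and pass the result of `lsof -i:80` as the second argument; printing the planned command before running it is a cheap way to review what a cron job will do to the live certificates.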

