Publishing NextCloud externally using Let's Encrypt

Updated: 2023-04-06 (Thu) 09:58:59
Created: November 14, 2022

Installing Certbot

# apt install certbot python3-certbot-nginx

Workaround for apt update timeouts

Obtaining the certificate

# certbot --nginx -d nextcloud.ism21.net
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): okada@ism21.net

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web, 
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Account registered.
Requesting a certificate for nextcloud.ism21.net

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: nextcloud.ism21.net
  Type:   connection
  Detail: xx.xx.xx.181: Fetching http://nextcloud.ism21.net/.well-known/acme-challenge/oYprnslzHijsOL3PgwaW08JD6Lsxz5JQb9isCOv3_3U: Error getting validation data

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

An error occurred

  • Open port 80 and run it again
# certbot --nginx -d nextcloud.ism21.net
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for nextcloud.ism21.net

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/nextcloud.ism21.net/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/nextcloud.ism21.net/privkey.pem
This certificate expires on 2023-02-12.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

Deploying certificate
Successfully deployed certificate for nextcloud.ism21.net to /etc/nginx/sites-enabled/default
Congratulations! You have successfully enabled HTTPS on https://nextcloud.ism21.net

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The certificate is obtained on the nextcloud server and then copied to the pound server for use.

This means renewal is a manual step. (Living with that for now.)

       --------------        ----------------
  443  |            |     80 |              |
  ====>| Pound      |=======>| NextCloud    |
       |            |        |              |
       --------------        ----------------

After certbot receives the certificate it rewrites the following file, so change the port 80 access part (the NextCloud server is accessed over port 80).

  • /etc/nginx/sites-available/default/default
(add near the top of the file)

# Default server configuration
#
server {

## Add By JE2ISM

        listen 80 default_server;
        listen [::]:80 default_server;

################
(comment out at the end of the file)

## Delete By JE2ISM
#server {
#    if ($host = nextcloud.ism21.net) {
#        return 301 https://$host$request_uri;
#    } # managed by Certbot

#       listen 80 default_server;
#       listen [::]:80 default_server;
#       server_name nextcloud.ism21.net;
#    return 404; # managed by Certbot

#}

Combine the certificate into a single file for use with pound

  • Check where the letsencrypt certificates are located
# cd /etc/letsencrypt/live/nextcloud.ism21.net
# ls -l
total 4
lrwxrwxrwx 1 root root  47 Nov 14 16:02 cert.pem -> ../../archive/nextcloud.ootsuji-c.com/cert1.pem
lrwxrwxrwx 1 root root  48 Nov 14 16:02 chain.pem -> ../../archive/nextcloud.ootsuji-c.com/chain1.pem
lrwxrwxrwx 1 root root  52 Nov 14 16:02 fullchain.pem -> ../../archive/nextcloud.ootsuji-c.com/fullchain1.pem
lrwxrwxrwx 1 root root  50 Nov 14 16:02 privkey.pem -> ../../archive/nextcloud.ootsuji-c.com/privkey1.pem
-rw-r--r-- 1 root root 692 Nov 14 12:15 README
# cd /etc/pki/tls/certs
# mkdir letsencrypt
# cd letsencrypt
(copy fullchain1.pem and privkey1.pem from /etc/letsencrypt/archive/nextcloud.ism21.net/ on the nextcloud server)
# ls -l
合計 20
-rw-r--r-- 1 okada okada 5611 11月 14 12:15 fullchain1.pem
-rw------- 1 okada okada 1704 11月 14 12:15 privkey1.pem
# cat fullchain1.pem  privkey1.pem > server.pem

# ls -l
合計 20
-rw-r--r-- 1 okada okada 5611 11月 14 12:15 fullchain1.pem
-rw------- 1 okada okada 1704 11月 14 12:15 privkey1.pem
-rw-r--r-- 1 root  root  7315 11月 14 15:37 server.pem
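Two details of the manual bundling step above are worth tightening. The listing shows server.pem created as -rw-r--r-- even though it contains the private key, because `cat > file` inherits the umask; and the copied files are the numbered archive/ versions (fullchain1.pem, privkey1.pem), which go stale as soon as certbot renews and repoints the live/ symlinks at fullchain2.pem. The script below is an added example (not certbot's, Pound's or this page's own code) that builds the same combined PEM from the live/ symlinks, creates it 0600 from the start, refuses obviously wrong input, and asks OpenSSL whether the key actually matches the leaf certificate. LIVE_DIR, OUT_FILE and the hostname are assumptions based on certbot's default layout and the directory used above.

```python
#!/usr/bin/env python3
"""Build the combined PEM that Pound expects (certificate chain followed by
the private key) from certbot's live/ directory.

Added example for this page; not certbot's, Pound's or the author's code.
LIVE_DIR and OUT_FILE are assumptions (certbot's default layout, the
directory used on this page); the hostname is a placeholder.
"""
import os
import re
import ssl
import sys
from pathlib import Path

LIVE_DIR = Path("/etc/letsencrypt/live/nextcloud.example.invalid")  # placeholder host
OUT_FILE = Path("/etc/pki/tls/certs/letsencrypt/server.pem")        # assumed target

# One PEM block: "-----BEGIN X-----" ... "-----END X-----" with the same label X.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----\n?", re.S)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def pem_labels(text):
    """Labels of the PEM blocks in `text`, in file order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def build_bundle(fullchain, privkey, out):
    """Write fullchain + privkey to `out`, created with mode 0600, and return
    the number of certificates in the chain.  Refuses input that is not
    'only certificates' plus 'exactly one private key' (e.g. swapped paths)."""
    chain_text = Path(fullchain).read_text()
    key_text = Path(privkey).read_text()
    chain = pem_labels(chain_text)
    key = pem_labels(key_text)
    if not chain or any(label != "CERTIFICATE" for label in chain):
        raise ValueError(f"{fullchain}: expected only CERTIFICATE blocks, found {chain}")
    if len(key) != 1 or key[0] not in KEY_LABELS:
        raise ValueError(f"{privkey}: expected exactly one private key block, found {key}")
    if not chain_text.endswith("\n"):
        chain_text += "\n"          # keep the key's BEGIN line on its own line
    out = Path(out)
    tmp = out.with_name(out.name + ".tmp")
    if tmp.exists():
        tmp.unlink()
    # Create the file 0600 from the start: it holds the private key, so it must
    # never pass through a world-readable state the way `cat > file` does.
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(chain_text)
        f.write(key_text)
    os.replace(tmp, out)            # atomic swap: Pound never reads a half-written file
    return len(chain)


def bundle_loads(path):
    """True if OpenSSL accepts the bundle as a cert/key pair whose key matches
    the leaf certificate; False for garbage or a mismatched cert/key copy."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.load_cert_chain(str(path))
    except (ssl.SSLError, OSError):
        return False
    return True


def main():
    # live/*.pem are symlinks that certbot repoints at every renewal, so read
    # those rather than a numbered archive/ file such as fullchain1.pem.
    count = build_bundle(LIVE_DIR / "fullchain.pem", LIVE_DIR / "privkey.pem", OUT_FILE)
    ok = bundle_loads(OUT_FILE)
    print(f"{OUT_FILE}: {count} certificate(s) + key, OpenSSL accepts: {ok}")
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run it as root on the nextcloud host after each issuance; a non-zero exit means the bundle should not be copied to Pound. Because certbot runs executables placed in /etc/letsencrypt/renewal-hooks/deploy/ after every successful renewal, the same script can serve as a deploy hook so the bundle is rebuilt automatically, leaving only the copy to the pound server and the restart as manual steps.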

Once the certificate has been obtained the first time, renewal looks like it will work even with port 80 closed.

(After swapping the certificate, a Pound restart with # systemctl restart pound looks necessary.)

Comment out the following port 80 section of pound.conf.

##ListenHTTP
##    Address xx.xx.xx.181
##    Port 80
##  Service
##    BackEnd
##      Address 192.168.0.143
##      Port 80
##      Priority 9
##    End
##  End
##End

When port 80 cannot be reached, the following email arrives about three weeks before the expiry date.

Subject: Let's Encrypt certificate expiration notice for domain "nextcloud.ism21.net"
    (Tue, 04 Apr 2023 00:15:57 +0000)
From   : Let's Encrypt Expiry Bot [expiry@letsencrypt.org]
To     : okada@ism21.net
---------------------------------------------------
Hello,

Your certificate (or certificates) for the names listed below will expire in 19 days (on 2023-04-24). Please make sure to renew your certificate before then, or visitors to your web site will encounter errors.

(omitted)
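The expiry mail above is the only warning this setup gets, and it comes from Let's Encrypt, not from the certificate Pound is actually serving. Since server.pem on the pound server is a hand-made copy, certbot can renew successfully on the nextcloud host while Pound keeps presenting the old certificate until it expires. The check below is an added example (not Let's Encrypt's, Pound's or this page's code): it handshakes with the public endpoint, reports the days left on the served certificate, and compares its SHA-256 fingerprint with the leaf in certbot's local fullchain.pem to catch exactly that stale-copy condition. HOST and LOCAL_FULLCHAIN are assumptions (a placeholder name and certbot's default live/ path); WARN_DAYS mirrors the roughly three-week notice above.

```python
#!/usr/bin/env python3
"""Check the certificate Pound actually serves on 443 against the one certbot
last wrote on the Nextcloud host, and how long it has left.

Added example for this page; not Let's Encrypt's, Pound's or the author's
code.  HOST and LOCAL_FULLCHAIN are assumptions (placeholder name, certbot's
default live/ path); WARN_DAYS mirrors the ~3-week expiry notice.
"""
import hashlib
import socket
import ssl
import sys
import time
from pathlib import Path

HOST = "nextcloud.example.invalid"                                  # placeholder
LOCAL_FULLCHAIN = Path("/etc/letsencrypt/live") / HOST / "fullchain.pem"
WARN_DAYS = 21


def fetch_served_cert(host, port=443, timeout=10):
    """TLS handshake with host:port; returns (leaf DER bytes, notAfter string).
    The default context verifies the chain, so an already-expired or untrusted
    certificate raises ssl.SSLError here instead of being silently accepted."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True), tls.getpeercert()["notAfter"]


def days_until(not_after, now_ts=None):
    """Days left on a notAfter value in the form getpeercert() reports,
    e.g. 'Apr 24 00:15:57 2023 GMT'."""
    now_ts = time.time() if now_ts is None else now_ts
    return (ssl.cert_time_to_seconds(not_after) - now_ts) / 86400


def fingerprint(der):
    """Hex SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()


def leaf_fingerprint_from_pem(pem_text):
    """Fingerprint of the first certificate in a PEM chain (the leaf in fullchain.pem)."""
    begin = "-----BEGIN CERTIFICATE-----"
    end = "-----END CERTIFICATE-----"
    start = pem_text.index(begin)
    stop = pem_text.index(end, start) + len(end)
    return fingerprint(ssl.PEM_cert_to_DER_cert(pem_text[start:stop]))


def assess(served_der, not_after, local_fullchain_pem, now_ts=None, warn_days=WARN_DAYS):
    """Findings an admin should act on; an empty list means all is well."""
    findings = []
    days = days_until(not_after, now_ts)
    if days < warn_days:
        findings.append(f"served certificate expires in {days:.1f} days")
    if fingerprint(served_der) != leaf_fingerprint_from_pem(local_fullchain_pem):
        findings.append("served certificate differs from local fullchain.pem "
                        "(certbot renewed but server.pem on Pound was not rebuilt?)")
    return findings


def main():
    try:
        der, not_after = fetch_served_cert(HOST)
    except (ssl.SSLError, OSError) as exc:
        print(f"WARNING: {HOST}: TLS handshake failed: {exc}")
        return 2
    findings = assess(der, not_after, LOCAL_FULLCHAIN.read_text())
    for line in findings:
        print("WARNING:", line)
    if not findings:
        print(f"{HOST}: served certificate matches live/ copy, "
              f"{days_until(not_after):.1f} days left")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it from the nextcloud host (where live/fullchain.pem exists) from cron; a non-zero exit is the signal to rebuild server.pem, copy it to the pound server and restart Pound.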

Force a certificate renewal to confirm that it works.

# cd /etc/letsencrypt/live/nextcloud.ism21.net

# certbot renew (--force-renew) ← not needed when close to the expiry date
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/nextcloud.ism21.net.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for nextcloud.ism21.net
Reloading nginx server after certificate renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all renewals succeeded:
  /etc/letsencrypt/live/nextcloud.ism21.net/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# ls -l
total 4
lrwxrwxrwx 1 root root  47 Nov 14 15:57 cert.pem -> ../../archive/nextcloud.ism21.net/cert2.pem
lrwxrwxrwx 1 root root  48 Nov 14 15:57 chain.pem -> ../../archive/nextcloud.ism21.net/chain2.pem
lrwxrwxrwx 1 root root  52 Nov 14 15:57 fullchain.pem -> ../../archive/nextcloud.ism21.net/fullchain2.pem
lrwxrwxrwx 1 root root  50 Nov 14 15:57 privkey.pem -> ../../archive/nextcloud.ism21.net/privkey2.pem
-rw-r--r-- 1 root root 692 Nov 14 12:15 README

References
