Publishing NextCloud externally using Let's Encrypt † Last updated 2023-04-06 (Thu) 09:58:59
Created: November 14, 2022
Installing Certbot †

 # apt install certbot python3-certbot-nginx

(Related page: workaround for apt update timeouts)

Obtaining the certificate †

 # certbot --nginx -d nextcloud.ism21.net
 Saving debug log to /var/log/letsencrypt/letsencrypt.log
 Enter email address (used for urgent renewal and security notices)
  (Enter 'c' to cancel): okada@ism21.net
 
 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 Please read the Terms of Service at
 https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf. You must
 agree in order to register with the ACME server. Do you agree?
 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 (Y)es/(N)o: Y
 
 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 Would you be willing, once your first certificate is successfully issued, to
 share your email address with the Electronic Frontier Foundation, a founding
 partner of the Let's Encrypt project and the non-profit organization that
 develops Certbot? We'd like to send you email about our work encrypting the web,
 EFF news, campaigns, and ways to support digital freedom.
 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 (Y)es/(N)o: N
 Account registered.
 Requesting a certificate for nextcloud.ism21.net
 
 Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
   Domain: nextcloud.ism21.net
   Type:   connection
   Detail: xx.xx.xx.181: Fetching http://nextcloud.ism21.net/.well-known/acme-challenge/oYprnslzHijsOL3PgwaW08JD6Lsxz5JQb9isCOv3_3U: Error getting validation data
 
 Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.
 
 Some challenges have failed.
 Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

An error occurred: the CA could not fetch the HTTP-01 challenge file over port 80.
Second attempt (after making port 80 reachable):

 # certbot --nginx -d nextcloud.ism21.net
 Saving debug log to /var/log/letsencrypt/letsencrypt.log
 Requesting a certificate for nextcloud.ism21.net
 
 Successfully received certificate.
 Certificate is saved at: /etc/letsencrypt/live/nextcloud.ism21.net/fullchain.pem
 Key is saved at:         /etc/letsencrypt/live/nextcloud.ism21.net/privkey.pem
 This certificate expires on 2023-02-12.
 These files will be updated when the certificate renews.
 Certbot has set up a scheduled task to automatically renew this certificate in the background.
 
 Deploying certificate
 Successfully deployed certificate for nextcloud.ism21.net to /etc/nginx/sites-enabled/default
 Congratulations! You have successfully enabled HTTPS on https://nextcloud.ism21.net
 
 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 If you like Certbot, please consider supporting our work by:
  * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
  * Donating to EFF:                    https://eff.org/donate-le
 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The certificate is obtained on the nextcloud server, then copied to the pound server and used there. With this arrangement, every renewal requires manual work (putting up with that for now).

          --------------           ----------------
    443   |            |    80     |              |
   ====>  |   Pound    |  =======> |   NextCloud  |
          |            |           |              |
          --------------           ----------------

After certbot receives the certificate it rewrites the following file (/etc/nginx/sites-enabled/default), so the port 80 access section must be changed back (the NextCloud server is accessed on port 80 from Pound).
(Add near the top of the file)

 # Default server configuration
 #
 server {
 ## Add By JE2ISM
     listen 80 default_server;
     listen [::]:80 default_server;
 ################

(Comment out at the end of the file)

 ## Delete By JE2ISM
 #server {
 #    if ($host = nextcloud.ism21.net) {
 #        return 301 https://$host$request_uri;
 #    } # managed by Certbot
 #
 #    listen 80 default_server;
 #    listen [::]:80 default_server;
 #
 #    server_name nextcloud.ism21.net;
 #    return 404; # managed by Certbot
 #}

Combining the certificate files into one for use with pound †
On the nextcloud server:

 # cd /etc/letsencrypt/live/nextcloud.ism21.net
 # ls -l
 total 4
 lrwxrwxrwx 1 root root  47 Nov 14 16:02 cert.pem -> ../../archive/nextcloud.ootsuji-c.com/cert1.pem
 lrwxrwxrwx 1 root root  48 Nov 14 16:02 chain.pem -> ../../archive/nextcloud.ootsuji-c.com/chain1.pem
 lrwxrwxrwx 1 root root  52 Nov 14 16:02 fullchain.pem -> ../../archive/nextcloud.ootsuji-c.com/fullchain1.pem
 lrwxrwxrwx 1 root root  50 Nov 14 16:02 privkey.pem -> ../../archive/nextcloud.ootsuji-c.com/privkey1.pem
 -rw-r--r-- 1 root root 692 Nov 14 12:15 README

On the pound server:

 # cd /etc/pki/tls/certs
 # mkdir letsencrypt
 # cd letsencrypt

(Copy fullchain1.pem and privkey1.pem from /etc/letsencrypt/archive/nextcloud.ism21.net/ on the nextcloud server into this directory.)

 # ls -l
 合計 20
 -rw-r--r-- 1 okada okada 5611 11月 14 12:15 fullchain1.pem
 -rw------- 1 okada okada 1704 11月 14 12:15 privkey1.pem
 # cat fullchain1.pem privkey1.pem > server.pem
 # ls -l
 合計 20
 -rw-r--r-- 1 okada okada 5611 11月 14 12:15 fullchain1.pem
 -rw------- 1 okada okada 1704 11月 14 12:15 privkey1.pem
 -rw-r--r-- 1 root  root  7315 11月 14 15:37 server.pem
(After changing the certificate, restarting Pound with "# systemctl restart pound" appears to be necessary.)

Comment out the following port 80 section in pound.conf:

 ##ListenHTTP
 ##    Address xx.xx.xx.181
 ##    Port    80
 ##    Service
 ##        BackEnd
 ##            Address 192.168.0.143
 ##            Port    80
 ##            Priority 9
 ##        End
 ##    End
 ##End

When port 80 is not accessible, the following email arrives about three weeks before the expiry date †

 Subject: Let's Encrypt certificate expiration notice for domain "nextcloud.ism21.net" (Tue, 04 Apr 2023 00:15:57 +0000)
 From:    Let's Encrypt Expiry Bot [expiry@letsencrypt.org]
 To:      okada@ism21.net
 ---------------------------------------------------
 Hello,
 
 Your certificate (or certificates) for the names listed below will expire in 19 days (on 2023-04-24). Please make sure to renew your certificate before then, or visitors to your web site will encounter errors.
 (omitted)

Forcing a certificate renewal and checking that it works †

 # cd /etc/letsencrypt/live/nextcloud.ism21.net
 # certbot renew (--force-renew)   ← not needed when the certificate is close to expiry
 Saving debug log to /var/log/letsencrypt/letsencrypt.log
 
 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 Processing /etc/letsencrypt/renewal/nextcloud.ism21.net.conf
 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 Renewing an existing certificate for nextcloud.ism21.net
 Reloading nginx server after certificate renewal
 
 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 Congratulations, all renewals succeeded:
   /etc/letsencrypt/live/nextcloud.ism21.net/fullchain.pem (success)
 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 # ls -l
 total 4
 lrwxrwxrwx 1 root root  47 Nov 14 15:57 cert.pem -> ../../archive/nextcloud.ism21.net/cert2.pem
 lrwxrwxrwx 1 root root  48 Nov 14 15:57 chain.pem -> ../../archive/nextcloud.ism21.net/chain2.pem
 lrwxrwxrwx 1 root root  52 Nov 14 15:57 fullchain.pem -> ../../archive/nextcloud.ism21.net/fullchain2.pem
 lrwxrwxrwx 1 root root  50 Nov 14 15:57 privkey.pem -> ../../archive/nextcloud.ism21.net/privkey2.pem
 -rw-r--r-- 1 root root 692 Nov 14 12:15 README
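The page leaves the "cat fullchain + privkey > server.pem, then restart Pound" step as manual work after each renewal. The script below is an added example (not from the original page) of a certbot --deploy-hook that does that step automatically. Certbot really does export RENEWED_LINEAGE (the live/ directory of the renewed certificate) to deploy hooks; the names POUND_CERT and POUND_RELOAD_CMD are assumptions chosen here, as is the default path taken from the page's layout. Because the combined file contains the private key, the example writes it with mode 0600 rather than the world-readable 0644 that the page's "ls -l" shows for server.pem, and it replaces the old bundle atomically so Pound never reads a half-written file. The sample lineage it builds for offline testing holds constructed placeholder PEM bodies, not real keys.

```shell
#!/bin/sh
# Added example: certbot deploy hook that rebuilds Pound's combined server.pem.
# Not part of the original page. RENEWED_LINEAGE is set by certbot for deploy
# hooks; POUND_CERT and POUND_RELOAD_CMD are names assumed for this example.

POUND_CERT="${POUND_CERT:-/etc/pki/tls/certs/letsencrypt/server.pem}"
POUND_RELOAD_CMD="${POUND_RELOAD_CMD:-}"     # e.g. "systemctl restart pound"

# build_pound_pem LINEAGE_DIR OUT_PEM
# Writes fullchain.pem followed by privkey.pem (the order the page uses) into
# OUT_PEM. The bundle holds the private key, so it is created under umask 077,
# forced to 0600, and moved into place atomically.
build_pound_pem() {
    lineage="$1"; out="$2"
    for f in fullchain.pem privkey.pem; do
        [ -r "$lineage/$f" ] || { echo "build_pound_pem: missing $lineage/$f" >&2; return 1; }
    done
    tmp="$out.tmp.$$"
    ( umask 077 && cat "$lineage/fullchain.pem" "$lineage/privkey.pem" > "$tmp" ) || return 1
    chmod 0600 "$tmp" && mv -f "$tmp" "$out"
}

# check_pound_pem OUT_PEM
# Sanity check before restarting Pound: at least one certificate block,
# exactly one private key block, and no read access for group/other.
check_pound_pem() {
    pem="$1"
    [ "$(grep -c 'BEGIN CERTIFICATE' "$pem")" -ge 1 ] || return 1
    [ "$(grep -c 'BEGIN.*PRIVATE KEY' "$pem")" -eq 1 ] || return 1
    [ -n "$(find "$pem" -maxdepth 0 -perm 0600)" ] || return 1
}

# make_sample_lineage DIR
# Constructed test fixture: placeholder PEM bodies, not real certificates or
# keys, so the hook can be exercised offline.
make_sample_lineage() {
    mkdir -p "$1"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB...constructed-placeholder...' \
        '-----END CERTIFICATE-----' > "$1/fullchain.pem"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'MIIE...constructed-placeholder...' \
        '-----END PRIVATE KEY-----' > "$1/privkey.pem"
    chmod 0600 "$1/privkey.pem"
}

# Real run under certbot: e.g. RENEWED_LINEAGE=/etc/letsencrypt/live/nextcloud.ism21.net
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    build_pound_pem "$RENEWED_LINEAGE" "$POUND_CERT" && check_pound_pem "$POUND_CERT" || exit 1
    if [ -n "$POUND_RELOAD_CMD" ]; then
        sh -c "$POUND_RELOAD_CMD"
    fi
fi
```

Registered as "certbot renew --deploy-hook /path/to/this-script.sh" (or dropped into /etc/letsencrypt/renewal-hooks/deploy/), it runs only when a certificate was actually renewed. In the page's two-host layout, where Pound is not on the nextcloud server, POUND_RELOAD_CMD would have to carry the bundle to the Pound host and restart Pound there; on a single host, "systemctl restart pound" is enough.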