Contents
Series: The road to launching Shikiblog
- Publishing a home server that serves both IPv4 and IPv6 under a v6 Plus (DS-Lite) connection
- Installing WordPress on a Raspberry Pi
- Getting a domain with AWS Route53 and running it DDNS-style
- Enabling HTTPS on the blog with certbot
On modern websites, HTTPS, which encrypts the traffic with SSL, is becoming the standard, and Chrome, for one, labels plain http sites with a "Not secure" message. So I enabled HTTPS on this blog as well.
[Important] If you are going to install a plugin that changes the login URL, such as SiteGuard WP, install it before enabling HTTPS. I learned that the hard way.
This too is borrowed from someone who went before me: https://qiita.com/HO_Pollyanna/items/aee45b25e2318d39157b. It is almost a straight copy, but I am noting it down here.
Installing certbot
It is apparently a tool that lets you set up an SSL certificate easily (I have not studied it properly, so I cannot explain it well).
sudo apt install certbot
sudo apt install python3-certbot-apache
Issuing the certificate
sudo certbot --apache certonly
You are asked various questions interactively; answer them as they come.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): [E-mail address]
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c' to cancel): shikiblog.link
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for shikiblog.link
Enabled Apache rewrite module
Waiting for verification...
Cleaning up challenges
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Enabled Apache rewrite module
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://shikiblog.link

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=shikiblog.link
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/shikiblog.link/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/shikiblog.link/privkey.pem
   Your cert will expire on 2022-08-15. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again with the "certonly" option. To non-interactively renew *all*
   of your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

 - We were unable to subscribe you the EFF mailing list because your
   e-mail address appears to be invalid. You can try again later by
   visiting https://act.eff.org.
Enabling SSL in Apache
Enable SSL in the Apache configuration.
sudo a2enmod ssl
sudo a2ensite default-ssl
Next, write the certificate and key paths into the configuration file /etc/apache2/sites-available/default-ssl.conf. Also confirm that the DocumentRoot near the top of this file is /var/www/html.
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on

# A self-signed (snakeoil) certificate can be created by installing
# the ssl-cert package. See
# /usr/share/doc/apache2/README.Debian.gz for more info.
# If both key and certificate are stored in the same file, only the
# SSLCertificateFile directive is needed.
#SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
#SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
# Path to fullchain.pem (Apache does not accept a comment after a directive
# on the same line, so the notes sit above the directives)
SSLCertificateFile /etc/letsencrypt/live/shikiblog.link/fullchain.pem
# Path to privkey.pem
SSLCertificateKeyFile /etc/letsencrypt/live/shikiblog.link/privkey.pem

# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convenience.
#SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
# Path to chain.pem
SSLCertificateChainFile /etc/letsencrypt/live/shikiblog.link/chain.pem
Restart Apache2 to apply the settings.
sudo systemctl restart apache2
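Before restarting, it is worth confirming that the paths in default-ssl.conf actually resolve and that privkey.pem really belongs to fullchain.pem, since a typo there (a stray double slash in the live/ path is a common one) takes the site down. The following check script is an added example, not code from the original post; it assumes the default-ssl.conf path used above and can be pointed elsewhere with CONF.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity-check the SSL vhost
# before "systemctl restart apache2". Catches a mistyped certificate path
# and a key that does not belong to the certificate. Assumes the
# default-ssl.conf path used in the post; CONF overrides it.
CONF="${CONF:-/etc/apache2/sites-available/default-ssl.conf}"

# Print the argument of the last active (uncommented) occurrence of a
# directive, with runs of "/" collapsed to one. Empty output = not set.
directive_path() {  # $1 = directive name, $2 = config file
    sed -n "s|^[[:space:]]*$1[[:space:]]\{1,\}\([^[:space:]#]*\).*|\1|p" "$2" \
        | tail -n 1 | sed 's|//*|/|g'
}

# Succeeds only when the private key's public half equals the public key
# inside the certificate, i.e. the two files really are a pair.
key_matches_cert() {  # $1 = certificate PEM, $2 = private key PEM
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$c" = "$k" ]
}

# Walk the vhost: directives present, files readable, key/cert consistent.
check_vhost() {  # $1 = config file; exit status 0 when all checks pass
    cert=$(directive_path SSLCertificateFile "$1")
    key=$(directive_path SSLCertificateKeyFile "$1")
    if [ -z "$cert" ] || [ -z "$key" ]; then
        echo "SSLCertificateFile/SSLCertificateKeyFile not both set in $1"; return 1
    fi
    for f in "$cert" "$key"; do
        # privkey.pem is root-only, so run this with sudo
        [ -r "$f" ] || { echo "cannot read $f (missing, typo, or not root)"; return 1; }
    done
    key_matches_cert "$cert" "$key" || { echo "$key is not the key for $cert"; return 1; }
    echo "ok: $cert with $key"
}

# Usage: sudo sh check_vhost.sh --check   (then Apache's own syntax check)
if [ "${1:-}" = "--check" ]; then
    check_vhost "$CONF" && apachectl configtest
fi
```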
Site URL settings on the WordPress side
In the WordPress dashboard > Settings > General, change "WordPress Address (URL)" and "Site Address (URL)" to https://shikiblog.link, and you are done.
Setting up periodic certificate renewal
The certificate obtained is valid for three months, so I have the automatic renewal command sudo certbot renew run at 5 a.m. on the 1st of every month. I added the following to crontab.
0 5 1 * * sudo certbot renew
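Since certbot renew only replaces a certificate when fewer than 30 days of its 90-day lifetime remain, a once-a-month run has limited slack, and a renewal that silently fails is only noticed when browsers start complaining. The script below is an added example, not code from the original post: it reports where the live certificate stands relative to that 30-day window and rehearses the renewal against the staging CA without touching the real files. It assumes the domain and /etc/letsencrypt paths from this post; DOMAIN overrides the domain.

```shell
#!/bin/sh
# Added example, not part of the original post: a renewal health check to
# pair with the monthly cron job. Assumes the domain and paths from the
# post; DOMAIN overrides the domain.
DOMAIN="${DOMAIN:-shikiblog.link}"
CERT="/etc/letsencrypt/live/$DOMAIN/fullchain.pem"

# Succeeds if the certificate is still valid $2 days from now. openssl's
# own -checkend does the date arithmetic, so no date parsing is needed.
valid_for_days() {  # $1 = cert PEM, $2 = whole days
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Classify the certificate against certbot's 30-day renewal window:
#   expired - past notAfter (or unreadable), Apache is serving a bad cert
#   due     - inside the window, the next "certbot renew" will replace it
#   fresh   - outside the window, "certbot renew" is a no-op for now
renewal_verdict() {  # $1 = cert PEM; prints one of the words above
    if ! valid_for_days "$1" 0; then echo expired
    elif ! valid_for_days "$1" 30; then echo due
    else echo fresh
    fi
}

# Dry run: full ACME exchange with the staging environment, nothing written
# under /etc/letsencrypt/live, so it is safe to run as often as you like.
rehearse_renewal() {
    certbot renew --dry-run
}

# Suggested cron line (assumption, not the post's): the deploy hook runs
# only after a successful renewal, so Apache always picks up the new file.
#   0 5 1 * * certbot renew --deploy-hook "systemctl reload apache2"
if [ "${1:-}" = "--check" ]; then
    echo "$DOMAIN: $(renewal_verdict "$CERT")"
    rehearse_renewal
fi
```

On Debian-based systems, including Raspberry Pi OS, the certbot package also installs a certbot.timer unit that runs certbot renew twice a day; systemctl list-timers certbot.timer shows whether it is active alongside the cron entry.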