ブログをcertbotでHTTPS対応する【しきぶろぐ開設の道筋(4)】

投稿者: | 2022年5月20日

現代のウェブサイトはSSLによって通信内容を暗号化するHTTPSがスタンダードになりつつあり、Chromeなんかだとhttpサイトに対して「保護されていない通信」とメッセージを出してきます。そこで本ブログもHTTPS対応を施しました。

【重要】SiteGuard WP などの、ログインURLを変更できるプラグインを導入する場合、HTTPS対応より前に導入してくださいひどい目にあいました

これも先人の受け売りです。https://qiita.com/HO_Pollyanna/items/aee45b25e2318d39157b ほぼそのままですが、メモしておきます。

certbot の導入

SSL証明書を簡単にセットアップできるサービスらしいです(不勉強なのでちゃんと説明できません)。

sudo apt install certbot
sudo apt install python3-certbot-apache

証明書発行

sudo certbot --apache certonly

対話形式で色々聞かれるので答えていきます。

Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2

Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): [E-mail address]

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c' to cancel): shikiblog.link

Obtaining a new certificate
Performing the following challenges:
http-01 challenge for shikiblog.link
Enabled Apache rewrite module
Waiting for verification...
Cleaning up challenges

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Enabled Apache rewrite module

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://shikiblog.link

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=shikiblog.link
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/shikiblog.link/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/shikiblog.link/privkey.pem
   Your cert will expire on 2022-08-15. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

 - We were unable to subscribe you the EFF mailing list because your
   e-mail address appears to be invalid. You can try again later by
   visiting https://act.eff.org.

Apache での SSL 有効化

Apache の設定で SSL を有効化します。

sudo a2enmod ssl
sudo a2ensite default-ssl

続いて設定ファイル /etc/apache2/sites-available/default-ssl.conf に鍵の情報を記載します。なお、このファイルの冒頭付近にある DocumentRoot が /var/www/html になっていることも確認してください。

#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
SSLEngine on

#   A self-signed (snakeoil) certificate can be created by installing
#   the ssl-cert package. See
#   /usr/share/doc/apache2/README.Debian.gz for more info.
#   If both key and certificate are stored in the same file, only the
#   SSLCertificateFile directive is needed.
#SSLCertificateFile     /etc/ssl/certs/ssl-cert-snakeoil.pem
#SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
SSLCertificateFile      /etc/letsencrypt/live/shikiblog.link/fullchain.pem  #fullchain.pemへのパス
SSLCertificateKeyFile /etc/letsencrypt/live//shikiblog.link/privkey.pem     #privkey.pemへのパス

#   Server Certificate Chain:
#   Point SSLCertificateChainFile at a file containing the
#   concatenation of PEM encoded CA certificates which form the
#   certificate chain for the server certificate. Alternatively
#   the referenced file can be the same as SSLCertificateFile
#   when the CA certificates are directly appended to the server
#   certificate for convinience.
#SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
SSLCertificateChainFile /etc/letsencrypt/live//shikiblog.link/chain.pem     #chain.pemへのパス

Apache2 を再起動して設定を反映します。

sudo systemctl restart apache2

WordPress 側でのサイトリンク設定

WordPressダッシュボード > 設定 > 一般 の「WordPress アドレス (URL)」「サイトアドレス (URL)」を、https://shikiblog.link に書き換えて完了です。

定期的に証明書を更新する設定

取得した証明書の有効期限は3か月なので、毎月1日の朝5時に自動更新コマンド sudo certbot renew を実行するようにしています。crontab に以下を追加しました。

0 5 1 * * sudo certbot renew

参考にしたサイト

コメントを残す

メールアドレスが公開されることはありません。