The following article was published recently:
Firefox moves to block China's largest certificate authority, WoSign, for backdating certificate issuance dates http://gigazine.net/news/20160928-wosign-firefox-block/
WoSign was convenient because it issued free SSL certificates valid for several years, but the backdating scandal made it a problem.
When I was looking for a place to get a free SSL certificate at the beginning of last year, WoSign was about the only notable option, so I chose it. Looking again now, Let's Encrypt left beta and became an official service in April of this year.
Leaving Beta, New Sponsors https://letsencrypt.org/2016/04/12/leaving-beta-new-sponsors.html
Good timing (laughs)
That is why I decided to move away from a service suspected of falsification.
The setup process is automated to a degree that overturns conventional wisdom. I had obtained paid SSL certificates for business before, and I was surprised that none of the steps taken for granted back then were needed. The only requirements are:
- You control the domain
- A web server reachable at that domain is running
Those are the only two conditions, and I already met them. In fact, it is hard to imagine wanting an SSL certificate without meeting them.
Certificates are obtained with a tool called certbot. It is hosted on GitHub, so you simply clone it with git and use it.
cd /usr/local
git clone https://github.com/certbot/certbot
cd certbot/
The server in question was pinned to the CentOS 6.2 Vault repository, so for the following steps I had to temporarily enable the base and updates repositories.
vi /etc/yum.repos.d/CentOS-Base.repo
Then execute the following command.
./certbot-auto
yum starts installing the dependencies; press "y" to proceed. After a while an interactive (blue-screen) certificate setup dialog starts, but the domain name I wanted was not among its choices, so I cancelled and exited it.
Then get the certificate with the following command.
./certbot-auto certonly --webroot \
-w /var/www/hogehoge -d www.example.com \
-m [email protected] \
--agree-tos
certonly obtains the certificate without touching the web server configuration. --webroot has certbot place the validation file under <document root>/.well-known/acme-challenge/, which the CA then fetches over plain HTTP for that domain, so that path must be served as-is (a rewrite rule, redirect or authentication in front of it will make validation fail). -w is followed by the path of the document root served for the domain. -d is followed by the domain name the certificate is for. -m is followed by the contact email address, which receives notices such as expiry warnings. --agree-tos states that you accept the terms of service.
The certificate is now obtained, but the following warning is printed during the run.
/root/.local/share/letsencrypt/lib/python2.6/site-packages/cryptography/__init__.py:26: DeprecationWarning: Python 2.6 is no longer supported by the Python core team, please upgrade your Python. A future version of cryptography will drop support for Python 2.6
Searching turned up many people who had hit Python version problems. Some ignored the warning; others worked around it with SCL (Software Collections).
~~I also tried installing 2.7 via SCL, but it did not work out.~~ If you look at the following path, which is created when certbot is installed...
ll /root/.local/share/letsencrypt/lib/python2.6/
total 344
lrwxrwxrwx 1 root root 32 September 29 13:53 2016 UserDict.py -> /usr/lib64/python2.6/UserDict.py
-rw-r--r-- 1 root root 10062 September 29 13:53 2016 UserDict.pyc
lrwxrwxrwx 1 root root 31 September 29 13:53 2016 _abcoll.py -> /usr/lib64/python2.6/_abcoll.py
-rw-r--r-- 1 root root 24165 September 29 13:53 2016 _abcoll.pyc
lrwxrwxrwx 1 root root 27 September 29 13:53 2016 abc.py -> /usr/lib64/python2.6/abc.py
-rw-r--r-- 1 root root 6357 September 29 13:53 2016 abc.pyc
lrwxrwxrwx 1 root root 30 September 29 13:53 2016 codecs.py -> /usr/lib64/python2.6/codecs.py
-rw-r--r-- 1 root root 39165 September 29 13:53 2016 codecs.pyc
lrwxrwxrwx 1 root root 27 September 29 13:53 2016 config -> /usr/lib64/python2.6/config
lrwxrwxrwx 1 root root 32 September 29 13:53 2016 copy_reg.py -> /usr/lib64/python2.6/copy_reg.py
(remainder omitted)
...the files are symlinked directly to Python 2.6, as shown. So no matter how you start a bash session in which 2.7 is available, 2.7 is not used: the cached Python 2.6 environment is used regardless, hence the warning.~~
~~The certificate itself was created, so I will leave it as-is for now, but someday it may stop working entirely.~~
- The /root/.local/share/letsencrypt/ directory is a cache, so delete it.
- Run scl enable python27 bash again.
- Run the certbot-auto command.
After that, the 2.6 warning no longer appeared and 2.7 was used. In this state a 2.7 cache was created under /root/.local/share/letsencrypt/lib/python2.7.
However, if you later run certbot-auto without first running scl enable python27 bash, the cache is rebuilt for 2.6 again, so be careful.
rm -rf /root/.local/share/letsencrypt
wget https://centos6.iuscommunity.org/ius-release.rpm
rpm -ivh ius-release.rpm
yum -y install python27 python27-devel python27-pip python27-setuptools python27-virtualenv
After this installation I logged in to the console again and ran certbot-auto; it found python2.7 and used it automatically, and the cache was built with Python 2.7 as well. With this method there is no risk of forgetting scl enable, getting a 2.6 cache and seeing the warning again.
Add the following to the relevant VirtualHost in the Apache configuration.
SSLCertificateFile /etc/letsencrypt/live/www.example.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.example.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/www.example.com/chain.pem
Then reload Apache and you're done. (This form is correct for the Apache 2.2 shipped with CentOS 6. On Apache 2.4.8 and later, SSLCertificateChainFile is deprecated; point SSLCertificateFile at fullchain.pem, which contains the certificate and the chain together.)
service httpd reload
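As an added check that is not part of the original post or of certbot: before pointing Apache at these files and reloading, it is worth verifying that cert.pem and privkey.pem actually belong together and seeing how much validity is left. The script below assumes the default certbot layout (/etc/letsencrypt/live/<domain>/cert.pem, privkey.pem, chain.pem) and needs only the openssl command-line tool.

```shell
#!/bin/sh
# check-le-files.sh: sanity-check a certbot "live" directory before Apache is
# pointed at it. Added example, not part of certbot; it assumes the default
# layout /etc/letsencrypt/live/<domain>/{cert,privkey,chain}.pem and needs only
# the openssl command-line tool.

# Return 0 when the public key inside cert.pem equals the public key derived
# from privkey.pem, 1 otherwise (or if either file cannot be parsed).
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Return 0 when the certificate expires within $2 days (renewal is due),
# 1 when it stays valid longer. An unreadable certificate counts as "due"
# so that a broken file is never mistaken for a healthy one.
cert_expires_within_days() {
    if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Check one live directory: all three files readable, key matches cert,
# then report subject, expiry date and whether renewal is due (30-day window,
# the same threshold certbot renew uses by default).
check_live_dir() {
    dir=$1
    for f in cert.pem privkey.pem chain.pem; do
        if [ ! -r "$dir/$f" ]; then
            echo "missing or unreadable: $dir/$f" >&2
            return 1
        fi
    done
    if ! cert_matches_key "$dir/cert.pem" "$dir/privkey.pem"; then
        echo "cert.pem and privkey.pem in $dir do not belong together" >&2
        return 1
    fi
    openssl x509 -in "$dir/cert.pem" -noout -subject -enddate
    if cert_expires_within_days "$dir/cert.pem" 30; then
        echo "renewal due: fewer than 30 days of validity left" >&2
    else
        echo "more than 30 days of validity left"
    fi
    return 0
}

# Run the check when executed directly (./check-le-files.sh www.example.com);
# when sourced, only the functions above are defined.
case "${0##*/}" in
    check-le-files.sh) check_live_dir "/etc/letsencrypt/live/${1:?domain required}" ;;
esac
```

The key match is done by comparing the SubjectPublicKeyInfo that openssl extracts from the certificate with the one derived from the private key, which works for both RSA and EC keys; -checkend lets openssl do the date arithmetic instead of parsing the notAfter string in shell.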
Let's Encrypt certificates are valid for only 90 days. Renewing by hand each time is tedious and easy to forget.
So I put it in crontab so that renewal happens with a single command.
Added 2016/11/15: Add "source /opt/rh/python27/enable;" to the beginning of the command.
Added 2017/02/17: If Python 2.7 was installed from the IUS repository, "source /opt/rh/python27/enable;" is not needed.
crontab -u root -e
00 03 01 * * source /opt/rh/python27/enable;/usr/local/certbot/certbot-auto renew --force-renew && /sbin/service httpd reload
This forcibly renews the certificate at 3:00 am on the first day of every month. You cannot express "every 90 days" in crontab, so I do it monthly. Let's Encrypt rate-limits how often you can issue certificates, but once a month is within the limit. Note that without --force-renew, certbot-auto renew only renews certificates that are within 30 days of expiry and otherwise does nothing, so it can be run daily without consuming any rate limit; a forced renewal issues a new certificate every time and counts against the duplicate-certificate limit.
In this post I summarized what I did when the SSL certificate had to be moved to another issuer on short notice because of a scandal at the certificate authority. ~~It is a little regrettable that the Python version problem remains, but I'm glad I could work around it for now.~~ I can't find any other service like Let's Encrypt, so it worries me a little that it is the only one, but I just hope the service continues forever.
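An alternative to the forced monthly renewal above, written as an added example (not part of the original post or of certbot): let certbot-auto renew decide whether anything is due, run it daily, and reload Apache only when a certificate file actually changed, so a failed or no-op run never bounces the web server. The certbot path, live directory and reload command below are assumptions taken from the paths used in this post and can be overridden through environment variables.

```shell
#!/bin/sh
# renew-le.sh: run "certbot-auto renew" (which only renews certificates within
# 30 days of expiry) and reload Apache only when a certificate was replaced.
# Added example; the default paths are assumptions matching this post.

CERTBOT=${CERTBOT:-/usr/local/certbot/certbot-auto}
LIVE_DIR=${LIVE_DIR:-/etc/letsencrypt/live}
RELOAD_CMD=${RELOAD_CMD:-"/sbin/service httpd reload"}

# Emit one "crc size path" line per cert.pem under $1, sorted, so that two
# snapshots compare equal exactly when no certificate was replaced.
# -L follows the symlinks certbot keeps in live/ pointing into archive/.
snapshot_certs() {
    find -L "$1" -name cert.pem -type f 2>/dev/null | sort | while read -r f; do
        cksum "$f"
    done
}

# Return 0 when renew succeeded (whether or not anything was renewed) and,
# on an actual change, the reload command succeeded; 1 when certbot failed,
# in which case Apache is left untouched.
renew_and_reload() {
    before=$(snapshot_certs "$LIVE_DIR")
    if ! $CERTBOT renew --quiet; then
        echo "certbot renew failed; Apache not reloaded" >&2
        return 1
    fi
    after=$(snapshot_certs "$LIVE_DIR")
    if [ "$before" = "$after" ]; then
        return 0        # nothing was renewed, nothing to reload
    fi
    $RELOAD_CMD
}

# Do the work when run directly (from cron); when sourced, only define functions.
case "${0##*/}" in
    renew-le.sh) renew_and_reload ;;
esac
```

With this wrapper the crontab entry becomes a daily run such as `0 3 * * * /usr/local/certbot/renew-le.sh`, and the certificate is renewed about 30 days before it expires, leaving time to notice and fix a validation failure before the site goes down.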