EC2でもLet’s Encrypt!! Amazon Linux2での失敗をご紹介
こんにちは、TAMの石川です!
Let’s Encryptって便利ですよね。
便利なので、本日使おうとしたところAmazon Linux2では、Let’s Encrypt公式からインストール手順をたどり行きついたアナウンス(そもそもAmazonLinux2用のものは無い)のCentOS用を利用してもうまく入らず、あきらめたところAWS公式に案内があることが発覚しました!
本日は、その顛末を書いていきたいと思います。
なぜ今更、Let’s Encrypt?
「技術的にそんなに面白くないのに、なぜに今さらっ!??」と思われるかもしれません。
先日、AWS中国でCloudFrontの検証を進めていたのですが、CloudFrontでCNAMEを登録する際にその証明書をACMで作ろうとしたら、なんと!中国リージョンでは、IAMへ証明書を登録する方法しか対応していないようでした…。
でもACMで作ったら証明書・Keyを取り出すことはできないので…ということで、Let’s Encryptでサクッと作成することにしました。
中国リージョンでのCloudFront+S3を利用したWebサイト公開については、別の記事でご紹介します。
その前に、前提環境
利用環境はAmazonLinux2なのですが、私の場合、以下のインスタンスを起動させて使います。
インスタンスサイズ:
ほとんどがa1.medium(1vCPU、2Gメモリ)を使います。スポットで。
アーキテクチャ:
インスタンスサイズでお気づきの方もいると思いますが、armを利用してます。
ディスクサイズ:
8GB
リージョン:
オレゴン(全体的にインスタンス等の価格が一番安いため。)
中国国内でインスタンス立てると高そうなのでグローバルの方で立ててしまいました。
DNSは中国AWSのRoute53を利用していて、TXTレコードを登録してグローバル側で認証という構成で中国AWSで利用する証明書を発行しました。
当局から怒られないことを祈っております…
誤ったやり方
Let’s Encrypt公式から、Certbotのインストールへ誘導され、snapdをインストールするように促される。
「なるほど、EPEL入れてyumれば良いわけっすね。かんたんだ。まず、EPELはamazon-linux-extrasから入れて…
|
1 |
$ sudo amazon-linux-extras install epel -y |
使えるようになってることをチェックして・・・
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 |
$ yum repolist all Loaded plugins: extras_suggestions, langpacks, priorities, update-motd 215 packages excluded due to repository priority protections repo id repo name status amzn2-core/2/aarch64 Amazon Linux 2 core repository enabled: 20,786 amzn2-core-debuginfo/2/aarch64 Amazon Linux 2 core repository - debuginfo packages disabled amzn2-core-source/2 Amazon Linux 2 core repository - source packages disabled amzn2extra-docker/2/aarch64 Amazon Extras repo for docker enabled: 69 amzn2extra-docker-debuginfo/2/aarch64 Amazon Extras debuginfo repo for docker disabled amzn2extra-docker-source/2 Amazon Extras source repo for docker disabled amzn2extra-epel/2/aarch64 Amazon Extras repo for epel enabled: 1 amzn2extra-epel-debuginfo/2/aarch64 Amazon Extras debuginfo repo for epel disabled amzn2extra-epel-source/2 Amazon Extras source repo for epel disabled amzn2extra-kernel-5.10/2/aarch64 Amazon Extras repo for kernel-5.10 enabled: 222 amzn2extra-kernel-5.10-debuginfo/2/aarch64 Amazon Extras debuginfo repo for kernel-5.10 disabled amzn2extra-kernel-5.10-source/2 Amazon Extras source repo for kernel-5.10 disabled epel/aarch64 Extra Packages for Enterprise Linux 7 - aarch64 enabled: 12,773+215 epel-debuginfo/aarch64 Extra Packages for Enterprise Linux 7 - aarch64 - Debug disabled epel-source/aarch64 Extra Packages for Enterprise Linux 7 - aarch64 - Source disabled epel-testing/aarch64 Extra Packages for Enterprise Linux 7 - Testing - aarch64 disabled epel-testing-debuginfo/aarch64 Extra Packages for Enterprise Linux 7 - Testing - aarch64 - Debug disabled epel-testing-source/aarch64 Extra Packages for Enterprise Linux 7 - Testing - aarch64 - Source disabled repolist: 33,851 |
snapdをインストール♪
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 |
$ sudo yum install snapd Loaded plugins: extras_suggestions, langpacks, priorities, update-motd 215 packages excluded due to repository priority protections Resolving Dependencies --> Running transaction check ---> Package snapd.aarch64 0:2.39.2-1.el7 will be installed --> Processing Dependency: snap-confine(aarch-64) = 2.39.2-1.el7 for package: snapd-2.39.2-1.el7.aarch64 --> Processing Dependency: snapd-selinux = 2.39.2-1.el7 for package: snapd-2.39.2-1.el7.aarch64 --> Processing Dependency: fuse for package: snapd-2.39.2-1.el7.aarch64 --> Processing Dependency: squashfs-tools for package: snapd-2.39.2-1.el7.aarch64 --> Processing Dependency: squashfuse for package: snapd-2.39.2-1.el7.aarch64 --> Running transaction check ---> Package fuse.aarch64 0:2.9.2-11.amzn2 will be installed ---> Package snap-confine.aarch64 0:2.39.2-1.el7 will be installed ---> Package snapd-selinux.noarch 0:2.39.2-1.el7 will be installed --> Processing Dependency: selinux-policy-base >= 3.13.1-229.el7_6.12 for package: snapd-selinux-2.39.2-1.el7.noarch --> Processing Dependency: policycoreutils-python for package: snapd-selinux-2.39.2-1.el7.noarch ---> Package squashfs-tools.aarch64 0:4.3-0.21.gitaae0aff4.amzn2.0.1 will be installed --> Processing Dependency: liblzo2.so.2()(64bit) for package: squashfs-tools-4.3-0.21.gitaae0aff4.amzn2.0.1.aarch64 ---> Package squashfuse.aarch64 0:0.1.102-1.el7 will be installed --> Processing Dependency: squashfuse-libs(aarch-64) = 0.1.102-1.el7 for package: squashfuse-0.1.102-1.el7.aarch64 --> Processing Dependency: libfuseprivate.so.0()(64bit) for package: squashfuse-0.1.102-1.el7.aarch64 --> Processing Dependency: libsquashfuse.so.0()(64bit) for package: squashfuse-0.1.102-1.el7.aarch64 --> Processing Dependency: libzstd.so.1()(64bit) for package: squashfuse-0.1.102-1.el7.aarch64 --> Running transaction check ---> Package libzstd.aarch64 0:1.5.2-1.amzn2 will be installed ---> Package lzo.aarch64 0:2.06-8.amzn2.0.4 will be installed ---> Package policycoreutils-python.aarch64 0:2.5-22.amzn2 will be installed --> Processing Dependency: setools-libs >= 3.3.8-2 for package: policycoreutils-python-2.5-22.amzn2.aarch64 --> Processing Dependency: libsemanage-python >= 2.5-9 for package: policycoreutils-python-2.5-22.amzn2.aarch64 --> Processing Dependency: audit-libs-python >= 2.1.3-4 for package: policycoreutils-python-2.5-22.amzn2.aarch64 --> Processing Dependency: python-IPy for package: policycoreutils-python-2.5-22.amzn2.aarch64 --> Processing Dependency: libselinux-python for package: policycoreutils-python-2.5-22.amzn2.aarch64 --> Processing Dependency: libqpol.so.1(VERS_1.4)(64bit) for package: policycoreutils-python-2.5-22.amzn2.aarch64 --> Processing Dependency: libqpol.so.1(VERS_1.2)(64bit) for package: policycoreutils-python-2.5-22.amzn2.aarch64 --> Processing Dependency: libcgroup for package: policycoreutils-python-2.5-22.amzn2.aarch64 --> Processing Dependency: libapol.so.4(VERS_4.0)(64bit) for package: policycoreutils-python-2.5-22.amzn2.aarch64 --> Processing Dependency: checkpolicy for package: policycoreutils-python-2.5-22.amzn2.aarch64 --> Processing Dependency: libqpol.so.1()(64bit) for package: policycoreutils-python-2.5-22.amzn2.aarch64 --> Processing Dependency: libapol.so.4()(64bit) for package: policycoreutils-python-2.5-22.amzn2.aarch64 ---> Package snapd-selinux.noarch 0:2.39.2-1.el7 will be installed --> Processing Dependency: selinux-policy-base >= 3.13.1-229.el7_6.12 for package: snapd-selinux-2.39.2-1.el7.noarch ---> Package squashfuse-libs.aarch64 0:0.1.102-1.el7 will be installed --> Running transaction check ---> Package audit-libs-python.aarch64 0:2.8.1-3.amzn2.1 will be installed ---> Package checkpolicy.aarch64 0:2.5-6.amzn2 will be installed ---> Package libcgroup.aarch64 0:0.41-21.amzn2 will be installed ---> Package libselinux-python.aarch64 0:2.5-12.amzn2.0.2 will be installed ---> Package libsemanage-python.aarch64 0:2.5-11.amzn2 will be installed ---> Package python-IPy.noarch 0:0.75-6.amzn2.0.1 will be installed ---> Package setools-libs.aarch64 0:3.3.8-2.amzn2.0.2 will be installed ---> Package snapd-selinux.noarch 0:2.39.2-1.el7 will be installed --> Processing Dependency: selinux-policy-base >= 3.13.1-229.el7_6.12 for package: snapd-selinux-2.39.2-1.el7.noarch --> Finished Dependency Resolution Error: Package: snapd-selinux-2.39.2-1.el7.noarch (epel) Requires: selinux-policy-base >= 3.13.1-229.el7_6.12 Installed: selinux-policy-targeted-3.13.1-192.amzn2.6.8.noarch (installed) selinux-policy-base = 3.13.1-192.amzn2.6.8 Available: selinux-policy-minimum-3.13.1-166.amzn2.5.noarch (amzn2-core) selinux-policy-base = 3.13.1-166.amzn2.5 Available: selinux-policy-minimum-3.13.1-166.amzn2.9.noarch (amzn2-core) selinux-policy-base = 3.13.1-166.amzn2.9 Available: selinux-policy-minimum-3.13.1-192.amzn2.6.noarch (amzn2-core) selinux-policy-base = 3.13.1-192.amzn2.6 Available: selinux-policy-minimum-3.13.1-192.amzn2.6.1.noarch (amzn2-core) selinux-policy-base = 3.13.1-192.amzn2.6.1 Available: selinux-policy-minimum-3.13.1-192.amzn2.6.2.noarch (amzn2-core) selinux-policy-base = 3.13.1-192.amzn2.6.2 Available: selinux-policy-minimum-3.13.1-192.amzn2.6.3.noarch (amzn2-core) selinux-policy-base = 3.13.1-192.amzn2.6.3 Available: selinux-policy-minimum-3.13.1-192.amzn2.6.5.noarch (amzn2-core) selinux-policy-base = 3.13.1-192.amzn2.6.5 Available: selinux-policy-minimum-3.13.1-192.amzn2.6.7.noarch (amzn2-core) selinux-policy-base = 3.13.1-192.amzn2.6.7 Available: selinux-policy-minimum-3.13.1-192.amzn2.6.8.noarch (amzn2-core) selinux-policy-base = 3.13.1-192.amzn2.6.8 Available: selinux-policy-mls-3.13.1-166.amzn2.5.noarch (amzn2-core) selinux-policy-base = 3.13.1-166.amzn2.5 Available: selinux-policy-mls-3.13.1-166.amzn2.9.noarch (amzn2-core) selinux-policy-base = 3.13.1-166.amzn2.9 Available: selinux-policy-mls-3.13.1-192.amzn2.6.noarch (amzn2-core) selinux-policy-base = 3.13.1-192.amzn2.6 Available: selinux-policy-mls-3.13.1-192.amzn2.6.1.noarch (amzn2-core) selinux-policy-base = 3.13.1-192.amzn2.6.1 Available: selinux-policy-mls-3.13.1-192.amzn2.6.2.noarch (amzn2-core) selinux-policy-base = 3.13.1-192.amzn2.6.2 Available: selinux-policy-mls-3.13.1-192.amzn2.6.3.noarch (amzn2-core) selinux-policy-base = 3.13.1-192.amzn2.6.3 Available: selinux-policy-mls-3.13.1-192.amzn2.6.5.noarch (amzn2-core) selinux-policy-base = 3.13.1-192.amzn2.6.5 Available: selinux-policy-mls-3.13.1-192.amzn2.6.7.noarch (amzn2-core) selinux-policy-base = 3.13.1-192.amzn2.6.7 Available: selinux-policy-mls-3.13.1-192.amzn2.6.8.noarch (amzn2-core) selinux-policy-base = 3.13.1-192.amzn2.6.8 Available: selinux-policy-targeted-3.13.1-166.amzn2.5.noarch (amzn2-core) selinux-policy-base = 3.13.1-166.amzn2.5 Available: selinux-policy-targeted-3.13.1-166.amzn2.9.noarch (amzn2-core) selinux-policy-base = 3.13.1-166.amzn2.9 Available: selinux-policy-targeted-3.13.1-192.amzn2.6.noarch (amzn2-core) selinux-policy-base = 3.13.1-192.amzn2.6 Available: selinux-policy-targeted-3.13.1-192.amzn2.6.1.noarch (amzn2-core) selinux-policy-base = 3.13.1-192.amzn2.6.1 Available: selinux-policy-targeted-3.13.1-192.amzn2.6.2.noarch (amzn2-core) selinux-policy-base = 3.13.1-192.amzn2.6.2 Available: selinux-policy-targeted-3.13.1-192.amzn2.6.3.noarch (amzn2-core) selinux-policy-base = 3.13.1-192.amzn2.6.3 Available: selinux-policy-targeted-3.13.1-192.amzn2.6.5.noarch (amzn2-core) selinux-policy-base = 3.13.1-192.amzn2.6.5 Available: selinux-policy-targeted-3.13.1-192.amzn2.6.7.noarch (amzn2-core) selinux-policy-base = 3.13.1-192.amzn2.6.7 You could try using --skip-broken to work around the problem You could try running: rpm -Va --nofiles --nodigest |
ん?バージョン?いったん無視して入れてみました。
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 |
$ sudo yum install snapd --skip-broken Loaded plugins: extras_suggestions, langpacks, priorities, update-motd amzn2-core | 3.7 kB 00:00:00 215 packages excluded due to repository priority protections Resolving Dependencies --> Running transaction check ---> Package snapd.aarch64 0:2.39.2-1.el7 will be installed --> Processing Dependency: snap-confine(aarch-64) = 2.39.2-1.el7 for package: snapd-2.39.2-1.el7.aarch64 --> Processing Dependency: snapd-selinux = 2.39.2-1.el7 for package: snapd-2.39.2-1.el7.aarch64 --> Processing Dependency: fuse for package: snapd-2.39.2-1.el7.aarch64 --> Processing Dependency: squashfs-tools for package: snapd-2.39.2-1.el7.aarch64 --> Processing Dependency: squashfuse for package: snapd-2.39.2-1.el7.aarch64 --> Running transaction check ---> Package fuse.aarch64 0:2.9.2-11.amzn2 will be installed ---> Package snap-confine.aarch64 0:2.39.2-1.el7 will be installed ---> Package snapd-selinux.noarch 0:2.39.2-1.el7 will be installed --> Processing Dependency: selinux-policy-base >= 3.13.1-229.el7_6.12 for package: snapd-selinux-2.39.2-1.el7.noarch --> Processing Dependency: policycoreutils-python for package: snapd-selinux-2.39.2-1.el7.noarch ---> Package squashfs-tools.aarch64 0:4.3-0.21.gitaae0aff4.amzn2.0.1 will be installed --> Processing Dependency: liblzo2.so.2()(64bit) for package: squashfs-tools-4.3-0.21.gitaae0aff4.amzn2.0.1.aarch64 ---> Package squashfuse.aarch64 0:0.1.102-1.el7 will be installed --> Processing Dependency: squashfuse-libs(aarch-64) = 0.1.102-1.el7 for package: squashfuse-0.1.102-1.el7.aarch64 --> Processing Dependency: libfuseprivate.so.0()(64bit) for package: squashfuse-0.1.102-1.el7.aarch64 --> Processing Dependency: libsquashfuse.so.0()(64bit) for package: squashfuse-0.1.102-1.el7.aarch64 --> Processing Dependency: libzstd.so.1()(64bit) for package: squashfuse-0.1.102-1.el7.aarch64 --> Running transaction check ---> Package libzstd.aarch64 0:1.5.2-1.amzn2 will be installed ---> Package lzo.aarch64 0:2.06-8.amzn2.0.4 will be installed ---> Package policycoreutils-python.aarch64 0:2.5-22.amzn2 will be installed --> Processing Dependency: setools-libs >= 3.3.8-2 for package: policycoreutils-python-2.5-22.amzn2.aarch64 --> Processing Dependency: libsemanage-python >= 2.5-9 for package: policycoreutils-python-2.5-22.amzn2.aarch64 --> Processing Dependency: audit-libs-python >= 2.1.3-4 for package: policycoreutils-python-2.5-22.amzn2.aarch64 --> Processing Dependency: python-IPy for package: policycoreutils-python-2.5-22.amzn2.aarch64 --> Processing Dependency: libselinux-python for package: policycoreutils-python-2.5-22.amzn2.aarch64 --> Processing Dependency: libqpol.so.1(VERS_1.4)(64bit) for package: policycoreutils-python-2.5-22.amzn2.aarch64 --> Processing Dependency: libqpol.so.1(VERS_1.2)(64bit) for package: policycoreutils-python-2.5-22.amzn2.aarch64 --> Processing Dependency: libcgroup for package: policycoreutils-python-2.5-22.amzn2.aarch64 --> Processing Dependency: libapol.so.4(VERS_4.0)(64bit) for package: policycoreutils-python-2.5-22.amzn2.aarch64 --> Processing Dependency: checkpolicy for package: policycoreutils-python-2.5-22.amzn2.aarch64 --> Processing Dependency: libqpol.so.1()(64bit) for package: policycoreutils-python-2.5-22.amzn2.aarch64 --> Processing Dependency: libapol.so.4()(64bit) for package: policycoreutils-python-2.5-22.amzn2.aarch64 ---> Package snapd-selinux.noarch 0:2.39.2-1.el7 will be installed --> Processing Dependency: selinux-policy-base >= 3.13.1-229.el7_6.12 for package: snapd-selinux-2.39.2-1.el7.noarch ---> Package squashfuse-libs.aarch64 0:0.1.102-1.el7 will be installed --> Running transaction check ---> Package audit-libs-python.aarch64 0:2.8.1-3.amzn2.1 will be installed ---> Package checkpolicy.aarch64 0:2.5-6.amzn2 will be installed ---> Package libcgroup.aarch64 0:0.41-21.amzn2 will be installed ---> Package libselinux-python.aarch64 0:2.5-12.amzn2.0.2 will be installed ---> Package libsemanage-python.aarch64 0:2.5-11.amzn2 will be installed ---> Package python-IPy.noarch 0:0.75-6.amzn2.0.1 will be installed ---> Package setools-libs.aarch64 0:3.3.8-2.amzn2.0.2 will be installed ---> Package snapd-selinux.noarch 0:2.39.2-1.el7 will be installed --> Processing Dependency: selinux-policy-base >= 3.13.1-229.el7_6.12 for package: snapd-selinux-2.39.2-1.el7.noarch Packages skipped because of dependency problems: audit-libs-python-2.8.1-3.amzn2.1.aarch64 from amzn2-core checkpolicy-2.5-6.amzn2.aarch64 from amzn2-core fuse-2.9.2-11.amzn2.aarch64 from amzn2-core libcgroup-0.41-21.amzn2.aarch64 from amzn2-core libselinux-python-2.5-12.amzn2.0.2.aarch64 from amzn2-core libsemanage-python-2.5-11.amzn2.aarch64 from amzn2-core libzstd-1.5.2-1.amzn2.aarch64 from amzn2-core lzo-2.06-8.amzn2.0.4.aarch64 from amzn2-core policycoreutils-python-2.5-22.amzn2.aarch64 from amzn2-core python-IPy-0.75-6.amzn2.0.1.noarch from amzn2-core setools-libs-3.3.8-2.amzn2.0.2.aarch64 from amzn2-core snap-confine-2.39.2-1.el7.aarch64 from epel snapd-2.39.2-1.el7.aarch64 from epel snapd-selinux-2.39.2-1.el7.noarch from epel squashfs-tools-4.3-0.21.gitaae0aff4.amzn2.0.1.aarch64 from amzn2-core squashfuse-0.1.102-1.el7.aarch64 from epel squashfuse-libs-0.1.102-1.el7.aarch64 from epel |
依存のメッセージが増えてしまいました。
ということで、早々に撤退しました。
当初はarmの影響(以前、unboundのコンパイルができなかったので、それの類似)かと思っていたのですが、ちゃんと調べたらAmazon公式からインストール手順が出ており、確認したところインストールの手順がだいぶ省略されておりました。
なので、次はその方法でサクッとインストールしたいと思います。
正しいやり方
まずは、上記同様EPELをインストールします。
AWS公式はrpmパッケージを拾ってきてインストールを実施していますが、こちらは、amazon-linux-extrasを利用してインストールで問題ありません。
|
1 |
$ sudo amazon-linux-extras install epel -y |
インストール後の確認。
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 |
$ yum repolist all Loaded plugins: extras_suggestions, langpacks, priorities, update-motd 215 packages excluded due to repository priority protections repo id repo name status amzn2-core/2/aarch64 Amazon Linux 2 core repository enabled: 20,786 amzn2-core-debuginfo/2/aarch64 Amazon Linux 2 core repository - debuginfo packages disabled amzn2-core-source/2 Amazon Linux 2 core repository - source packages disabled amzn2extra-docker/2/aarch64 Amazon Extras repo for docker enabled: 69 amzn2extra-docker-debuginfo/2/aarch64 Amazon Extras debuginfo repo for docker disabled amzn2extra-docker-source/2 Amazon Extras source repo for docker disabled amzn2extra-epel/2/aarch64 Amazon Extras repo for epel enabled: 1 amzn2extra-epel-debuginfo/2/aarch64 Amazon Extras debuginfo repo for epel disabled amzn2extra-epel-source/2 Amazon Extras source repo for epel disabled amzn2extra-kernel-5.10/2/aarch64 Amazon Extras repo for kernel-5.10 enabled: 222 amzn2extra-kernel-5.10-debuginfo/2/aarch64 Amazon Extras debuginfo repo for kernel-5.10 disabled amzn2extra-kernel-5.10-source/2 Amazon Extras source repo for kernel-5.10 disabled epel/aarch64 Extra Packages for Enterprise Linux 7 - aarch64 enabled: 12,773+215 epel-debuginfo/aarch64 Extra Packages for Enterprise Linux 7 - aarch64 - Debug disabled epel-source/aarch64 Extra Packages for Enterprise Linux 7 - aarch64 - Source disabled epel-testing/aarch64 Extra Packages for Enterprise Linux 7 - Testing - aarch64 disabled epel-testing-debuginfo/aarch64 Extra Packages for Enterprise Linux 7 - Testing - aarch64 - Debug disabled epel-testing-source/aarch64 Extra Packages for Enterprise Linux 7 - Testing - aarch64 - Source disabled repolist: 33,851 |
AWS公式とも同じ結果が出てきます。
そして、ここでLet’s Encrypt公式(certbot公式?)にあるsnapdは飛ばして、certbotをインストールします。
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 |
$ sudo yum install -y certbot Loaded plugins: extras_suggestions, langpacks, priorities, update-motd amzn2-core | 3.7 kB 00:00:00 215 packages excluded due to repository priority protections Resolving Dependencies --> Running transaction check ---> Package certbot.noarch 0:0.38.0-1.el7 will be installed --> Processing Dependency: python2-certbot = 0.38.0-1.el7 for package: certbot-0.38.0-1.el7.noarch --> Processing Dependency: /usr/sbin/semanage for package: certbot-0.38.0-1.el7.noarch --> Running transaction check (長いので中略) Installed: certbot.noarch 0:0.38.0-1.el7 Dependency Installed: audit-libs-python.aarch64 0:2.8.1-3.amzn2.1 checkpolicy.aarch64 0:2.5-6.amzn2 libcgroup.aarch64 0:0.41-21.amzn2 libselinux-python.aarch64 0:2.5-12.amzn2.0.2 libsemanage-python.aarch64 0:2.5-11.amzn2 policycoreutils-python.aarch64 0:2.5-22.amzn2 pyOpenSSL.aarch64 0:0.13.1-3.amzn2.0.2 python-IPy.noarch 0:0.75-6.amzn2.0.1 python-ndg_httpsclient.noarch 0:0.3.2-1.el7 python-requests-toolbelt.noarch 0:0.8.0-1.el7 python-zope-component.noarch 1:4.1.0-5.el7 python-zope-event.noarch 0:4.0.3-2.el7 python-zope-interface.aarch64 0:4.0.5-4.amzn2.0.2 python2-acme.noarch 0:0.38.0-1.el7 python2-certbot.noarch 0:0.38.0-1.el7 python2-configargparse.noarch 0:0.11.0-1.el7 python2-distro.noarch 0:1.2.0-3.el7 python2-future.noarch 0:0.16.0-15.20181019gitbee0f3b.el7 python2-josepy.noarch 0:1.2.0-1.el7 python2-mock.noarch 0:1.0.1-10.el7 python2-parsedatetime.noarch 0:2.4-5.el7 python2-pyrfc3339.noarch 0:1.0-2.el7 pytz.noarch 0:2016.10-2.amzn2.0.1 setools-libs.aarch64 0:3.3.8-2.amzn2.0.2 Complete! |
・・・( ゚д゚)ポカーン
snapdいらんのかい ノ ̄□ ̄)ノ ~┻━┻ドガシャーン!!
結論、snapdがいらないことが発覚しましたが、ここまでがインストールとなります。
ドメイン認証でワイルドカード証明書を発行
ついでなので次はドメイン認証でワイルドカード証明書を発行してみたいと思います。
証明書の発行
certbotまでのインストールが完了したら、あとは、いつものLet’s Encryptを実行するだけです。
今回、ワイルドカード証明書を作りたかったのと、Route53の権限をもらっていたので、DNS認証で作成しました。
certbotコマンドをsudoで実行すると、EFFにメールアドレスを登録するかどうかを聞かれます。
特に不要なので、今回は「N」としていますが、必要に応じて登録をいただければと思います。
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 |
$ sudo certbot certonly --manual --preferred-challenges dns -d *.bjnetworks.cn --agree-tos --manual-public-ip-logging-ok -m <Mail Address> Saving debug log to /var/log/letsencrypt/letsencrypt.log Plugins selected: Authenticator manual, Installer None - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Would you be willing to share your email address with the Electronic Frontier Foundation, a founding partner of the Let's Encrypt project and the non-profit organization that develops Certbot? We'd like to send you email about our work encrypting the web, EFF news, campaigns, and ways to support digital freedom. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (Y)es/(N)o: N Obtaining a new certificate Performing the following challenges: dns-01 challenge for bjnetworks.cn - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Please deploy a DNS TXT record under the name _acme-challenge.bjnetworks.cn with the following value: gfgFdGH684MdnBpIPcIwdfHXXXXXXXXXXXXXXXXXXXX Before continuing, verify the record is deployed. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Press Enter to Continue |
ここまでくると、AWSコンパネ(Route53)で以下のレコードを登録するように促されます。
登録レコード:_acme-challenge.bjnetworks.cn (bjnetworksはクララの中国でのパートナー会社の社名です。)
レコードタイプ:TXT
値:gfgFdGH684MdnBpIPcIwdfHXXXXXXXXXXXXXXXXXXXX
指示通り、Route53に登録します。
dig等で確認し、登録が確認できたら、certbotの続きに移ります。
※certbotを起動したプロンプトとは別のものや、端末を変えて確認をお願いします。
certbotを起動したプロンプトは「Press Enter to Continue」のまま、作業を止めておいてください。
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 |
$ dig _acme-challenge.bjnetworks.cn -t TXT ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.amzn2.5.2 <<>> _acme-challenge.bjnetworks.cn -t TXT ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51458 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;_acme-challenge.bjnetworks.cn. IN TXT ;; ANSWER SECTION: _acme-challenge.bjnetworks.cn. 300 IN TXT "gfgFdGH684MdnBpIPcIwdfHXXXXXXXXXXXXXXXXXXXX" ;; Query time: 258 msec ;; SERVER: 172.31.0.2#53(172.31.0.2) ;; WHEN: Tue Dec 13 15:34:52 UTC 2022 ;; MSG SIZE rcvd: 114 |
certbotを実行したプロンプトが「Press Enter to Continue」で入力待ちとなっているので、エンターキーを入力し、先に進めてください。
処理が進み、以下の出力があれば、正常に完了しています。
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 |
Waiting for verification... Cleaning up challenges IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/bjnetworks.cn/fullchain.pem Your key file has been saved at: /etc/letsencrypt/live/bjnetworks.cn/privkey.pem Your cert will expire on 2023-03-13. To obtain a new or tweaked version of this certificate in the future, simply run certbot again. To non-interactively renew *all* of your certificates, run "certbot renew" - Your account credentials have been saved in your Certbot configuration directory at /etc/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Certbot so making regular backups of this folder is ideal. - If you like Certbot, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le |
成功した場合、keyと証明書は以下の場所に設置されています。
証明書ファイル:/etc/letsencrypt/live/bjnetworks.cn/fullchain.pem
鍵ファイル :/etc/letsencrypt/live/bjnetworks.cn/privkey.pem
以上!
今回はEC2を使って、Let’s Encrypt証明書の発行を行う方法をメモ代わりに残してみました。
これがコンテナ化してEventBridgeでキックさせて…と自動で回るようになるとまた便利になりますが、それはまた別の機会にご紹介したいと思います!
