こんにちは、TAMの石川です!
Let’s Encryptって便利ですよね。
便利なので、本日使おうとしたところAmazon Linux2では、Let’s Encrypt公式からインストール手順をたどり行きついたアナウンス(そもそもAmazonLinux2用のものは無い)のCentOS用を利用してもうまく入らず、あきらめたところAWS公式に案内があることが発覚しました!
本日は、その顛末を書いていきたいと思います。
目次
なぜ今更、Let’s Encrypt?
「技術的にそんなに面白くないのに、なぜに今さらっ!??」と思われるかもしれません。
先日、AWS中国でCloudFrontの検証を進めていたのですが、CloudFrontでCNAMEを登録する際にその証明書をACMで作ろうとしたら、なんと!中国リージョンでは、IAMへ証明書を登録する方法しか対応していないようでした…。
でもACMで作ったら証明書・Keyを取り出すことはできないので…ということで、Let’s Encryptでサクッと作成することにしました。
中国リージョンでのCloudFront+S3を利用したWebサイト公開については、別の記事でご紹介します。
その前に、前提環境
利用環境はAmazonLinux2なのですが、私の場合、以下のインスタンスを起動させて使います。
インスタンスサイズ:
ほとんどがa1.medium(1vCPU、2Gメモリ)を使います。スポットで。
アーキテクチャ:
インスタンスサイズでお気づきの方もいると思いますが、armを利用してます。
ディスクサイズ:
8GB
リージョン:
オレゴン(全体的にインスタンス等の価格が一番安いため。)
中国国内でインスタンス立てると高そうなのでグローバルの方で立ててしまいました。
DNSは中国AWSのRoute53を利用していて、TXTレコードを登録してグローバル側で認証という構成で中国AWSで利用する証明書を発行しました。
当局から怒られないことを祈っております…
誤ったやり方
Let’s Encrypt公式から、Certbotのインストールへ誘導され、snapdをインストールするように促される。
「なるほど、EPEL入れてyumれば良いわけっすね。かんたんだ。まず、EPELはamazon-linux-extrasから入れて…
$ sudo amazon-linux-extras install epel -y
$ sudo amazon-linux-extras install epel -y使えるようになってることをチェックして・・・
$ yum repolist all
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
215 packages excluded due to repository priority protections
repo id repo name status
amzn2-core/2/aarch64 Amazon Linux 2 core repository enabled: 20,786
amzn2-core-debuginfo/2/aarch64 Amazon Linux 2 core repository - debuginfo packages disabled
amzn2-core-source/2 Amazon Linux 2 core repository - source packages disabled
amzn2extra-docker/2/aarch64 Amazon Extras repo for docker enabled: 69
amzn2extra-docker-debuginfo/2/aarch64 Amazon Extras debuginfo repo for docker disabled
amzn2extra-docker-source/2 Amazon Extras source repo for docker disabled
amzn2extra-epel/2/aarch64 Amazon Extras repo for epel enabled: 1
amzn2extra-epel-debuginfo/2/aarch64 Amazon Extras debuginfo repo for epel disabled
amzn2extra-epel-source/2 Amazon Extras source repo for epel disabled
amzn2extra-kernel-5.10/2/aarch64 Amazon Extras repo for kernel-5.10 enabled: 222
amzn2extra-kernel-5.10-debuginfo/2/aarch64 Amazon Extras debuginfo repo for kernel-5.10 disabled
amzn2extra-kernel-5.10-source/2 Amazon Extras source repo for kernel-5.10 disabled
epel/aarch64 Extra Packages for Enterprise Linux 7 - aarch64 enabled: 12,773+215
epel-debuginfo/aarch64 Extra Packages for Enterprise Linux 7 - aarch64 - Debug disabled
epel-source/aarch64 Extra Packages for Enterprise Linux 7 - aarch64 - Source disabled
epel-testing/aarch64 Extra Packages for Enterprise Linux 7 - Testing - aarch64 disabled
epel-testing-debuginfo/aarch64 Extra Packages for Enterprise Linux 7 - Testing - aarch64 - Debug disabled
epel-testing-source/aarch64 Extra Packages for Enterprise Linux 7 - Testing - aarch64 - Source disabled
repolist: 33,851snapdをインストール♪
$ sudo yum install snapd
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
215 packages excluded due to repository priority protections
Resolving Dependencies
--> Running transaction check
---> Package snapd.aarch64 0:2.39.2-1.el7 will be installed
--> Processing Dependency: snap-confine(aarch-64) = 2.39.2-1.el7 for package: snapd-2.39.2-1.el7.aarch64
--> Processing Dependency: snapd-selinux = 2.39.2-1.el7 for package: snapd-2.39.2-1.el7.aarch64
--> Processing Dependency: fuse for package: snapd-2.39.2-1.el7.aarch64
--> Processing Dependency: squashfs-tools for package: snapd-2.39.2-1.el7.aarch64
--> Processing Dependency: squashfuse for package: snapd-2.39.2-1.el7.aarch64
--> Running transaction check
---> Package fuse.aarch64 0:2.9.2-11.amzn2 will be installed
---> Package snap-confine.aarch64 0:2.39.2-1.el7 will be installed
---> Package snapd-selinux.noarch 0:2.39.2-1.el7 will be installed
--> Processing Dependency: selinux-policy-base >= 3.13.1-229.el7_6.12 for package: snapd-selinux-2.39.2-1.el7.noarch
--> Processing Dependency: policycoreutils-python for package: snapd-selinux-2.39.2-1.el7.noarch
---> Package squashfs-tools.aarch64 0:4.3-0.21.gitaae0aff4.amzn2.0.1 will be installed
--> Processing Dependency: liblzo2.so.2()(64bit) for package: squashfs-tools-4.3-0.21.gitaae0aff4.amzn2.0.1.aarch64
---> Package squashfuse.aarch64 0:0.1.102-1.el7 will be installed
--> Processing Dependency: squashfuse-libs(aarch-64) = 0.1.102-1.el7 for package: squashfuse-0.1.102-1.el7.aarch64
--> Processing Dependency: libfuseprivate.so.0()(64bit) for package: squashfuse-0.1.102-1.el7.aarch64
--> Processing Dependency: libsquashfuse.so.0()(64bit) for package: squashfuse-0.1.102-1.el7.aarch64
--> Processing Dependency: libzstd.so.1()(64bit) for package: squashfuse-0.1.102-1.el7.aarch64
--> Running transaction check
---> Package libzstd.aarch64 0:1.5.2-1.amzn2 will be installed
---> Package lzo.aarch64 0:2.06-8.amzn2.0.4 will be installed
---> Package policycoreutils-python.aarch64 0:2.5-22.amzn2 will be installed
--> Processing Dependency: setools-libs >= 3.3.8-2 for package: policycoreutils-python-2.5-22.amzn2.aarch64
--> Processing Dependency: libsemanage-python >= 2.5-9 for package: policycoreutils-python-2.5-22.amzn2.aarch64
--> Processing Dependency: audit-libs-python >= 2.1.3-4 for package: policycoreutils-python-2.5-22.amzn2.aarch64
--> Processing Dependency: python-IPy for package: policycoreutils-python-2.5-22.amzn2.aarch64
--> Processing Dependency: libselinux-python for package: policycoreutils-python-2.5-22.amzn2.aarch64
--> Processing Dependency: libqpol.so.1(VERS_1.4)(64bit) for package: policycoreutils-python-2.5-22.amzn2.aarch64
--> Processing Dependency: libqpol.so.1(VERS_1.2)(64bit) for package: policycoreutils-python-2.5-22.amzn2.aarch64
--> Processing Dependency: libcgroup for package: policycoreutils-python-2.5-22.amzn2.aarch64
--> Processing Dependency: libapol.so.4(VERS_4.0)(64bit) for package: policycoreutils-python-2.5-22.amzn2.aarch64
--> Processing Dependency: checkpolicy for package: policycoreutils-python-2.5-22.amzn2.aarch64
--> Processing Dependency: libqpol.so.1()(64bit) for package: policycoreutils-python-2.5-22.amzn2.aarch64
--> Processing Dependency: libapol.so.4()(64bit) for package: policycoreutils-python-2.5-22.amzn2.aarch64
---> Package snapd-selinux.noarch 0:2.39.2-1.el7 will be installed
--> Processing Dependency: selinux-policy-base >= 3.13.1-229.el7_6.12 for package: snapd-selinux-2.39.2-1.el7.noarch
---> Package squashfuse-libs.aarch64 0:0.1.102-1.el7 will be installed
--> Running transaction check
---> Package audit-libs-python.aarch64 0:2.8.1-3.amzn2.1 will be installed
---> Package checkpolicy.aarch64 0:2.5-6.amzn2 will be installed
---> Package libcgroup.aarch64 0:0.41-21.amzn2 will be installed
---> Package libselinux-python.aarch64 0:2.5-12.amzn2.0.2 will be installed
---> Package libsemanage-python.aarch64 0:2.5-11.amzn2 will be installed
---> Package python-IPy.noarch 0:0.75-6.amzn2.0.1 will be installed
---> Package setools-libs.aarch64 0:3.3.8-2.amzn2.0.2 will be installed
---> Package snapd-selinux.noarch 0:2.39.2-1.el7 will be installed
--> Processing Dependency: selinux-policy-base >= 3.13.1-229.el7_6.12 for package: snapd-selinux-2.39.2-1.el7.noarch
--> Finished Dependency Resolution
Error: Package: snapd-selinux-2.39.2-1.el7.noarch (epel)
Requires: selinux-policy-base >= 3.13.1-229.el7_6.12
Installed: selinux-policy-targeted-3.13.1-192.amzn2.6.8.noarch (installed)
selinux-policy-base = 3.13.1-192.amzn2.6.8
Available: selinux-policy-minimum-3.13.1-166.amzn2.5.noarch (amzn2-core)
selinux-policy-base = 3.13.1-166.amzn2.5
Available: selinux-policy-minimum-3.13.1-166.amzn2.9.noarch (amzn2-core)
selinux-policy-base = 3.13.1-166.amzn2.9
Available: selinux-policy-minimum-3.13.1-192.amzn2.6.noarch (amzn2-core)
selinux-policy-base = 3.13.1-192.amzn2.6
Available: selinux-policy-minimum-3.13.1-192.amzn2.6.1.noarch (amzn2-core)
selinux-policy-base = 3.13.1-192.amzn2.6.1
Available: selinux-policy-minimum-3.13.1-192.amzn2.6.2.noarch (amzn2-core)
selinux-policy-base = 3.13.1-192.amzn2.6.2
Available: selinux-policy-minimum-3.13.1-192.amzn2.6.3.noarch (amzn2-core)
selinux-policy-base = 3.13.1-192.amzn2.6.3
Available: selinux-policy-minimum-3.13.1-192.amzn2.6.5.noarch (amzn2-core)
selinux-policy-base = 3.13.1-192.amzn2.6.5
Available: selinux-policy-minimum-3.13.1-192.amzn2.6.7.noarch (amzn2-core)
selinux-policy-base = 3.13.1-192.amzn2.6.7
Available: selinux-policy-minimum-3.13.1-192.amzn2.6.8.noarch (amzn2-core)
selinux-policy-base = 3.13.1-192.amzn2.6.8
Available: selinux-policy-mls-3.13.1-166.amzn2.5.noarch (amzn2-core)
selinux-policy-base = 3.13.1-166.amzn2.5
Available: selinux-policy-mls-3.13.1-166.amzn2.9.noarch (amzn2-core)
selinux-policy-base = 3.13.1-166.amzn2.9
Available: selinux-policy-mls-3.13.1-192.amzn2.6.noarch (amzn2-core)
selinux-policy-base = 3.13.1-192.amzn2.6
Available: selinux-policy-mls-3.13.1-192.amzn2.6.1.noarch (amzn2-core)
selinux-policy-base = 3.13.1-192.amzn2.6.1
Available: selinux-policy-mls-3.13.1-192.amzn2.6.2.noarch (amzn2-core)
selinux-policy-base = 3.13.1-192.amzn2.6.2
Available: selinux-policy-mls-3.13.1-192.amzn2.6.3.noarch (amzn2-core)
selinux-policy-base = 3.13.1-192.amzn2.6.3
Available: selinux-policy-mls-3.13.1-192.amzn2.6.5.noarch (amzn2-core)
selinux-policy-base = 3.13.1-192.amzn2.6.5
Available: selinux-policy-mls-3.13.1-192.amzn2.6.7.noarch (amzn2-core)
selinux-policy-base = 3.13.1-192.amzn2.6.7
Available: selinux-policy-mls-3.13.1-192.amzn2.6.8.noarch (amzn2-core)
selinux-policy-base = 3.13.1-192.amzn2.6.8
Available: selinux-policy-targeted-3.13.1-166.amzn2.5.noarch (amzn2-core)
selinux-policy-base = 3.13.1-166.amzn2.5
Available: selinux-policy-targeted-3.13.1-166.amzn2.9.noarch (amzn2-core)
selinux-policy-base = 3.13.1-166.amzn2.9
Available: selinux-policy-targeted-3.13.1-192.amzn2.6.noarch (amzn2-core)
selinux-policy-base = 3.13.1-192.amzn2.6
Available: selinux-policy-targeted-3.13.1-192.amzn2.6.1.noarch (amzn2-core)
selinux-policy-base = 3.13.1-192.amzn2.6.1
Available: selinux-policy-targeted-3.13.1-192.amzn2.6.2.noarch (amzn2-core)
selinux-policy-base = 3.13.1-192.amzn2.6.2
Available: selinux-policy-targeted-3.13.1-192.amzn2.6.3.noarch (amzn2-core)
selinux-policy-base = 3.13.1-192.amzn2.6.3
Available: selinux-policy-targeted-3.13.1-192.amzn2.6.5.noarch (amzn2-core)
selinux-policy-base = 3.13.1-192.amzn2.6.5
Available: selinux-policy-targeted-3.13.1-192.amzn2.6.7.noarch (amzn2-core)
selinux-policy-base = 3.13.1-192.amzn2.6.7
You could try using --skip-broken to work around the problem
You could try running: rpm -Va --nofiles --nodigestん?バージョン?いったん無視して入れてみました。
$ sudo yum install snapd --skip-broken
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
amzn2-core | 3.7 kB 00:00:00
215 packages excluded due to repository priority protections
Resolving Dependencies
--> Running transaction check
---> Package snapd.aarch64 0:2.39.2-1.el7 will be installed
--> Processing Dependency: snap-confine(aarch-64) = 2.39.2-1.el7 for package: snapd-2.39.2-1.el7.aarch64
--> Processing Dependency: snapd-selinux = 2.39.2-1.el7 for package: snapd-2.39.2-1.el7.aarch64
--> Processing Dependency: fuse for package: snapd-2.39.2-1.el7.aarch64
--> Processing Dependency: squashfs-tools for package: snapd-2.39.2-1.el7.aarch64
--> Processing Dependency: squashfuse for package: snapd-2.39.2-1.el7.aarch64
--> Running transaction check
---> Package fuse.aarch64 0:2.9.2-11.amzn2 will be installed
---> Package snap-confine.aarch64 0:2.39.2-1.el7 will be installed
---> Package snapd-selinux.noarch 0:2.39.2-1.el7 will be installed
--> Processing Dependency: selinux-policy-base >= 3.13.1-229.el7_6.12 for package: snapd-selinux-2.39.2-1.el7.noarch
--> Processing Dependency: policycoreutils-python for package: snapd-selinux-2.39.2-1.el7.noarch
---> Package squashfs-tools.aarch64 0:4.3-0.21.gitaae0aff4.amzn2.0.1 will be installed
--> Processing Dependency: liblzo2.so.2()(64bit) for package: squashfs-tools-4.3-0.21.gitaae0aff4.amzn2.0.1.aarch64
---> Package squashfuse.aarch64 0:0.1.102-1.el7 will be installed
--> Processing Dependency: squashfuse-libs(aarch-64) = 0.1.102-1.el7 for package: squashfuse-0.1.102-1.el7.aarch64
--> Processing Dependency: libfuseprivate.so.0()(64bit) for package: squashfuse-0.1.102-1.el7.aarch64
--> Processing Dependency: libsquashfuse.so.0()(64bit) for package: squashfuse-0.1.102-1.el7.aarch64
--> Processing Dependency: libzstd.so.1()(64bit) for package: squashfuse-0.1.102-1.el7.aarch64
--> Running transaction check
---> Package libzstd.aarch64 0:1.5.2-1.amzn2 will be installed
---> Package lzo.aarch64 0:2.06-8.amzn2.0.4 will be installed
---> Package policycoreutils-python.aarch64 0:2.5-22.amzn2 will be installed
--> Processing Dependency: setools-libs >= 3.3.8-2 for package: policycoreutils-python-2.5-22.amzn2.aarch64
--> Processing Dependency: libsemanage-python >= 2.5-9 for package: policycoreutils-python-2.5-22.amzn2.aarch64
--> Processing Dependency: audit-libs-python >= 2.1.3-4 for package: policycoreutils-python-2.5-22.amzn2.aarch64
--> Processing Dependency: python-IPy for package: policycoreutils-python-2.5-22.amzn2.aarch64
--> Processing Dependency: libselinux-python for package: policycoreutils-python-2.5-22.amzn2.aarch64
--> Processing Dependency: libqpol.so.1(VERS_1.4)(64bit) for package: policycoreutils-python-2.5-22.amzn2.aarch64
--> Processing Dependency: libqpol.so.1(VERS_1.2)(64bit) for package: policycoreutils-python-2.5-22.amzn2.aarch64
--> Processing Dependency: libcgroup for package: policycoreutils-python-2.5-22.amzn2.aarch64
--> Processing Dependency: libapol.so.4(VERS_4.0)(64bit) for package: policycoreutils-python-2.5-22.amzn2.aarch64
--> Processing Dependency: checkpolicy for package: policycoreutils-python-2.5-22.amzn2.aarch64
--> Processing Dependency: libqpol.so.1()(64bit) for package: policycoreutils-python-2.5-22.amzn2.aarch64
--> Processing Dependency: libapol.so.4()(64bit) for package: policycoreutils-python-2.5-22.amzn2.aarch64
---> Package snapd-selinux.noarch 0:2.39.2-1.el7 will be installed
--> Processing Dependency: selinux-policy-base >= 3.13.1-229.el7_6.12 for package: snapd-selinux-2.39.2-1.el7.noarch
---> Package squashfuse-libs.aarch64 0:0.1.102-1.el7 will be installed
--> Running transaction check
---> Package audit-libs-python.aarch64 0:2.8.1-3.amzn2.1 will be installed
---> Package checkpolicy.aarch64 0:2.5-6.amzn2 will be installed
---> Package libcgroup.aarch64 0:0.41-21.amzn2 will be installed
---> Package libselinux-python.aarch64 0:2.5-12.amzn2.0.2 will be installed
---> Package libsemanage-python.aarch64 0:2.5-11.amzn2 will be installed
---> Package python-IPy.noarch 0:0.75-6.amzn2.0.1 will be installed
---> Package setools-libs.aarch64 0:3.3.8-2.amzn2.0.2 will be installed
---> Package snapd-selinux.noarch 0:2.39.2-1.el7 will be installed
--> Processing Dependency: selinux-policy-base >= 3.13.1-229.el7_6.12 for package: snapd-selinux-2.39.2-1.el7.noarch
Packages skipped because of dependency problems:
audit-libs-python-2.8.1-3.amzn2.1.aarch64 from amzn2-core
checkpolicy-2.5-6.amzn2.aarch64 from amzn2-core
fuse-2.9.2-11.amzn2.aarch64 from amzn2-core
libcgroup-0.41-21.amzn2.aarch64 from amzn2-core
libselinux-python-2.5-12.amzn2.0.2.aarch64 from amzn2-core
libsemanage-python-2.5-11.amzn2.aarch64 from amzn2-core
libzstd-1.5.2-1.amzn2.aarch64 from amzn2-core
lzo-2.06-8.amzn2.0.4.aarch64 from amzn2-core
policycoreutils-python-2.5-22.amzn2.aarch64 from amzn2-core
python-IPy-0.75-6.amzn2.0.1.noarch from amzn2-core
setools-libs-3.3.8-2.amzn2.0.2.aarch64 from amzn2-core
snap-confine-2.39.2-1.el7.aarch64 from epel
snapd-2.39.2-1.el7.aarch64 from epel
snapd-selinux-2.39.2-1.el7.noarch from epel
squashfs-tools-4.3-0.21.gitaae0aff4.amzn2.0.1.aarch64 from amzn2-core
squashfuse-0.1.102-1.el7.aarch64 from epel
squashfuse-libs-0.1.102-1.el7.aarch64 from epel依存のメッセージが増えてしまいました。
ということで、早々に撤退しました。
当初はarmの影響(以前、unboundのコンパイルができなかったので、それの類似)かと思っていたのですが、ちゃんと調べたらAmazon公式からインストール手順が出ており、確認したところインストールの手順がだいぶ省略されておりました。
なので、次はその方法でサクッとインストールしたいと思います。
正しいやり方
まずは、上記同様EPELをインストールします。
AWS公式はrpmパッケージを拾ってきてインストールを実施していますが、こちらは、amazon-linux-extrasを利用してインストールで問題ありません。
$ sudo amazon-linux-extras install epel -yインストール後の確認。
$ yum repolist all
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
215 packages excluded due to repository priority protections
repo id repo name status
amzn2-core/2/aarch64 Amazon Linux 2 core repository enabled: 20,786
amzn2-core-debuginfo/2/aarch64 Amazon Linux 2 core repository - debuginfo packages disabled
amzn2-core-source/2 Amazon Linux 2 core repository - source packages disabled
amzn2extra-docker/2/aarch64 Amazon Extras repo for docker enabled: 69
amzn2extra-docker-debuginfo/2/aarch64 Amazon Extras debuginfo repo for docker disabled
amzn2extra-docker-source/2 Amazon Extras source repo for docker disabled
amzn2extra-epel/2/aarch64 Amazon Extras repo for epel enabled: 1
amzn2extra-epel-debuginfo/2/aarch64 Amazon Extras debuginfo repo for epel disabled
amzn2extra-epel-source/2 Amazon Extras source repo for epel disabled
amzn2extra-kernel-5.10/2/aarch64 Amazon Extras repo for kernel-5.10 enabled: 222
amzn2extra-kernel-5.10-debuginfo/2/aarch64 Amazon Extras debuginfo repo for kernel-5.10 disabled
amzn2extra-kernel-5.10-source/2 Amazon Extras source repo for kernel-5.10 disabled
epel/aarch64 Extra Packages for Enterprise Linux 7 - aarch64 enabled: 12,773+215
epel-debuginfo/aarch64 Extra Packages for Enterprise Linux 7 - aarch64 - Debug disabled
epel-source/aarch64 Extra Packages for Enterprise Linux 7 - aarch64 - Source disabled
epel-testing/aarch64 Extra Packages for Enterprise Linux 7 - Testing - aarch64 disabled
epel-testing-debuginfo/aarch64 Extra Packages for Enterprise Linux 7 - Testing - aarch64 - Debug disabled
epel-testing-source/aarch64 Extra Packages for Enterprise Linux 7 - Testing - aarch64 - Source disabled
repolist: 33,851AWS公式とも同じ結果が出てきます。
そして、ここでLet’s Encrypt公式(certbot公式?)にあるsnapdは飛ばして、certbotをインストールします。
$ sudo yum install -y certbot
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
amzn2-core | 3.7 kB 00:00:00
215 packages excluded due to repository priority protections
Resolving Dependencies
--> Running transaction check
---> Package certbot.noarch 0:0.38.0-1.el7 will be installed
--> Processing Dependency: python2-certbot = 0.38.0-1.el7 for package: certbot-0.38.0-1.el7.noarch
--> Processing Dependency: /usr/sbin/semanage for package: certbot-0.38.0-1.el7.noarch
--> Running transaction check
(長いので中略)
Installed:
certbot.noarch 0:0.38.0-1.el7
Dependency Installed:
audit-libs-python.aarch64 0:2.8.1-3.amzn2.1 checkpolicy.aarch64 0:2.5-6.amzn2
libcgroup.aarch64 0:0.41-21.amzn2 libselinux-python.aarch64 0:2.5-12.amzn2.0.2
libsemanage-python.aarch64 0:2.5-11.amzn2 policycoreutils-python.aarch64 0:2.5-22.amzn2
pyOpenSSL.aarch64 0:0.13.1-3.amzn2.0.2 python-IPy.noarch 0:0.75-6.amzn2.0.1
python-ndg_httpsclient.noarch 0:0.3.2-1.el7 python-requests-toolbelt.noarch 0:0.8.0-1.el7
python-zope-component.noarch 1:4.1.0-5.el7 python-zope-event.noarch 0:4.0.3-2.el7
python-zope-interface.aarch64 0:4.0.5-4.amzn2.0.2 python2-acme.noarch 0:0.38.0-1.el7
python2-certbot.noarch 0:0.38.0-1.el7 python2-configargparse.noarch 0:0.11.0-1.el7
python2-distro.noarch 0:1.2.0-3.el7 python2-future.noarch 0:0.16.0-15.20181019gitbee0f3b.el7
python2-josepy.noarch 0:1.2.0-1.el7 python2-mock.noarch 0:1.0.1-10.el7
python2-parsedatetime.noarch 0:2.4-5.el7 python2-pyrfc3339.noarch 0:1.0-2.el7
pytz.noarch 0:2016.10-2.amzn2.0.1 setools-libs.aarch64 0:3.3.8-2.amzn2.0.2
Complete!・・・( ゚д゚)ポカーン
snapdいらんのかい ノ ̄□ ̄)ノ ~┻━┻ドガシャーン!!
結論、snapdがいらないことが発覚しましたが、ここまでがインストールとなります。
ドメイン認証でワイルドカード証明書を発行
ついでなので次はドメイン認証でワイルドカード証明書を発行してみたいと思います。
証明書の発行
certbotまでのインストールが完了したら、あとは、いつものLet’s Encryptを実行するだけです。
今回、ワイルドカード証明書を作りたかったのと、Route53の権限をもらっていたので、DNS認証で作成しました。
certbotコマンドをsudoで実行すると、EFFにメールアドレスを登録するかどうかを聞かれます。
特に不要なので、今回は「N」としていますが、必要に応じて登録をいただければと思います。
$ sudo certbot certonly --manual --preferred-challenges dns -d *.bjnetworks.cn --agree-tos --manual-public-ip-logging-ok -m <Mail Address>
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for bjnetworks.cn
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.bjnetworks.cn with the following value:
gfgFdGH684MdnBpIPcIwdfHXXXXXXXXXXXXXXXXXXXX
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continueここまでくると、AWSコンパネ(Route53)で以下のレコードを登録するように促されます。
登録レコード:_acme-challenge.bjnetworks.cn (bjnetworksはクララの中国でのパートナー会社の社名です。)
レコードタイプ:TXT
値:gfgFdGH684MdnBpIPcIwdfHXXXXXXXXXXXXXXXXXXXX
指示通り、Route53に登録します。
dig等で確認し、登録が確認できたら、certbotの続きに移ります。
※certbotを起動したプロンプトとは別のものや、端末を変えて確認をお願いします。
certbotを起動したプロンプトは「Press Enter to Continue」のまま、作業を止めておいてください。
$ dig _acme-challenge.bjnetworks.cn -t TXT
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.amzn2.5.2 <<>> _acme-challenge.bjnetworks.cn -t TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51458
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_acme-challenge.bjnetworks.cn. IN TXT
;; ANSWER SECTION:
_acme-challenge.bjnetworks.cn. 300 IN TXT "gfgFdGH684MdnBpIPcIwdfHXXXXXXXXXXXXXXXXXXXX"
;; Query time: 258 msec
;; SERVER: 172.31.0.2#53(172.31.0.2)
;; WHEN: Tue Dec 13 15:34:52 UTC 2022
;; MSG SIZE rcvd: 114certbotを実行したプロンプトが「Press Enter to Continue」で入力待ちとなっているので、エンターキーを入力し、先に進めてください。
処理が進み、以下の出力があれば、正常に完了しています。
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/bjnetworks.cn/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/bjnetworks.cn/privkey.pem
Your cert will expire on 2023-03-13. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le成功した場合、keyと証明書は以下の場所に設置されています。
証明書ファイル:/etc/letsencrypt/live/bjnetworks.cn/fullchain.pem
鍵ファイル :/etc/letsencrypt/live/bjnetworks.cn/privkey.pem
以上!
今回はEC2を使って、Let’s Encrypt証明書の発行を行う方法をメモ代わりに残してみました。
これがコンテナ化してEventBridgeでキックさせて…と自動で回るようになるとまた便利になりますが、それはまた別の機会にご紹介したいと思います!
