Installing a server certificate from Let’s Encrypt on an Ubuntu 16.04 server. The steps follow "How to use Let’s Encrypt" on Let’s Encrypt 総合ポータル (the Japanese Let’s Encrypt portal).
1. Install
arimasou16@ubuntu:~$ git clone https://github.com/letsencrypt/letsencrypt
arimasou16@ubuntu:~$ cd letsencrypt/
2. Check that the client runs
arimasou16@ubuntu:~/letsencrypt$ ./letsencrypt-auto --help
3. Let’s Encrypt
Before running the client, open the http (80) and https (443) ports on your router and firewall.
4. If the ports were not opened in the previous step, running the following command ends in the error shown below.
arimasou16@ubuntu:~/letsencrypt$ ./letsencrypt-auto certonly -a standalone -d mydomain.com
Error case
Checking for new version...
Requesting root privileges to run letsencrypt...
sudo /home/arimasou16/.local/share/letsencrypt/bin/letsencrypt certonly -a standalone -d mydomain.com
Failed authorization procedure. mydomain.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to host for DVSNI challenge
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: mydomain.com
Type: connection
Detail: Failed to connect to host for DVSNI challenge
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
Success case
Checking for new version...
Requesting root privileges to run letsencrypt...
sudo /home/arimasou16/.local/share/letsencrypt/bin/letsencrypt certonly -a standalone -d mydomain.com
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/mydomain.com/fullchain.pem. Your cert
will expire on 2016-07-25. To obtain a new version of the
certificate in the future, simply run Let's Encrypt again.
- If you like Let's Encrypt, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
5. Configure SSL in Apache
arimasou16@ubuntu:~/letsencrypt$ sudo vi /etc/apache2/sites-available/default-ssl.conf
Point the directives at the symlinked paths of the certificate obtained above, so the file ends up looking like this:
# mod 2016/04/26 start
#SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
#SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
SSLCertificateFile /etc/letsencrypt/live/mydomain.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/mydomain.com/chain.pem
# mod 2016/04/26 end
If you get these settings wrong, /var/log/apache2/error.log contains entries like the following:
[Tue Apr 26 02:10:45.608 2016] AH00016: Configuration Failed
[Tue Apr 26 02:10:45.608 2016] [Tue Apr 26 02:10:20.923912 2016] [ssl:warn] [pid 30377] AH01906: bogus_host_without_reverse_dns:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Apr 26 02:10:45.608 2016] [Tue Apr 26 02:10:20.923945 2016] [ssl:warn] [pid 30377] AH01909: bogus_host_without_reverse_dns:443:0 server certificate does NOT include an ID which matches the server name
[Tue Apr 26 02:10:45.608 2016] [Tue Apr 26 02:10:20.924227 2016] [ssl:emerg] [pid 30377] AH02572: Failed to configure at least one certificate and key for 127.0.1.1:443
[Tue Apr 26 02:10:45.608 2016] [Tue Apr 26 02:10:20.924255 2016] [ssl:emerg] [pid 30377] SSL Library Error: error:0906D06C:PEM routines:PEM_read_bio:no start line (Expecting: DH PARAMETERS) -- Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
[Tue Apr 26 02:10:45.608 2016] [Tue Apr 26 02:10:20.924274 2016] [ssl:emerg] [pid 30377] SSL Library Error: error:0906D06C:PEM routines:PEM_read_bio:no start line (Expecting: EC PARAMETERS) -- Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
[Tue Apr 26 02:10:45.608 2016] [Tue Apr 26 02:10:20.924317 2016] [ssl:emerg] [pid 30377] SSL Library Error: error:140A80B1:SSL routines:SSL_CTX_check_private_key:no certificate assigned
[Tue Apr 26 02:10:45.608 2016] [Tue Apr 26 02:10:20.924329 2016] [ssl:emerg] [pid 30377] AH02311: Fatal error initialising mod_ssl, exiting. See /var/log/apache2/error.log for more information
Error messages of this kind appear.
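As an added example (not from the original post and not part of the Let’s Encrypt client), the following shell function checks the files that default-ssl.conf points at before Apache is reloaded, catching the conditions behind the AH01906 (CA certificate used as server certificate), AH01909 (no name matching the server) and SSL_CTX_check_private_key (key does not belong to the certificate) messages above. It assumes openssl is installed and the usual /etc/letsencrypt/live/<domain>/ layout; the function name check_le_cert is my own.

```shell
#!/bin/sh
# Pre-flight check of a Let's Encrypt live directory before reloading Apache.
# Usage: check_le_cert /etc/letsencrypt/live/mydomain.com mydomain.com
# Returns 0 when the files are usable, 1 otherwise, printing the reason.
check_le_cert() {
    live="$1"; domain="$2"
    cert="$live/cert.pem"; key="$live/privkey.pem"; chain="$live/chain.pem"

    # A wrong or mistyped path is the most common cause of AH02572
    for f in "$cert" "$key" "$chain"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f"; return 1; }
    done

    # "PEM routines:PEM_read_bio:no start line": the file is not a PEM certificate
    openssl x509 -in "$cert" -noout >/dev/null 2>&1 \
        || { echo "not a PEM certificate: $cert"; return 1; }

    # AH01906: a CA certificate (e.g. chain.pem) was configured as the server cert
    if openssl x509 -in "$cert" -noout -text | grep -q 'CA:TRUE'; then
        echo "$cert is a CA certificate, not a server certificate"; return 1
    fi

    # AH01909: the certificate carries no name (SAN or CN) matching the vhost
    openssl x509 -in "$cert" -noout -checkhost "$domain" | grep -q 'does match' \
        || { echo "$cert has no name matching $domain"; return 1; }

    # SSL_CTX_check_private_key: compare the public key derived from each file
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null || true)
    [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ] \
        || { echo "$key does not match $cert"; return 1; }

    # Let's Encrypt certificates are short-lived; fail if less than 14 days remain
    openssl x509 -in "$cert" -noout -checkend $((14*24*3600)) >/dev/null \
        || { echo "$cert expires within 14 days, renew now"; return 1; }

    echo "ok: $cert and $key are usable for $domain"
}
```

Run it as `check_le_cert /etc/letsencrypt/live/mydomain.com mydomain.com && sudo service apache2 reload`. On Apache 2.4.8 and later, SSLCertificateFile can also point directly at fullchain.pem, in which case SSLCertificateChainFile (deprecated there) is not needed.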
6. If this succeeds, no warning screen appears, unlike with a self-signed certificate. That said, from inside the same LAN you still have to do something like edit the hosts file so that the domain resolves to the private address…