# Installing an SSL Certificate on Amazon Lightsail with Let's Encrypt (Auto-Renewal)

This covers the case where the Amazon Lightsail instance was created with the Linux/Unix platform and the WordPress blueprint.\
It is also possible to use a load balancer with a certificate from ACM, but here the certificate is obtained from Let's Encrypt without a load balancer.

## Installing the SSL certificate with Let's Encrypt

```
$ sudo apt-get update
$ sudo apt-get install software-properties-common
$ sudo apt-add-repository ppa:certbot/certbot -y
$ sudo apt-get update -y
$ sudo apt-get install certbot -y
$ wget https://github.com/joohoi/acme-dns-certbot-joohoi/raw/master/acme-dns-auth.py
$ chmod +x acme-dns-auth.py
$ vi acme-dns-auth.py
$ sudo mv acme-dns-auth.py /etc/letsencrypt/
$ sudo certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d hayashier.com
$ sudo cp /etc/letsencrypt/live/hayashier.com/fullchain.pem /opt/bitnami/apache2/conf/server.crt
$ sudo cp /etc/letsencrypt/live/hayashier.com/privkey.pem /opt/bitnami/apache2/conf/server.key
$ sudo /opt/bitnami/ctlscript.sh restart apache
```

For renewal, running the following command displays the record required for the DNS challenge as a CNAME record. Register it once; after that, it is enough to run the renew command without `--dry-run`.

```
$ sudo certbot renew --manual-public-ip-logging-ok --dry-run
```

#### Configuring automatic renewal of the SSL certificate

Renewal is handled by a cron job.

```
# crontab -e
```

Crontab contents:

```
1 1 1 * * certbot renew --manual-public-ip-logging-ok
2 1 1 * * cp /etc/letsencrypt/live/hayashier.com/privkey.pem /opt/bitnami/apache2/conf/server.key
3 1 1 * * cp /etc/letsencrypt/live/hayashier.com/fullchain.pem /opt/bitnami/apache2/conf/server.crt
4 1 1 * * /opt/bitnami/ctlscript.sh restart apache
```
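The cron entries above copy `privkey.pem` and `fullchain.pem` into the Apache directory one minute after `certbot renew`, whether or not the renewal actually succeeded. As an added example (not code from the original page), the script below does the same copy and restart as a certbot deploy hook, which certbot runs only after a successful renewal with `RENEWED_LINEAGE` set to the renewed `/etc/letsencrypt/live/<domain>` directory; it first checks that the private key matches the certificate and that the new certificate is not about to expire. The Bitnami paths are the ones from the page; the script name `/etc/letsencrypt/deploy-bitnami.sh` is an assumption.

```shell
#!/bin/bash
# Added example, not from the original page. Install as
# /etc/letsencrypt/deploy-bitnami.sh (assumed name) and run renewals as
#   certbot renew --manual-public-ip-logging-ok --deploy-hook /etc/letsencrypt/deploy-bitnami.sh
# certbot exports RENEWED_LINEAGE only when a certificate was actually renewed.
set -eu

APACHE_CONF="${APACHE_CONF:-/opt/bitnami/apache2/conf}"   # path from the page
CTLSCRIPT="${CTLSCRIPT:-/opt/bitnami/ctlscript.sh}"        # path from the page

# Returns 0 when the certificate's public key equals the public key derived
# from the private key, i.e. the two files belong together.
key_matches_cert() {
  local cert_pub key_pub
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# Returns 0 when the certificate is still valid $2 days from now.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Copy fullchain/privkey into Apache's server.crt/server.key and restart Apache.
# The key is installed with mode 0600 so it is not world-readable.
deploy_lineage() {
  local lineage="$1" cert key
  cert="$lineage/fullchain.pem"
  key="$lineage/privkey.pem"
  key_matches_cert "$cert" "$key" || { echo "key/cert mismatch in $lineage" >&2; return 1; }
  cert_valid_for_days "$cert" 30 || { echo "renewed cert expires within 30 days" >&2; return 1; }
  install -m 0644 "$cert" "$APACHE_CONF/server.crt"
  install -m 0600 "$key"  "$APACHE_CONF/server.key"
  "$CTLSCRIPT" restart apache
}

# Act only when certbot invoked us as a deploy hook; running the file without
# RENEWED_LINEAGE (e.g. when sourcing it) just defines the functions above.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  deploy_lineage "$RENEWED_LINEAGE"
fi
```

With the deploy hook in place, the three copy/restart cron lines are no longer needed; only the `certbot renew` line remains.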

### Previous method

This is the method using `letsencrypt-auto`. As of version 0.6.0, certbot moved to its own repository and the command was renamed `certbot-auto`. However, `certbot-auto` can currently no longer be installed, as shown below.

```
To learn how to fix them, visit https://community.letsencrypt.org/t/certbot-auto-deployment-best-practices/91979/
Your system is not supported by certbot-auto anymore.
Certbot cannot be installed.
```

See the following for details.

* [Certbot-auto no longer works on Debian based systems](https://community.letsencrypt.org/t/certbot-auto-no-longer-works-on-debian-based-systems/139702/7)

The `letsencrypt-auto` method is as follows.

```
$ sudo su
# apt-get install -y git
# git clone https://github.com/letsencrypt/letsencrypt
# cd letsencrypt
# ./letsencrypt-auto certonly --webroot -w /opt/bitnami/apps/wordpress/htdocs/ -d hayashier.com
# cp /etc/letsencrypt/live/hayashier.com/fullchain.pem /opt/bitnami/apache2/conf/server.crt
# cp /etc/letsencrypt/live/hayashier.com/privkey.pem /opt/bitnami/apache2/conf/server.key
# /opt/bitnami/ctlscript.sh restart apache
```

#### Configuring automatic renewal of the SSL certificate

Renewal is handled by a cron job.

```
# crontab -e
```

Crontab contents:

```
1 1 1 * * /tmp/letsencrypt/letsencrypt-auto renew
2 1 1 * * cp /etc/letsencrypt/live/hayashier.com/privkey.pem /opt/bitnami/apache2/conf/server.key
3 1 1 * * cp /etc/letsencrypt/live/hayashier.com/fullchain.pem /opt/bitnami/apache2/conf/server.crt
4 1 1 * * /opt/bitnami/ctlscript.sh restart apache
```

With only the configuration so far, renewal fails and the log (`/var/log/letsencrypt/letsencrypt.log`) shows the following.

```
2021-11-28 06:06:29,692:WARNING:certbot.renewal:Attempting to renew cert (hayashier.com) from /etc/letsencrypt/renewal/hayashier.com.conf produced an unexpected error: Missing command line flag or config entry for this setting: 
NOTE: The IP of this machine will be publicly logged as having requested this certificate. If you're running certbot in manual mode on a machine that is not your server, please ensure you're okay with that.

Are you OK with your IP being logged?

(You can set this with the --manual-public-ip-logging-ok flag). Skipping.
```

Add the following settings to the end of this file.

```
$ vim /etc/letsencrypt/renewal/hayashier.com.conf
```

```
[[webroot_map]]
hayashier.com = /opt/bitnami/apache2/htdocs/
www.hayashier.com = /opt/bitnami/apache2/htdocs/
```

Do a dry run to confirm that renewal works correctly.

```
$ sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/hayashier.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator manual, Installer None
Renewing an existing certificate

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/hayashier.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/hayashier.com/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
```

### Verification

Confirm that the configuration is working correctly.

```
$ curl -svo /dev/null https://hayashier.com
* Rebuilt URL to: https://hayashier.com/
*   Trying 34.225.220.198...
* TCP_NODELAY set
* Connected to hayashier.com (34.225.220.198) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
  CAfile: /usr/local/etc/openssl/cert.pem
  CApath: /usr/local/etc/openssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
} [5 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [109 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [2731 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [333 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [70 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
{ [1 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=hayashier.com
*  start date: Aug 30 00:49:36 2018 GMT
*  expire date: Nov 28 00:49:36 2018 GMT
*  subjectAltName: host "hayashier.com" matched cert's "hayashier.com"
*  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*  SSL certificate verify ok.
} [5 bytes data]
```

### Forcing HTTPS

```
sudo vim /opt/bitnami/apache2/conf/bitnami/bitnami.conf
```

Add the following under `<VirtualHost _default_:80>`:

```
  RewriteEngine On
  RewriteCond %{HTTP} .*
  RewriteRule ^/(.*) https://hayashier.com/$1 [R=301,L]
```

Restart Apache to load the configuration change.

```
sudo /opt/bitnami/ctlscript.sh restart apache
```

### The instance goes down about once every few months

The cause is insufficient memory. The $3.50 plan only has 512 MB of memory; switch to the $5 plan, which has a larger memory allocation.

Similar cases

* [\[AWS\] WordPress on Lightsail stops responding](https://unscrupulous-business-firm.com/2022/09/25/aws-lightsail-上の-wordpress-が反応しなくなる/)
* [WordPress on Lightsail keeps crashing on the $3.50 plan](https://can.ne.jp/2021/08/12/lightsailのwordpressは3-5ドルプランだと落ちまくる件/#1GB)
* [\[AWS\] Amazon Lightsail instances keep going down, and I want to do something about it](https://kirarico.net/memo/1905/)

### References

* [Tutorial: Using Let's Encrypt SSL certificates with your WordPress instance in Amazon Lightsail](https://lightsail.aws.amazon.com/ls/docs/ja_jp/articles/amazon-lightsail-using-lets-encrypt-certificates-with-wordpress)
* [How To Acquire a Let's Encrypt Certificate Using DNS Validation with acme-dns-certbot on Ubuntu 18.04](https://www.digitalocean.com/community/tutorials/how-to-acquire-a-let-s-encrypt-certificate-using-dns-validation-with-acme-dns-certbot-on-ubuntu-18-04)
* [Fix Let's Encrypt auto-renewal errors by reviewing the configuration file](https://www.maison-du-velo-lausanne.ch/post103)
