I ran into trouble setting up SSL with Let's Encrypt on AWS EC2, so I am writing it down here.
I had done this successfully once before, but when I followed the same steps to add SSL to a different subdomain, I got an error.
With the document root at `/var/www/html/sample/public`, I obtain the server certificate with the certbot-auto command.
The domain is redacted.
```
$ sudo certbot-auto certonly --webroot -w /var/www/html/sample/public -d [domain] --email [email] --debug
Error: couldn't get currently installed version for /opt/eff.org/certbot/venv/bin/letsencrypt:
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 7, in <module>
    from certbot.main import main
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/certbot/main.py", line 10, in <module>
    import josepy as jose
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/josepy/__init__.py", line 44, in <module>
    from josepy.interfaces import JSONDeSerializable
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/josepy/interfaces.py", line 8, in <module>
    from josepy import errors, util
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/josepy/util.py", line 4, in <module>
    import OpenSSL
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/OpenSSL/__init__.py", line 8, in <module>
    from OpenSSL import rand, crypto, SSL
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/OpenSSL/rand.py", line 12, in <module>
    from OpenSSL._util import (
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/OpenSSL/_util.py", line 6, in <module>
    from cryptography.hazmat.bindings.openssl.binding import Binding
ImportError: No module named cryptography.hazmat.bindings.openssl.binding
```
So, a pile of errors came out.
Let's start from the first line.
"Error: couldn't get currently installed version for /opt/eff.org/certbot/venv/bin/letsencrypt:"
In other words, certbot-auto could not determine the version of the letsencrypt script installed in its virtualenv; the traceback below that line shows why: importing it fails with an ImportError for cryptography.hazmat.bindings.openssl.binding, i.e. the Python dependencies in the virtualenv are broken.
I tried following the site below.
Let's Encrypt 証明書更新時のエラー対処 Amazon Linux AMI - とうふの雑記帳 (Handling errors when renewing a Let's Encrypt certificate on Amazon Linux AMI, from the blog とうふの雑記帳)
```
$ unset PYTHON_INSTALL_LAYOUT
$ sudo /opt/eff.org/certbot/venv/local/bin/pip install --upgrade certbot
$ sudo certbot-auto certonly --webroot -w /var/www/html/sample/public -d [domain] --email [email] --debug
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for [domain]
Using the webroot path /var/www/html/sample/public for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Exiting abnormally:
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 11, in <module>
    sys.exit(main())
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/certbot/main.py", line 1364, in main
    return config.func(config, plugins)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/certbot/main.py", line 1254, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/certbot/main.py", line 120, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/certbot/client.py", line 391, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/certbot/client.py", line 334, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/certbot/client.py", line 370, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/certbot/auth_handler.py", line 82, in handle_authorizations
    self._respond(aauthzrs, resp, best_effort)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/certbot/auth_handler.py", line 155, in _respond
    self._poll_challenges(aauthzrs, chall_update, best_effort)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/certbot/auth_handler.py", line 226, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
FailedChallenges: Failed authorization procedure. [domain] (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://[domain].well-known/acme-challenge/4GI-mJ7X3j7mLzhWUNU5NPD8omMfeGF2czMnaRWHQQs: "<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <meta http-equiv="X-UA-Compatible" content="I"

Please see the logfiles in /var/log/letsencrypt for more details.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: [domain]
   Type:   unauthorized
   Detail: Invalid response from http://[domain]/.well-known/acme-challenge/4GI-mJ7X3j7mLzhWUNU5NPD8omMfeGF2czMnaRWHQQs: "<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <meta http-equiv="X-UA-Compatible" content="I"

   To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
```
It got partway, but then a domain configuration error came out.
This had nothing to do with Let's Encrypt itself; it was a mistake in the virtual host configuration.
Make sure that `http://[domain]/` is reachable and actually served from the webroot you pass with `-w`: in the output above, the ACME server requested `/.well-known/acme-challenge/<token>` on that host and got the application's HTML page back instead of the challenge token.
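Before re-running certbot-auto, a preflight that reproduces the ACME server's http-01 fetch catches exactly this misconfiguration. The following is an added example, not code from the original post or from certbot: `preflight()` drops a random token into `<webroot>/.well-known/acme-challenge/`, fetches it over plain HTTP and accepts only an exact echo; the two local servers in `demo()` are constructed stand-ins for a correctly configured vhost and for the broken one that answered with the app's HTML page.

```python
import os, secrets, tempfile, threading, urllib.request
from functools import partial
from http.server import HTTPServer, SimpleHTTPRequestHandler

ACME_DIR = ".well-known/acme-challenge"

def preflight(base_url, webroot):
    """Mimic the ACME http-01 fetch: write a token under the webroot, GET it, require an exact echo."""
    token = secrets.token_urlsafe(32)
    chall_dir = os.path.join(webroot, ACME_DIR)
    os.makedirs(chall_dir, exist_ok=True)
    token_path = os.path.join(chall_dir, token)
    with open(token_path, "w") as f:
        f.write(token)
    try:
        with urllib.request.urlopen(f"{base_url}/{ACME_DIR}/{token}", timeout=5) as r:
            return r.read().decode("utf-8", "replace").strip() == token
    except Exception:  # 404, connection refused, bad redirect, ...
        return False
    finally:
        os.remove(token_path)

class WrongVhost(SimpleHTTPRequestHandler):
    """Constructed stand-in for the broken vhost: every path gets the app's HTML page."""
    def do_GET(self):
        html = b'<!DOCTYPE html><html lang="en"><head><meta charset="utf-8"></head></html>'
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(html)))
        self.end_headers()
        self.wfile.write(html)

def serve(handler):
    """Start a local HTTP server on a free port; return (server, base_url)."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"

def demo():
    """Preflight a correct vhost (files served from the webroot) and the broken one."""
    with tempfile.TemporaryDirectory() as webroot:
        good, good_url = serve(partial(SimpleHTTPRequestHandler, directory=webroot))
        bad, bad_url = serve(WrongVhost)
        try:
            return preflight(good_url, webroot), preflight(bad_url, webroot)
        finally:
            good.shutdown(); bad.shutdown()

if __name__ == "__main__":
    print(demo())  # (True, False)
```

Against a real host, call `preflight("http://[domain]", "/var/www/html/sample/public")` on the server itself; a `False` means certbot's http-01 challenge will fail the same way.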
Then I tried once more and it worked.
```
$ sudo certbot-auto certonly --webroot -w /var/www/html/sample/public -d [domain] --email mrkmyki@gamil.com --debug
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for [domain]
Using the webroot path /var/www/html/sample/public for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/[domain]/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/[domain]/privkey.pem
   Your cert will expire on 2018-10-12. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
```
The rest is configuring it on the httpd side.
The end.