Category archive: fedora

Obtaining an SSL/TLS certificate with Let's Encrypt


For now, here is a log of what I did.

$ git clone https://github.com/letsencrypt/letsencrypt
Cloning into 'letsencrypt'...
remote: Counting objects: 25463, done.
remote: Compressing objects: 100% (4/4), done.
remote: Total 25463 (delta 0), reused 0 (delta 0), pack-reused 25459
Receiving objects: 100% (25463/25463), 6.69 MiB | 2.66 MiB/s, done.
Resolving deltas: 100% (17848/17848), done.
Checking connectivity... done.
$ cd letsencrypt/
$ ./letsencrypt-auto --help
Bootstrapping dependencies for RedHat-based OSes...
[sudo] password for xxxx
yum は /bin/yum です

A whole bunch of things get installed. Kind of scary.

完了しました!
Creating virtual environment...
Updating letsencrypt and virtual environment dependencies....../home/xxxx/.local/share/letsencrypt/lib/python2.7/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
InsecurePlatformWarning
.
Running with virtualenv: sudo /home/xxxx/.local/share/letsencrypt/bin/letsencrypt --help

letsencrypt [SUBCOMMAND] [options] [-d domain] [-d domain] ...

The Let's Encrypt agent can obtain and install HTTPS/TLS/SSL certificates. By
default, it will attempt to use a webserver both for obtaining and installing
the cert. Major SUBCOMMANDS are:

(default) run        Obtain & install a cert in your current webserver
certonly             Obtain cert, but do not install it (aka "auth")
install              Install a previously obtained cert in a server
revoke               Revoke a previously obtained certificate
rollback             Rollback server configuration changes made during install
config_changes       Show changes made to server config during installation
plugins              Display information about installed plugins

Choice of server plugins for obtaining and installing cert:

--apache             Use the Apache plugin for authentication & installation
--standalone         Run a standalone webserver for authentication
(nginx support is experimental, buggy, and not installed by default)
--webroot            Place files in a server's webroot folder for authentication

OR use different plugins to obtain (authenticate) the cert and then install it:

--authenticator standalone --installer apache

More detailed help:

-h, --help [topic]   print this message, or detailed help on a topic;
                     the available topics are:

all, automation, paths, security, testing, or any of the subcommands or
plugins (certonly, install, nginx, apache, standalone, webroot, etc)

$ ./letsencrypt-auto certonly --webroot -d xxxx.xx --webroot-path /www/
Updating letsencrypt and virtual environment dependencies.......
Running with virtualenv: sudo /home/xxxx/.local/share/letsencrypt/bin/letsencrypt certonly --webroot -d xxxx.xxx --webroot-path /www/

┌──────────────────────────────────────────────────────────────────────┐
│ Enter email address (used for urgent notices and lost key recovery) │
│ ┌──────────────────────────────────────────────────────────────────┐ │
│ │xxxx@xxxx.xx │ │
│ └──────────────────────────────────────────────────────────────────┘ │
├──────────────────────────────────────────────────────────────────────┤
│ < 了解 > < 取消 > │
└──────────────────────────────────────────────────────────────────────┘

┌──────────────────────────────────────────────────────────────────────┐
│ Please read the Terms of Service at │
│ https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf. You │
│ must agree in order to register with the ACME server at │
│ https://acme-v01.api.letsencrypt.org/directory │
│ │
│ │
│ │
│ │
│ │
│ │
│ │
│ │
│ │
│ │
│ │
│ │
├──────────────────────────────────────────────────────────────────────┤

└──────────────────────────────────────────────────────────────────────┘

IMPORTANT NOTES:
 - If you lose your account credentials, you can recover through
   e-mails sent to xxxx@xxxx.xx.
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/lowom.com/fullchain.pem. Your cert will
   expire on 2016-03-10. To obtain a new version of the certificate in
   the future, simply run Let's Encrypt again.
 - Your account credentials have been saved in your Let's Encrypt
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Let's
   Encrypt so making regular backups of this folder is ideal.
 - If like Let's Encrypt, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
   Donating to EFF: https://eff.org/donate-le

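The validity period appears to be 90 days, so I suppose the right approach is to automate renewal and run it every 60 days or so.
I'd like to think that through and put something together, but that's for another time.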

With something like this available, I wonder if SSL will eventually become the default for almost all communication.
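
One way to automate the 60-day renewal mentioned above, as an added example that is not part of the original post: a script for a daily cron job that reads the certificate's expiry date and re-runs the same certonly command once 30 days or fewer remain. The checkout location in LE_AUTO, the script name and the use of GNU date are assumptions; --renew-by-default is an option of the letsencrypt client that does not appear in the log above.

```shell
#!/bin/sh
# Added example (not from the original post): renew the 90-day certificate
# once 60 days have passed, i.e. when 30 days or fewer remain.
# Assumptions: GNU date (Fedora/CentOS), openssl installed, and the
# letsencrypt checkout living in $HOME/letsencrypt as in the log above.

RENEW_BEFORE_DAYS=30    # 90-day lifetime minus the 60-day renewal interval
LE_AUTO="${LE_AUTO:-$HOME/letsencrypt/letsencrypt-auto}"

# days_left EXPIRY_EPOCH NOW_EPOCH: whole days until expiry (0 or negative once expired)
days_left() {
    echo $(( ($1 - $2) / 86400 ))
}

# should_renew DAYS_LEFT: succeeds when the certificate is inside the renewal window
should_renew() {
    [ "$1" -le "$RENEW_BEFORE_DAYS" ]
}

# cert_expiry_epoch CERT_PEM: print the certificate's notAfter time as a Unix timestamp
cert_expiry_epoch() {
    end=$(openssl x509 -enddate -noout -in "$1") || return 1
    date -d "${end#notAfter=}" +%s    # GNU date parses "Mar 10 12:00:00 2016 GMT"
}

# renew_if_due DOMAIN WEBROOT: re-run the certonly command from the log when due
renew_if_due() {
    cert="/etc/letsencrypt/live/$1/fullchain.pem"
    expiry=$(cert_expiry_epoch "$cert") || { echo "cannot read $cert" >&2; return 2; }
    left=$(days_left "$expiry" "$(date +%s)")
    if should_renew "$left"; then
        # --renew-by-default answers the "keep or renew?" prompt so cron never blocks
        "$LE_AUTO" certonly --webroot -d "$1" --webroot-path "$2" --renew-by-default
    else
        echo "$1: $left days left, not renewing yet"
    fi
}

# Runs only when called with two arguments, e.g. from a daily root cron job:
#   renew-cert.sh DOMAIN /www/
if [ "$#" -eq 2 ]; then
    renew_if_due "$1" "$2"
fi
```

Because the certificate was obtained with certonly, the web server still has to be reloaded after a successful renewal before it serves the new certificate.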


Apparently package management has changed from yum to dnf.


For a long time, Yum was the package manager for Red Hat-based distributions,
but apparently it changed to something called DNF as of Fedora 22.

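Lately I have been using almost nothing but CentOS, and I realize I had been gathering so little information
that even fairly big news like this did not reach me. I need to reflect on that.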

First of all, the name DNF is hard to remember.

It stands for Dandified Yum. Since it ends in Yum, I assumed it was based on Yum,
and indeed it seems to have been developed as a fork of Yum.

As for commands, it seems to be able to do almost everything Yum can.

# dnf
You need to give some command
usage: dnf [options] COMMAND

List of Main Commands

autoremove
check-update              Check for available package upgrades
clean                     Remove cached data
distro-sync               Synchronize installed packages to the latest available versions
downgrade                 downgrade a package
group                     Display, or use, the groups information
help                      Display a helpful usage message
history                   Display, or use, the transaction history
info                      Display details about a package or group of packages
install                   Install a package or packages on your system
list                      List a package or groups of packages
makecache                 Generate the metadata cache
provides                  Find what package provides the given value
reinstall                 reinstall a package
remove                    Remove a package or packages from your system
repolist                  Display the configured software repositories
repository-packages       Run commands on top of all packages in given repository
search                    Search package details for the given string
updateinfo                Display advisories about packages
upgrade                   Upgrade a package or packages on your system
upgrade-to                Upgrade a package on your system to the specified version

List of Plugin Commands

migrate                   migrate yum's history, group and yumdb data to dnf

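I still need to look separately into what happens when both are installed and how to switch over from Yum. I see information here and there saying it will be
quite a while before CentOS switches completely from Yum to DNF, but at the earliest I think the change will come with CentOS 8,
so I figured I should start getting used to it now.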

With network commands and other things changing too, there is more and more to relearn, which is fun but also hard work...

Official site: DNF | Dandified Yum