An HTTPS server on GCP
Using certbot's nginx plugin is the easy way, because it updates the nginx configuration for you as well.
Adding a VM
The Terraform resource that adds a VM is google_compute_instance, with:
- region = "us-central1"
- zone = "us-central1-c"
- machine_type = "e2-micro" # free tier
- boot_disk.initialize_params.image = "ubuntu-os-cloud/ubuntu-2004-lts"
With google_compute_firewall, set direction = INGRESS and allow the protocol and ports you need.
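The VM and firewall rule described above written out as a Terraform configuration, added here as an example and not taken from the original notes; the resource names (web, web-ip, allow-http-https), the tag web-server and the reserved static address are assumptions, and the project id is the page's own placeholder.

```hcl
# Added example, not from the original notes. Names (web, web-ip,
# allow-http-https) and the tag "web-server" are assumptions.
provider "google" {
  project = "__YOUR_GCP_PROJECT_ID__" # placeholder from the notes
  region  = "us-central1"
  zone    = "us-central1-c"
}

# Reserve a static external IP: an ephemeral IP changes when the VM is
# stopped and started, which would silently break the DNS A records.
resource "google_compute_address" "web_ip" {
  name = "web-ip"
}

resource "google_compute_instance" "web" {
  name         = "web"
  machine_type = "e2-micro" # free tier
  zone         = "us-central1-c"
  tags         = ["web-server"] # the firewall rule below matches this tag

  boot_disk {
    initialize_params {
      image = "ubuntu-os-cloud/ubuntu-2004-lts"
    }
  }

  network_interface {
    network = "default"
    access_config {
      nat_ip = google_compute_address.web_ip.address # put this in the A records
    }
  }
}

# Ingress limited to the two ports the web server needs and to tagged
# instances only, instead of opening ports on every VM in the network.
# SSH for "gcloud compute ssh" is not added here: on the default network
# the pre-created default-allow-ssh rule already covers tcp/22.
resource "google_compute_firewall" "allow_web" {
  name          = "allow-http-https"
  network       = "default"
  direction     = "INGRESS"
  source_ranges = ["0.0.0.0/0"]
  target_tags   = ["web-server"]
  allow {
    protocol = "tcp"
    ports    = ["80", "443"]
  }
}
```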
Installing packages
gcloud auth login --project __YOUR_GCP_PROJECT_ID__
gcloud compute ssh __YOUR_COMPUTE_INSTANCE__
Install nginx, certbot and the rest. Installing the certbot nginx plugin as well is convenient, because it writes the nginx configuration for you.
sudo apt update
sudo apt install -y nginx curl certbot python3-certbot-nginx
At this point the server is reachable over HTTP only. If you add the following to the default top page, /var/www/html/index.nginx-debian.html, the page shows its own URL when you open it to check that it works.
<script>document.write(document.URL + "<br>");</script>
DNS settings
Enable Networking > Cloud DNS API.
Add a zone for the domain you acquired. The SOA and NS records are added automatically.
Add the VM's external IP as A records for www.<your domain> and <your domain>.
In the registrar's settings, change the name servers to the Cloud DNS servers (the contents of the NS record).
- On お名前.com: Name server settings (tab) > Name server settings, then under "2. Select name servers" open the Other tab, enter them under "Use other name servers", and press the confirm button to update.
certbot setup
Set up SSL with the following command. The nginx plugin updates the nginx configuration at the same time. When asked whether to redirect HTTP traffic to HTTPS, choose 2.
$ sudo certbot --nginx -d www.__YOUR_DOMAIN__ -d __YOUR_DOMAIN__
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): __YOUR_EMAIL__

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for __your_domain__
http-01 challenge for www.__your_domain__
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/default
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/default

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
certbot output, continued...
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/default
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/default

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://www.__your_domain__ and
https://__your_domain__

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=www.__your_domain__
https://www.ssllabs.com/ssltest/analyze.html?d=__your_domain__
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/www.__your_domain__/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/www.__your_domain__/privkey.pem
   Your cert will expire on 2021-11-20. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of your
   certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
Checking automatic renewal
Looking at certbot.timer shows that a renewal check is scheduled twice a day.
$ sudo systemctl status certbot.timer
● certbot.timer - Run certbot twice daily
     Loaded: loaded (/lib/systemd/system/certbot.timer; enabled; vendor preset: enabled)
     Active: active (waiting) since Sun 2021-08-22 07:27:31 UTC; 41min ago
    Trigger: Sun 2021-08-22 12:31:40 UTC; 4h 23min left
   Triggers: ● certbot.service

Aug 22 07:27:31 __hostname__ systemd[1]: Started Run certbot twice daily.
TODO: check again, once the certificate has actually been renewed, whether nginx is restarted automatically.