[Daily improvement, day 3] Going HTTPS
Posted by: urumos
Created: 2022-05-28 22:39
Updated: 2022-05-29 23:28
Category: Django
Tags:
I really need to implement a popup alert when navigating away from the page... 😢
I'll try to remember what I wrote and write it again roughly...
ーーーー
So much for "daily updates": work and private life have both been busy lately,
and I haven't been able to post for a month.
Today I tidied up the storage room and my desk and feel refreshed, so I'll pull myself together and keep going!
Doing it for free with Let's Encrypt
Reference article
https://tomato-develop.com/django-ubuntu-python-nginx-gunicorn-postgresql/
① Install letsencrypt
sudo apt install letsencrypt
(※ The article used apt-get, but apt is reportedly a superset of it, so I'll use apt.)
② letsencrypt uses port 80, so stop nginx for the moment
sudo systemctl stop nginx
③ Obtain the certificate
$ sudo letsencrypt certonly --standalone -d XXX.com
This printed the following.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel):
Enter your email address
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel:
Enter A
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o:
Enter N
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for hasesinc.com
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/XXX.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/XXX.com/privkey.pem
Your cert will expire on 2022-08-26. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Looks like it worked!
By the way, if the error below appears at this point, you have apparently hit the "rate limit";
in that case, wait a week and then try again.
④ Edit the nginx config file
sudo vim /etc/nginx/sites-available/DjangoMyBlog
Change it as follows
# Redirect from http without www
server {
    listen 80;
    listen [::]:80;
    server_name XXX.com;
    return 301 https://$host$request_uri;
}
# Redirect from http/https with www
# Note: the certificate obtained in step ③ covers only XXX.com, so browsers opening
# https://www.XXX.com will see a certificate-name warning before this redirect fires
# unless www.XXX.com is also requested with -d when issuing the certificate.
server {
    listen 80;
    listen 443 ssl;
    server_name www.XXX.com;
    ssl_certificate /etc/letsencrypt/live/XXX.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/XXX.com/privkey.pem;
    return 301 https://XXX.com$request_uri;
}
# The server the redirects land on
server {
    # "ssl" on the listen line enables TLS; the old "ssl on;" directive is deprecated and not needed
    listen 443 ssl default_server;
    server_name XXX.com;
    ssl_certificate /etc/letsencrypt/live/XXX.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/XXX.com/privkey.pem;
    location = /favicon.ico { access_log off; log_not_found off; }
    location /static/ {
        root /home/XXX/pyprojects/DjangoMyBlog;
    }
    location / {
        include proxy_params;
        proxy_pass http://unix:/home/XXX/pyprojects/DjangoMyBlog/config.sock;
    }
}
⑤ Start nginx
sudo service nginx start
⑥ Restart gunicorn
sudo systemctl restart gunicorn
⑦ Open the site in a browser and confirm it is now served over https
Done!!
⑧ Automating letsencrypt certificate renewal
Let's Encrypt certificates have to be renewed every three months.
To renew automatically, add a batch job.
First, run the following command
sudo crontab -e
The following appears
no crontab for root - using an empty one
Select an editor. To change later, run 'select-editor'.
1. /bin/nano <---- easiest
2. /usr/bin/vim.basic
3. /usr/bin/vim.tiny
4. /bin/ed
Choose 1-4 [1]:
Type 1 and press Enter
The nano editor then opens with the following edit screen
GNU nano 4.8 /tmp/crontab.J0XdNU/crontab
# Edit this file to introduce tasks to be run by cron.
#
# Each task to run has to be defined through a single line
# indicating with different fields when the task will be run
# and what command to run for the task
#
# To define the time you can provide concrete values for
# minute (m), hour (h), day of month (dom), month (mon),
# and day of week (dow) or use '*' in these fields (for 'any').
#
# Notice that tasks will be started based on the cron's system
# daemon's notion of time and timezones.
#
# Output of the crontab jobs (including errors) is sent through
# email to the user the crontab file belongs to (unless redirected).
#
# For example, you can run a backup of all your user accounts
# at 5 a.m every week with:
# 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
#
# For more information see the manual pages of crontab(5) and cron(8)
#
# m h dom mon dow command
Append the following at the end
00 05 01 * * sudo systemctl stop nginx; sudo letsencrypt renew; sudo systemctl start nginx
With this, renewal runs at 5 a.m. on the 1st of every month
Specifically, it stops nginx ➡ renews the letsencrypt certificate ➡ starts nginx
⑨ Restart nginx
Finally, restart nginx and we're done.
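A small post-deployment check for steps ⑦ and ⑧, added here as an example (it is not part of the original post): it fetches the certificate over TLS to see how many days remain, flags a certificate that the cron job should already have renewed (certbot renews when fewer than 30 days remain), and probes that plain-HTTP and www requests get the 301 to https://XXX.com that the nginx config above is meant to produce. XXX.com is the post's placeholder host name; the certificate dates in the test are constructed.

```python
import http.client
import socket
import ssl
import time
from typing import Optional

RENEW_WARN_DAYS = 30  # certbot renews below 30 days left; fewer than that means the cron job is not doing its job

def to_epoch(cert_time: str) -> float:
    """Parse a certificate notAfter string such as 'Aug 26 13:39:00 2022 GMT'."""
    return ssl.cert_time_to_seconds(cert_time)

def days_until_expiry(not_after: str, now_epoch: Optional[float] = None) -> int:
    """Whole days left before the certificate expires (negative once it has expired)."""
    now_epoch = time.time() if now_epoch is None else now_epoch
    return int((to_epoch(not_after) - now_epoch) // 86400)

def redirect_is_correct(status: int, location: Optional[str], canonical: str, path: str) -> bool:
    """The nginx config answers every non-canonical request with a permanent
    redirect to https://<canonical><path>; accept nothing weaker (302, http://, no redirect)."""
    return status == 301 and location == f"https://{canonical}{path}"

def probe_redirect(connect_host: str, host_header: str, canonical: str, path: str = "/", timeout: float = 5.0) -> bool:
    """Plain-HTTP request with an explicit Host header, so the www server block can be tested too."""
    conn = http.client.HTTPConnection(connect_host, 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host_header})
        resp = conn.getresponse()
        return redirect_is_correct(resp.status, resp.getheader("Location"), canonical, path)
    finally:
        conn.close()

def check_site(host: str, timeout: float = 5.0) -> dict:
    """Live check of a deployed host: chain/hostname validity, days left, and both redirects."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname; raises on a bad cert
    with socket.create_connection((host, 443), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            days = days_until_expiry(tls.getpeercert()["notAfter"])
    return {
        "days_left": days,
        "renewal_overdue": days < RENEW_WARN_DAYS,
        "http_redirect_ok": probe_redirect(host, host, host),
        "www_redirect_ok": probe_redirect(host, "www." + host, host),
    }

if __name__ == "__main__":
    import sys
    print(check_site(sys.argv[1] if len(sys.argv) > 1 else "XXX.com"))
```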
sudo service nginx restart
ーーーーーーーーーー
Writing the same article twice was tiring, lol