Enabling SSL for WordPress

Install the certificate obtained from Let's Encrypt. These two directives go inside the HTTPS (*:443) virtual host, next to SSLEngine on:

SSLCertificateFile /etc/letsencrypt/live/upper-ricefield.net/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/upper-ricefield.net/privkey.pem

Database and package updates

sudo yum install --enablerepo=remi-php74 php php-xmlrpc php-gd php-pdo php-mysqlnd php-pecl-mysql php-pecl-zip php-pecl-apc php-imagick

Settings required on the web server

sudo nano /etc/httpd/conf/httpd.conf

# "All" cannot be combined with +/- options (httpd aborts at startup with
# "Either all Options must start with + or -, or no Option may"); the relative
# form below adjusts whatever Options the enclosing context already has.
Options -Indexes -FollowSymLinks +SymLinksIfOwnerMatch

AllowOverride AuthConfig FileInfo Indexes Limit Options=MultiViews,Ind
sudo nano /etc/httpd/conf.d/virtual.conf
<VirtualHost *:80>
ServerName *****.upper-ricefield.net
DocumentRoot /var/www/wp_kldjlkdjslkdsja

Redirect permanent / https://ssl.web.somewhere/
ErrorLog logs/*****-error_log
CustomLog logs/*****-access_log combined env=!no_log
AllowEncodedSlashes On
</VirtualHost>
sudo nano /etc/httpd/conf.d/virtual-ssl.conf
<VirtualHost *:443>
DocumentRoot /var/www/klfjsalj
ServerName ssl.web.somewhere:443
ErrorLog logs/web-somewhere_ssl_error_log
TransferLog logs/web-somewhere_ssl_access_log
LogLevel warn
# TLS is enabled per virtual host; the Let's Encrypt files from the top of this page go here.
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/upper-ricefield.net/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/upper-ricefield.net/privkey.pem
<Directory "/var/www/wp_cxo3zn9tlm">
        # "All" cannot be mixed with +/- options (httpd refuses to start);
        # the relative form adjusts the Options inherited from httpd.conf.
        Options -Indexes -FollowSymLinks +SymLinksIfOwnerMatch
        AllowOverride AuthConfig FileInfo Indexes Limit Options=MultiViews,Ind
</Directory>
# Admin area only from the management network (Apache 2.2-style access control;
# on httpd 2.4 this needs mod_access_compat, which CentOS loads by default).
<Directory /var/www/wp_aslseihldkd/wp-admin/>
        Order         deny,allow
        Deny from all
        Allow from ***.***.***.***/**
</Directory>
# <Files> sections are merged after <Directory>, so these override the rules above.
<Files wp-login.php>
        Order deny,allow
        Deny from all
        Allow from ***.***.***.***
</Files>
# xmlrpc.php is the usual brute-force / amplification target; nobody needs it here.
<Files xmlrpc.php>
        Order allow,deny
        Deny from all
</Files>
# <Files> matches the file name only, so a full path here would never match anything.
# With "Order deny,allow" an Allow overrides a Deny, so "Deny from all" + "Allow from all"
# is simply "allow everyone": this lifts the wp-admin address restriction for
# site-health.php alone (WordPress itself still requires a logged-in administrator).
<Files "site-health.php">
        Order deny,allow
        Allow from all
</Files>
</VirtualHost>
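To confirm that the wp-login.php, xmlrpc.php and wp-admin restrictions above actually take effect, the access log written by CustomLog ... combined is the quickest evidence: every attempt from outside the allowlist should show up as a 403, and a restricted script served with any other status to an unexpected source means a block is not matching (the site-health.php full-path mistake is one way that happens). The script below is an added example, not part of the original page; the log lines are constructed samples in the combined format, and ALLOWED_ADMIN_IP stands in for the masked address in the config.

```shell
#!/bin/sh
# Added example: check Apache "combined" access-log lines against the WordPress
# access restrictions (wp-login.php / xmlrpc.php / wp-admin/*) in virtual-ssl.conf.

# Constructed sample log lines (not real traffic), one per request.
SAMPLE_LOG='203.0.113.5 - - [10/Nov/2021:10:00:01 +0900] "POST /wp-login.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Nov/2021:10:00:02 +0900] "POST /wp-login.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Nov/2021:10:00:03 +0900] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "-"
192.0.2.10 - - [10/Nov/2021:10:00:04 +0900] "GET /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Nov/2021:10:00:05 +0900] "GET /wp-admin/site-health.php HTTP/1.1" 200 8765 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Nov/2021:10:00:06 +0900] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "-"
203.0.113.5 - - [10/Nov/2021:10:00:07 +0900] "GET /wp-admin/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"'

# Address allowed by the <Files wp-login.php> and <Directory .../wp-admin/> blocks.
# Assumed value; the page masks the real one as ***.***.***.***.
ALLOWED_ADMIN_IP="${ALLOWED_ADMIN_IP:-192.0.2.10}"

# log_lines [LOGFILE]: the real log when a path is given, else the constructed sample.
log_lines() {
  if [ -n "${1:-}" ]; then cat "$1"; else printf '%s\n' "$SAMPLE_LOG"; fi
}

# count_hits PATH STATUS [LOGFILE]: requests for PATH (query string ignored) answered with STATUS.
# In the combined format $1 is the client address, $7 the request path, $9 the status code.
count_hits() {
  log_lines "${3:-}" | awk -v p="$1" -v s="$2" '
    { sub(/\?.*/, "", $7) }
    $7 == p && $9 == s { n++ }
    END { print n + 0 }'
}

# unexpected_hits [LOGFILE]: restricted scripts that were served (status != 403) to a
# source the config should have blocked: xmlrpc.php from anyone, wp-login.php or
# wp-admin/* from an address other than ALLOWED_ADMIN_IP. Non-zero means a block is not matching.
unexpected_hits() {
  log_lines "${1:-}" | awk -v ok="$ALLOWED_ADMIN_IP" '
    { sub(/\?.*/, "", $7) }
    $9 == 403 { next }
    $7 == "/xmlrpc.php" { n++; next }
    ($7 == "/wp-login.php" || $7 ~ /^\/wp-admin\//) && $1 != ok { n++ }
    END { print n + 0 }'
}

# Standalone run: summarize the sample, or a real log passed as the first argument
# (e.g. /var/log/httpd/web-somewhere_ssl_access_log).
echo "blocked wp-login.php attempts:                   $(count_hits /wp-login.php 403 "${1:-}")"
echo "blocked xmlrpc.php attempts:                     $(count_hits /xmlrpc.php 403 "${1:-}")"
echo "restricted scripts served to unexpected sources: $(unexpected_hits "${1:-}")"
```

On the constructed sample the last line reports 1: the xmlrpc.php request that got a 200, which is exactly the signal that `<Files xmlrpc.php>` is not being applied. Run it against the real ssl access log after every config change, and after `apachectl configtest` + reload.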

Wildcard certificate with Let's Encrypt

First install certbot (it is in EPEL; the search below shows the package name), then call the ACME v2 API. A wildcard name can only be validated with the dns-01 challenge, hence --preferred-challenges dns and --manual (no HTTP challenge, so the port-80 redirect above does not matter here).

sudo yum search --enablerepo=epel certbot

sudo certbot certonly --manual \
--server https://acme-v02.api.letsencrypt.org/directory \
--preferred-challenges dns \
-d *.upper-ricefield.net -d upper-ricefield.net \
-m ******@upper-ricefield.net \
--agree-tos
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Requesting a certificate for *.upper-ricefield.net and upper-ricefield.net
Performing the following challenges:
dns-01 challenge for upper-ricefield.net

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.upper-ricefield.net with the following value:

FL-dArNldjaskljl*******

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

With certbot waiting at this prompt, create the TXT record in DNS. Check that it has propagated (from another terminal) with:

dig @8.8.8.8 -t TXT _acme-challenge.upper-ricefield.net

Do not press Enter until the record resolves correctly (a failed validation burns one attempt against the rate limit). Output like the following means the certificate has been issued.

Waiting for verification...
Cleaning up challenges
Subscribe to the EFF mailing list (email: ***@upper-ricefield.net).
Starting new HTTPS connection (1): supporters.eff.org

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/upper-ricefield.net/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/upper-ricefield.net/privkey.pem
   Your certificate will expire on 2022-01-21. To obtain a new or
   tweaked version of this certificate in the future, simply run
   certbot again. To non-interactively renew *all* of your
   certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Note that `certbot renew` cannot renew this certificate as obtained: the --manual authenticator has no way to publish a fresh _acme-challenge TXT record non-interactively, so the renewal fails unless a DNS plugin for the DNS provider or a --manual-auth-hook script is configured. That is a property of the manual dns-01 workflow, not of wildcard certificates as such.
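The way to make `certbot renew` work for the wildcard certificate is to hand the two manual steps above (publish the TXT record, wait for it to be visible with dig) to hook scripts. The hook below is an added example, not part of the original page or of certbot: it assumes the zone accepts RFC 2136 dynamic updates signed with a TSIG key (nsupdate against an assumed primary ns1.upper-ricefield.net, key file path assumed), and the script path /usr/local/sbin/acme-dns-hook.sh is a placeholder. Certbot sets CERTBOT_DOMAIN and CERTBOT_VALIDATION before calling the hook; once the certificate has been issued once with the hooks, their paths are stored in /etc/letsencrypt/renewal/upper-ricefield.net.conf and plain `certbot renew` reuses them.

```shell
#!/bin/sh
# Added example: certbot dns-01 auth/cleanup hook that publishes the _acme-challenge
# TXT record through nsupdate (RFC 2136) so that "certbot renew" runs unattended.
#
# One-time (re)issue with the hooks, after which "certbot renew" needs no interaction:
#   certbot certonly --manual --preferred-challenges dns \
#     --manual-auth-hook    "/usr/local/sbin/acme-dns-hook.sh add" \
#     --manual-cleanup-hook "/usr/local/sbin/acme-dns-hook.sh delete" \
#     -d '*.upper-ricefield.net' -d upper-ricefield.net
set -eu

TSIG_KEYFILE="${TSIG_KEYFILE:-/etc/letsencrypt/acme-update.key}"   # assumed key path
DNS_SERVER="${DNS_SERVER:-ns1.upper-ricefield.net}"               # assumed zone primary
TTL=60

# txt_record_name DOMAIN -> "_acme-challenge.DOMAIN". A leading "*." is stripped so the
# wildcard and the bare name map to the same record, whichever form certbot passes.
txt_record_name() {
  printf '_acme-challenge.%s\n' "${1#\*.}"
}

# nsupdate_script add|delete DOMAIN VALUE -> the nsupdate batch that publishes or
# removes the challenge record. Printed rather than executed so it can be inspected.
nsupdate_script() {
  name=$(txt_record_name "$2")
  case "$1" in
    add)    op="update add $name $TTL IN TXT \"$3\"" ;;
    delete) op="update delete $name IN TXT \"$3\"" ;;
    *)      echo "unknown action: $1" >&2; return 1 ;;
  esac
  printf 'server %s\n%s\nsend\n' "$DNS_SERVER" "$op"
}

# wait_for_txt NAME VALUE: poll a public resolver until the record is visible, the same
# check the page does by hand with dig. Gives up after 30 tries (5 minutes).
wait_for_txt() {
  i=0
  while [ "$i" -lt 30 ]; do
    if dig @8.8.8.8 +short -t TXT "$1" | grep -qF "\"$2\""; then
      return 0
    fi
    i=$((i + 1))
    sleep 10
  done
  echo "TXT record $1 not visible after 5 minutes" >&2
  return 1
}

# Entry point used by certbot: publish (or remove) the record for CERTBOT_DOMAIN with
# the value CERTBOT_VALIDATION, and for "add" block until resolvers can see it.
main() {
  action=$1
  nsupdate_script "$action" "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" | nsupdate -k "$TSIG_KEYFILE"
  if [ "$action" = add ]; then
    wait_for_txt "$(txt_record_name "$CERTBOT_DOMAIN")" "$CERTBOT_VALIDATION"
  fi
}

# Only act when certbot invokes the script with an action argument.
if [ $# -gt 0 ]; then
  main "$1"
fi
```

The cleanup hook matters as much as the auth hook: Let's Encrypt validates both the wildcard and the bare name against the same _acme-challenge name, so stale TXT values left behind make the next renewal's lookup ambiguous. Keep the TSIG key readable by root only, since whoever can update that record can obtain certificates for the whole domain.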