How to configure SSL/TLS on Amazon Linux 2 is described in detail on Amazon's official site:
Configure SSL/TLS on Amazon Linux 2
This article picks out the parts of the official instructions that are a little hard to follow and explains them.
Checking Apache's status

[@ip-xxx-xxx-xxx-xxx conf.d]# sudo systemctl is-enabled httpd
disabled
Starting Apache and enabling it at boot
If the result is not "enabled", start Apache and enable it so that it starts at boot.

[@ip-xxx-xxx-xxx-xxx conf.d]# sudo systemctl start httpd && sudo systemctl enable httpd
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.

[@ip-xxx-xxx-xxx-xxx conf.d]# sudo systemctl is-enabled httpd
enabled
Updating packages with yum

[@ip-xxx-xxx-xxx-xxx conf.d]# sudo yum update -y
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
Installing mod_ssl

[@ip-xxx-xxx-xxx-xxx conf.d]# sudo yum install -y mod_ssl
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
Resolving Dependencies
--> Running transaction check
---> Package mod_ssl.x86_64 1:2.4.52-1.amzn2 will be installed
--> Processing Dependency: sscg >= 2.2.0 for package: 1:mod_ssl-2.4.52-1.amzn2.x86_64
--> Running transaction check
---> Package sscg.x86_64 0:2.3.3-2.amzn2.0.1 will be installed
--> Processing Dependency: libtalloc.so.2(TALLOC_2.0.2)(64bit) for package: sscg-2.3.3-2.amzn2.0.1.x86_64
--> Processing Dependency: libtalloc.so.2()(64bit) for package: sscg-2.3.3-2.amzn2.0.1.x86_64
--> Running transaction check
---> Package libtalloc.x86_64 0:2.1.16-1.amzn2 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

=======================================================================================================================
 Package              Arch          Version                      Repository          Size
=======================================================================================================================
Installing:
 mod_ssl              x86_64        1:2.4.52-1.amzn2             amzn2-core         118 k
Installing for dependencies:
 libtalloc            x86_64        2.1.16-1.amzn2               amzn2-core          42 k
 sscg                 x86_64        2.3.3-2.amzn2.0.1            amzn2-core          51 k

Transaction Summary
=======================================================================================================================
Install  1 Package (+2 Dependent packages)

Total download size: 211 k
Installed size: 438 k
Downloading packages:
(1/3): libtalloc-2.1.16-1.amzn2.x86_64.rpm                              |  42 kB  00:00:00
(2/3): sscg-2.3.3-2.amzn2.0.1.x86_64.rpm                                |  51 kB  00:00:00
(3/3): mod_ssl-2.4.52-1.amzn2.x86_64.rpm                                | 118 kB  00:00:00
-----------------------------------------------------------------------------------------------------------------------
Total                                                          1.0 MB/s | 211 kB  00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : libtalloc-2.1.16-1.amzn2.x86_64                                 1/3
  Installing : sscg-2.3.3-2.amzn2.0.1.x86_64                                   2/3
  Installing : 1:mod_ssl-2.4.52-1.amzn2.x86_64                                 3/3
  Verifying  : sscg-2.3.3-2.amzn2.0.1.x86_64                                   1/3
  Verifying  : libtalloc-2.1.16-1.amzn2.x86_64                                 2/3
  Verifying  : 1:mod_ssl-2.4.52-1.amzn2.x86_64                                 3/3

Installed:
  mod_ssl.x86_64 1:2.4.52-1.amzn2

Dependency Installed:
  libtalloc.x86_64 0:2.1.16-1.amzn2          sscg.x86_64 0:2.3.3-2.amzn2.0.1

Complete!
[@ip-xxx-xxx-xxx-xxx conf.d]#
Checking the OpenSSL version

[ec2-user@ip-xxx-xxx-xxx-xxx ~]$ openssl version
OpenSSL 1.0.2k-fips  26 Jan 2017

Note that the OpenSSL 1.0.2 series shown here does not support TLS 1.3; it only goes up to TLS 1.2.
Moving to the conf directory

[ec2-user@ip-xxx-xxx-xxx-xxx ~]$ cd /etc/httpd/conf
Generating the key and certificate

[@ip-xxx-xxx-xxx-xxx conf]# openssl genrsa 2048 > server.key
Generating RSA private key, 2048 bit long modulus
...................................+++
..................+++
e is 65537 (0x10001)
[@ip-xxx-xxx-xxx-xxx conf]# openssl req -new -key server.key > server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[@ip-xxx-xxx-xxx-xxx conf]# openssl x509 -days 3650 -req -signkey server.key < server.csr > server.crt
Signature ok
subject=/C=XX/L=Default City/O=Default Company Ltd
Getting Private key
Moving the files
The certificate goes into ssl.crt/ and the private key into a directory that only the owner can enter (mode 700), with the key file itself made read-only for the owner.

[@ip-xxx-xxx-xxx-xxx conf]# mkdir ssl.crt
[@ip-xxx-xxx-xxx-xxx conf]# mv server.crt ssl.crt/
[@ip-xxx-xxx-xxx-xxx conf]#
[@ip-xxx-xxx-xxx-xxx conf]# mkdir -m 700 ssl.key
[@ip-xxx-xxx-xxx-xxx conf]# mv server.key ssl.key
[@ip-xxx-xxx-xxx-xxx conf]# chmod 400 ssl.key/server.key
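The key generation and file placement steps above are interactive, and because every DN prompt was left at its default the resulting subject has no Common Name and no subjectAltName, which browsers will not accept for a hostname. The script below is an added example, not code from the article or from the AWS documentation: it produces the same ssl.crt/server.crt and ssl.key/server.key layout non-interactively, sets a subjectAltName through an OpenSSL config file (this works on the 1.0.2k shown above as well as on current releases, unlike the newer -addext option), never lets the key be group- or world-readable even briefly, and then checks that the key directory is mode 700, the key is owner-only, and the certificate really belongs to the key. The target directory (/etc/httpd/conf in the article), the hostname and the 3650-day lifetime are assumptions passed as arguments.

```shell
#!/bin/sh
# Added example (not from the article or the AWS documentation): generate a
# self-signed server certificate non-interactively, place it in the
# ssl.crt/ and ssl.key/ layout used in the article, and verify the result.
# Assumptions: the target directory (/etc/httpd/conf in the article) and the
# hostname are passed as arguments; names below are constructed examples.
set -eu

# make_selfsigned CONF_DIR HOSTNAME [DAYS]
# Writes CONF_DIR/ssl.key/server.key and CONF_DIR/ssl.crt/server.crt.
make_selfsigned() {
    conf_dir="$1"
    host="$2"
    days="${3:-3650}"
    key="$conf_dir/ssl.key/server.key"
    crt="$conf_dir/ssl.crt/server.crt"

    mkdir -p "$conf_dir/ssl.crt"
    mkdir -p "$conf_dir/ssl.key"
    chmod 700 "$conf_dir/ssl.key"   # only the owner may enter the key directory

    # Request configuration: prompt=no replaces the interactive DN questions,
    # and a subjectAltName is set because clients no longer accept a bare CN.
    cfg=$(mktemp)
    cat > "$cfg" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $host
[v3_req]
subjectAltName = DNS:$host
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF

    # Key, request and self-signed certificate in one step. The subshell
    # umask ensures the key file is never group/world-readable, even briefly.
    (umask 077 && openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
        -keyout "$key" -out "$crt" -days "$days" \
        -config "$cfg" -extensions v3_req 2>/dev/null)
    rm -f "$cfg"

    chmod 400 "$key"   # read-only for the owner, as in the article
    chmod 644 "$crt"   # the certificate is public
}

# check_key_layout CONF_DIR
# Returns 0 when the key is owner-only, the key directory is mode 700, and the
# certificate actually belongs to the key (same RSA modulus).
check_key_layout() {
    conf_dir="$1"
    key="$conf_dir/ssl.key/server.key"
    crt="$conf_dir/ssl.crt/server.crt"
    [ -f "$key" ] && [ -f "$crt" ] || return 1

    # Group/other permission bits (columns 5-10 of ls -l) must all be "-".
    [ "$(ls -ld "$key" | cut -c5-10)" = "------" ] || return 1
    [ "$(ls -ld "$conf_dir/ssl.key" | cut -c5-10)" = "------" ] || return 1

    # A key/certificate mismatch makes httpd fail at start-up; catch it here.
    key_mod=$(openssl rsa -noout -modulus -in "$key" | openssl sha256)
    crt_mod=$(openssl x509 -noout -modulus -in "$crt" | openssl sha256)
    [ "$key_mod" = "$crt_mod" ]
}

# Usage on the instance (paths from the article, hostname is an example):
#   make_selfsigned /etc/httpd/conf www.example.com 3650 && check_key_layout /etc/httpd/conf
```

Run check_key_layout again whenever the key or certificate is replaced, and run `apachectl configtest` before the `systemctl restart httpd` in the next step, so that a permissions or key/certificate mismatch is caught without taking the running server down.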
Restarting Apache

[@ip-xxx-xxx-xxx-xxx conf]# sudo systemctl restart httpd