====== Let's Encrypt with FreeBSD 12, Apache 2.4 and certbot! ======
I accidentally ran ''sudo rm -rf *'' on the self-signed certificate of my home server, so I decided to set up proper SSL with Let's Encrypt. When I tried it, it turned out to be surprisingly easy. The official certbot site has [[https://certbot.eff.org/lets-encrypt/freebsd-apache|setup instructions for each OS and httpd]], so all you do is follow them.
The method in this article is somewhat dated and is missing the step of reloading the renewed certificate into the server. Please refer to [[freebsd_13_apache24_certbot]] instead (it says FreeBSD 13, but it should work on 12 as well).
===== Tested environment =====
* FreeBSD 12.0-RELEASE-p4
* Apache 2.4.41
* py36-certbot-0.37.1
* py36-certbot-apache-0.37.1
===== Installing certbot =====
Install certbot quickly with pkg. Since I want to renew in webroot mode, I also install the plugin for apache.
<code>
$ sudo pkg install py36-certbot py36-certbot-apache
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
Checking integrity... done (0 conflicting)
The following 16 package(s) will be affected (of 0 checked):
New packages to be INSTALLED:
py36-certbot: 0.37.1,1
py36-certbot-apache: 0.37.1
(snip)
[16/16] Extracting py36-certbot-apache-0.37.1: 100%
Message from py36-certbot-0.37.1,1:
===========================================================================
This port installs the "standalone" client only, which does not use and
is not the certbot-auto bootstrap/wrapper script.
The simplest form of usage to obtain certificates is:
# sudo certbot certonly --standalone -d <domain1>, [domain2, ... domainN]>
NOTE:
The client requires the ability to bind on TCP port 80 or 443 (depending
on the --preferred-challenges option used). If a server is running on that
port, it will need to be temporarily stopped so that the standalone server
can listen on that port to complete the challenge authentication process.
For more information on the 'standalone' mode, see:
https://certbot.eff.org/docs/using.html#standalone
The certbot plugins to support apache and nginx certificate installation
will be made available in the following ports:
* Apache plugin: security/py-certbot-apache
* Nginx plugin: security/py-certbot-nginx
===========================================================================
</code>
certbot has two modes, Standalone and Webroot: the former, as its name says, uses certbot on its own, while the latter obtains and renews certificates in cooperation with another service (here, the running Apache).
===== Obtaining the certificate =====
Obtain the certificate with certbot.
Pass Apache's document root with ''-w'' and the FQDN of the domain to be certified with ''-d''. The first time only, you are asked a few things about your email address; answer as appropriate.
The certificate is placed under ''/usr/local/etc/letsencrypt/live/<the FQDN you specified>/''.
<code>
$ sudo certbot certonly --webroot -w /usr/home/www/ -d hoge.example.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): admin@example.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: a
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: n
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for hoge.example.com
Using the webroot path /usr/home/www for all unmatched domains.
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/usr/local/etc/letsencrypt/live/hoge.example.com/fullchain.pem
Your key file has been saved at:
/usr/local/etc/letsencrypt/live/hoge.example.com/privkey.pem
Your cert will expire on 2019-11-15. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /usr/local/etc/letsencrypt. You should
make a secure backup of this folder now. This configuration
directory will also contain certificates and private keys obtained
by Certbot so making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
</code>
===== Apache SSL configuration =====
Configure SSL in Apache. It may be more reliable to use the configuration produced by the [[https://ssl-config.mozilla.org/|Mozilla SSL Configuration Generator]]...
Copy the sample file.
<code>
$ cd /usr/local/etc/apache24
$ sudo cp extra/httpd-ssl.conf Includes/
$ sudo emacs Includes/httpd-ssl.conf
</code>
The important directives are ''SSLCertificateFile'' and ''SSLCertificateKeyFile''.
<code apache>
SSLRandomSeed startup file:/dev/random 512
SSLRandomSeed connect file:/dev/random 512
Listen 443
SSLCipherSuite !3DES:!aNULL:EDH+HIGH:ECDH+HIGH:-AES128:-3DES:-DSS:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA
SSLProxyCipherSuite !3DES:!aNULL:EDH+HIGH:ECDH+HIGH:-AES128:-3DES:-DSS:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA
SSLHonorCipherOrder on
# Note: this still allows TLS 1.0 and 1.1; the Mozilla generator linked above gives a stricter setting.
SSLProtocol all -SSLv2 -SSLv3
SSLProxyProtocol all -SSLv2 -SSLv3
SSLPassPhraseDialog builtin
SSLSessionCache "shmcb:/var/run/ssl_scache(512000)"
SSLSessionCacheTimeout 300

# Container directives as in the stock extra/httpd-ssl.conf (assumed; adjust the cgi-bin path to your layout).
<VirtualHost _default_:443>
DocumentRoot "/usr/home/www"
ServerName hoge.example.com:443
ServerAdmin you@example.com
ErrorLog "/var/log/httpd-error.log"
TransferLog "/var/log/httpd-access.log"
SSLEngine on
# Let's Encrypt files: fullchain.pem (leaf plus intermediates) and the matching private key
SSLCertificateFile "/usr/local/etc/letsencrypt/live/hoge.example.com/fullchain.pem"
SSLCertificateKeyFile "/usr/local/etc/letsencrypt/live/hoge.example.com/privkey.pem"
<FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/usr/local/www/apache24/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-5]" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0
CustomLog "/var/log/httpd-ssl_request.log" \
    "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
</code>
===== Setting up automatic certificate renewal =====
Let's Encrypt certificates are valid for 90 days, so don't forget to set up automatic renewal.
Renewal is performed over http. Therefore, configure your router and Apache so that http://<target domain>/.well-known/acme-challenge/ is reachable from outside. Beware of one trap: if your in-house DNS answers for the target domain, the site is visible from the browser on your work PC but unreachable from outside, and renewal fails.
First, a test.
<code>
$ sudo certbot --dry-run renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /usr/local/etc/letsencrypt/renewal/hoge.example.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for hoge.example.com
Using the webroot path /usr/home/www for all unmatched domains.
Waiting for verification...
Cleaning up challenges
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/usr/local/etc/letsencrypt/live/hoge.example.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)
Congratulations, all renewals succeeded. The following certs have been renewed:
/usr/local/etc/letsencrypt/live/hoge.example.com/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
IMPORTANT NOTES:
- Your account credentials have been saved in your Certbot
configuration directory at /usr/local/etc/letsencrypt. You should
make a secure backup of this folder now. This configuration
directory will also contain certificates and private keys obtained
by Certbot so making regular backups of this folder is ideal.
</code>
That looks fine, so add it to ''/etc/crontab''.
<code>
$ echo "0 0,12 * * * root python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew" | sudo tee -a /etc/crontab > /dev/null
</code>
(Added 2021-05-04)
Since some version, certbot has supported the system's periodic job configuration (''/etc/periodic.conf''). Read the Message printed at the end of the ports/pkg installation carefully.
Well, the traditional crontab approach should keep working too.
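The note at the top says this page omits reloading Apache after a renewal, and the dry run above even prints "deployed without reload". The following check is an added example of mine (not from this page or from certbot): it compares the leaf certificate httpd actually presents on port 443 with the one in certbot's live directory, so a renewed-but-not-reloaded certificate shows up before the old one expires. The hostname and live path are assumptions taken from the page's example values.

```python
"""Detect a renewed-but-not-reloaded certificate: compare what Apache serves on 443
with the leaf certificate in certbot's live directory. Added example; hostname and
paths are assumptions based on the page's example values."""
import hashlib
import socket
import ssl
import sys

LIVE_DIR = "/usr/local/etc/letsencrypt/live"  # certbot's live directory on FreeBSD (from the page)
PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def first_pem_cert(pem_text: str) -> str:
    """Return the first certificate block of a PEM bundle (fullchain.pem lists the leaf first)."""
    start = pem_text.index(PEM_BEGIN)
    stop = pem_text.index(PEM_END, start) + len(PEM_END)
    return pem_text[start:stop] + "\n"


def fingerprint(pem_cert: str) -> str:
    """SHA-256 fingerprint (hex) of one PEM certificate, computed over its DER bytes."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem_cert)).hexdigest()


def certs_match(disk_bundle: str, served_pem: str) -> bool:
    """True when the leaf on disk is the same certificate the server presented."""
    return fingerprint(first_pem_cert(disk_bundle)) == fingerprint(first_pem_cert(served_pem))


def served_cert(host: str, port: int = 443) -> str:
    """Fetch the leaf certificate presented for `host` (with SNI) as PEM. Verification is
    disabled on purpose: we want to inspect even a stale or expired certificate."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return ssl.DER_cert_to_PEM_cert(tls.getpeercert(binary_form=True))


def main(host: str) -> int:
    with open(f"{LIVE_DIR}/{host}/fullchain.pem") as f:
        disk = f.read()
    if certs_match(disk, served_cert(host)):
        print(f"{host}: served certificate matches live/{host}/fullchain.pem")
        return 0
    print(f"{host}: served certificate differs from disk; reload httpd (apachectl graceful)")
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else "hoge.example.com"))
```

Run it from the cron job after ''certbot renew'' (or from a monitoring host) and alert on a non-zero exit status.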
===== References =====
* [[http://www.yomaigoto.jp/archives/557|[FreeBSD10] Installing Let's Encrypt | 世迷言]]
* [[https://certbot.eff.org/lets-encrypt/freebsd-apache|Certbot - Freebsd Apache]]
* [[https://qiita.com/f_uto/items/4178a9fdd657b78672ea|How to use Let's Encrypt: standalone and webroot - Qiita]]
* [[https://qiita.com/bageljp@github/items/6b9876b7571852284ead|Configuring SSL certificates on apache 2.4 - Qiita]]
* [[https://qiita.com/papillon/items/f56a6f278609270a392c|Tuning the SSLCipherSuite setting used by mod_ssl - Qiita]]
* [[https://ssl-config.mozilla.org/|Mozilla SSL Configuration Generator]]