[PYTHON] The story of switching from WoSign to Let's Encrypt for a free SSL certificate

What triggered the certificate switch

The following article was published recently.

Firefox to block China's largest certificate authority WoSign for back-dating certificate issuance dates http://gigazine.net/news/20160928-wosign-firefox-block/

WoSign was convenient because it issued SSL certificates valid for several years for free, but a back-dating scandal is a problem.

When I was looking for somewhere to issue a free SSL certificate at the beginning of last year, WoSign was about the only notable option, but when I looked again, Let's Encrypt had moved from beta to an official service in April this year.

Leaving Beta, New Sponsors https://letsencrypt.org/2016/04/12/leaving-beta-new-sponsors.html

Good timing (laughs)

That's why I decided to drop a service that tampers with dates and looks suspicious.

How to set up Let's Encrypt

The setup procedure is so automated that it overturns conventional wisdom. Until now I had obtained paid SSL certificates for work, and I was surprised that the steps I took for granted back then simply aren't there.

Prerequisites

- You control the domain
- A web server reachable under that domain is running

Since there are only these two conditions, I already met them. Actually, it's hard to imagine wanting an SSL certificate without meeting them.

Installation procedure

Certificates are obtained with a tool called certbot. It lives on GitHub, so you pull it with git and run it.

cd /usr/local
git clone https://github.com/certbot/certbot
cd certbot/

The server in question was pinned to the CentOS 6.2 Vault repository, so for the steps that follow I had to temporarily enable the base and updates repositories.

vi /etc/yum.repos.d/CentOS-Base.repo

Then execute the following command.

./certbot-auto

A yum installation starts; press "y" to proceed. After a while, certificate creation started interactively on a blue dialog screen, but the domain name I wanted was not among the options, so I cancelled and quit.

Then obtain the certificate with the following command.

./certbot-auto certonly --webroot \
-w /var/www/hogehoge -d www.example.com \
-m [email protected] \
--agree-tos

certonly obtains the certificate without installing it into the web server configuration. --webroot selects the validation method: certbot writes a challenge file under <document root>/.well-known/acme-challenge/ and Let's Encrypt fetches it over plain HTTP (port 80) to prove you control the domain, so that path must be reachable from the internet and not blocked by rewrite rules or access restrictions. -w is the document root served for the domain. -d is the domain name the certificate is for (it must match what the virtual host actually serves). -m is the contact email address; it is used for expiry notices and other communications. --agree-tos states that you accept the terms of service.
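What --webroot actually arranges between certbot and the CA, as an added Python example that is not from the original post or from certbot itself: it computes the key authorization (token + "." + the RFC 7638 thumbprint of the ACME account key), writes it where the webroot plugin would, and then plays the CA side by reading the file back and comparing. The account key is the public RSA key from the RFC 7638 section 3.1 example; the token, the temporary webroot directory and all function names are this example's own.

```python
import base64
import hashlib
import json
import os
import secrets
import tempfile
from typing import Optional


def b64url(data: bytes) -> str:
    """base64url without padding, as used throughout JOSE and ACME."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required public members only,
    keys in lexicographic order, no whitespace. 'alg', 'kid' etc. are excluded."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: the exact string the CA expects to fetch."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def challenge_path(webroot: str, token: str) -> str:
    return os.path.join(webroot, ".well-known", "acme-challenge", token)


def place_challenge(webroot: str, token: str, jwk: dict) -> str:
    """Client side (what certbot's --webroot plugin does): write the key
    authorization to <webroot>/.well-known/acme-challenge/<token>."""
    path = challenge_path(webroot, token)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(key_authorization(token, jwk))
    return path


def validate_challenge(webroot: str, token: str, jwk: dict) -> bool:
    """CA side: it GETs http://<domain>/.well-known/acme-challenge/<token> over
    plain HTTP and compares the body with its own computation of the key
    authorization. Here the file is read from disk instead of over HTTP."""
    try:
        with open(challenge_path(webroot, token), "r", encoding="ascii") as fh:
            body = fh.read()
    except (FileNotFoundError, UnicodeDecodeError):
        return False
    # RFC 8555 section 8.3 lets the server ignore trailing whitespace.
    return body.rstrip() == key_authorization(token, jwk)


def new_token() -> str:
    """Tokens are base64url characters with at least 128 bits of entropy."""
    return secrets.token_urlsafe(32)


def simulate_issuance(jwk: dict, token: Optional[str] = None,
                      webroot: Optional[str] = None) -> dict:
    """Run the whole exchange locally: client writes the file, 'CA' checks it."""
    token = token or new_token()
    webroot = webroot or tempfile.mkdtemp(prefix="webroot-")   # stand-in for /var/www/hogehoge
    path = place_challenge(webroot, token, jwk)
    return {
        "webroot": webroot,
        "token": token,
        "path": path,
        "key_authorization": key_authorization(token, jwk),
        "valid": validate_challenge(webroot, token, jwk),
    }


# Constructed input: the RSA public key from the RFC 7638 section 3.1 example
# (public values only; the thumbprint needs no private key).
RFC7638_EXAMPLE_JWK = {
    "kty": "RSA",
    "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc"
         "_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0"
         "_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4"
         "vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
    "e": "AQAB",
    "alg": "RS256",
    "kid": "2011-04-29",
}

if __name__ == "__main__":
    result = simulate_issuance(RFC7638_EXAMPLE_JWK)
    print("wrote", result["path"])
    print("body ", result["key_authorization"])
    print("valid", result["valid"])
```

The account key is why a validation that passed once cannot simply be replayed: the file content is bound to your ACME account key through the thumbprint, so a challenge file left behind from another account or an old token does not validate. It also shows why the path must be served verbatim: any rewrite that alters the body (an HTML error page, a redirect to a login form) makes the comparison fail.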

The certificate was obtained, but the following warning was displayed during execution.

/root/.local/share/letsencrypt/lib/python2.6/site-packages/cryptography/__init__.py:26: DeprecationWarning: Python 2.6 is no longer supported by the Python core team, please upgrade your Python. A future version of cryptography will drop support for Python 2.6

When I googled, many people had run into Python version problems. Some simply ignored the warning, others worked around it with SCL (Software Collections).

~~ I also tried installing 2.7 from SCL, but it didn't go well. ~~ If you look in the following path, which is populated when certbot installs itself ...

ll /root/.local/share/letsencrypt/lib/python2.6/
total 344
lrwxrwxrwx 1 root root    32 September 29 13:53 2016 UserDict.py -> /usr/lib64/python2.6/UserDict.py
-rw-r--r-- 1 root root 10062 September 29 13:53 2016 UserDict.pyc
lrwxrwxrwx 1 root root    31 September 29 13:53 2016 _abcoll.py -> /usr/lib64/python2.6/_abcoll.py
-rw-r--r-- 1 root root 24165 September 29 13:53 2016 _abcoll.pyc
lrwxrwxrwx 1 root root    27 September 29 13:53 2016 abc.py -> /usr/lib64/python2.6/abc.py
-rw-r--r-- 1 root root  6357 September 29 13:53 2016 abc.pyc
lrwxrwxrwx 1 root root    30 September 29 13:53 2016 codecs.py -> /usr/lib64/python2.6/codecs.py
-rw-r--r-- 1 root root 39165 September 29 13:53 2016 codecs.pyc
lrwxrwxrwx 1 root root    27 September 29 13:53 2016 config -> /usr/lib64/python2.6/config
lrwxrwxrwx 1 root root    32 September 29 13:53 2016 copy_reg.py -> /usr/lib64/python2.6/copy_reg.py
(remainder omitted)

Symbolic links point directly at Python 2.6 like this. So no matter how you start a bash in which 2.7 is available, 2.7 isn't used and 2.6 is used by force, which is apparently why the warning appears. ~~

~~ The certificate itself has been created, so for now I'll leave it as is, but someday it may stop working entirely. ~~

- The /root/.local/share/letsencrypt/ folder is a cache, so delete it.
- Run scl enable python27 bash again
- Run the certbot-auto command

With the above, the 2.6 warning no longer appeared and 2.7 was used. In this state, a 2.7 cache was created under /root/.local/share/letsencrypt/lib/python2.7.

However, if you later run certbot-auto without scl enable python27 bash, it will be replaced with a 2.6 cache again, so be careful.

rm -rf /root/.local/share/letsencrypt
wget https://centos6.iuscommunity.org/ius-release.rpm
rpm -ivh ius-release.rpm
yum -y install python27 python27-devel python27-pip python27-setuptools python27-virtualenv

After the above installation, I logged on to the console again and ran certbot-auto; it found python2.7 and used it on its own. Python 2.7 is saved in the cache as well. With this method I'm happy because I can no longer make the mistake of forgetting scl enable, getting a 2.6 cache and seeing the warning.

Changing the Apache settings

Write the following in the VirtualHost for the site in the Apache configuration. On CentOS 6 Apache is 2.2, so the intermediate certificate goes in SSLCertificateChainFile; with Apache 2.4.8 or later you can point SSLCertificateFile at fullchain.pem instead. privkey.pem must stay readable by root only.

SSLCertificateFile /etc/letsencrypt/live/www.example.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.example.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/www.example.com/chain.pem

Then reload Apache and you're done. The paths under live/ are symlinks that certbot repoints on every renewal, so the same reload later picks up the renewed certificate.

service httpd reload

How to renew automatically

Let's Encrypt certificates are valid for only 90 days. Renewing by hand every time is tedious and easy to forget.

So put an entry in crontab so that renewal happens with a single command.

crontab -u root -e
00 03 01 * * source /opt/rh/python27/enable;/usr/local/certbot/certbot-auto renew --force-renew && /sbin/service httpd reload

The above forcibly renews the certificate at 3:00 am on the first day of every month. Cron can't express "every 90 days", so it runs monthly. Let's Encrypt limits how often the same certificate can be reissued (5 duplicate certificates per week), so once a month stays within the limit. Note, though, that --force-renew (accepted as an abbreviation of certbot's --force-renewal) reissues the certificate regardless of how long it has left; plain certbot-auto renew only acts on certificates with fewer than 30 days remaining, is safe to run daily or weekly, and never comes near the rate limits. Because of the &&, httpd is reloaded only when the renewal command exits successfully.
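The decision that plain certbot-auto renew makes (renew only when fewer than 30 days remain), as an added Python example that is not code from the original post or from certbot: it reads notAfter out of a PEM certificate with a minimal DER walk, reports the days remaining and answers whether a renewal is due. The certificate it builds for itself is a constructed, unsigned, key-less X.509 shell carrying only the fields this parser needs; point the script at /etc/letsencrypt/live/www.example.com/cert.pem for a real one, which parses the same way. Function names, the utc() helper and the RENEW_WITHIN_DAYS constant are this example's own (30 days is certbot's default renewal window).

```python
import base64
import datetime as dt

RENEW_WITHIN_DAYS = 30  # certbot's own "renew" acts when fewer days than this remain


def utc(*ymd_hms: int) -> dt.datetime:
    """Helper: an aware UTC datetime, e.g. utc(2016, 12, 28, 13, 53)."""
    return dt.datetime(*ymd_hms, tzinfo=dt.timezone.utc)


def _der(tag: int, body: bytes) -> bytes:
    """Encode one DER tag-length-value (definite lengths up to 65535 bytes)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body


def _read(buf: bytes, pos: int = 0):
    """Decode the element at pos; return (tag, body, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _children(body: bytes) -> list:
    out, pos = [], 0
    while pos < len(body):
        tag, inner, pos = _read(body, pos)
        out.append((tag, inner))
    return out


def _time(tag: int, body: bytes) -> dt.datetime:
    text = body.decode("ascii")
    if tag == 0x17:  # UTCTime YYMMDDHHMMSSZ; RFC 5280: 50-99 -> 19xx, 00-49 -> 20xx
        yy = int(text[:2])
        text = f"{1900 + yy if yy >= 50 else 2000 + yy}{text[2:]}"
    elif tag != 0x18:  # GeneralizedTime YYYYMMDDHHMMSSZ
        raise ValueError(f"unexpected Time tag 0x{tag:02x}")
    return dt.datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=dt.timezone.utc)


def pem_to_der(pem: str) -> bytes:
    b64 = "".join(line.strip() for line in pem.splitlines() if not line.startswith("-----"))
    return base64.b64decode(b64)


def certificate_validity(pem: str):
    """Return (notBefore, notAfter) of an X.509 certificate given in PEM form."""
    _, cert, _ = _read(pem_to_der(pem))   # Certificate ::= SEQUENCE { tbs, sigAlg, signature }
    _, tbs, _ = _read(cert)               # TBSCertificate ::= SEQUENCE
    fields = _children(tbs)
    if fields[0][0] == 0xA0:              # optional [0] EXPLICIT version
        fields = fields[1:]
    validity = fields[3][1]               # serialNumber, signature, issuer, validity, ...
    (t1, b1), (t2, b2) = _children(validity)[:2]
    return _time(t1, b1), _time(t2, b2)


def days_until_expiry(pem: str, now: dt.datetime) -> int:
    return (certificate_validity(pem)[1] - now).days   # negative once expired


def should_renew(pem: str, now: dt.datetime, threshold: int = RENEW_WITHIN_DAYS) -> bool:
    return days_until_expiry(pem, now) < threshold


def sample_certificate_pem(not_before: dt.datetime, not_after: dt.datetime) -> str:
    """CONSTRUCTED input: a structurally minimal, unsigned, key-less X.509 shell
    with just the fields the parser above walks. Not a real certificate."""
    def utctime(t):
        return _der(0x17, t.strftime("%y%m%d%H%M%SZ").encode("ascii"))

    def name(cn):  # Name ::= SEQUENCE OF RDN; RDN ::= SET OF { OID commonName, PrintableString }
        atv = _der(0x30, b"\x06\x03\x55\x04\x03" + _der(0x13, cn.encode("ascii")))
        return _der(0x30, _der(0x31, atv))

    sha256_rsa = _der(0x30, b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b" + b"\x05\x00")
    tbs = _der(0x30, b"".join([
        _der(0xA0, _der(0x02, b"\x02")),                       # version v3
        _der(0x02, b"\x01"),                                   # serialNumber
        sha256_rsa,                                            # signature algorithm
        name("Constructed Test CA"),                           # issuer
        _der(0x30, utctime(not_before) + utctime(not_after)),  # validity
        name("www.example.com"),                               # subject
        _der(0x30, b""),                                       # subjectPublicKeyInfo placeholder
    ]))
    der = _der(0x30, tbs + sha256_rsa + _der(0x03, b"\x00"))  # empty BIT STRING "signature"
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:   # e.g. /etc/letsencrypt/live/www.example.com/cert.pem
        with open(sys.argv[1]) as fh:
            pem = fh.read()
    else:                   # 90-day window starting at the timestamp seen in the listing above
        pem = sample_certificate_pem(utc(2016, 9, 29, 13, 53), utc(2016, 12, 28, 13, 53))
    now = dt.datetime.now(dt.timezone.utc)
    left = days_until_expiry(pem, now)
    print(f"notAfter={certificate_validity(pem)[1].isoformat()} days_left={left} renew={should_renew(pem, now)}")
```

Run daily from cron with the real cert.pem and this gives you the same "renew or not" answer certbot-auto renew reaches internally, which is also a cheap monitoring check: a negative days_left on a live server means the cron job has been failing silently.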

Conclusion

This time I summarized the measures taken in an emergency situation where the SSL certificate had to be moved to another organization because of a scandal on the certificate authority's side. ~~ It's a little regrettable that the Python version problem remains, but I'm glad I was able to resolve it for the time being. ~~ I can't find any other service like Let's Encrypt, so I'm a little worried that it's the only one, but I just hope the service continues forever.
