Let's Encrypt SSL certificates expire after three months.
Running the renewal command by hand on a schedule is a chore, so I automated the renewal with cron.
Creating the renewal script
Create a script that renews the Let's Encrypt SSL certificate.
$ cd ~
$ mkdir letsencrypt
$ vim letsencrypt/renew.sh
#!/bin/sh
# Run from the Redash compose directory so docker-compose finds its project.
cd /opt/redash/
# certbot runs in a throwaway container; the certificate store and the ACME webroot are bind-mounted from the host.
docker run -t --rm -v /opt/redash/nginx/certs:/etc/letsencrypt -v /opt/redash/nginx/certs-data:/data/letsencrypt deliverous/certbot renew --webroot --webroot-path=/data/letsencrypt
# Reload nginx so it picks up the renewed certificate files.
docker-compose kill -s HUP nginx
Run it to confirm that it works.
If the certificate is not yet close to expiring, the output reports it as skipped, which is fine.
$ sudo sh letsencrypt/renew.sh
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/example.redashapp.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certs are not due for renewal yet:
/etc/letsencrypt/live/example.redashapp.com/fullchain.pem expires on 2020-07-01 (skipped)
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Killing redash_nginx_1 ... done
Configuring cron
Once the script has been confirmed to work, configure cron to run it every month.
$ sudo vim /etc/cron.d/letsencrypt
PATH=/usr/local/bin:/usr/bin:/bin
0 0 1 * * root sh /home/ubuntu/letsencrypt/renew.sh
Restricting source IP addresses
If you simply restrict source IP addresses in Nginx, renewal of the Let's Encrypt SSL certificate stops working, so I configured Nginx to leave HTTP access (needed for the certificate renewal) unrestricted and to restrict HTTPS access to the specified IP address (198.51.100.0 in the example).
upstream redash {
    server redash:5000;
}

server {
    listen 80;
    listen [::]:80;
    server_name example.redashapp.com;

    if ($host != "example.redashapp.com") {
        return 444;
    }

    location ^~ /ping {
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://redash;
    }

    location / {
        rewrite ^ https://$host$request_uri? permanent;
    }

    # ACME HTTP-01 challenge files written by certbot; must stay reachable over plain HTTP from anywhere.
    location ^~ /.well-known {
        allow all;
        root /data/letsencrypt/;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.redashapp.com;

    if ($host != "example.redashapp.com") {
        return 444;
    }

    add_header Strict-Transport-Security "max-age=31536000" always;

    ssl_session_cache shared:SSL:20m;
    ssl_session_timeout 10m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "ECDH+AESGCM:ECDH+AES256:ECDH+AES128:!ADH:!AECDH:!MD5";
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4;
    ssl_certificate /etc/letsencrypt/live/example.redashapp.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.redashapp.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/example.redashapp.com/chain.pem;

    # Every peer is trusted to set X-Forwarded-For, so the allow/deny rules below
    # evaluate the address taken from that header rather than the TCP peer address.
    set_real_ip_from 0.0.0.0/0;
    real_ip_header X-Forwarded-For;
    real_ip_recursive on;

    allow 198.51.100.0;
    deny all;

    access_log /dev/stdout;
    error_log /dev/stderr info;

    # other configs

    location / {
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
        proxy_pass http://redash;
    }
}
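To see what the allow/deny rules in the 443 server actually act on, here is an added Python model (not from the original post, and a simplified reading of nginx's realip module rather than nginx's own code) of how real_ip_header X-Forwarded-For combined with set_real_ip_from resolves the client address; the peer addresses, the hypothetical 10.0.0.0/8 proxy range and the header values are constructed for the example.

```python
import ipaddress

# The post's allowlist ('allow 198.51.100.0; deny all;').
ALLOWLIST = ["198.51.100.0"]


def _parse(addr):
    try:
        return ipaddress.ip_address(addr.strip())
    except ValueError:
        return None


def resolve_client_ip(remote_addr, xff_header, trusted_cidrs, recursive=True):
    """Simplified model of nginx's realip module (assumption, not nginx source).

    The header is consulted only when the TCP peer (remote_addr) lies inside
    set_real_ip_from. With real_ip_recursive on, entries are examined from right
    to left and every trusted address is skipped; the first untrusted one becomes
    the client address. If every entry is trusted, the leftmost value wins, i.e.
    whatever the first hop put into the header.
    """
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    peer = _parse(remote_addr)
    if peer is None or not any(peer in n for n in trusted):
        return remote_addr
    client = remote_addr
    for raw in reversed([a for a in xff_header.split(",") if a.strip()]):
        ip = _parse(raw)
        if ip is None:  # stop at an unparsable entry, keep the last good value
            break
        client = str(ip)
        if not recursive or not any(ip in n for n in trusted):
            break
    return client


def decide(remote_addr, xff_header, trusted_cidrs):
    """Access decision the 443 server makes for one request."""
    return resolve_client_ip(remote_addr, xff_header, trusted_cidrs) in ALLOWLIST


if __name__ == "__main__":
    # Constructed sample: header 'X-Forwarded-For: 198.51.100.0, 203.0.113.7' as a
    # proxy at 10.0.0.5 would forward it (the real client 203.0.113.7 appended last).
    print(decide("10.0.0.5", "198.51.100.0, 203.0.113.7", ["0.0.0.0/0"]))  # True: header value decides
    print(decide("10.0.0.5", "198.51.100.0, 203.0.113.7", ["10.0.0.0/8"]))  # False: real client is 203.0.113.7
    print(decide("203.0.113.7", "198.51.100.0", ["10.0.0.0/8"]))  # False: untrusted peer, header ignored
```

With set_real_ip_from 0.0.0.0/0 the allowlist is evaluated against a header value that any connecting client can supply, so it only restricts access if something in front of nginx rewrites that header. Restrict set_real_ip_from to the address range of the proxy that actually sits in front of nginx, or remove the real_ip directives entirely when clients connect to nginx directly.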