本日はRHEL8、CentOS8で起動するウェブサーバーであるNGINXにSSL設定をおこないます。「Let’s Encrypt」を使用して無料で設定することができます。サーバー証明書を設定するにあたって予めポート番号443を開放しておく必要があります。OSそのものと、ルーターなど両方に設定しておきます。最近はクラウドサービスの利用が増えてきているので、その場合も同様に開放しておきます。

まず最初に、Let’s EncryptのクライアントのCertbotというツールをインストールします。Windowsでも設定できるプログラムがあります。

sudo dnf install certbot


certbot --nginx


The following error was encountered:
[Errno 13] Permission denied: '/var/log/letsencrypt’
Either run as root, or set –config-dir, –work-dir, and –logs-dir to writeable paths.


sudo certbot --nginx


Saving debug log to /var/log/letsencrypt/letsencrypt.log
The requested nginx plugin does not appear to be installed

2021-06-22 20:47:01,121:DEBUG:certbot._internal.main:certbot version: 1.14.0
2021-06-22 20:47:01,122:DEBUG:certbot._internal.main:Location of certbot entry point: /bin/certbot
2021-06-22 20:47:01,122:DEBUG:certbot._internal.main:Arguments: ['–nginx’]
2021-06-22 20:47:01,122:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2021-06-22 20:47:01,138:DEBUG:certbot._internal.log:Root logging level set at 20
2021-06-22 20:47:01,139:INFO:certbot._internal.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2021-06-22 20:47:01,143:DEBUG:certbot._internal.plugins.selection:Requested authenticator nginx and installer nginx
2021-06-22 20:47:01,143:DEBUG:certbot._internal.plugins.selection:No candidate plugin
2021-06-22 20:47:01,143:DEBUG:certbot._internal.plugins.selection:Selected authenticator None and installer None


sudo dnf install python3-certbot-nginx


sudo certbot --nginx

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices)
(Enter 'c’ to cancel):

Please read the Terms of Service at You must
agree in order to register with the ACME server. Do you agree?

(Y)es/(N)o: y

Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let’s Encrypt project and the non-profit organization that
develops Certbot? We’d like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.

(Y)es/(N)o: y
Account registered.

Which names would you like to activate HTTPS for?


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c’ to cancel): 1
Requesting a certificate for
Performing the following challenges:
http-01 challenge for
Waiting for verification…
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/conf.d/drupal.conf
Redirecting all traffic on port 80 to ssl in /etc/nginx/conf.d/drupal.conf

Congratulations! You have successfully enabled

Subscribe to the EFF mailing list (email:


  • Congratulations! Your certificate and chain have been saved at:
    Your key file has been saved at:
    Your certificate will expire on 2021-09-20. To obtain a new or
    tweaked version of this certificate in the future, simply run
    certbot again with the “certonly" option. To non-interactively
    renew all of your certificates, run “certbot renew"
  • If you like Certbot, please consider supporting our work by: Donating to ISRG / Let’s Encrypt:
    Donating to EFF:

完了したら、NGINXの設定ファイルを確認してみます。「managed by Certbot」という記述の所がCertbotにより追記されたものです。さらに自動更新の設定も行います。期限切れの前に更新してくれます。

sudo systemctl enable --now certbot-renew.timer



Posted by admin