# vi /etc/httpd/conf/httpd.conf

Listen 80
SxymoerverAdmin webmaster@mail.bigbang.example.jp
ServerName www.bigbang.example.jp:80
Options Includes ExecCGI FollowSymLinks　←　CGI・SSI許可、ファイル一覧表示禁止
AllowOverride All　←　.htaccessの許可
DirectoryIndex index.html index.html.var index.htm
#AddDefaultCharset UTF-8　←　コメントアウトする
AddHandler cgi-script .cgi .pl　←　CGIスクリプトに.plを追加
# httpd.confの最終行に下記4行を追記
ServerTokens prod　←　エラーページ等でOS名を表示しないようにする
ServerSignature off　←　エラーページ等でApacheのバージョンを表示しないようにする
HostnameLookups off
KeepAlive on　←　接続の定期的チェックをオン

# service httpd restart
# chkconfig httpd on　←　apache自動起動設定
# chkconfig --level httpd　←　apache自動起動設定確認
httpd         0:off   1:off   2:on    3:on    4:on    5:on    6:off　←　ランレベル2〜5のonを確認

# vi /etc/httpd/conf/httpd.conf
NameVirtualHost *:80
<VirtualHost *:80>
  ServerName www.bigbang.example.jp
</VirtualHost>
<VirtualHost *:80>
  ServerName www_other.bigbang.mydns.jp
  DocumentRoot /home/www_other/public_html
  ScriptAlias /cgi-bin/ "/home/public/cgi-bin"
  DirectoryIndex index.htm
  Options Indexes MultiViews
</VirtualHost>

<VirtualHost *:80>
  ServerName www_other.bigbang.mydns.jp
  DocumentRoot /home/www_other/public_html
  ScriptAlias /cgi-bin/ "/home/www_other/cgi-bin"
  DirectoryIndex index.htm
  Options Indexes MultiViews
  TransferLog logs/www_other.bigbang.example.jp_log　←　追記
  ErrorLog logs/www_other.bigbang.example.jp-error_log　←　追記
</VirtualHost>

www		IN	A 	192.168.0.1
www_other 	IN	CNAME	www

# mkdir work
# cd work/

# wget http://ftp.riken.jp/Linux/centos/7/os/x86_64/Packages/openssl-1.0.2k-19.el7.x86_64.rpm

# rpm2cpio openssl-1.0.2k-19.el7.x86_64.rpm | cpio -id ./etc/pki/tls/misc/CA

# mv -i etc/pki/tls/misc/CA /etc/pki/tls/misc/

/etc/pki/tls/misc/CA -h
（下記のように、表示されればOKです。）
usage: ./CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify

# sed -i "s/365/3650/g" /etc/pki/tls/openssl.cnf
# sed -i "s/365/3650/g" /etc/pki/tls/misc/CA
# sed -i "s/1095/3650/g" /etc/pki/tls/misc/CA

# cd /etc/pki/tls/certs/
# /etc/pki/tls/misc/CA -newca
CA certificate filename (or enter to create)
Making CA certificate ...
Generating a 2048 bit RSA private key
.............................................................+++
..........................................+++
writing new private key to '/etc/pki/CA/private/./cakey.pem'
Enter PEM pass phrase:　←　パスワードを入力
Verifying - Enter PEM pass phrase:　←　パスワードを入力（再確認用）
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:Tokyo
Locality Name (eg, city) [Default City]:（ENTER）
Organization Name (eg, company) [Default Company Ltd]:BIGBANG
Organizational Unit Name (eg, section) []:（ENTER）
Common Name (eg, your name or your server's hostname) []:bigbang.mydns.jp
Email Address []:webmaster@mail.bigbang.mydns.jp     
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:（ENTER）
An optional company name []:（ENTER）
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/./cakey.pem:　←　cakey.pem作成時のパスワードを入力
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 9348937751764410289 (0x81be195a39281fb1)
        Validity
            Not Before: Mar  3 08:14:45 2016 GMT
            Not After : Mar  1 08:14:45 2026 GMT
        Subject:
            countryName               = JP
            stateOrProvinceName       = Tokyo
            organizationName          = BIGBANG
            commonName                = bigbang.mydns.jp
            emailAddress              = webmaster@mail.bigbang.mydns.jp
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                79:00:……
            X509v3 Authority Key Identifier: 
                keyid:79:00:……
            X509v3 Basic Constraints: 
                CA:TRUE
Certificate is to be certified until Mar  1 08:14:45 2026 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated

failed to update database
TXT_DB error number 2

# rm /etc/pki/CA/private/cakey.pem
# rm /etc/pki/CA/index.txt

# openssl x509 -inform pem -in /etc/pki/CA/cacert.pem -outform der -out /var/www/html/cacert.der

# yum -y install mod_ssl

# cd /etc/pki/tls/certs/

# openssl genrsa -out server.key -aes256 2048
Generating RSA private key, 2048 bit long modulus
......................+++
....+++
e is 65537 (0x10001)
Enter pass phrase for server.key:パスワードを入力
Verifying - Enter pass phrase for server.key:パスワードを入力（再確認用）

# openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:Tokyo
Locality Name (eg, city) [Default City]:空ENTER
Organization Name (eg, company) [Default Company Ltd]:BIGBANG
Organizational Unit Name (eg, section) []:空ENTER
Common Name (eg, your name or your server's hostname) []:www.bigbang.mydns.jp
Email Address []:webmaster@mail.bigbang.mydns.jp
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:空ENTER
An optional company name []:空ENTER

# openssl ca -config /etc/pki/tls/openssl.cnf -in server.csr -keyfile /etc/pki/CA/private/cakey.pem \
-cert /etc/pki/CA/cacert.pem -out server.crt
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 9348937751764410292 (0x81be195a39281fb4)
        Validity
            Not Before: Mar  3 10:30:24 2016 GMT
            Not After : Mar  1 10:30:24 2026 GMT
        Subject:
            countryName               = JP
            stateOrProvinceName       = Tokyo
            organizationName          = BIGBANG
            commonName                = www.bigbang.mydns.jp
            emailAddress              = webmaster@mail.bigbang.mydns.jp
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                81:06:……
            X509v3 Authority Key Identifier: 
                keyid:DE:A6:……
Certificate is to be certified until Mar  1 10:30:24 2026 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

（…省略…）
Sign the certificate? [y/n]:y
failed to update database
TXT_DB error number 2

# ls -l /etc/pki/CA/newcerts
合計 32
-rw-r--r-- 1 root root 4510  3月  3 16:43 81BE195A39281FB0.pem
-rw-r--r-- 1 root root 4504  3月  3 17:14 81BE195A39281FB1.pem
-rw-r--r-- 1 root root 4504  3月  3 18:44 81BE195A39281FB2.pem
-rw-r--r-- 1 root root 4504  3月  3 19:21 81BE195A39281FB3.pem
# openssl ca -revoke /etc/pki/CA/newcerts/81BE195A39281FB0.pem 
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Adding Entry with serial number 81BE195A39281FB0 to DB \
for /C=JP/ST=Tokyo/O=BIGBANG/CN=www.bigbang.mydns.jp/ailAddress=postmaster@mail.bigbang.mydns.jp
Revoking Certificate 81BE195A39281FB0.
Data Base Updated

# openssl rsa -in server.key -out server.key
Enter pass phrase for server.key:　←　サーバ秘密鍵・証明書作成時のパスワードを入力
writing RSA key

# openssl rsa -in server.key -text

# openssl req -in server.csr -text

# openssl x509 -in server.crt -text

or

# openssl s_client -connect localhost:443 | openssl x509 -text -noout

or

※Let's Encryptの場合
# openssl x509 -in /etc/letsencrypt/live/（管理しているドメイン名）/cert.pem -text

# echo | openssl s_client -connect www.bigbang.mydns.jp:443 -showcerts | openssl x509 -dates -noout
depth=0 C = JP, ST = Tokyo, L = Chiyoda-Ku, O = BIGBNAG, CN = www.bigbang.mydns.jp, emailAddress = webmaster@mail.bigbang.mydns.jp
verify error:num=18:self signed certificate
verify return:1
depth=0 C = JP, ST = Tokyo, L = Chiyoda-Ku, O = BIGBNAG, CN = www.bigbang.mydns.jp, emailAddress = webmaster@mail.bigbang.mydns.jp
verify return:1
DONE
notBefore=Aug 13 23:55:10 2015 GMT
notAfter=Aug 12 23:55:10 2020 GMT

# vi /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/pki/tls/certs/server.crt　←　サーバ証明書を指定
SSLCertificateKeyFile /etc/pki/tls/certs/server.key　←　サーバ秘密鍵を指定
#  General setup for the virtual host, inherited from global configuration
#DocumentRoot "/var/www/html"　←　#を削除（コメント解除）
DocumentRoot "/var/www/html"

https://（Webサーバ名、または、IPアドレス）/

# dnf --enablerepo=epel -y install snapd
# systemctl enable --now snapd.socket
# ln -s /var/lib/snapd/snap /snap
# snap install core
##### updateがあるかもしれないのでrefreshする。
# snap refresh core

##### インストール済Snapパッケージ一覧
# snap list
No snaps are installed yet. Try 'snap install hello-world'.

##### hello-worldパッケージをインストール
# snap install hello-world
hello-world 6.4 from Canonical✓ installed
[root@nezumi ~]# snap list
Name         Version    Rev    Tracking       Publisher     Notes
core         16-2.51.1  11316  latest/stable  canonical✓    core
core20       20210429   1026   latest/stable  canonical✓    base
hello-world  6.4        29     latest/stable  canonical✓    -

##### パッケージ情報を表示
# snap info hello-world
name:      hello-world
summary:   The 'hello-world' of snaps
publisher: Canonical✓
store-url: https://snapcraft.io/hello-world
contact:   snaps@canonical.com
license:   unset
description: |
  This is a simple hello world example.
commands:
  - hello-world.env
  - hello-world.evil
  - hello-world
  - hello-world.sh
snap-id:      buPKUD3TKqCOgLEjjHx5kSiCpIs5cMuQ
tracking:     latest/stable
refresh-date: today at 13:32 JST
channels:
  latest/stable:    6.4 2019-04-17 (29) 20kB -
  latest/candidate: 6.4 2019-04-17 (29) 20kB -
  latest/beta:      6.4 2019-04-17 (29) 20kB -
  latest/edge:      6.4 2019-04-17 (29) 20kB -
installed:          6.4            (29) 20kB -

##### アプリケーション実行
# hello-world
Hello World!

##### 実PATHは下記のとおり
# which hello-world
/var/lib/snapd/snap/bin/hello-world

##### 実体はリンク
# ll /var/lib/snapd/snap/bin/hello-world
lrwxrwxrwx. 1 root root 13  7月 12 13:32 /var/lib/snapd/snap/bin/hello-world -> /usr/bin/snap

##### アプリケーションの無効化
# snap disable hello-world
hello-world disabled
# snap list
Name         Version    Rev    Tracking       Publisher     Notes
core         16-2.51.1  11316  latest/stable  canonical✓    core
core20       20210429   1026   latest/stable  canonical✓    base
hello-world  6.4        29     latest/stable  canonical✓    disabled

# hello-world
-bash: /var/lib/snapd/snap/bin/hello-world: No such file or directory

##### アプリケーションの有効化
# snap enable hello-world
hello-world enabled
# hello-world
Hello World!

##### アンインストールする場合は以下
##### [snap remove] 実行にはシステムにtarコマンドが必要
##### CentOS Minimal Install にはtarは含まれていない
# snap remove hello-world
hello-world removed

# snap list
Name     Version    Rev    Tracking       Publisher     Notes
core     16-2.51.1  11316  latest/stable  canonical✓    core
core20   20210429   1026   latest/stable  canonical✓    base

# snap install certbot --classic
certbot 1.17.0 from Certbot Project (certbot-eff✓) installed

# ln -s /snap/bin/certbot /usr/bin/certbot

##### --webroot指定で稼働中Webサーバの公開ディレクトリ配下を認証用の一時領域に使用
##### -w ＜ドキュメントルート＞ -d ＜証明書を取得したいFQDN＞
##### FQDN（Fully Qualified Domain Name）：ホスト名.ドメイン名を省略なしで表記
##### ドキュメントルートはバーチャルホストで複数のホスト定義がある場合、該当するホスト定義のものを指定
##### 証明書を取得したいFQDNが複数ある場合は、-d ＜証明書を取得したいFQDN＞を複数指定
##### 例 : bigbang.mydns.jp/www.bigbang.mydns.jp の二つについて取得する場合
##### ⇒ ＜-d bigbang.mydns.jp -d www.bigbang.mydns.jp＞

# certbot certonly --webroot -w /var/www/html -d www.bigbang.mydns.jp
Bootstrapping dependencies for RedHat-based OSes that will use Python3... (you can skip this with --no-bootstrap)
dnf is /usr/bin/dnf
dnf is hashed (/usr/bin/dnf)
.....
.....
##### 初回のみメールアドレスの登録と利用条件への同意が必要
##### 受信可能なメールアドレスを指定
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): root@mail.bigbang.mydns.jp

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# 利用条件に同意する
(A)gree/(C)ancel: A

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.bigbang.mydns.jp
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/www.bigbang.mydns.jp/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/www.bigbang.mydns.jp/privkey.pem
   Your cert will expire on 2020-03-17. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this dir now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this dir is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

##### [Congratulations] と表示されれば成功
##### メッセージ中に記載の通り [/etc/letsencrypt/live/(FQDN)/] 配下に証明書が取得されている

##### cert.pem       ⇒ SSLサーバー証明書(公開鍵含む)
##### chain.pem      ⇒ 中間証明書
##### fullchain.pem  ⇒ cert.pem と chain.pem が結合されたファイル
##### privkey.pem    ⇒ 公開鍵に対する秘密鍵

##### Snapd の Certbot パッケージはタイマーが付属
# systemctl status snap.certbot.renew.timer
*  snap.certbot.renew.timer - Timer renew for snap application certbot.renew
   Loaded: loaded (/etc/systemd/system/snap.certbot.renew.timer; enabled; vendo>
   Active: active (waiting) since Thu 2021-01-07 19:42:23 JST; 51min ago
  Trigger: Thu 2021-01-07 23:26:00 JST; 2h 52min left

Jan 07 19:42:23 dlp.srv.world systemd[1]: Started Timer renew for snap applicat>

##### デフォルトでは以下のように毎日2回、renewを実行
# systemctl cat snap.certbot.renew.timer
# /etc/systemd/system/snap.certbot.renew.timer
[Unit]
# Auto-generated, DO NOT EDIT
Description=Timer renew for snap application certbot.renew
Requires=var-lib-snapd-snap-certbot-1280.mount
After=var-lib-snapd-snap-certbot-1280.mount
X-Snappy=yes

[Timer]
Unit=snap.certbot.renew.service
OnCalendar=*-*-* 11:42
OnCalendar=*-*-* 14:32

[Install]
WantedBy=timers.target

# certbot renew --post-hook "systemctl restart httpd"

オプション
• –dry-run
  実際には証明書を更新しないでコマンドを実行します。–pre-hook、–post-hookで指定したコマンドは実行されます。このオプションはcertonlyサブコマンドでも使用可能です。
• –force-renewal
  有効期限までの日数に関わらず、強制的に証明書を更新します。ただし、一定期間内に更新できる回数には制限があります。
• –post-hook
  証明書の更新後に実行するコマンドを指定します。更新が必要なときのみ（＝デフォルトでは証明書の有効期限が30日未満となっている場合）実行されます。一般的には、更新された証明書を反映するために再起動するコマンドを指定します。
• –pre-hook
  証明書の更新前に実行するコマンドを指定します。更新が必要なときのみ（＝デフォルトでは証明書の有効期限が30日未満となっている場合）実行されます。

/etc/letsencrypt/renewal/<ドメイン名>.conf

# /usr/bin/certbot renew --post-hook "systemctl restart httpd" --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/www.bigbang.mydns.jp.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for www.bigbang.mydns.jp

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all simulated renewals succeeded: 
  /etc/letsencrypt/live/www.bigbang.mydns.jp/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

# ls -l /etc/letsencrypt/archive/www.bigbang.mydns.jp/*[56].pem
-rw-r--r--. 1 root root 1854  8月 23 22:18 /etc/letsencrypt/archive/www.bigbang.mydns.jp/cert5.pem
-rw-r--r--  1 root root 1854 10月 23 09:25 /etc/letsencrypt/archive/www.bigbang.mydns.jp/cert6.pem
-rw-r--r--. 1 root root 3749  8月 23 22:18 /etc/letsencrypt/archive/www.bigbang.mydns.jp/chain5.pem
-rw-r--r--  1 root root 3749 10月 23 09:25 /etc/letsencrypt/archive/www.bigbang.mydns.jp/chain6.pem
-rw-r--r--. 1 root root 5603  8月 23 22:18 /etc/letsencrypt/archive/www.bigbang.mydns.jp/fullchain5.pem
-rw-r--r--  1 root root 5603 10月 23 09:25 /etc/letsencrypt/archive/www.bigbang.mydns.jp/fullchain6.pem
-rw-------. 1 root root 1704  8月 23 22:18 /etc/letsencrypt/archive/www.bigbang.mydns.jp/privkey5.pem
-rw-------  1 root root 1704 10月 23 09:25 /etc/letsencrypt/archive/www.bigbang.mydns.jp/privkey6.pem

# openssl s_client -connect localhost:443 | openssl x509 -text -noout
Can't use SSL_get_servername
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = www.bigbang.mydns.jp
verify return:1
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
              **:**:**:**:**:**:**:**:**:**:**:**:**:**:**:**:**:**:**:**:
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Let's Encrypt, CN = R3
        Validity
            Not Before: Oct 22 23:25:25 2021 GMT
            Not After : Jan 20 23:25:24 2022 GMT
        Subject: CN = www.bigbang.mydns.jp
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
（以下、省略）

# systemctl cat snap.certbot.renew.timer
# /etc/systemd/system/snap.certbot.renew.timer
[Unit]
# Auto-generated, DO NOT EDIT
Description=Timer renew for snap application certbot.renew
Requires=var-lib-snapd-snap-certbot-1280.mount
After=var-lib-snapd-snap-certbot-1280.mount
X-Snappy=yes

[Timer]
Unit=snap.certbot.renew.service
OnCalendar=*-*-* 11:42
OnCalendar=*-*-* 14:32

[Install]
WantedBy=timers.target

# vi /etc/systemd/system/snap.certbot.renew.timer
OnCalendar=*-*-* 14:32
　↓　下記に変更
OnCalendar=*-*-* 23:42

# systemctl daemon-reload

# systemctl cat snap.certbot.renew.timer
# /etc/systemd/system/snap.certbot.renew.timer
[Unit]
# Auto-generated, DO NOT EDIT
Description=Timer renew for snap application certbot.renew
Requires=var-lib-snapd-snap-certbot-1280.mount
After=var-lib-snapd-snap-certbot-1280.mount
X-Snappy=yes

[Timer]
Unit=snap.certbot.renew.service
OnCalendar=*-*-* 11:42
OnCalendar=*-*-* 23:42

[Install]
WantedBy=timers.target

# systemctl list-timers|grep -e NEXT -e certbot
NEXT                         LEFT          LAST                         PASSED       UNIT                         ACTIVATES
Mon 2021-07-12 23:42:00 JST  2h 15min left n/a                          n/a          snap.certbot.renew.timer     snap.certbot.renew.service

$ echo | openssl s_client -connect www.bigbang.mydns.jp:443 -showcerts | openssl x509 -dates -noout
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = www.bigbang.mydns.jp
verify return:1
notBefore=Jun  8 17:05:54 2021 GMT
notAfter=Sep  6 17:05:54 2021 GMT

• 認証方法がwebrootでそのパスが/usr/share/nginx/certbot/www.bigbang.mydns.jpになっていた。
  恐らく、SnapdのSSL導入時はNginxを使用し証明書を取得していたのだと思われます。
  現在はApacheを使用。
• NginxからApacheに変更したことにより、Invalid response from https://www.bigbang.mydns.jp/.well-known/acme-challenge/・・・となってしまったこと。

# mkdir -p /usr/share/nginx/html/.well-known/acme-challenge

# vi /etc/httpd/conf/httpd.conf
※末尾に追記
Alias /.well-known/acme-challenge /usr/share/nginx/html/.well-known/acme-challenge
<Directory /usr/share/nginx/html/.well-known/acme-challenge>
  Order allow,deny
  Allow from all
</Directory>

# systemctl restart httpd

# ls -l /etc/letsencrypt/archive/www.bigbang.mydns.jp/
合計 100
-rw-r--r--. 1 root root 1858  6月  9 03:05 cert4.pem
-rw-r--r--. 1 root root 1854  8月 23 22:18 cert5.pem
-rw-r--r--. 1 root root 3749  6月  9 03:05 chain4.pem
-rw-r--r--. 1 root root 3749  8月 23 22:18 chain5.pem
-rw-r--r--. 1 root root 5607  6月  9 03:05 fullchain4.pem
-rw-r--r--. 1 root root 5603  8月 23 22:18 fullchain5.pem
-rw-------. 1 root root 1704  6月  9 03:05 privkey4.pem
-rw-------. 1 root root 1704  8月 23 22:18 privkey5.pem

# systemctl start httpd

# ls -l /etc/letsencrypt/live/www.bigbang.mydns.jp/
合計 4
-rw-r--r--. 1 root root 692  5月 15 23:55 README
lrwxrwxrwx. 1 root root  44  8月 23 22:18 cert.pem -> ../../archive/www.bigbang.mydns.jp/cert5.pem
lrwxrwxrwx. 1 root root  45  8月 23 22:18 chain.pem -> ../../archive/www.bigbang.mydns.jp/chain5.pem
lrwxrwxrwx. 1 root root  49  8月 23 22:18 fullchain.pem -> ../../archive/www.bigbang.mydns.jp/fullchain5.pem
lrwxrwxrwx. 1 root root  47  8月 23 22:18 privkey.pem -> ../../archive/www.bigbang.mydns.jp/privkey5.pem

# ls -l /etc/letsencrypt/renewal/www.bigbang.mydns.jp.conf
-rw-r--r--. 1 root root 703  8月 23 22:18 /etc/letsencrypt/renewal/www.bigbang.mydns.jp.conf

# systemctl cat snap.certbot.renew.timer
# /etc/systemd/system/snap.certbot.renew.timer
[Unit]
# Auto-generated, DO NOT EDIT
Description=Timer renew for snap application certbot.renew
Requires=var-lib-snapd-snap-certbot-1343.mount
After=var-lib-snapd-snap-certbot-1343.mount
X-Snappy=yes

[Timer]
Unit=snap.certbot.renew.service
OnCalendar=*-*-* 07:32
OnCalendar=*-*-* 18:01

[Install]
WantedBy=timers.target

# certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/www.bigbang.mydns.jp.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for www.bigbang.mydns.jp

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all simulated renewals succeeded: 
  /etc/letsencrypt/live/www.bigbang.mydns.jp/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

# scp /etc/letsencrypt/archive/* new_server:/etc/letsencrypt/archive/
# scp /etc/letsencrypt/live/* new_server:/etc/letsencrypt/live/
# scp /etc/letsencrypt/renewal/* new_server:/etc/letsencrypt/renewal/

[root@new_server ~]# certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/www.bigbang.mydns.jp.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for www.bigbang.mydns.jp

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all simulated renewals succeeded: 
  /etc/letsencrypt/live/www.bigbang.mydns.jp/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

# certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/www.bigbang.mydns.jp.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Failed to renew certificate www.bigbang.mydns.bz with error: \
    You should register before running non-interactively, or provide --agree-tos and --email <email_address> flags.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All simulated renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/www.bigbang.mydns.jp/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. \
    See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/www.bigbang.mydns.jp.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Failed to renew certificate www.bigbang.mydns.jp with error: /
    Account at /etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/fef6***********************4103 does not exist

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/www.bigbang.mydns.bz/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. \
    See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

 ls -l /etc/letsencrypt/accounts
合計 0
drwx------ 3 root root 23  9月 23 23:02 acme-staging-v02.api.letsencrypt.org
drwx------ 3 root root 23  9月 23 23:03 acme-v02.api.letsencrypt.org

# ls -l /etc/letsencrypt/accounts/acme-*/directory
/etc/letsencrypt/accounts/acme-staging-v02.api.letsencrypt.org/directory:
合計 0

/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory:
合計 0

# rsync -avz /etc/letsencrypt/accounts/acme-staging-v02.api.letsencrypt.org/directory/* \
    new_server:/etc/letsencrypt/accounts/acme-staging-v02.api.letsencrypt.org//directory/
# rsync -avz /etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory/* new_server:/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory/

# certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/www.bigbang.mydns.bz.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for www.bigbang.mydns.bz

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all simulated renewals succeeded: 
  /etc/letsencrypt/live/www.bigbang.mydns.bz/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

[root@new_server ~]# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/www.bigbang.mydns.jp.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certificates are not due for renewal yet:
  /etc/letsencrypt/live/www.bigbang.mydns.jp/fullchain.pem expires on 2022-01-25 (skipped)
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

[root@new_server ~]# certbot renew --force-renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/www.bigbang.mydns.jp.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Failed to renew certificate www.bigbang.mydns.jp with error: \
 Account at /etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/f9963706d349d1e0349a78********** does not exist

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/www.bigbang.mydns.jp/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

[root@new_server ~]# certbot certonly --webroot -w /var/www/html -d www.bigbang.mydns.jp
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Certificate not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/www.bigbang.mydns.jp.conf)

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Keep the existing certificate for now
2: Renew & replace the certificate (may be subject to CA rate limits)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate for www.bigbang.mydns.jp

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/www.bigbang.mydns.jp/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/www.bigbang.mydns.jp/privkey.pem
This certificate expires on 2022-02-20.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

root@ew_server~]# ll /etc/letsencrypt/archive/www.bigbang.mydns.jp/
　：
-rw-r--r-- 1 root root 1854 10月 28 04:48 cert7.pem
-rw-r--r-- 1 root root 1854 11月 22 15:49 cert8.pem
　：
-rw-r--r-- 1 root root 3749 10月 28 04:48 chain7.pem
-rw-r--r-- 1 root root 3749 11月 22 15:49 chain8.pem
　：
-rw-r--r-- 1 root root 5603 10月 28 04:48 fullchain7.pem
-rw-r--r-- 1 root root 5603 11月 22 15:49 fullchain8.pem
　：
-rw------- 1 root root 1704 10月 28 04:48 privkey7.pem
-rw------- 1 root root 1708 11月 22 15:49 privkey8.pem

[root@sew_server ~]# systemctl restart httpd

[root@sew_server ~]# echo | openssl s_client -connect www.bigbang.mydns.jp:443 -showcerts | openssl x509 -dates -noout
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = www.bigbang.mydns.jp
verify return:1
DONE
notBefore=Nov 22 05:49:38 2021 GMT
notAfter=Feb 20 05:49:37 2022 GMT

件名：Anacron job 'cron.monthly' on ホスト名

内容：/etc/cron.monthly/update_sslcert.sh:

===== Update SSL Certfile =====
2023年  8月 25日 金曜日 04:07:01 JST Update SSL Certfile start
/ not root-owned 1000:1000
2023年  8月 25日 金曜日 04:07:01 JST Update SSL Certfile end

# grep "1000:1000" /etc/passwd
hoge:x:1000:1000:hoge:/home/hoge:/bin/bash

# ls -alh /
合計 1.3M
drwxr-xr-x.  27 hoge  hoge  4.0K  8月  1 18:37 .
drwxr-xr-x.  27 hoge  hoge  4.0K  8月  1 18:37 ..
lrwxrwxrwx.   1 root  root     7  6月 22  2021 bin -> usr/bin
dr-xr-xr-x.   5 root  root  4.0K  8月 24 23:52 boot
drwxr-xr-x   22 root  root  3.7K  8月 24 23:52 dev

.と..のアクセス権を変更
# chown root. /.
# chown root. /..

# ls -alh /
合計 1.3M
drwxr-xr-x.  27 root  root  4.0K  8月  1 18:37 .
drwxr-xr-x.  27 root  root  4.0K  8月  1 18:37 ..

# bash -x /etc/cron.monthly/update_sslcert.sh
+ CERTBOT_CMD=/usr/bin/certbot
+ WEBSERVER_RESTART_CMD='systemctl restart httpd'
+ MAILTO=hoge@mail.bigbang.mydns.bz
+ echo '===== Update SSL Certfile ====='
===== Update SSL Certfile =====
++ date
+ echo '2023年  8月 25日 金曜日 07:55:39 JST Update SSL Certfile start'
2023年  8月 25日 金曜日 07:55:39 JST Update SSL Certfile start
+ /usr/bin/certbot renew --post-hook 'systemctl restart httpd' --force-renewal
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/www.bigbang.mydns.bz.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Failed to renew certificate www.bigbang.mydns.bz with error: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with \
url: /directory (Caused by ProxyError('Your proxy appears to only use HTTP and not HTTPS, try changing your proxy URL to be HTTP. \
See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#https-proxy-error-http-proxy', SSLError(SSLError(1, \
'[SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:1131)'))))

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/www.bigbang.mydns.bz/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log \
or re-run Certbot with -v for more details.
+ LE_STATUS=1
+ '[' 1 '!=' 0 ']'
+ echo 'Update SSL Certfile failed'
++ hostname
+ mail -s 'Update SSL Certfile in ホスト名' hoge@mail.bigbang.mydns.bz
++ date
+ echo '2023年  8月 25日 金曜日 07:55:41 JST Update SSL Certfile end'
2023年  8月 25日 金曜日 07:55:41 JST Update SSL Certfile end

# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: www.bigbang.mydns.bz
    Serial Number: ***********************************
    Key Type: RSA
    Domains: www.bigbang.mydns.bz
    Expiry Date: 2023-10-22 18:29:52+00:00 (VALID: 58 days)
    Certificate Path: /etc/letsencrypt/live/www.bigbang.mydns.bz/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.bigbang.mydns.bz/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

# yum install epel-release
# yum install certbot python-certbot-apache

下記のように、一度にインストールすることもできます。
# yum -y epel-release && yum -y install certbot{,-apache}

# certbot certonly --webroot -w /var/www/html/ -d www.bigbang.mydns.jp

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): メールアドレスを入力

Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org

-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf. You must agree
in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: A

-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: N

Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.bigbang.mydns.jp
Using the webroot path /var/www/www.bigbang.mydns.jp for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/www.bigbang.mydns.jp/fullchain.pem. Your cert
will expire on 2017-07-16. To obtain a new or tweaked version of
this certificate in the future, simply run certbot again. To
non-interactively renew *all* of your certificates, run "certbot
renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this dir now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this dir is ideal.
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

# ls -l /etc/letsencrypt/live/www.bigbang.mydns.jp/
合計 4
-rw-r--r--. 1 root root 692 10月 25 17:33 README
lrwxrwxrwx. 1 root root  44 10月 25 17:33 cert.pem -> ../../archive/www.bigbang.mydns.jp/cert1.pem
lrwxrwxrwx. 1 root root  45 10月 25 17:33 chain.pem -> ../../archive/www.bigbang.mydns.jp/chain1.pem
lrwxrwxrwx. 1 root root  49 10月 25 17:33 fullchain.pem -> ../../archive/www.bigbang.mydns.jp/fullchain1.pem
lrwxrwxrwx. 1 root root  47 10月 25 17:33 privkey.pem -> ../../archive/www.bigbang.mydns.jp/privkey1.pem

cert.pem         SSLCertificateFile         サーバ証明書
chain.pem        SSLCertificateChainFile    中間CA証明書
fullchain.pem    SSLCertificateFile         サーバ証明書＋中間CA証明書を結合したもの
privkey.pem      SLCertificateKeyFile       サーバ証明書の秘密鍵

# vi /etc/httpd/conf.d/ssl.conf
...
SSLCertificateFile /etc/letsencrypt/live/[サーバーのドメイン]/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/[サーバーのドメイン]/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/[サーバーのドメイン]/chain.pem
...

# systemctl start httpd

# firewall-cmd --add-service=https --zone=public --permanent
# firewall-cmd --reload

# vi /etc/letsencrypt/letsencrypt-renew.sh
#!/bin/sh
certbot renew -q --no-self-upgrade --post-hook "systemctl restat httpd.service"

# chmod 0700 /etc/letsencrypt/letsencrypt-renew.sh
# crontab -e

0 3 * * * /etc/letsencrypt/letsencrypt-renew.sh

# vi /etc/cron.monthly/certbot
#!/bin/bash
log=`mktemp`
code=0

which certbot > /dev/null 2>&1
if [ $? -eq 0 ]; then
    CERTBOT=`which certbot`
else
    CERTBOT=`which certbot-auto`
fi

#
# 証明書更新
#
for conf in `ls /etc/letsencrypt/renewal/`
do
    # ドメイン名取得
    domain=`echo ${conf}|sed -e 's/\([^ ]*\)\.conf/\1/p' -e d`

    # 認証方式取得
    authenticator=`grep authenticator /etc/letsencrypt/renewal/${conf}|awk '{print $3}'`

    if [ ${authenticator} = 'webroot' ]; then
        # Web認証の場合

        # ドキュメントルート取得
        webroot=`grep webroot_path /etc/letsencrypt/renewal/${conf}|grep =|awk '{print $3}'|awk -F '[,]' '{print $1}'`

        # 証明書更新
        ${CERTBOT} certonly --webroot \
        -w ${webroot} -d ${domain} --renew-by-default >> ${log} 2>&1
        [ $? -ne 0 ] && cat ${log}
    else
        # スタンドアロン認証の場合

        # 証明書更新
        lsof -i:80 > /dev/null 2>&1
        if [ $? -eq 0 ]; then
            echo 'Webサーバー稼働中のためスタンドアロン認証不可'
        else
            ${CERTBOT} certonly -a standalone \
            -d ${domain} --renew-by-default >> ${log} 2>&1
            [ $? -ne 0 ] && cat ${log}
        fi
    fi
    
    # 古い証明書を削除
    find /etc/letsencrypt/archive/${domain}/ -mtime +30 -delete
    
done

#
# 証明書更新反映
#

# Webサーバー設定再読込み
lsof -i:443 > /dev/null 2>&1
if [ $? -eq 0 ]; then
    rpm -q systemd > /dev/null 2>&1
    if [ $? -eq 0 ]; then
        systemctl reload httpd
    else
        /etc/rc.d/init.d/httpd reload > /dev/null 2>&1
    fi
fi

# SMTPサーバー設定再読込み
lsof -i:465 > /dev/null 2>&1
if [ $? -eq 0 ]; then
    rpm -q systemd > /dev/null 2>&1
    if [ $? -eq 0 ]; then
        systemctl reload postfix
    else
        /etc/rc.d/init.d/postfix reload > /dev/null 2>&1
    fi
fi

# IMAPサーバー設定再読込み
lsof -i:995 > /dev/null 2>&1
if [ $? -eq 0 ]; then
    rpm -q systemd > /dev/null 2>&1
    if [ $? -eq 0 ]; then
        systemctl reload dovecot
    else
        /etc/rc.d/init.d/dovecot reload > /dev/null 2>&1
    fi
fi

#
# ログをsyslogへ出力後削除
#
cat ${log}|logger -t `basename ${0}` ; rm -f ${log}

# chmod +x /etc/cron.monthly/certbot

# vi /etc/cron.monthly/update_sslcert.sh
#!/bin/bash
#
CERTBOT_CMD=/usr/bin/certbot
WEBSERVER_RESTART_CMD="systemctl restart httpd"

MAILTO=root@mail.bigbang.mydns.jp

echo "===== Update SSL Certfile ====="
echo "`date` Update SSL Certfile start"

# 証明書の更新
${CERTBOT_CMD} renew --post-hook "${WEBSERVER_RESTART_CMD}" --force-renewal

LE_STATUS=$?

# 証明書の取得に失敗したときはメールで通知
if [ "$LE_STATUS" != 0 ]; then
    echo "Update SSL Certfile failed" |mail -s "Update SSL Certfile in `hostname`" ${MAILTO}
fi

echo "`date` Update SSL Certfile end"

# EOF

# chmod +x /etc/cron.monthly/update_sslcert.sh

# rpm -ql certbot
/etc/letsencrypt
/etc/sysconfig/certbot
/usr/bin/certbot
/usr/bin/letsencrypt
/usr/lib/systemd/system/certbot-renew.service
/usr/lib/systemd/system/certbot-renew.timer
/usr/share/doc/certbot-1.11.0
/usr/share/doc/certbot-1.11.0/CHANGELOG.md
/usr/share/doc/certbot-1.11.0/README.fedora
/usr/share/doc/certbot-1.11.0/README.rst
/usr/share/licenses/certbot-1.11.0
/usr/share/licenses/certbot-1.11.0/LICENSE.txt
/var/lib/letsencrypt

# systemctl enable --now certbot-renew.timer
Created symlink from /etc/systemd/system/timers.target.wants/certbot-renew.timer to /usr/lib/systemd/system/certbot-renew.timer.

# systemctl list-timers
NEXT                         LEFT          LAST                         PASSED    UNIT                         ACTIVATES
月 2021-07-12 22:03:09 JST  3min 16s left n/a                          n/a       systemd-tmpfiles-clean.timer systemd-tmpfiles-clean
火 2021-07-13 00:00:00 JST  2h 0min left  月 2021-07-12 21:48:24 JST  11min ago unbound-anchor.timer         unbound-anchor.service
火 2021-07-13 08:15:55 JST  10h left      n/a                          n/a       certbot-renew.timer          certbot-renew.service

3 timers listed.

# vi /etc/sysconfig/certbot
POST_HOOK="--post-hook 'systemctl reload nginx'"

例：lsyncd.conf
sync{
        default.rsync, 
        source="/etc/letsencrypt/archive/www.bigbang.mydns.jp", 
        target="***.***.***.***::letsencrypt_archive", 
        delay = 5,
        rsync = {
            perms = true,
            owner = true,
            group = true,
            verbose = true,
        },
}

※***.***.***.***は送り先側のIPアドレス

例：rsync.conf
[letsencrypt_archive]
        comment = Web証明書（Let's Encrypt）
        path = /etc/letsencrypt/archive/www.bigbang.mydns.jp/
        hosts allow = ***.***.***.***/**
        read only = no

※：受け入れる送信元のIPアドレス、または、ネットワークアドレス

例：cron.weekly
certbot_ln.sh
# certbot_ln.sh

# Let's EncryptのSSL証明書を別サーバの更新後実施しているため、
# 証明書最新版に正常にリンクが張られないための処置。 

# 証明書各ファイルのアーカイブフォルダ、「*」付き
ARCH_DIR=/etc/letsencrypt/archive/www.bigbang.mydns.jp/*
# 各証明書の最新版へのリンク先を示すフォルダ、「*」付き
LIVE_DIR=/etc/letsencrypt/live/www.bigbang.mydns.jp/*
# cronでの起動間隔（日）
DAY=7    # cron.weekly（7日間に1回）で動かして、証明書が更新されていればリンクを張り直す
# 出力ファイル
OUTPUT=/tmp/certbot_ln.txt
# 証明書各ファイルのアーカイブフォルダ
ARCHIVE=/etc/letsencrypt/archive/www.bigbang.mydns.jp/
# 各証明書の最新版へのリンク先を示すフォルダ
LIVE=/etc/letsencrypt/live/www.bigbang.mydns.jp/

# 現在から7日（144時間）前までに更新された証明書があれば、それを抜き出す
find $ARCH_DIR -mtime -$DAY -ls|awk '{print $11}' > $OUTPUT

# 条件分岐
if [ -s $OUTPUT ]; then
    rm -f $OUTPUT
    logger -i -t crond Let's Encryptの証明書は更新されませんでした。
    exit
  else
    rm -f $LIVE_DIR
    while read line
    do
      BASENAME_ARCH=`basename $line`
      BASENAME_LIVE=`basename $line|sed -e "s/[0-9]//g"`
      ln -s $ARCHIVE$BASENAME_ARCH $LIVE$BASENAME_LIVE
      logger -i -t crond "ln -s $ARCHIVE$BASENAME_ARCH $LIVE$BASENAME_LIVE"
    done < $OUTPUT
    rm -f $OUTPUT
    logger -i -t crond Let's Encryptの証明書が更新されたため、リンクを更新しました。
fi

# Webサーバー設定再読込み
lsof -i:443 > /dev/null 2>&1
if [ $? -eq 0 ]; then
    rpm -q systemd > /dev/null 2>&1
  if [ $? -eq 0 ]; then
    systemctl reload httpd
  else
    /etc/rc.d/init.d/httpd reload > /dev/null 2>&1
  fi
fi

/etc/cron.monthly/certbot:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate for www.bigbang.mydns.jp
Performing the following challenges:
http-01 challenge for www.bigbang.mydns.jp
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Challenge failed for domain www.bigbang.mydns.jp
http-01 challenge for www.bigbang.mydns.jp
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.bigbang.mydns.jp
   Type:   unauthorized
   Detail: Invalid response from
   http://www.bigbang.mydns.jp/.well-known/acme-challenge/3aMlO3dIun9S2b-dG1BFBMGRA2bWKEUO0SrLiekBBHQ
   [***.***.***.136]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>404 Not
   Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

# /etc/cron.monthly/certbot　←　2回実行
# certbot certonly -w /var/www/html/ -d www.bigbang.mydns.jp　1回実行
# certbot certonly --apache -d www.bigbang.mydns.jp -d www.bigbang.mydns.jp　←　1回実行
# /etc/cron.monthly/certbot　←　1回実行
# certbot certonly --apache -d www.bigbang.mydns.jp -d www.bigbang.mydns.jp　←　1回実行

cronの実行1回を含め、下記の5回目で発行数制限に引っかかってしまったようです。
# /etc/cron.monthly/certbot　←　1回実行
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate for www.bigbang.mydns.jp
An unexpected error occurred:
There were too many requests of a given type :: Error creating new order \
    :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/
Please see the logfiles in /var/log/letsencrypt for more details.

# certbot certonly --apache -d www.bigbang.mydns.jp -d www.bigbang.mydns.jp
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/www.bigbang.mydns.jp.conf)

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Keep the existing certificate for now
2: Renew & replace the certificate (may be subject to CA rate limits)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate for www.bigbang.mydns.jp
An unexpected error occurred:
There were too many requests of a given type :: Error creating new order \
    :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/
Please see the logfiles in /var/log/letsencrypt for more details.

# cp /etc/pki/tls/certs/server.key /var/www/html/server.der

# vi /var/www/cgi-bin/certificate.cgi
#!/bin/sh
echo "Content-type: application/x-x509-ca-cert"
echo "Content-Disposition: attachment; filename=server.der"
echo
cat /var/www/html/server.
# chown +x /var/www/cgi-bin/certificate.cgi

# useradd test
# ls -ld /home/test
drwx------ 4 test test 4096  9月 17 13:26 /home/test
# chmod 701 /home/test
# su - test
$ mkdir /home/test/webdav
$ chmod 777 webdav
$ ls -ld webdav
drwxrwxrwx 2 test test 4096  9月 17 15:00 webdav

# vi /etc/httpd/conf.d/ssl.conf
Alias /webdav /home/test/webdav
  <Location "/webdav">
    DAV On　←　webdav機能の有効
    SSLRequireSSL
    AuthType Basic　←　BASIC認証の有効化
    AuthName WebDAV
    AuthUserFile /var/www/.davpasswd　←　BASIC認証用パスワードの保存場所
      <LimitExcept OPTIONS PROPFIND>
      Require user davaccount　←　記載されているユーザのみ接続可
      #Require valid-user
      </LimitExcept>
    Header add MS-Author-Via "DAV"
    Order deny,allow
    Deny from all
    Allow from 192.168.0.0/255.255.255.0　←　192.168.0.0./24のネットワークからアクセス可
    Allow from 100.145.43　←　100.145.43.0のネットワークからアクセス可
    Allow from 100.145.49　←　100.145.49.0のネットワークからアクセス可
  </Location>
LimitExceptディレクティブは下記エラーログ対処のために追加
192.168.0.100 - - [06/Aug/2015:16:36:54 +0900] "OPTIONS /webdav/ HTTP/1.1" 401 401
192.168.0.100 - - [06/Aug/2015:16:40:55 +0900] "PROPFIND /webdav/ HTTP/1.1" 401 401
ただし、LimitExceptディレクティブにPROPFINDを設定すると該当フォルダは読み取り専用となります。

# htpasswd -c -m /var/www/.davpasswd davaccount　←　「davaccount」の作成：作成されるファイルのアクセス権及び所有者注意
New password:　←　パスワードの入力
Re-type new password:　←　パスワードの入力（再確認用）
Adding password for user davaccount
# chmod 600 /var/www/.davpasswd
# chown apache /var/www/.davpasswd

補足：アカウント削除方法
# htpasswd -D /etc/httpd/conf/.davpasswd davaccount
Deleting password for user davaccount

# service httpd restart

configure: Configured to build cadaver 0.23.3:

Install prefix: /usr/local
Compiler: gcc
Neon library: included libneon (0.29.1)
XML Parser: expat
SSL library: SSL support is not enabled
Internationalization: Built using native support
GNU readline support: enabled

# ./configure --with-ssl=openssl

$ cadaver https://www.bigbang.mydns.jp/webdav/　←　cadaverを使用して確認
WARNING: Untrusted server certificate presented for `www.bigbang.mydns.jp':
Issued to: bigbang, Chiyoda-Ku, Tokyo-To, JP
Issued by: bigbang, Chiyoda-Ku, Tokyo-To, JP
Certificate is valid from Thu, 30 Oct 2008 07:51:29 GMT to Wed, 30 Oct 2013 07:51:29 GMT
Do you wish to accept the certificate? (y/n)　←　「y」を入力
Authentication required for webdav on server `www.bigbang.mydns.jp':
Username:　←　パスワードファイルに設定されているユーザを入力
Password:　←　上記ユーザのパスワードを入力
dav:/webdav/>　←　右のように表示されればOK
プロキシサーバが途中にある場合は、下記のようにします。
$ cadaver -p, --proxy=PROXY[:PORT] https://サーバ名/フォルダ

ファイルのアップロード
$ curl --digest --user 'user:pass' -T SomeFile.html 'http://uwiki.net/uwiki/SomeFile.html'
ディレクトリの作成
$ curl --digest --user 'user:pass' -X MKCOL http://uwiki.net/uwiki/
ファイルの移動及びリネーム
$curl --digest --user 'user:pass' -X MOVE --header 'Destination: http://uwiki.net/uwiki/curl_dav.html' http://quad/svn/SomeFile.html
ディレクトリ内のリスト表示
$ curl -i -X PROPFIND http://uwiki.org/uwiki/ --upload-file - -H "Depth: 1" <<end
<?xml version="1.0"?>
<a:propfind xmlns:a="DAV:">
<a:prop><a:resourcetype/></a:prop>
</a:propfind>
end

SSL接続
$ curl --tlsv1 https://＜URL＞/
SSL接続（証明書の検証なし）
$ curl -k --tlsv1 https://＜URL＞/
または
$ curl --insecure --tlsv1 https://＜URL＞/
SSLかつBASIC認証限定接続のサイト
$ curl --user user:password --tlsv1 https://＜URL＞/
SSLかつBASIC認証に限らない（Digest認証、NTLM認証）サイト
$ curl --user user:password --tlsv1 https://＜URL＞/
リクエストヘッダやレスポンスヘッダを表示する
$ curl -v --tlsv1 https://＜URL＞/

# tail -f /var/log/httpd/ssl_access_log
192.168.0.1 - - [26/Aug/2016:17:59:24 +0900] "PROPFIND /webdav/ HTTP/1.1" 405 233

# vi /etc/hosts
192.168.0.1（仮想IP）      www.bigbang.mydns.jp
　↓ 
10.0.0.1（実IP）      www.bigbang.mydns.jp

• prefork
  安定した通信が可能ですが、アクセスが多い場合CPUとメモリを多く使用します。
• worker
  マルチスレッドとマルチプロセスのハイブリッド型。preforkに比べてメモリとCPU使用量が少ない。
• event
  Apache2.4系から導入されたマルチスレッドとマルチプロセスのモジュール。CPUとメモリの使用量が少ない。

# dnf module list php
メタデータの期限切れの最終確認: 2:23:26 時間前の 2021年06月07日 13時11分58秒 に実施しました。
CentOS Stream 8 - AppStream
Name                  Stream                   Profiles                                       Summary                               
php                   7.2 [d]                  common [d], devel, minimal                     PHP scripting language 
php                   7.3                      common [d], devel, minimal                     PHP scripting language 
php                   7.4 [e]                  common [d] [i], devel, minimal                 PHP scripting language 

Remi's Modular repository for Enterprise Linux 8 - x86_64
Name                  Stream                   Profiles                                       Summary                               
php                   remi-7.2                 common [d], devel, minimal                     PHP scripting language 
php                   remi-7.3                 common [d], devel, minimal                     PHP scripting language 
php                   remi-7.4                 common [d], devel, minimal                     PHP scripting language 
php                   remi-8.0                 common [d], devel, minimal                     PHP scripting language 

ヒント: [d]efault, [e]nabled, [x]disabled, [i]nstalled

# dnf module -y install php:7.4

# dnf -y install php-gd php-intl php-mysqlnd php-opcache php-pdo php-process

# dnf module list php
メタデータの期限切れの最終確認: 0:30:03 時間前の 2021年12月19日 12時20分26秒 に実施しました。
CentOS Stream 8 - AppStream
Name                   Stream                    Profiles                                    Summary
php                    7.2 [d]                   common [d], devel, minimal                  PHP scripting language
php                    7.3                       common [d], devel, minimal                  PHP scripting language
php                    7.4                       common [d], devel, minimal                  PHP scripting language

Remi's Modular repository for Enterprise Linux 8 - x86_64
Name                   Stream                    Profiles                                    Summary
php                    remi-7.2                  common [d], devel, minimal                  PHP scripting language
php                    remi-7.3                  common [d], devel, minimal                  PHP scripting language
php                    remi-7.4                  common [d], devel, minimal                  PHP scripting language
php                    remi-8.0                  common [d], devel, minimal                  PHP scripting language
php                    remi-8.1                  common [d], devel, minimal                  PHP scripting language

ヒント: [d]efault, [e]nabled, [x]disabled, [i]nstalled


# dnf module install php:remi-8.0

# dnf module list php
メタデータの期限切れの最終確認: 0:37:06 時間前の 2021年12月19日 12時20分26秒 に実施しました。
CentOS Stream 8 - AppStream
Name                 Stream                      Profiles                                      Summary
php                  7.2 [d]                     common [d], devel, minimal                    PHP scripting language
php                  7.3                         common [d], devel, minimal                    PHP scripting language
php                  7.4                         common [d], devel, minimal                    PHP scripting language

Remi's Modular repository for Enterprise Linux 8 - x86_64
Name                 Stream                      Profiles                                      Summary
php                  remi-7.2                    common [d], devel, minimal                    PHP scripting language
php                  remi-7.3                    common [d], devel, minimal                    PHP scripting language
php                  remi-7.4                    common [d], devel, minimal                    PHP scripting language
php                  remi-8.0 [e]                common [d] [i], devel, minimal                PHP scripting language
php                  remi-8.1                    common [d], devel, minimal                    PHP scripting language

ヒント: [d]efault, [e]nabled, [x]disabled, [i]nstalled

# php -v
PHP 8.0.14 (cli) (built: Dec 16 2021 03:01:07) ( NTS gcc x86_64 )
Copyright (c) The PHP Group
Zend Engine v4.0.14, Copyright (c) Zend Technologies

$ php -v

# cp -p /etc/php-fpm.d/www.conf /etc/php-fpm.d/www.conf.org

# vi /etc/php-fpm.d/www.conf
※変更しそうな箇所を列挙します。
;ユーザ、グループ
user = apache
group = apache
;ソケット接続用
listen.owner = apache
listen.group = apache
listen.mode = 0660
;パフォーマンスに関するパラメータ
;デフォルトでの設定だとメモリを多く使い過ぎてしまうことがありますので、数値を低めにすると防止できます。
pm.max_children = 50
;php-fpmのサービス開始時に起動される子プロセスの数になります。
pm.start_servers = 10
;待ち状態にあるphp-fpm子プロセスの最小の数値になります。
pm.min_spare_servers = 10
;待ち状態にあるphp-fpm子プロセスの最大の数値になります。
pm.max_spare_servers = 35
;子プロセスが再起動するまでに実行するリクエスト数です。
pm.max_requests = 500

# systemctl enable --now php-fpm

# cp -p /etc/php.ini /etc/php.ini.org

# vi /etc/php.ini
※変更しそうな箇所を列挙します。
;PHPのバージョンを非表示にします。
expose_php = Off
;アップロードサイズの変更
post_max_size = 400M
;「post_max_size」パラメータの変更だけでは、ファイルのアップロード容量を増やせないため、あわせて「upload_max_filesize」パラメータを変更します。
upload_max_filesize = 512M
;タイムゾーンの設定
date.timezone = "Asia/Tokyo"
;マルチバイト対応（日本語対応）設定
mbstring.language = Japanese
;内部文字エンコーディングのデフォルト値
mbstring.internal_encoding = UTF-8
;HTTP通信の時のインプット文字コードを指定
mbstring.http_input = UTF-8
;HTTP 出力文字コードを指定
mbstring.http_output = pass
;HTTP 入力変換を有効にするmbstring.encoding_translationをOnにします。文字化けが発生した場合はOffにします。
mbstring.encoding_translation = On
;文字コード自動検出の優先順位を定義
mbstring.detect_order = auto
;コードとして変換できない文字がある場合に、代替の文字を出力しないようにします。
mbstring.substitute_character = none

# systemctl restart php-fpm
# systemctl restart httpd

# php -r 'phpinfo();'

System => Linux nezumi.bigbang.dyndns.org 4.18.0-305.3.1.el8.x86_64 #1 SMP Tue Jun 1 16:14:33 UTC 2021 x86_64
Build Date => May  4 2021 11:06:37
Server API => Command Line Interface
Virtual Directory Support => disabled
Configuration File (php.ini) Path => /etc
Loaded Configuration File => /etc/php.ini
Scan this dir for additional .ini files => /etc/php.d
Additional .ini files parsed => /etc/php.d/10-opcache.ini,
/etc/php.d/20-bz2.ini,
/etc/php.d/20-calendar.ini,
/etc/php.d/20-ctype.ini,
　:
　:
　:
PHP License
This program is free software; you can redistribute it and/or modify
it under the terms of the PHP License as published by the PHP Group
and included in the distribution in the file:  LICENSE

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

If you did not receive a copy of the PHP license, or have any
questions about PHP licensing, please contact license@php.net.

# vi /var/www/html/test.php
<?php
  phpinfo();
?>

http://www.bigbang.mydns.jp/test.php

# rm -f /var/www/html/test.php

# vi /var/www/html/index.html　←　テストページ作成
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
　↑　システムの文字コードがUTF-8の場合
<meta http-equiv="Content-Type" content="text/html; charset=euc-jp">
　↑　システムの文字コードがEUCの場合
<title>テスト</title>
<body>
テスト
</body>
</html>

# rm -f /var/www/html/index.html

# vi /var/www/cgi-bin/test.cgi　←　テスト用CGI作成
#!/usr/bin/perl
print "Content-type: text/html\n\n";
print "<html>\n";
print "<head>\n";
print "<meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\">\n";
　↑　システムの文字コードがUTF-8の場合
print "<meta http-equiv=\"Content-Type\" content=\"text/html; charset=euc-jp\">\n";
　↑　システムの文字コードがEUCの場合
print "<title>テスト</title>\n";
print "</head>\n";
print "<body>\n";
print "CGIテスト\n";
print "</body>\n";
print "</html>\n";
# chmod 755 /var/www/cgi-bin/test.cgi　←　テスト用CGIパーミッション変更

# rm -f /var/www/cgi-bin/test.cgi

# vi /var/www/html/test.shtml　←　SSIテスト用ページ作成
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
　↑　システムの文字コードがUTF-8の場合
<meta http-equiv="Content-Type" content="text/html; charset=euc-jp">
　↑　システムの文字コードがEUCの場合
<title>テスト</title>
<body>
SSIテスト
<!--#config timefmt="%Y/%m/%d %H:%M:%S" -->
<!--#echo var="DATE_LOCAL" -->
</body>
</html>

# vi /var/www/html/.htaccess　←　.htaccessファイル作成
DirectoryIndex index.shtml
# vi /var/www/html/index.shtml　←　.htaccessテスト用ページ作成
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
　↑　システムの文字コードがUTF-8の場合
&<meta http-equiv="Content-Type" content="text/html; charset=euc-jp">
　↑　システムの文字コードがEUCの場合
<title>テスト</title>
<body>
<p>.htaccessによるWebサーバ設定（例としてDirectoryIndex）の変更テスト</p>
このページのファイル名は<!--#echo var="DOCUMENT_NAME" -->
</body>
</html>

# rm -f /var/www/html/.htaccess
# rm -f /var/www/html/index.shtml

# vi /var/www/html/test.php　←　PHPテスト用ページ作成
<?php
  phpinfo();
?>

AddHandler php5-script .php
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps

# rm -f /var/www/cgi-bin/test.cgi　←　作成したテスト用CGIファイルを削除
# rm -f /var/www/html/index.html　←　作成したテスト用HTMLファイルを削除
# rm -f /var/www/html/test.shtml　←　作成したテスト用SSIファイルを削除
# rm -f /var/www/html/.htaccess　←　作成したテスト用.htaccessファイルを削除
# rm -f /var/www/html/test.php　←　作成したテスト用PHPファイルを削除

# vi /etc/httpd/conf.d/userdir.conf
<IfModule mod_userdir.c>
    #
    # UserDir is disabled by default since it can confirm the presence
    # of a username on the system (depending on home directory
    # permissions).
    #
    #UserDir disabled　←　「#」を付加

    #
    # To enable requests to /~user/ to serve the user's public_html
    # directory, remove the "UserDir disabled" line above, and uncomment
    # the following line instead:
    # 
    UserDir public_html　←　「#」を削除して有効化
    # user1ユーザのみ、http://www.bigbang.mydns.jp/user1/のように~（チルダ）なしでアクセスできるようにする
    AliasMatch ^/user1(.*) /home/user1/public_html/$1
    # 全てのユーザでhttp://www.bigbang.mydns.jp/userdir/ユーザ名/でアクセスできるようにする
    AliasMatch ^/userdir/([^/]+)/(.*) /home/$1/public_html/$2
</IfModule>

<Directory "/home/*/public_html">
    DirectoryIndex index.html　←　正常に表示されない場合、追記
    # .htaccessの許可
    AllowOverride All
    # CGI,SSI（Exec命令以外）の許可
    Options IncludesNoExec ExecCGI FollowSymLinks
    # .cgi及び .plで終わるすべてのファイルに対してCGIプログラムの実行を許可するには下記のようにする
    # AddHandler cgi-script .cgi .pl
    # ユーザディレクトリのpublic_htmlディレクトリのすべてのファイルをCGIプログラムとして指定したい場合には下記のようにする
    SetHandler cgi-script
    Require method GET POST OPTIONS
</Directory>

# systemctl restart httpd

$ chmod 711 /home/user1
$ mkdir /home/user1/public_html
$ chmod 755 /home/user1/public_html
$ vi ./public_html/index.html
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>テスト</title>
<body>
<div style="width: 100%; font-size: 30px; font-weight: bold; text-align: center;">
UserDir Test Page
</div>
</body>
</html>

# ユーザディレクトリ一括作成スクリプト作成
# vi userdirmake
#!/bin/bash

for user in `ls /home`
do
    id $user > /dev/null 2>&1
    if [ $? -eq 0 ] && [ ! -d /home/$user/public_html ]; then
        mkdir -p /home/$user/public_html
        chown $user. /home/$user/public_html
        chmod 711 /home/$user
        echo $user
    fi
done

# ユーザディレクトリ一括作成スクリプト実行
# sh userdirmake
user1
・
・
・
usern

# ユーザディレクトリ一括作成スクリプト削除
# rm -f userdirmake

# ユーザ追加時に~/public_htmlディレクトリを自動作成
# mkdir /etc/skel/public_html

# 一般ユーザ追加
# useradd -s /sbin/nologin user2

# 一般ユーザパスワード設定
# passwd user2
Changing password for user user2.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.

# 一般ユーザのホームディレクトリのパーミッション変更
# chmod 711 /home/user2/

chrootユーザの場合
# 一般ユーザ追加
# chroot-useradd user2 /sbin/nologin
Changing password for user user2.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.

# 一般ユーザのホームディレクトリのパーミッション変更
# chmod 711 /home/user2/

# 一般ユーザ追加
# useradd user3

# 一般ユーザパスワード設定
# passwd user3
Changing password for user user3.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.

# 一般ユーザのホームディレクトリのパーミッション変更
# chmod 711 /home/user3/

chrootユーザの場合
# 一般ユーザ追加
# chroot-useradd user3
Changing password for user user3.
New UNIX password
Retype new UNIX password:
passwd: all authentication tokens updated successfully.

# 一般ユーザのホームディレクトリのパーミッション変更
# chmod 711 /home/user3/

# vi test.cgi
#!/usr/bin/perl
print "Content-type: text/html\n\n";
print "<html>\n";
print "<head>\n";
print "<meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\">\n";
print "<title>テスト</title>\n";
print "</head>\n";
print "<body>\n";
print "<div style=\"width: 100%; font-size: 30px; font-weight: bold; text-align: center;\">\n";
print "UserDir Test Page\n";
print "</div>\n";
print "</body>\n";
print "</html>\n";

# chown user1. test.cgi
# chmod 755 test.cgi
# mv test.cgi /home/user1/public_html/

http://www.bigbang.mydns.jp/~user1/cgi-bin/test.cgi 

# vi test.shtml
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>テスト</title>
<body>
SSIテスト
<!--#config timefmt="%Y/%m/%d %H:%M:%S" -->
<!--#echo var="DATE_LOCAL" -->
</body>
</html>

# mv test.shtml /home/user1/public_html/

http://www.bigbang.mydns.jp/~user1/test.shtml

# vi .htaccess
DirectoryIndex index.shtml

# mv .htaccess /home/user1/public_html/
# vi index.shtml
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>テスト</title>
<body>
<p>.htaccessによるWebサーバー設定（例としてDirectoryIndex）の変更テスト</p>
このページのファイル名は<!--#echo var="DOCUMENT_NAME" -->
</body>
</html>
# mv index.shtml /home/user1/public_html/

# vi test.php
<?php
  phpinfo();
?>

# mv test.php /home/user1/public_html/

# vi /etc/httpd/conf.d/redmine.conf
※追記した箇所のみ記載
<IfModule mod_rewrite.c>
  RewriteEngine on
  RewriteCond %{HTTPS} off
  RewriteCond %{REQUEST_URI} ^/redmine/
  RewriteRule ^(.*)$ https://www.bigbang.mydns.jp%{REQUEST_URI} [R,L]
</IfModule>

# systemctl restart httpd

# httpd -V
Server version: Apache/2.4.37 (centos)
Server built:   May 20 2021 04:33:06
Server's Module Magic Number: 20120211:83
Server loaded:  APR 1.6.3, APR-UTIL 1.6.1
Compiled using: APR 1.6.3, APR-UTIL 1.6.1
Architecture:   64-bit
Server MPM:     event
  threaded:     yes (fixed thread count)
    forked:     yes (variable process count)
Server compiled with....
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=256
 -D HTTPD_ROOT="/etc/httpd"
 -D SUEXEC_BIN="/usr/sbin/suexec"
 -D DEFAULT_PIDLOG="run/httpd.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="conf/mime.types"
 -D SERVER_CONFIG_FILE="conf/httpd.conf"

# ls /etc/httpd/modules | grep mod_rewrite
mod_rewrite.so

# httpd -M|grep rewrite

or

# grep -i LoadModule /etc/httpd/conf/httpd.conf | grep rewrite

or

# grep -i LoadModule /etc/httpd/conf.modules.d/00-base.conf | grep rewrite

# vi /etc/httpd/conf/httpd.conf
　：
（省略）
　：
#
Include conf.modules.d/*.conf
　：
（省略）
　：

# grep rewrite_module /etc/httpd/conf.modules.d/00-base.conf
LoadModule rewrite_module modules/mod_rewrite.so

<IfModule mod_rewrite.c>
    #Options +FollowSymLinks
    # httpアクセスをhttpsアクセスにリダイレクト
    RewriteEngine on
    RewriteCond %{HTTPS} off
    #RewriteRule ^(.*)$ https://bigbang.mydns.jp/$1 [R=301]
    RewriteRule ^(.*)$ https://www.bigbang.mydns.jp/$1 [R=301,L]
    #RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
</IfModule>

# vi /etc/httpd/conf.d/rewrite.conf
<IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteCond %{HTTPS} off
    RewriteRule ^(.*)$ https://www.bigbang.mydns.jp%{REQUEST_URI} [R=301,L]
</IfModule>
# systemctl reload httpd

<IfModule mod_rewrite.c>
    # Rewriteエンジン有効化
    RewriteEngine on
    # HTTPでアクセスされた場合
    RewriteCond %{HTTPS} off
    # 下記URLでの接続の場合（インターネットからの接続を想定）
    RewriteCond %{HTTP_HOST} ^www.bigbang.mydns.jp [OR]
    RewriteCond %{HTTP_HOST} ^bigbang.mydns.jp
    # 下記URLでの接続ではない場合（イントラネットからの接続を想定）
    RewriteCond %{HTTP_HOST} !^serverA.bigbang.dyndns.org
    # 下記URLはhttpsにリダイレクトする
    RewriteRule ^(.*)$ https://www.bigbang.mydns.jp%{REQUEST_URI} [R=301,L]
</IfModule>

    # HTTPSでアクセスされた場合
    RewriteCond %{HTTPS} on
    # www無しをwww有りにリダイレクト
    RewriteCond %{HTTP_HOST} ^bigbang.mydns.jp
    RewriteRule ^(.*)$ https://www.bigbang.mydns.jp%{REQUEST_URI} [R=301,L]

    # HTTPSでアクセスされた場合
    #RewriteCond %{HTTPS} on
    # 下記URLでの接続以外の場合
    #RewriteCond %{HTTP_HOST} !^serverA.bigbang.dyndns.org
    # 下記URLで接続の場合
    #RewriteCond %{HTTP_HOST} ^(.*)$bigbang.mydns.jp
    # リダイレクトする
    #RewriteRule ^(.*)$ https://www.bigbang.mydns.jp%{REQUEST_URI} [R=301,L]

# vi /etc/httpd/conf.d/ssl.conf
SSLEngine on
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
※max-age：有効期間秒数、includeSubDomains：サブドメインにもHSTSを有効化

# systemctl restart httpd

# vi .htaccess
※下記行を追記
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

1. Serve a valid certificate.
2. Redirect from HTTP to HTTPS on the same host, if you are listening on port 80.
3. Serve all subdomains over HTTPS.
   • In particular, you must support HTTPS for the www subdomain if a DNS record for that subdomain exists.
4. Serve an HSTS header on the base domain for HTTPS requests:
   • The max-age must be at least 31536000 seconds (1 year).
   • The includeSubDomains directive must be specified.
   • The preload directive must be specified.
   • If you are serving an additional redirect from your HTTPS site, that redirect must still have the HSTS header (rather than the page it redirects to).

• インターネット上のブラウザでhttps://www.bigbang.mydns.jp/にアクセスする。
• ブラウザは、WebサーバからのレスポンスヘッダStrict-Transport-Securityを受け取る。
• 同じドメインにhttpでアクセスした場合、Webサーバは「強制的にhttpsで接続し直しなさい」とブラウザに返答する。
• ブラウザはHSTS適用ドメインにwww.bigbang.mydns.jpを追加する。
• ブラウザはmax-ageで設定された有効期限が切れるまで、http://www.bigbang.mydns.jp/にアクセスしてもブラウザ側でhttps://www.bigbang.mydns.jp/にアクセスし直すようになる。

• ある期間、bigbang.mydns.jpというドメインを運営しているWebサーバでStrict-Transport-Securityレスポンスヘッダを返すよう設定されていたとする。
• その期間中、上記ドメインににアクセスしたブラウザは、ブラウザ内のHSTS適用ドメインにbigbang.mydns.jpを追加する。
• しばらくして、このウェブサイトにおいて「httpsアクセスで何らかの問題が発生する」ことがわかったとします。
• サイト運営者はhttpでもアクセスできるように、bigbang.mydns.jpのWebサーバの設定を変更し、Strict-Transport-Securityレスポンスヘッダの応答を停止します（これが間違った対応です）。
• しかし、ブラウザの「HSTS適用ドメイン」にはbigbang.mydns.jpが登録されたままであるため、相変わらずhttpsでしかアクセスできない。

# vi /etc/httpd/conf.d/ssl.conf
（途中、省略）
SSLProtocol all -SSLv2 -SSLv3 -TLSv1
SSLCipherSuite TLSv1.3 TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305
SSLHonorCipherOrder
<VirtualHost _default_:443>
（途中、省略）

# systemctl restart httpd

# openssl s_client -connect www.bigbang.mydns.jp:443 -tls1_1
（途中、省略）
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 133 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.1
（途中、省略）
---

# openssl s_client -connect www.bigbang.mydns.jp:443 -tls1_2
（途中、省略）
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4716 bytes and written 314 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
（途中、省略）
---
closed


# openssl s_client -connect www.bigbang.mydns.jp:443 -tls1_3
（途中、省略）
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4571 bytes and written 310 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
（途中、省略）
---
read R BLOCK




closed

# wget https://www.openssl.org/source/openssl-3.0.2.tar.gz
# wget https://www.openssl.org/source/openssl-3.0.2.tar.gz.sha256
# sha256sum openssl-3.0.2.tar.gz

# tar fxz openssl-3.0.2.tar.gz
# rm -f openssl-3.0.2.tar.gz
# cd openssl-3.0.2
# ./config --prefix=/opt/openssl3 shared zlib
Configuring OpenSSL version 3.0.2 for target linux-x86_64
Using os-specific seed configuration
Creating configdata.pm
Running configdata.pm
Creating Makefile.in
Creating Makefile

**********************************************************************
***                                                                ***
***   OpenSSL has been successfully configured                     ***
***                                                                ***
***   If you encounter a problem while building, please open an    ***
***   issue on GitHub <https://github.com/openssl/openssl/issues>  ***
***   and include the output from the following command:           ***
***                                                                ***
***       perl configdata.pm --dump                                ***
***                                                                ***
***   (If you are new to OpenSSL, you might want to consult the    ***
***   'Troubleshooting' section in the INSTALL.md file first)      ***
***                                                                ***
**********************************************************************

# vi /etc/ld.so.conf.d/openssl.conf
以下の内容を保存する
/opt/openssl3/lib64

# /opt/openssl3/bin/openssl version
OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)

# cd /usr/local/src
# wget https://github.com/nghttp2/nghttp2/releases/download/v1.47.0/nghttp2-1.47.0.tar.gz
# tar xvzf nghttp2-1.47.0.tar.gz
# cd nghttp2-1.47.0
# ./configure --prefix=/opt/nghttp2
# make
# make install

# vi /etc/ld.so.conf.d/nghttp2.conf
以下の内容を保存する
/opt/nghttp2/lib

設定を反映
# ldconfig

# cd /usr/local/src
# wget https://ftp.kddilabs.jp/infosystems/apache/httpd/httpd-2.4.52.tar.gz
# tar fxz httpd-2.4.52.tar.gz
# rm -f fxz httpd-2.4.52.tar.gz
# cd httpd-2.4.52
# ./configure --prefix=/opt/httpd2452 --enable-http2 --enable-ssl --with-ssl=/opt/openssl3 --with-nghttp2=/opt/nghttp2 \
 --enable-so --enable-mpms-shared=all --enable-mods-shared=all --with-apr=/opt/apr --with-apr-util=/opt/apr-util
# make
# make install

# vi /etc/systemd/system/httpd2452.service
[Unit]
Description=The Apache HTTP Server
After=network.target remote-fs.target nss-lookup.target

[Service]
Type=forking
ExecStart=/opt/httpd2452/bin/apachectl -k start
ExecReload=/opt/httpd2452/bin/apachectl -k graceful
ExecStop=/opt/httpd2452/bin/apachectl -k stop
PrivateTmp=true

[Install]
WantedBy=multi-user.target

# systemctl daemon-reload

# systemctl list-unit-files | grep httpd
httpd2452.service                             disabled

# systemctl start httpd2452
# systemctl enable httpd2452

# openssl version
OpenSSL 1.0.2k-fips  26 Jan 2017

# httpd -V
AH00548: NameVirtualHost has no effect and will be removed in the next release /etc/httpd/conf/httpd.conf:97
Server version: Apache/2.4.6 (CentOS)
Server built:   Nov 16 2020 16:18:20
Server's Module Magic Number: 20120211:24
Server loaded:  APR 1.4.8, APR-UTIL 1.5.2
Compiled using: APR 1.4.8, APR-UTIL 1.5.2
Architecture:   64-bit
Server MPM:     prefork
  threaded:     no
    forked:     yes (variable process count)
Server compiled with....
（以下、省略）

• OpenSSL 1.1.1 以降
• APR
• APR-util
• ビルドに必要なライブラリ・ツール類（perl、gcc、zlib-devel、expat-devel、pcre-devel）

# curl -O https://www.openssl.org/source/openssl-1.1.1l.tar.gz
# tar fxz openssl-1.1.1l.tar.gz
# rm -f openssl-1.1.1l.tar.gz
# yum install perl gcc zlib-devel
# cd openssl-1.1.1l
# ./config --prefix=/opt/openssl shared zlib
# make
# make install

# vi /etc/ld.so.conf.d/openssl.conf
以下の内容を保存する
/opt/openssl/lib

設定を反映
# ldconfig

動作の確認
# /opt/openssl/bin/openssl version
OpenSSL 1.1.1l  24 Aug 2021

モジュールの確認
# /opt/httpd/bin/httpd -M|grep ssl
 ssl_module (shared)

# cd /usr/local/src
# curl -O http://ftp.kddilabs.jp/infosystems/apache/apr/apr-1.7.0.tar.gz
# tar fxz apr-1.7.0.tar.gz 
# rm -f apr-1.7.0.tar.gz
# cd apr-1.7.0
# ./configure --prefix=/opt/apr
# make
# make install

# yum install expat-devel

# cd /usr/local/src
# curl -O http://ftp.kddilabs.jp/infosystems/apache/apr/apr-util-1.6.1.tar.gz
# tar fxz apr-util-1.6.1.tar.gz
# cd apr-util-1.6.1
# ./configure --prefix=/opt/apr-util --with-apr=/opt/apr
# make
# make install

# cd /usr/local/src
# curl -O http://ftp.kddilabs.jp/infosystems/apache/httpd/httpd-2.4.50.tar.gz
# tar fxz httpd-2.4.50.tar.gz
# rm -f httpd-2.4.50.tar.gz

ビルドに必要です。インストールされていない場合インストールします。
# yum install pcre-deve

# cd httpd-2.4.50
# ./configure --prefix=/opt/httpd --enable-ssl --with-ssl=/opt/openssl \
              --enable-mpms-shared=all --enable-mods-shared=all --with-apr=/opt/apr --with-apr-util=/opt/apr-util
# make
# make install

動作確認
# /opt/httpd/bin/httpd -V
Server version: Apache/2.4.50 (Unix)
Server built:   Oct  6 2021 08:31:38
Server's Module Magic Number: 20120211:117
Server loaded:  APR 1.7.0, APR-UTIL 1.6.1
Compiled using: APR 1.7.0, APR-UTIL 1.6.1
Architecture:   64-bit
Server MPM:     event
  threaded:     yes (fixed thread count)
    forked:     yes (variable process count)
Server compiled with....
（以下、省略）

# vi /opt/httpd/conf/httpd.conf

#それぞれアンコメントして有効化
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
LoadModule ssl_module modules/mod_ssl.so
Include conf/extra/httpd-ssl.conf

# vi /opt/httpd/conf/extra/httpd-ssl.conf

#変更が必要な項目のみ抜粋
<VirtualHost _default_:443>
ServerName [サーバのURL]:443
SSLCertificateFile "[サーバ証明書のファイルパス]"
SSLCertificateKeyFile "[サーバ秘密鍵のファイルパス]"
</VirtualHost>

＃ vi /opt/httpd/conf/extra/httpd-ssl.conf

#TLS1.3の暗号スイートの設定
SSLCipherSuite TLSv1.3 TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256

#TLS1.2以下の暗号スイートの設定（コピペ注意）
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305

#利用可能なプロトコルの設定（コピペ注意）
SSLProtocol +TLSv1.3 +TLSv1.2

#サーバ側の暗号スイート優先順位を使用
SSLHonorCipherOrder

#PFSを重視するならTLSセッションチケットはオフに
SSLSessionTickets off

Apacheを起動
# /opt/httpd/bin/httpd -k start

Apacheが起動しているかの確認
# ps aux|grep -v grep|grep httpd
（表示されれば正常に起動しています）

or

# lsof -i -P|egrep '*:80 \(LISTEN\)|*:443 \(LISTEN\)'
（設定したポートが表示されれば正常に起動しています）

# vi /etc/systemd/system/httpd2450.service 
[Unit]
Description=The Apache HTTP Server
After=network.target remote-fs.target nss-lookup.target

[Service]
Type=forking
ExecStart=/opt/httpd/bin/apachectl -k start
ExecReload=/opt/httpd/bin/apachectl -k graceful
ExecStop=/opt/httpd/bin/apachectl -k stop
PrivateTmp=true

[Install]
WantedBy=multi-user.target

# systemctl daemon-reload
# systemctl list-unit-files --type=service | grep http
httpd.service                                 disabled　←　これまで利用していたユニットファイル
httpd2450.service                             disabled　←　正常に登録された

# systemctl enable httpd2450
# systemctl start httpd2450

# systemctl status httpd2450
● httpd2450.service - The Apache HTTP Server
   Loaded: loaded (/etc/systemd/system/httpd2450.service; enabled; vendor preset: disabled)
   Active: active (running) since 木 2021-10-07 21:06:43 JST; 50min ago
  Process: 11506 ExecStop=/opt/httpd/bin/apachectl -k stop (code=exited, status=0/SUCCESS)
  Process: 11584 ExecStart=/opt/httpd/bin/apachectl -k start (code=exited, status=0/SUCCESS)
 Main PID: 11593 (httpd)
    Tasks: 13
   CGroup: /system.slice/httpd2450.service
           ├─10555 /opt/httpd/bin/httpd -k start
           ├─10556 /opt/httpd/bin/httpd -k start
           ├─10564 /opt/httpd/bin/httpd -k start
（以下、省略）

# ls -l /etc/httpd/logs/{access_log,error_log,ssl_access_log,ssl_error_log}
-rw-r--r-- 1 root root 0 10月  7 03:58 /etc/httpd/logs/access_log
-rw-r--r-- 1 root root 0 10月  7 03:58 /etc/httpd/logs/error_log
-rw-r--r-- 1 root root 0 10月  7 03:58 /etc/httpd/logs/ssl_access_log
-rw-r--r-- 1 root root 0 10月  7 03:58 /etc/httpd/logs/ssl_error_log

# ps aux|grep httpd
root     17659  0.0  0.0  98760  5272 ?        Ss   10月06   0:03 /opt/httpd/bin/httpd -k start
apache   22771  0.0  0.0 2041084 6256 ?        Sl   10月06   0:02 /opt/httpd/bin/httpd -k start
apache   25216  0.0  0.0 113720  2716 ?        S    10月06   0:00 /opt/httpd/bin/httpd -k start
apache   25217  0.0  0.0 2041084 5220 ?        Sl   10月06   0:00 /opt/httpd/bin/httpd -k start
apache   25218  0.0  0.0 2041084 5236 ?        Sl   10月06   0:00 /opt/httpd/bin/httpd -k start
apache   25219  0.0  0.0 2041084 5188 ?        Sl   10月06   0:00 /opt/httpd/bin/httpd -k start

# /opt/httpd/bin/httpd -k restart　←　手動で再起動を実施

# vi /etc/logrotate.d/httpd
（変更箇所のみ）
/bin/systemctl reload httpd.service > /dev/null 2>/dev/null || true
　↓
/opt/httpd/bin/httpd -k restart > /dev/null 2>/dev/null || true

# grep -i LoadModule /opt/httpd/conf/httpd.conf | grep rewrite
LoadModule rewrite_module modules/mod_rewrite.so

# vi /opt/httpd/conf/extra/httpd-rewrite.conf
<IfModule mod_rewrite.c>
    # Rewriteエンジン有効化
    RewriteEngine on

    # HTTPでアクセスされた場合
    RewriteCond %{HTTPS} off
    # 下記URLでの接続の場合（インターネットからの接続を想定）
    RewriteCond %{HTTP_HOST} ^www.bigbang.mydns.jp [OR]
    RewriteCond %{HTTP_HOST} ^bigbang.mydns.jp
    # 下記URLはhttpsにリダイレクトする
    RewriteRule ^(.*)$ https://www.bigbang.mydns.jp%{REQUEST_URI} [R=301,L]
</IfModule>

# systemctl restart httpd2450

# vi /etc/httpd/conf.d/ssl.conf
SSLEngine on
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
※max-age：有効期間秒数、includeSubDomains：サブドメインにもHSTSを有効化

# systemctl restart httpd

# vi /opt/httpd/conf/httpd.conf
（変更箇所のみ）
#LoadModule include_module modules/mod_include.so
　↓
LoadModule include_module modules/mod_include.so

# /opt/httpd/bin/httpd -k restart　←　設定変更を反映

# vi /opt/httpd/conf/extra/httpd-php.conf
# httpd.confにをincludeする設定ファイル
#
# PHPの場所 : /usr/bin/php
# 対象バージョン : PHP 5.4.16 (cli) (built: Apr  1 2020 04:07:17)
#
# これ↓をhttpd.confに追記する
#Include /opt/httpd/conf/extra/httpd-php.conf

#
# AddType allows you to add to or override the MIME configuration
# file specified in TypesConfig for specific file types.
#
AddType application/x-httpd-php .php

#
# Dynamic Shared Object (DSO) Support
#
# To be able to use the functionality of a module which was built as a DSO you
# have to place corresponding `LoadModule' lines at this location so the
# directives contained in it are actually available _before_ they are used.
# Statically compiled modules (those listed by `httpd -l') do not need
# to be loaded here.
#
LoadModule php5_module "/usr/lib64/httpd/modules/libphp5.so"

#
# DirectoryIndex: sets the file that Apache will serve if a directory
# is requested.
#
<IfModule dir_module>
    DirectoryIndex index.php
</IfModule>

#
# php.iniの場所
#
PHPIniDir "/etc/php.ini"

# /opt/httpd/bin/httpd -k restart
[Thu Oct 07 14:21:29.579972 2021] [:crit] [pid 8143:tid 139623391147904] Apache is running a threaded MPM, \
but your PHP Module is not compiled to be threadsafe.  You need to recompile PHP.
AH00013: Pre-configuration failed

# vi /opt/httpd/conf/httpd.conf
（途中、省略）
LoadModule mpm_event_module modules/mod_mpm_event.so
#LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
#LoadModule mpm_worker_module modules/mod_mpm_worker.so
（途中、省略）

　↓

（途中、省略）
#LoadModule mpm_event_module modules/mod_mpm_event.so
LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
#LoadModule mpm_worker_module modules/mod_mpm_worker.so
（途中、省略）

# /opt/httpd/bin/httpd -k restart

# cd /usr/local/src/
# curl -O https://ftp.pcre.org/pub/pcre/pcre-8.45.tar.gz
# tar fxz pcre-8.45.tar.gz
# rm -f pcre-8.45.tar.gz
# cd tar fxz pcre-8.45
# ./configure --prefix=/opt/pcre
# make
# make install

# cd ..
# curl -O https://github.com/libexpat/libexpat/releases/download/R_2_4_1/expat-2.4.1.tar.gz
# tar fxz expat-2.4.1.tar.gz
# rm -f expat-2.4.1.tar.gz
# cd expat-2.4.1
# ./configure --prefix=/opt/expat
# make
# make install

# cd /usr/local/src
# curl -O ftp://xmlsoft.org/libxml2/libxml2-2.9.12.tar.gz
# tar fxz libxml2-2.9.12.tar.gz
# rm -f libxml2-2.9.12.tar.gz
# cd libxml2-2.9.12
# ./configure --prefix=/opt/libxml2 --without-python

# cd /usr/local/src
# curl -O https://www.sqlite.org/2021/sqlite-autoconf-3360000.tar.gz
# tar fxz sqlite-autoconf-3360000.tar.gz
# rm -f sqlite-autoconf-3360000.tar.gz
# cd sqlite-autoconf-3360000
# ./configure
# make
# make install

# /opt/sqlite3/bin/sqlite3 --version
3.36.0 2021-06-18 18:36:39 5c9a6c06871cb9fe42814af9c039eb6da5427a6ec28f187af7ebfb62eafa66e5

# cd /usr/local/src
# curl -O https://github.com/kkos/oniguruma/releases/download/v6.9.7/onig-6.9.7.tar.gz
# tar fxz onig-6.9.7.tar.gz
# rm -f onig-6.9.7.tar.gz
# cd onig-6.9.7
# ./configure --prefix=/opt/oniguruma
# make
# make install

# cd /usr/local/src
# curl -O https://zlib.net/zlib-1.2.11.tar.gz
# tar fxz zlib-1.2.11.tar.gz
# rm -f zlib-1.2.11.tar.gz
# cd zlib-1.2.11
# ./configure --prefix=/opt/zlib
# make
# make install

# /opt/php80/bin/php -vresion
PHP 8.0.11 (cli) (built: Oct 11 2021 17:40:59) ( NTS )
Copyright (c) The PHP Group
Zend Engine v4.0.11, Copyright (c) Zend Technologies

# cp -p php-8.0.11/php.ini-development /opt/php80/php.ini

# vi /opt/httpd/conf/extra/httpd-php80.conf
#
# AddType allows you to add to or override the MIME configuration
# file specified in TypesConfig for specific file types.
#
AddType application/x-httpd-php .php

#
# DirectoryIndex: sets the file that Apache will serve if a directory
# is requested.
#
<IfModule dir_module>
    DirectoryIndex index.php
</IfModule>

#
# php.iniの場所
#
PHPIniDir "/opt/php80/php.ini"

# vi /opt/php80/php.ini

• error_reportingの設定を変更
  error_reporting = E_ALL | E_STRICT（開発環境においてはSTRICTを含めたすべてのレポートをさせる）
• display_errorsの設定を変更
  display_errors = On（エラーがあった際にブラウザなどにエラー内容を表示するように設定）
• log_errorsの設定を変更
  log_errors = On（エラーログを吐く設定を有効にしておく）
• error_logの設定を変更
  error_log = /var/log/php.log（phpに関連するエラーログを/var/log/php.logに吐くように設定）

• default_charset = "UTF-8"
• mbstring.language = Japanese
• mbstring.internal_encoding = UTF-8　←　PHP 8 で非推奨
• mbstring.encoding_translation = Off
• mbstring.http_input = pass　←　PHP 8 で非推奨
• mbstring.http_output = pass　←　PHP 8 で非推奨
• mbstring.detect_order = utf-8,sjis,euc-jp,jis,ascii
• mbstring.substitute_character = none

• memory_limit = 32MB
  PHPの1プロセスが利用可能なメモリー容量の設定。
• post_max_size = 16M
  POSTのリクエストを受け付ける際の、最大のPOSTリクエストサイズを設定
• upload_max_filesize = 8M
  ファイルアップロードを受け付ける際の、最大のファイル受付サイズを設定

• expose_php = Off
  これがOnだとレスポンスヘッダにPHPのバージョン情報などが露呈してしまう
• session.hash_function = 1
  セッションID発行のハッシュアルゴリズムをSHA-1(160bit)へ変更, 0だとMD5(128bit)。生成されたハッシュを32桁にしたい場合は、併せてsession.hash_bits_per_character = 5とする
• session.entropy_file = /dev/urandom
  /dev/urandomが存在するときのみ
• session.entropy_length = 32

• short_open_tag = Off
  PHPファイルのタグを<?php ?>のみ利用可能と制限（<? ?>などを使用不可にする）
• register_argc_argv = On
  バッチのようなコマンドラインプログラムを書く場合は必須の設定
• max_execution_time = 30
  PHPプログラムの１つの最大実行時間の設定。これも大きなファイルアップロードや大きいバッチ処理がある場合はプログラム側のini_set()などで随時設定する

# systemctl restart httpd2450

# vi /opt/httpd/conf/httpd.conf
（途中、省略）
#LoadModule dav_module modules/mod_dav.so
#LoadModule dav_fs_module modules/mod_dav_fs.so
#LoadModule dav_lock_module modules/mod_dav_lock.so
　↓
LoadModule dav_module modules/mod_dav.so
LoadModule dav_fs_module modules/mod_dav_fs.so
LoadModule dav_lock_module modules/mod_dav_lock.so
（途中、省略）

# systemctl restart httpd2450

# cp -p /etc/httpd/conf.d/xymon.conf /opt/httpd/conf/extra/httpd-xymon.conf

# vi /opt/httpd/conf/httpd.conf
（変更部分のみ）
#LoadModule rewrite_module modules/mod_rewrite.so
　↓
LoadModule rewrite_module modules/mod_rewrite.so

Include conf/extra/httpd-xymon.conf

# systemctl restart httpd2450

# /opt/httpd/bin/httpd -M|grep rewrite
 rewrite_module (shared)

# cp -p /etc/httpd/conf.d/xymon.conf /opt/httpd/conf/extra/httpd-xymon.conf

# vi /opt/httpd/conf/httpd.conf
（変更部分のみ）
#LoadModule authz_core_module modules/mod_authz_core.so
　↓
LoadModule authz_core_module modules/mod_authz_core.so

Include conf/extra/httpd-apcupsd.conf

# systemctl restart httpd2450

 /opt/httpd/bin/httpd -M|grep authz_core
 authz_core_module (shared)

# cp -p /etc/httpd/conf.d/awstats.conf /opt/httpd/conf/extra/httpd-awstats.conf
# cp -p /etc/httpd/conf.d/awstatsreport.conf /opt/httpd/conf/extra/httpd-awstatsreport.conf

# vi /opt/httpd/conf/httpd.conf
（変更部分のみ）
#LoadModule authz_core_module modules/mod_authz_core.so
#LoadModule authz_core_module modules/mod_env.so
　↓
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule authz_core_module modules/mod_env.so

Include conf/extra/httpd-apcupsd.conf
Include conf/extra/httpd-apcupsdreport.conf

# systemctl restart httpd2450

 /opt/httpd/bin/httpd -M|grep authz_core
 authz_core_module (shared)

# curl -O wget https://github.com/SpiderLabs/ModSecurity/releases/download/v2.9.4/modsecurity-2.9.4.tar.gz
# tar fxz modsecurity-2.9.4.tar.gz
# rm -f modsecurity-2.9.4.tar.gz
# yum install gcc-c++ flex bison yajl yajl-devel curl-devel curl GeoIP-devel doxygen zlib-devel pcre-devel
# cd modsecurity-2.9.4
# ./configure --prefix=/opt/modsecurity --with-apxs=/opt/httpd/bin/apxs --with-apr=/usr/local/src/apr-1.7.0 --with-apr-util=/usr/local/src/apr-util-1.6.1
# make
# make install

# chmod 755 /opt/httpd/modules/mod_security2.so

# cp modsecurity.conf-recommended /opt/httpd/conf/extra/modsecurity.conf

# cd /opt/httpd/conf
# git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
# cp -p owasp-modsecurity-crs/crs-setup.conf.example owasp-modsecurity-crs/crs-setup.conf
# mkdir -p /var/log/mod_security/data
# chown -R apache:apache /var/log/mod_security

# cd owasp-modsecurity-crs
# mv rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
# mv rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf

# cp /usr/local/src/modsecurity-2.9.4/unicode.mapping /opt/httpd/conf/unicode.mapping

# chown -R apache:apache /opt/httpd

# vi /opt/httpd/conf/httpd.conf
（下記を最終行に追記）
<IfModule security2_module>
<IfModule unique_id_module>
  SecRuleEngine On
  SecRequestBodyAccess On
  SecDebugLog /var/log/mod_security/modsec_debug.log
  SecDebugLogLevel 3
  SecTmpDir /tmp/
  SecUploadDir /tmp/
  SecDataDir /tmp/
  SecAuditEngine RelevantOnly
  SecAuditLogParts ABIDEFGHZ
  SecAuditLogType Serial
  SecAuditLogType concurrent
  SecAuditLog /var/log/mod_security/audit_log
  SecAuditLogStorageDir /var/log/mod_security/data

  Include conf/owasp-modsecurity-crs/crs-setup.conf
  Include conf/owasp-modsecurity-crs/rules/*.conf
</IfModule>
</IfModule>

# vi /opt/httpd/conf/httpd.conf

# vi /opt/httpd/conf/extra/modsecurity.conf
# systemctl restart httpd2450

# vi /opt/httpd/conf/owasp-modsecurity-crs/rules/rules-01.conf
SecRule REMOTE_ADDR "@ipMatch 127.0.0.1" "phase:1,id:1,nolog,allow,ctl:ruleEngine=Off,ctl:auditEngine=Off"
SecRule REMOTE_ADDR "@ipMatch 172.27.0.0/24" "phase:1,id:2,nolog,allow,ctl:ruleEngine=Off,ctl:auditEngine=Off"
SecRule REMOTE_ADDR "@ipMatch 192.168.0.0/24" "phase:1,id:3,nolog,allow,ctl:ruleEngine=Off,ctl:auditEngine=Off"

or

SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,172.27.0.0/24,192.168.0.0/24" "phase:1,id:1,nolog,allow,ctl:ruleEngine=Off,ctl:auditEngine=Off"

# systemctl restart httpd2450

# sed -i -E -e 's/Warning\.\*([^?])/Warning.*?\1/g' /opt/httpd/conf/owasp-modsecurity-crs/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf

# systemctl restart httpd2450

# vi /opt/httpd/conf/extra/modsecurity.conf
（途中、省略）
SecPcreMatchLimit 1000
SecPcreMatchLimitRecursion 1000
　↓
SecPcreMatchLimit 300000
SecPcreMatchLimitRecursion 300000
（途中、省略）

# systemctl restart httpd2450

（該当箇所のみ抜粋）
HTTP/1.1 413 Request Entity Too Large

Message: Request body no files data length is larger than the configured limit (131072).. Deny with code (413)

# vi /etc/httpd/conf.d/mod_security.conf
SecRequestBodyLimit 13107200
SecRequestBodyNoFilesLimit 131072
　↓
SecRequestBodyLimit 536870912
SecRequestBodyNoFilesLimit 536870912

# systemctl restart httpd2450

# vi /etc/httpd/conf.d/ssl.conf
SSLProxyEngine On
ProxyPass /test/ https://serverB.bigbang.mydns.jp/test/

# systemctl reload httpd

Proxy Error

The proxy server could not handle the request

Reason: Error during SSL Handshake with remote server

• CarotDAVでのProxyの設定（Connection Setting）が「Default Proxy」である。
• 自己証明書による接続時、IE（インターネットエクスプローラ）の証明書ストアに該当証明書をあらかじめ信頼しインストールしておく。
• hostsファイルに接続するサーバの名前解決ができるようにあらかじめ記載しておく。

# rpm -qa | grep openldap
openldap-servers-2.4.19-15.el6_0.2.i686
openldap-clients-2.4.19-15.el6_0.2.i686
openldap-2.4.19-15.el6_0.2.i686

# yum install openldap*

• CGIの先頭にあるperlへのパスが誤っている。
• CGIそのものに問題がある。
• CGIの改行コードが違っている。(Linuxのみ)

• CGIの先頭にあるperlへのパスが誤っている。
  インターネットで流通しているフリーのCGIの多くは、perlへのパスは、「#!/usr/local/bin/perl」となっています。しかし、例えばRedHat標準のperlのパスは、「/usr/bin/perl」であり、修正が必要です。
  CGIを使用する場合は、まず、perlへのパスを確認し、自分のシステムに合わせる必要があります。
• CGIそのものに問題がある。
  この場合、切り分けのため下記のような簡単なテスト用CGIを、「test.cgi」等の適当な名前で元のCGIと同じ場所に置いてアクセスしてみるとよい。このCGIは、アクセス元のアドレスを返送するだけの簡単なものです。このCGIにアクセスしたとき、「500 Internal Server Error」と表示されれば、元のCGIが壊れているか、改行コード問題等で実行できなくなっているので、調査します。

［テスト用CGI例］
#!/usr/local/bin/perl
print "Content-Type: text/html\n\n";
print "Your_IP=$ENV{'REMOTE_ADDR'}\n";

• CGIの改行コードが違っている。(Linuxのみ)
  Windowsの改行コードは「CR+LF」、これに対してLinuxの改行コードは「LF」のため、たったこれだけですが、CGIは動いてくれません。対策としては、エディタで改行コードを変更する方法ありますが、もっと簡単には、FTPクライアントで、CGIをアスキーモード又はテキストモードで転送すれば、OSに応じて自動変換してくれるので、この方法でもかまいません。

suexec policy violation: see suexec log for more details
Premature end of script headers: test.cgi

# apachectl -V
 -D SUEXEC_BIN="/usr/sbin/suexec"

# ls -l /usr/sbin/suexec　←　モジュールの確認
-r-s--x--- 1 root apache 11060 2009-03-17 22:16 /usr/sbin/suexec
# mv /usr/sbin/suexec /usr/sbin/suexec_bak　←　リネーム
バイナリモジュールを削除するか、リネームすれば無効になります。
# service httpd reload　←　設定反映のため再起動

#vi /etc/httpd/conf/httpd.conf
DirectoryIndex index.shtml index.html index.html.var　←　 「index.shtml」を追記

[Sun Sep 04 20:03:54 2011] [warn] [client ***.***.***.***] mod_include: Options +Includes (or IncludesNoExec) \
wasn't set, INCLUDES filter removed

Options Includes Indexes FollowSymLinks　←　「Includes」を追記
# service httpd reload　←　設定反映のため再起動

# vi /etc/httpd/conf.d/ssl.conf
DirectoryIndex index.shtml index.htm
Options +Includes Indexes MultiViews
# service httpd reload

mod_include: Options +Includes (or IncludesNoExec) wasn't set, INCLUDES filter removed

  DirectoryIndex index.shtml index.htm
  <Directory /home/public/public_html>
    Options +Includes Indexes MultiViews
  </Directory>
# service httpd reload

invalid CGI ref "../cgi-bin/uptime.cgi"

<!--#exec cgi="../cgi-bin/uptime.cgi"-->
　　　↓
<!--#exec cgi="cgi-bin/uptime.cgi"-->

• Vistaから発生している現象
  対処はWeb フォルダのソフトウェア更新プログラム: KB907306 を適用する
• SSLなしのBasic認証なら接続可能
  対処はWindows7でwebdavを使う方法：なんとなしの日記を参照
• 自己証明書SSLだとの接続不可能
  対処はWindows7でwebdavを使ってみたを参照

#SSLProtocol all -SSLv2
　↓
SSLProtocol all -SSLv2 -SSLv3　←　SSLv2、SSLv3の無効化
SSLHonorCipherOrder ON　←　行頭の#を削除
SSLCipherSuite ALL:!ADH:!EXPORT:+SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
　↓
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:!SSLv3:RC4+RSA:+HIGH:+MEDIUM:+LOW

# openssl s_client -connect localhost:443 -tls1
CONNECTED(00000003)
140592254707616:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1259:SSL alert number 40

SSLCipherSuite EECDH+HIGH:EDH+HIGH:HIGH:MEDIUM:+3DES:!ADH:!RC4:MD5:!aNULL:!eNULL:!SSLv3:!SSLv2:!LOW:!EXP:!PSK:!SRP:!DSS:!KRB5

#service httpd restart

$ openssl s_client -connect localhost:443 -ssl2
CONNECTED(00000003)
3078194924:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:429:

# openssl s_client -connect localhost:443 -ssl3
CONNECTED(00000003)
139778341582752:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1259:SSL alert number 40

[notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[error] SSL Library Error: -8181 Certificate has expired
[error] Unable to verify certificate 'Server-Cert'. Add "NSSEnforceValidCerts off" /
                        to nss.conf so the server can start until the problem can be resolved.

$ sudo certutil -L -d /etc/httpd/alias
$ sudo certutil -L -d /etc/httpd/alias -n Server-Cert

# certutil -L -d /etc/httpd/alias -n Server-Cert

or

# openssl s_client -connect localhost:443 | openssl x509 -text -noout

or

※Let's Encryptの場合
# openssl x509 -in /etc/letsencrypt/live/（管理しているドメイン名）/cert.pem -text

下記は
# certutil -L -d /etc/httpd/alias -n Server-Cert
の実行結果です。

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 3 (0x3)
        Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
        Issuer: "CN=Certificate Shack,O=mydns.jp,C=US"
        Validity:
            Not Before: Sun Jul 31 12:05:53 2011
            Not After : Fri Jul 31 12:05:53 2015
        Subject: "CN=localhost4.localdomain4,O=mydns.jp,C=US"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                    e8:a3:30:c7:49:91:b9:fc:39:12:bb:b0:2a:90:af:58:
                    df:e3:c3:f8:81:24:48:d6:b7:1c:bd:1e:0e:b2:3a:13:
                    0c:7c:d3:21:ed:c5:5f:c8:e5:64:e1:8c:cd:22:6e:32:
                    d7:41:d6:61:83:2a:6f:22:37:23:c4:d5:d9:7d:dc:bb:
                    8e:d2:e0:10:72:42:c3:d4:43:c5:1b:0d:d3:e3:f6:c4:
                    c4:e3:8f:d6:65:a3:e9:f2:da:b0:a7:63:08:d8:87:2c:
                    2e:dc:05:6f:05:43:bb:b3:a1:1f:9e:c2:88:03:17:dc:
                    ea:22:ed:51:e8:b8:97:6e:62:ea:2f:16:1c:ab:2a:91
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Certificate Type
            Data: <SSL Server>
            Name: Certificate Key Usage
            Usages: Key Encipherment
    Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
    Signature:
        13:13:cd:fb:b5:56:70:45:8f:a6:4c:50:ce:db:06:ce:
        8f:07:7c:d8:ee:11:c7:3f:65:c6:aa:7e:d9:7c:7d:ad:
        14:5c:0d:27:22:b8:2f:d1:3b:22:f1:0b:9d:01:4f:ad:
        1f:56:0d:da:69:33:03:1f:0d:64:f2:5b:6c:a4:6e:d7:
        9c:5c:4a:3d:20:39:b3:a9:de:96:b0:af:ad:bc:6f:64:
        b4:7b:34:2a:3e:27:be:36:74:d8:b7:36:16:d9:d8:25:
        50:c2:58:68:c3:70:d5:ed:0d:5d:18:c0:84:ff:e1:a8:
        e3:83:b5:07:96:eb:e1:af:8b:ee:37:84:70:bd:d1:33
    Fingerprint (SHA-256):
        1E:8F:5B:3B:CD:9C:DD:E3:79:E4:98:D5:47:0C:F2:4F:3E:B7:A0 :D2:D4:1B:A9:E7:77:4C:A5:7B:22:4B:CB:94
    Fingerprint (SHA1):
        B6:EA:FE:50:74:53:0D:0E:1B:44:1F:EB:76:78:BD:DB:28:7E:D4:4E
    Certificate Trust Flags:
        SSL Flags:
            User
        Email Flags:
            User
        Object Signing Flags:
            User

# rpm -e mod_nss
# rm /etc/httpd/alias/*
# yum install mod_nss
# service httpd restart
# service httpd restart
httpd を停止中:                                            [  OK  ]
httpd を起動中:                                            [  OK  ]

# certutil -L -d /etc/httpd/alias -n Server-Cert
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 3 (0x3)
        Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
        Issuer: "CN=Certificate Shack,O=mydns.jp,C=US"
         Validity:
            Not Before: Wed Aug 05 06:53:25 2015
            Not After : Mon Aug 05 06:53:25 2019
        Subject: "CN=www.bigbang.mydns.jp,O=mydns.jp,C=US"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                    b3:13:c5:31:cc:62:48:c0:2b:e8:3e:ae:31:5c:04:aa:
                    cd:61:f8:74:dd:47:00:37:a8:4d:87:98:b2:ea:94:50:
                    76:8e:64:0a:be:6f:1a:fe:23:7c:db:59:b3:47:2e:56:
                    b4:bb:26:2a:99:7a:09:3f:70:74:a2:42:be:7f:58:71:
                    49:b2:21:5e:6d:6b:0f:ad:52:f8:67:37:eb:6f:6a:b1:
                    48:81:b7:59:b7:b5:a7:c0:e7:a2:29:94:1c:b1:32:c0:
                    14:f5:b9:a4:c2:b4:08:01:7d:88:6d:cb:76:26:7a:7a:
                    90:6a:86:4f:b4:7a:2d:7e:25:61:24:80:61:ec:9f:ff
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Certificate Type
            Data: <SSL Server>
            Name: Certificate Key Usage
            Usages: Key Encipherment
    Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
    Signature:
        50:2b:32:d1:7c:12:52:08:d9:9f:4b:58:6b:47:d1:04:
        fc:d2:4a:ed:0b:15:1c:23:59:2f:cc:24:b0:73:3a:2c:
        71:22:df:27:11:63:b0:48:d5:ee:c0:97:15:c6:c5:24:
        30:16:54:27:c0:0c:56:55:ac:a0:dd:8b:57:67:da:44:
        4f:df:95:6f:ac:e6:9e:31:1d:54:b4:b2:45:5d:8b:c9:
        ec:5d:12:36:89:f8:0c:d9:91:84:fb:54:14:50:ec:52:
        3d:a9:96:8e:5e:6c:6a:8e:7d:09:3e:8f:2e:ed:5b:b5:
        e5:70:44:c2:e4:22:08:90:6f:a0:2e:6f:17:3b:77:4e
    Fingerprint (SHA-256):
        6F:B6:A8:96:B8:73:69:74:8A:14:14:2F:2E:47:60:54:E8:AD:4B :62:A7:0A:BD:AA:80:43:3A:95:15:01:01:76
    Fingerprint (SHA1):
        B5:9F:67:B3:CC:52:06:B1:48:49:CB:17:CB:FA:9A:CD:95:F7:62:9A
    Certificate Trust Flags:
        SSL Flags:
            User
        Email Flags:
            User
        Object Signing Flags:
            User

[Thu Aug 13 17:28:15.530195 2015] [ssl:warn] [pid 19982] AH01906: RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Thu Aug 13 17:28:15.568821 2015] [ssl:warn] [pid 19982] AH01906: RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)

<VirtualHost intranet.bigbang.dyndns.org:443>
  ServerName intranet.bigbang.dyndns.org
  Alias /webdav /var/www/webdav
    ErrorLog logs/ssl_error_log
    TransferLog logs/ssl_access_log
    LogLevel warn
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
    SSLCertificateFile /etc/pki/tls/certs/server.crt
    SSLCertificateKeyFile /etc/pki/tls/certs/server.key
    DirectoryIndex disabled
    DavLockDB "/tmp/DavLock"
    <Location "/webdav">
      DAV On
      SSLRequireSSL
      AuthType Basic
      AuthName WebDAV
      AuthUserFile /etc/httpd/conf/.htpasswd
      <RequireAny>
        Require method GET POST OPTIONS
        Require user hoge john
        #Require valid-user
      </RequireAny>
      #<LimitExcept OPTIONS PROPFIND>
      Require local
      Require ip 192.168.0.0/255.255.255.0
      Require ip 102.103.104
      Require ip 102.103.204
      Require user hoge john
      #</LimitExcept>
      Header add MS-Author-Via "DAV"
    </Location>
</VirtualHost>
<VirtualHost internet.bigbang.mydns.jp:443>
  ServerName internet.bigbang.mydns.jp
  Alias /webdav /var/www/webdav
    ErrorLog logs/ssl_error_log
    TransferLog logs/ssl_access_log
    LogLevel warn
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
    SSLCertificateFile /etc/pki/tls/certs/server.crt
    SSLCertificateKeyFile /etc/pki/tls/certs/server.key
    DirectoryIndex disabled
    DavLockDB "/tmp/DavLock"
    <Location "/webdav">
      DAV On
      SSLRequireSSL
      AuthType Basic
      AuthName WebDAV
      AuthUserFile /etc/httpd/conf/.htpasswd
      <RequireAny>
        Require method GET POST OPTIONS
        Require user hoge john
        #Require valid-user
      </RequireAny>
      #<LimitExcept OPTIONS PROPFIND>
      Require local
      Require ip 192.168.0.0/255.255.255.0
      Require ip 102.103.104
      Require ip 102.103.204
      Require user hoge john
      #</LimitExcept>
      Header add MS-Author-Via "DAV"
    </Location>
</VirtualHost>

DavLockDB "/tmp/DavLock"

これは簡単に説明するとCentOS独自のopensslのバージョン表記であるため、と考えるとわかりやすいと思います。 CentOSでは、リリース時点のバージョンにパッチを当てる形で保守されます。 これにより、yum updateしても、バージョン番号などはそのままになっていることがあるのです。 脆弱性が報告されたのにいくらアップデートしても最新にならないよーーーー！と焦りがちですが、RedHatのCVEデータベースを見ると良いでしょう。 発表された脆弱性には、CVEという番号が振られてますので該当のCVE番号で検索すれば脆弱性の対象かどうかがわかります。

# certutil -L -d /etc/httpd/alias -n Server-Cert
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 3 (0x3)
        Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
        Issuer: "CN=Certificate Shack,O=example.com,C=US"
        Validity:
            Not Before: Wed Jun 28 11:37:12 2017
            Not After : Mon Jun 28 11:37:12 2021
        Subject: "CN=localhost4.localdomain4,O=example.com,C=US"
　：
　：
（以下、省略）

# yum remove mod_nss
# rm /etc/httpd/alias/*
# yum install mod_nss -y
# systemctl restart httpd

# certutil -d /etc/httpd/alias -L -n Server-Cert
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4 (0x4)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=Certificate Shack,O=example.com,C=US"
        Validity:
            Not Before: Tue Jun 29 00:25:53 2021
            Not After : Sun Jun 29 00:25:53 2025
        Subject: "CN=localhost4.localdomain4,O=example.com,C=US"

# bash /etc/cron.monthly/update_sslcert.sh
===== Update SSL Certfile =====
2021年  7月 12日 月曜日 09:26:46 JST Update SSL Certfile start
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/www.bigbang.mydns.jp.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for www.bigbang.mydns.jp

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: www.bigbang.mydns.jp
  Type:   unauthorized
  Detail: Invalid response from https://www.bigbang.mydns.jp/.well-known/acme-challenge/3Y-dGOZbV656EnvH4H9MsrETzVsr5gKiuEtOcgNyfes [***.***.***.***]: \
          "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. \
      Ensure that the listed domains serve their content from \
      the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Failed to renew certificate www.bigbang.mydns.jp with error: Some challenges have failed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/www.bigbang.mydns.jp/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. \
See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
2021年  7月 12日 月曜日 09:26:55 JST Update SSL Certfile end

# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/www.bigbang.mydns.jp.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certificates are not due for renewal yet:
  /etc/letsencrypt/live/www.bigbang.mydns.jp/fullchain.pem expires on 2021-09-06 (skipped)
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

<Directory /usr/share/test/>
   DirectoryIndex index.php
　　　：
</Directory>

• 該当のディレクトリに「index.html」等を作成する
• 上記でも解決しない場合、「DirectoryIndex」の設定を確認する
• 上記でも解決しない場合、ファイルやディレクトリのアクセス権限を確認する

# /opt/httpd/bin/apachectl -M|grep cgi
 cgid_module (shared)

# vi /opt/httpd/conf/httpd.conf
（途中、省略）
<IfModule cgid_module>
    #
    # ScriptSock: On threaded servers, designate the path to the UNIX
    # socket used to communicate with the CGI daemon of mod_cgid.
    #
    #Scriptsock cgisock
</IfModule>
（途中、省略）

　↓

（途中、省略）
<IfModule cgid_module>
    #
    # ScriptSock: On threaded servers, designate the path to the UNIX
    # socket used to communicate with the CGI daemon of mod_cgid.
    #
    Scriptsock cgisock　←　アンコメント（#を削除）
</IfModule>
（途中、省略）

# /opt/httpd/bin/httpd -k restart

Forbidden

You don't have permission to access this resource.Reason: Cannot perform Post-Handshake Authentication.

Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.

# vi /etc/httpd/conf.d/ssl.conf

SSLProtocol -all +TLSv1.2 +TLSv1.3
　↓
SSLProtocol -all +TLSv1.2

# systemctl restart httpd