Fedora40 で HTTPS のウェブサーバを動かす

firewall-cmd --add-service=http --permanent
firewall-cmd --add-service=https --permanent
firewall-cmd --reload

dnf -y install nginx
systemctl enable --now nginx

curl http://localhost 2>&1 | grep '<title>'
# => <title>Test Page for the HTTP Server on Fedora</title>

read -p 'DOMAIN?> ' DOMAIN

read -p 'SERVER_NAME?>' SERVER_NAME

read -p 'EMAIL?>' EMAIL

dnf -y install certbot python3-certbot-nginx
certbot certonly --nginx -d $DOMAIN -m $EMAIL --agree-tos -n

cat << EOF > /etc/nginx/default.d/tls.conf
    ssl_certificate "/etc/letsencrypt/live/$DOMAIN/fullchain.pem";
    ssl_certificate_key "/etc/letsencrypt/live/$DOMAIN/privkey.pem";
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout  10m;
    ssl_ciphers PROFILE=SYSTEM;
    ssl_prefer_server_ciphers on;
EOF

FQDN="$SERVER_NAME.$DOMAIN"
RANGE1='Settings for a TLS enabled server'
RANGE2='^}'
sed -i.bak -r \
    -e "/$RANGE1/,/$RANGE2/s@^#@@" \
    -e "/.*ssl_.*/d" \
    -e "/$RANGE1/d" \
    /etc/nginx/nginx.conf

nginx -t
# => nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
# => nginx: configuration file /etc/nginx/nginx.conf test is successful

systemctl restart nginx

curl -k https://localhost 2>&1 | grep '<title>'
# => <title>Test Page for the HTTP Server on Fedora</title>

systemctl enable --now certbot-renew.timer
# systemctl daemon-reload でも良いかも

systemctl list-timers certbot-renew.timer

cat /etc/sysconfig/certbot | grep POST_HOOK
# => POST_HOOK="--post-hook 'systemctl restart nginx'"