$ sudo vi /etc/fstab
$ cat /etc/fstab
#
# /etc/fstab
# Created by anaconda on Thu Jun 12 01:18:32 2025
#
# Accessible filesystems, by reference, are maintained under '/dev/disk/'.
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info.
#
# After editing this file, run 'systemctl daemon-reload' to update systemd
# units generated from this file.
#
/dev/mapper/ocivolume-root / xfs defaults 0 0
UUID=dd88872e-0527-4193-8282-b8281f1ae6fd /boot xfs defaults 0 0
UUID=AE3C-806E /boot/efi vfat defaults,uid=0,gid=0,umask=077,shortname=winnt 0 2
/dev/mapper/ocivolume-oled /var/oled xfs defaults 0 0
tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0
######################################
## ORACLE CLOUD INFRASTRUCTURE CUSTOMERS
##
## If you are adding an iSCSI remote block volume to this file you MUST
## include the '_netdev' mount option or your instance will become
## unavailable after the next reboot.
## SCSI device names are not stable across reboots; please use the device UUID instead of /dev path.
##
## Example:
## UUID="94c5aade-8bb1-4d55-ad0c-388bb8aa716a" /data1 xfs defaults,noatime,_netdev 0 2
##
## More information:
## https://docs.us-phoenix-1.oraclecloud.com/Content/Block/Tasks/connectingtoavolume.htm
/.swapfile none swap sw 0 0
/var/oled/swapfile none swap sw 0 0
$
準備2-3: パッケージを最新へアップデート
現時点での最新へアップデートする
$ sudo dnf update -y
<略>
$ sudo reboot
手順1-4: 日本語Locale対応
ja_JP.UTF-8など日本語Localeで設定した際、「Failed to set locale, defaulting to C.UTF-8」というメッセージが出力される場合があります。
[opc@ocimail ~]$ sudo dehydrated --register
# INFO: Using main config file /etc/dehydrated/config
# INFO: Using additional config file /etc/dehydrated/conf.d/local.sh
To use dehydrated with this certificate authority you have to agree to their terms of service which you can find here: https://letsencrypt.org/documents/LE-SA-v1.5-February-24-2025.pdf
To accept these terms of service run "/bin/dehydrated --register --accept-terms".
[opc@ocimail ~]$ sudo dehydrated --register --accept-terms
# INFO: Using main config file /etc/dehydrated/config
# INFO: Using additional config file /etc/dehydrated/conf.d/local.sh
+ Generating account key...
+ Registering account key with ACME server...
+ Fetching account URL...
+ Done!
[opc@ocimail ~]$
初回のSSL証明書発行処理を実行します。
[opc@ocimail ~]$ sudo dehydrated --cron
# INFO: Using main config file /etc/dehydrated/config
# INFO: Using additional config file /etc/dehydrated/conf.d/local.sh
Processing ocimail.websa.jp
+ Signing domains...
+ Generating private key...
+ Generating signing request...
+ Requesting new certificate order from CA...
+ Received 1 authorizations URLs from the CA
+ Handling authorization for ホスト名
+ 1 pending challenge(s)
+ Deploying challenge tokens...
+ Responding to challenge for ocimail.websa.jp authorization...
+ Challenge is valid!
+ Cleaning challenge tokens...
+ Requesting certificate...
Warning: Will read cert request from stdin since no -in option is given
+ Checking certificate...
+ Done!
+ Creating fullchain.pem...
+ Done!
+ Running automatic cleanup
Moving unused file to archive directory: ホスト名/cert-1761722366.csr
Moving unused file to archive directory: ホスト名/cert-1761722366.pem
Moving unused file to archive directory: ホスト名/privkey-1761722366.pem
[opc@ocimail ~]$
これで/etc/dehydrated/certs/ホスト名/ にSSL証明書が作成される
[opc@ocimail ~]$ sudo ls -l /etc/dehydrated/certs/ホスト名/
total 20
-rw-------. 1 root root 1655 Oct 29 07:26 cert-1761722787.csr
-rw-------. 1 root root 2134 Oct 29 07:26 cert-1761722787.pem
lrwxrwxrwx. 1 root root 19 Oct 29 07:26 cert.csr -> cert-1761722787.csr
lrwxrwxrwx. 1 root root 19 Oct 29 07:26 cert.pem -> cert-1761722787.pem
-rw-------. 1 root root 1802 Oct 29 07:26 chain-1761722787.pem
lrwxrwxrwx. 1 root root 20 Oct 29 07:26 chain.pem -> chain-1761722787.pem
-rw-------. 1 root root 3936 Oct 29 07:26 fullchain-1761722787.pem
lrwxrwxrwx. 1 root root 24 Oct 29 07:26 fullchain.pem -> fullchain-1761722787.pem
-rw-------. 1 root root 3272 Oct 29 07:26 privkey-1761722787.pem
lrwxrwxrwx. 1 root root 22 Oct 29 07:26 privkey.pem -> privkey-1761722787.pem
[opc@ocimail ~]$
dovecot設定
dovecot ssl設定
/etc/dovecot/conf.d/10-ssl.conf にて
「ssl = required」を「ssl = yes」に変更(「ssl = yes」ではTLSを使わない接続も受け付けるようになるため、TLSを必須にしたい場合は「ssl = required」のままにする)
# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
# disable plain pop3 and imap, allowed are only pop3+TLS, pop3s, imap+TLS and imaps
# plain imap and pop3 are still allowed for local connections
ssl = yes
ssl_certとssl_keyをdehydratedが出力したファイルに置き換え
# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf
ssl_cert = </etc/dehydrated/certs/ホスト名/fullchain.pem
ssl_key = </etc/dehydrated/certs/ホスト名/privkey.pem
dhパラメータのコメントを取る
# SSL DH parameters
# Generate new params with `openssl dhparam -out /etc/dovecot/dh.pem 4096`
# Or migrate from old ssl-parameters.dat file with the command dovecot
# gives on startup when ssl_dh is unset.
ssl_dh = </etc/dovecot/dh.pem
# Space separated list of plugins to load for all services. Plugins specific to
# IMAP, LDA, etc. are added to this list in their own .conf files.
mail_plugins = $mail_plugins quota
##
## Mailbox handling optimizations
##
# Mailbox list indexes can be used to optimize IMAP STATUS commands. They are
# also required for IMAP NOTIFY extension to be enabled.
mailbox_list_index = yes
# Disable LOGIN command and all other plaintext authentications unless
# SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
# matches the local IP (ie. you're connecting from the same computer), the
# connection is considered secure and plaintext authentication is allowed.
# See also ssl=required setting.
#disable_plaintext_auth = yes
また、下記を「auth_mechanisms = plain login」に変更する(plain/loginはパスワードを平文のまま送る方式なので、TLSで保護された接続での利用が前提)
# Space separated list of wanted authentication mechanisms:
# plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp
# gss-spnego
# NOTE: See also disable_plaintext_auth setting.
auth_mechanisms = plain
protocol imap {
# Space separated list of plugins to load (default is global mail_plugins).
mail_plugins = $mail_plugins imap_quota
# Maximum number of IMAP connections allowed for a user from each IP address.
# NOTE: The username is compared case-sensitively.
#mail_max_userip_connections = 10
}
##
## Mailbox definitions
##
# Each mailbox is specified in a separate mailbox section. The section name
# specifies the mailbox name. If it has spaces, you can put the name
# "in quotes". These sections can contain the following mailbox settings:
#
# auto:
# Indicates whether the mailbox with this name is automatically created
# implicitly when it is first accessed. The user can also be automatically
# subscribed to the mailbox after creation. The following values are
# defined for this setting:
#
# no - Never created automatically.
# create - Automatically created, but no automatic subscription.
# subscribe - Automatically created and subscribed.
#
# special_use:
# A space-separated list of SPECIAL-USE flags (RFC 6154) to use for the
# mailbox. There are no validity checks, so you could specify anything
# you want in here, but it's not a good idea to use flags other than the
# standard ones specified in the RFC:
#
# \All - This (virtual) mailbox presents all messages in the
# user's message store.
# \Archive - This mailbox is used to archive messages.
# \Drafts - This mailbox is used to hold draft messages.
# \Flagged - This (virtual) mailbox presents all messages in the
# user's message store marked with the IMAP \Flagged flag.
# \Important - This (virtual) mailbox presents all messages in the
# user's message store deemed important to user.
# \Junk - This mailbox is where messages deemed to be junk mail
# are held.
# \Sent - This mailbox is used to hold copies of messages that
# have been sent.
# \Trash - This mailbox is used to hold messages that have been
# deleted.
#
# comment:
# Defines a default comment or note associated with the mailbox. This
# value is accessible through the IMAP METADATA mailbox entries
# "/shared/comment" and "/private/comment". Users with sufficient
# privileges can override the default value for entries with a custom
# value.
# NOTE: Assumes "namespace inbox" has been defined in 10-mail.conf.
namespace inbox {
# These mailboxes are widely used and could perhaps be created automatically:
mailbox Drafts {
special_use = \Drafts
}
mailbox "下書き" {
special_use = \Drafts
}
mailbox INBOX.Drafts {
special_use = \Drafts
}
mailbox Junk {
special_use = \Junk
}
mailbox "迷惑メール" {
special_use = \Junk
}
mailbox "Junk Email" {
special_use = \Junk
}
mailbox "INBOX.Junk Email" {
special_use = \Junk
}
mailbox Trash {
special_use = \Trash
}
mailbox "削除済みアイテム" {
special_use = \Trash
}
mailbox "Deleted Items" {
special_use = \Trash
}
mailbox "INBOX.Deleted Items" {
special_use = \Trash
}
# For \Sent mailboxes there are two widely used names. We'll mark both of
# them as \Sent. User typically deletes one of them if duplicates are created.
mailbox Sent {
special_use = \Sent
}
mailbox "Sent Messages" {
special_use = \Sent
}
mailbox "送信済みアイテム" {
special_use = \Sent
}
mailbox "Sent Items" {
special_use = \Sent
}
mailbox "INBOX.Sent Items" {
special_use = \Sent
}
# If you have a virtual "All messages" mailbox:
#mailbox virtual/All {
# special_use = \All
# comment = All my messages
#}
# If you have a virtual "Flagged" mailbox:
#mailbox virtual/Flagged {
# special_use = \Flagged
# comment = All my flagged messages
#}
# If you have a virtual "Important" mailbox:
#mailbox virtual/Important {
# special_use = \Important
# comment = All my important messages
#}
}
dovecotのquota設定
既存の /etc/dovecot/conf.d/90-quota.conf の最後に下記を追加する
これは100MBで制限する例
mailbox_list_index = yes
# Avoid spending excessive time waiting for the quota calculation to finish
# when mails' vsizes aren't already cached. If this many mails are opened,
# finish the quota calculation on background in indexer-worker process. Mail
# deliveries will be assumed to succeed, and explicit quota lookups will
# return internal error. (v2.2.28+)
protocol !indexer-worker {
mail_vsize_bg_after_count = 100
}
plugin {
quota = count:User quota
quota_rule = *:storage=100M
#quota_rule2 = Trash:storage=+100M
# This is required - it uses "virtual sizes" rather than "physical sizes"
# for quota counting:
quota_vsizes = yes
}
# Relay server configuration:
#
# The Dovecot SMTP submission service directly proxies the mail transaction
# to the SMTP relay configured here.
# Host name for the relay server (required)
submission_relay_host = ホスト名.ドメイン名
# INTERNET HOST AND DOMAIN NAMES
#
# The myhostname parameter specifies the internet hostname of this
# mail system. The default is to use the fully-qualified domain name
# from gethostname(). $myhostname is used as a default value for many
# other configuration parameters.
#
#myhostname = host.domain.tld
#myhostname = virtual.domain.tld
myhostname = ホスト名.ドメイン名
続いてmydomain も 外部で認識させたいドメイン名を入れる
# The mydomain parameter specifies the local internet domain name.
# The default is to use $myhostname minus the first component.
# $mydomain is used as a default value for many other configuration
# parameters.
#
#mydomain = domain.tld
mydomain = ドメイン名
# SENDING MAIL
#
# The myorigin parameter specifies the domain that locally-posted
# mail appears to come from. The default is to append $myhostname,
# which is fine for small sites. If you run a domain with multiple
# machines, you should (1) change this to $mydomain and (2) set up
# a domain-wide alias database that aliases each user to
# user@that.users.mailhost.
#
# For the sake of consistency between sender and recipient addresses,
# myorigin also specifies the default domain name that is appended
# to recipient addresses that have no @domain part.
#
#myorigin = $myhostname
myorigin = $mydomain
# The inet_interfaces parameter specifies the network interface
# addresses that this mail system receives mail on. By default,
# the software claims all active interfaces on the machine. The
# parameter also controls delivery of mail to user@[ip.address].
#
# See also the proxy_interfaces parameter, for network addresses that
# are forwarded to us via a proxy or network address translator.
#
# Note: you need to stop/start Postfix when this parameter changes.
#
inet_interfaces = all
#inet_interfaces = $myhostname
#inet_interfaces = $myhostname, localhost
#inet_interfaces = localhost
# Enable IPv4, and IPv6 if supported
inet_protocols = all
自サーバで受信するメールドメインの設定は2番目のドメイン宛ても受け取るやつにします
# See also below, section "REJECTING MAIL FOR UNKNOWN LOCAL USERS".
#
#mydestination = $myhostname, localhost.$mydomain, localhost
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain,
# mail.$mydomain, www.$mydomain, ftp.$mydomain
# The right-hand side of the lookup tables is conveniently ignored.
# In the left-hand side, specify a bare username, an @domain.tld
# wild-card, or specify a user@domain.tld address.
#
local_recipient_maps = unix:passwd.byname $alias_maps
#local_recipient_maps = proxy:unix:passwd.byname $alias_maps
#local_recipient_maps =
# With Postfix version before 2.10, use smtpd_recipient_restrictions
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
postfixのssl証明書設定
/etc/postfix/main.cf の最後の方にSSL関連の設定がある
# The full pathname of a file with the Postfix SMTP server RSA certificate
# in PEM format. Intermediate certificates should be included in general,
# the server certificate first, then the issuing CA(s) (bottom-up order).
#
smtpd_tls_cert_file = /etc/dehydrated/certs/ocimail.websa.jp/fullchain.pem
# The full pathname of a file with the Postfix SMTP server RSA private key
# in PEM format. The private key must be accessible without a pass-phrase,
# i.e. it must not be encrypted.
#
smtpd_tls_key_file = /etc/dehydrated/certs/ocimail.websa.jp/privkey.pem
postfix側からdovecotを起動する設定
/etc/postfix/master.cf の最終行に以下を追加
dovecot unix - n n - - pipe
flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/dovecot-lda -f ${sender} -d ${recipient}
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
# dovecot sasl configuration
smtpd_sasl_type = dovecot
# Can be an absolute path, or relative to $queue_directory
# Debian/Ubuntu users: Postfix is setup by default to run chrooted, so it is best to leave it as-is below
smtpd_sasl_path = private/auth
# and the common settings to enable SASL:
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
トラブル対応
gmail宛てがgmail側で受け取り拒否
gmailに送ったところ、メールがなかなか届かないので/var/log/maillogを確認
Oct 30 10:15:28 ocimail postfix/smtp[5898]: AA57A309E87E: to=<アドレス@gmail.com>, relay=gmail-smtp-in.l.google.com[2404:6800:4008:c15::1b]:25, delay=2.6, delays=0.29/0.19/1.2/0.9, dsn=5.7.1, status=bounced (host gmail-
smtp-in.l.google.com[2404:6800:4008:c15::1b] said: 550-5.7.1 [2603:c023:f:9000:0:7a41:2e84:f27f] Gmail has detected that this 550-5.7.1 message does not meet IPv6 sending guidelines regarding PTR records 550-5.7.1 and auth
entication. For more information, go to 550 5.7.1 https://support.google.com/mail/?p=IPv6AuthError 41be03b00d2f7-b71f4ba78c7si7488417a12.1056 - gsmtp (in reply to end of DATA command))
「Gmail has detected that this 550-5.7.1 message does not meet IPv6 sending guidelines regarding PTR records 550-5.7.1 and authentication. For more information, go to 550 5.7.1 https://support.google.com/mail/?p=IPv6AuthError」という形で拒否されていた。
IPv6 認証エラーの例を次に示します。 550-5.7.1: Message does not meet IPv6 sending guidelines regarding PTR records and authentication.(メールが PTR レコードと認証に関する IPv6 の送信ガイドラインに準拠していません。)
あと、最初の方に書かれているIPアドレスに対する要件も関係している
インフラストラクチャ設定の要件とガイドライン IP アドレス 重要: 送信元 IP アドレスは、ポインタ(PTR)レコードで指定されたホスト名の IP アドレスと一致している必要があります。
送信元 SMTP サーバーのパブリック IP アドレスには、対応するホスト名を参照する PTR レコードが必要です。これは、リバース DNS ルックアップと呼ばれます。このホスト名には、送信元サーバーと同じパブリック IP アドレスを参照する A レコード(IPv4 の場合)または AAAA レコード(IPv6 の場合)も必要です。これは、フォワード DNS ルックアップと呼ばれます。 送信元サーバーの IP アドレスとドメインを対応付ける有効なリバース DNS レコードを設定します。Google 管理者ツールボックスの Dig ツールを使用して PTR レコードを確認します。 重要: 送信元 IP アドレスは、ポインタ(PTR)レコードで指定されたホスト名の IP アドレスと一致している必要があります。
[opc@oci10 ~]$ sudo vi /etc/fstab
[opc@oci10 ~]$ cat /etc/fstab
#
# /etc/fstab
# Created by anaconda on Wed Jul 16 02:09:25 2025
#
# Accessible filesystems, by reference, are maintained under '/dev/disk/'.
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info.
#
# After editing this file, run 'systemctl daemon-reload' to update systemd
# units generated from this file.
#
UUID=7d252e5c-0a4d-4f09-afca-58d232b956c2 / xfs defaults 0 0
UUID=02208839-bc64-488a-9f5f-b87452a0f76d /boot xfs defaults 0 0
UUID=9A6D-CFD1 /boot/efi vfat defaults,uid=0,gid=0,umask=077,shortname=winnt 0 2
UUID=81c1f07e-ee73-470f-b0ec-d21ad8693c3e /var/oled xfs defaults 0 0
tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0
######################################
## ORACLE CLOUD INFRASTRUCTURE CUSTOMERS
##
## If you are adding an iSCSI remote block volume to this file you MUST
## include the '_netdev' mount option or your instance will become
## unavailable after the next reboot.
## SCSI device names are not stable across reboots; please use the device UUID instead of /dev path.
##
## Example:
## UUID="94c5aade-8bb1-4d55-ad0c-388bb8aa716a" /data1 xfs defaults,noatime,_netdev 0 2
##
## More information:
## https://docs.cloud.oracle.com/Content/Block/Tasks/connectingtoavolume.htm
/.swapfile none swap sw 0 0
/var/oled/swapfile none swap sw 0 0
[opc@oci10 ~]$
No modular packages are available for Oracle Linux 10. Different versions of userspace packages continue to be available as Application Streams but don’t use the package modularity available in previous releases.
なので、単純に「dnf install php」でインストールします。
[opc@oci10 ~]$ sudo dnf install php -y
Last metadata expiration check: 0:13:46 ago on Tue 09 Sep 2025 01:42:02 PM JST.
Dependencies resolved.
=========================================================================================================================================================================================================================================================================================================================
Package Architecture Version Repository Size
=========================================================================================================================================================================================================================================================================================================================
Installing:
php x86_64 8.3.19-1.el10_0 ol10_appstream 75 k
Installing dependencies:
apr x86_64 1.7.5-2.el10 ol10_appstream 135 k
apr-util x86_64 1.6.3-21.el10 ol10_appstream 102 k
apr-util-lmdb x86_64 1.6.3-21.el10 ol10_appstream 14 k
capstone x86_64 5.0.1-6.el10 ol10_appstream 1.0 M
httpd-core x86_64 2.4.63-1.0.1.el10_0.2 ol10_appstream 1.8 M
httpd-filesystem noarch 2.4.63-1.0.1.el10_0.2 ol10_appstream 9.1 k
httpd-tools x86_64 2.4.63-1.0.1.el10_0.2 ol10_appstream 91 k
libxslt x86_64 1.1.39-8.el10_0 ol10_appstream 208 k
mailcap noarch 2.1.54-8.el10 ol10_baseos_latest 39 k
nginx-filesystem noarch 2:1.26.3-1.0.1.el10 ol10_appstream 31 k
oracle-logos-httpd noarch 100.1-1.0.3.el10 ol10_baseos_latest 53 k
php-common x86_64 8.3.19-1.el10_0 ol10_appstream 815 k
Installing weak dependencies:
apr-util-openssl x86_64 1.6.3-21.el10 ol10_appstream 16 k
httpd x86_64 2.4.63-1.0.1.el10_0.2 ol10_appstream 63 k
mod_http2 x86_64 2.0.29-2.el10_0.1 ol10_appstream 177 k
mod_lua x86_64 2.4.63-1.0.1.el10_0.2 ol10_appstream 55 k
php-cli x86_64 8.3.19-1.el10_0 ol10_appstream 3.7 M
php-fpm x86_64 8.3.19-1.el10_0 ol10_appstream 1.9 M
php-mbstring x86_64 8.3.19-1.el10_0 ol10_appstream 584 k
php-opcache x86_64 8.3.19-1.el10_0 ol10_appstream 430 k
php-pdo x86_64 8.3.19-1.el10_0 ol10_appstream 158 k
php-xml x86_64 8.3.19-1.el10_0 ol10_appstream 225 k
Transaction Summary
=========================================================================================================================================================================================================================================================================================================================
Install 23 Packages
Total download size: 12 M
Installed size: 57 M
Downloading Packages:
<略>
Running scriptlet: httpd-2.4.63-1.0.1.el10_0.2.x86_64 23/23
Running scriptlet: php-8.3.19-1.el10_0.x86_64 23/23
Installed:
apr-1.7.5-2.el10.x86_64 apr-util-1.6.3-21.el10.x86_64 apr-util-lmdb-1.6.3-21.el10.x86_64 apr-util-openssl-1.6.3-21.el10.x86_64 capstone-5.0.1-6.el10.x86_64 httpd-2.4.63-1.0.1.el10_0.2.x86_64 httpd-core-2.4.63-1.0.1.el10_0.2.x86_64
httpd-filesystem-2.4.63-1.0.1.el10_0.2.noarch httpd-tools-2.4.63-1.0.1.el10_0.2.x86_64 libxslt-1.1.39-8.el10_0.x86_64 mailcap-2.1.54-8.el10.noarch mod_http2-2.0.29-2.el10_0.1.x86_64 mod_lua-2.4.63-1.0.1.el10_0.2.x86_64 nginx-filesystem-2:1.26.3-1.0.1.el10.noarch
oracle-logos-httpd-100.1-1.0.3.el10.noarch php-8.3.19-1.el10_0.x86_64 php-cli-8.3.19-1.el10_0.x86_64 php-common-8.3.19-1.el10_0.x86_64 php-fpm-8.3.19-1.el10_0.x86_64 php-mbstring-8.3.19-1.el10_0.x86_64 php-opcache-8.3.19-1.el10_0.x86_64
php-pdo-8.3.19-1.el10_0.x86_64 php-xml-8.3.19-1.el10_0.x86_64
Complete!
[opc@oci10 ~]$
php 8.3.19がインストールされました。
手順6: MySQL設定編
Oracle Linux 10ではMySQL 8.4.4 か mariadb 10.11.11が提供されています。
とりあえず、Oracle直営なのでMySQLを使っておきます。
[opc@oci10 ~]$ sudo dnf install mysql8.4-server -y
Last metadata expiration check: 0:17:41 ago on Tue 09 Sep 2025 01:42:02 PM JST.
Dependencies resolved.
=========================================================================================================================================================================================================================================================================================================================
Package Architecture Version Repository Size
=========================================================================================================================================================================================================================================================================================================================
Installing:
mysql8.4-server x86_64 8.4.4-2.el10 ol10_appstream 18 M
Installing dependencies:
libicu x86_64 74.2-5.el10_0 ol10_baseos_latest 10 M
mariadb-connector-c-config noarch 3.4.4-1.el10 ol10_baseos_latest 8.8 k
mecab x86_64 0.996-9.el10 ol10_appstream 390 k
mysql-selinux noarch 1.0.13-2.el10 ol10_appstream 37 k
mysql8.4 x86_64 8.4.4-2.el10 ol10_appstream 2.4 M
mysql8.4-common noarch 8.4.4-2.el10 ol10_appstream 102 k
mysql8.4-errmsg noarch 8.4.4-2.el10 ol10_appstream 545 k
protobuf-lite x86_64 3.19.6-11.el10 ol10_appstream 262 k
Transaction Summary
=========================================================================================================================================================================================================================================================================================================================
Install 9 Packages
Total download size: 32 M
Installed size: 199 M
Downloading Packages:
<略>
Running scriptlet: mysql8.4-server-8.4.4-2.el10.x86_64 9/9
Installed:
libicu-74.2-5.el10_0.x86_64 mariadb-connector-c-config-3.4.4-1.el10.noarch mecab-0.996-9.el10.x86_64 mysql-selinux-1.0.13-2.el10.noarch mysql8.4-8.4.4-2.el10.x86_64 mysql8.4-common-8.4.4-2.el10.noarch mysql8.4-errmsg-8.4.4-2.el10.noarch mysql8.4-server-8.4.4-2.el10.x86_64
protobuf-lite-3.19.6-11.el10.x86_64
Complete!
[opc@oci10 ~]$
[opc@oci10 ~]$ sudo mysql -u root
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 8
Server version: 8.4.4 Source distribution
Copyright (c) 2000, 2025, Oracle and/or its affiliates.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> create database DB名 character set utf8;
Query OK, 1 row affected, 1 warning (0.01 sec)
mysql> create user wordpress@localhost identified by 'パスワード';
Query OK, 0 rows affected (0.02 sec)
mysql> grant all privileges on DB名.* to wordpress@localhost;
Query OK, 0 rows affected (0.01 sec)
mysql> quit
Bye
[opc@oci10 ~]$
手順7-1: httpdインストール
httpdをインストールします。
Oracle Linux 10.0ではWebサーバとして Apache(httpd) 2.4.63 、nginx 1.26.3が使えるが、apacheを使う。
[opc@oci10 ~]$ sudo dnf install httpd -y
Last metadata expiration check: 0:23:31 ago on Tue 09 Sep 2025 01:42:02 PM JST.
Package httpd-2.4.63-1.0.1.el10_0.2.x86_64 is already installed.
Dependencies resolved.
Nothing to do.
Complete!
[opc@oci10 ~]$
[opc@oci10 ~]$ sudo dehydrated --register
# INFO: Using main config file /etc/dehydrated/config
# INFO: Using additional config file /etc/dehydrated/conf.d/local.sh
To use dehydrated with this certificate authority you have to agree to their terms of service which you can find here: https://letsencrypt.org/documents/LE-SA-v1.5-February-24-2025.pdf
To accept these terms of service run "/bin/dehydrated --register --accept-terms".
[opc@oci10 ~]$ sudo dehydrated --register --accept-terms
# INFO: Using main config file /etc/dehydrated/config
# INFO: Using additional config file /etc/dehydrated/conf.d/local.sh
+ Generating account key...
+ Registering account key with ACME server...
+ Fetching account URL...
+ Done!
[opc@oci10 ~]$
初回のSSL証明書発行処理を実行します。
$ sudo dehydrated --cron
# INFO: Using main config file /etc/dehydrated/config
# INFO: Using additional config file /etc/dehydrated/conf.d/local.sh
+ Creating chain cache directory /etc/dehydrated/chains
Processing ホスト1名.ドメイン名 with alternative names: ホスト2名.ドメイン名
+ Creating new directory /etc/dehydrated/certs/ホスト1名.ドメイン名 ...
+ Signing domains...
+ Generating private key...
+ Generating signing request...
+ Requesting new certificate order from CA...
+ Received 2 authorizations URLs from the CA
+ Handling authorization for ホスト1名.ドメイン名
+ Handling authorization for ホスト2名.ドメイン名
+ 2 pending challenge(s)
+ Deploying challenge tokens...
+ Responding to challenge for ホスト1名.ドメイン名 authorization...
+ Challenge is valid!
+ Responding to challenge for ホスト2名.ドメイン名 authorization...
+ Challenge is valid!
+ Cleaning challenge tokens...
+ Requesting certificate...
+ Checking certificate...
+ Done!
+ Creating fullchain.pem...
+ Done!
+ Running automatic cleanup
$
手順7-3: WebサーバへのSSL証明書設定
まず、httpdにmod_sslを追加します。
[opc@oci10 ~]$ sudo dnf install mod_ssl -y
Last metadata expiration check: 0:33:34 ago on Tue 09 Sep 2025 01:42:02 PM JST.
Dependencies resolved.
=========================================================================================================================================================================================================================================================================================================================
Package Architecture Version Repository Size
=========================================================================================================================================================================================================================================================================================================================
Installing:
mod_ssl x86_64 1:2.4.63-1.0.1.el10_0.2 ol10_appstream 113 k
Installing dependencies:
sscg x86_64 3.0.5-9.el10 ol10_appstream 50 k
Transaction Summary
=========================================================================================================================================================================================================================================================================================================================
Install 2 Packages
Total download size: 163 k
Installed size: 366 k
Downloading Packages:
<略>
Installed:
mod_ssl-1:2.4.63-1.0.1.el10_0.2.x86_64 sscg-3.0.5-9.el10.x86_64
Complete!
[opc@oci10 ~]$
現在の設定値を「sudo getsebool -a |grep httpd_can_network」で確認し、「sudo setsebool -P httpd_can_network_connect on」で有効にする
[opc@oci10 ~]$ sudo vi /var/www/html/wordpress/wp-config.php
[opc@oci10 ~]$ sudo getsebool -a |grep httpd_can_network
httpd_can_network_connect --> off
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off
httpd_can_network_memcache --> off
httpd_can_network_redis --> off
httpd_can_network_relay --> off
[opc@oci10 ~]$ sudo setsebool -P httpd_can_network_connect on
[opc@oci10 ~]$ sudo getsebool -a |grep httpd_can_network
httpd_can_network_connect --> on
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off
httpd_can_network_memcache --> off
httpd_can_network_redis --> off
httpd_can_network_relay --> off
[opc@oci10 ~]$
[opc@oci10 ~]$ sudo vi /etc/dnf/automatic.conf
[opc@oci10 ~]$ cat /etc/dnf/automatic.conf
[commands]
# What kind of upgrade to perform:
# default = all available upgrades
# security = only the security upgrades
upgrade_type = default
random_sleep = 0
# Maximum time in seconds to wait until the system is on-line and able to
# connect to remote repositories.
network_online_timeout = 60
# To just receive updates use dnf-automatic-notifyonly.timer
# Whether updates should be downloaded when they are available, by
# dnf-automatic.timer. notifyonly.timer, download.timer and
# install.timer override this setting.
download_updates = yes
# Whether updates should be applied when they are available, by
# dnf-automatic.timer. notifyonly.timer, download.timer and
# install.timer override this setting.
apply_updates = yes
# When the system should reboot following upgrades:
# never = don't reboot after upgrades
# when-changed = reboot after any changes
# when-needed = reboot when necessary to apply changes
reboot = never
# The command that is run to trigger a system reboot.
reboot_command = "shutdown -r +5 'Rebooting after applying package updates'"
[emitters]
# Name to use for this system in messages that are emitted. Default is the
# hostname.
# system_name = my-host
# How to send messages. Valid options are stdio, email and motd. If
# emit_via includes stdio, messages will be sent to stdout; this is useful
# to have cron send the messages. If emit_via includes email, this
# program will send email itself according to the configured options.
# If emit_via includes motd, /etc/motd file will have the messages. if
# emit_via includes command_email, then messages will be send via a shell
# command compatible with sendmail.
# Default is email,stdio.
# If emit_via is None or left blank, no messages will be sent.
emit_via = stdio
[email]
# The address to send email messages from.
email_from = root@example.com
# List of addresses to send messages to.
email_to = root
# Name of the host to connect to to send email messages.
email_host = localhost
# Port number to connect to at the email host.
email_port = 25
# Use TLS or STARTTLS to connect to the email host.
email_tls = no
[command]
# The shell command to execute. This is a Python format string, as used in
# str.format(). The format function will pass a shell-quoted argument called
# `body`.
# command_format = "cat"
# The contents of stdin to pass to the command. It is a format string with the
# same arguments as `command_format`.
# stdin_format = "{body}"
[command_email]
# The shell command to use to send email. This is a Python format string,
# as used in str.format(). The format function will pass shell-quoted arguments
# called body, subject, email_from, email_to.
# command_format = "mail -Ssendwait -s {subject} -r {email_from} {email_to}"
# The contents of stdin to pass to the command. It is a format string with the
# same arguments as `command_format`.
# stdin_format = "{body}"
# The address to send email messages from.
email_from = root@example.com
# List of addresses to send messages to.
email_to = root
[base]
# This section overrides dnf.conf
# Use this to filter DNF core messages
debuglevel = 1
[opc@oci10 ~]$
そしてdnf-automatic.timerを有効化し、開始します。
$ sudo systemctl enable dnf-automatic.timer
Created symlink /etc/systemd/system/timers.target.wants/dnf-automatic.timer → /usr/lib/systemd/system/dnf-automatic.timer.
$ sudo systemctl status dnf-automatic
○ dnf-automatic.service - dnf automatic
Loaded: loaded (/usr/lib/systemd/system/dnf-automatic.service; static)
Active: inactive (dead)
TriggeredBy: ○ dnf-automatic.timer
$ sudo systemctl start dnf-automatic.timer
$ sudo systemctl status dnf-automatic.timer
● dnf-automatic.timer - dnf-automatic timer
Loaded: loaded (/usr/lib/systemd/system/dnf-automatic.timer; enabled; pres>
Active: active (waiting) since Tue 2023-09-12 13:11:00 JST; 5s ago
Until: Tue 2023-09-12 13:11:00 JST; 5s ago
Trigger: Wed 2023-09-13 06:44:33 JST; 17h left
Triggers: ● dnf-automatic.service
Sep 12 13:11:00 ホスト名 systemd[1]: Started dnf-automatic timer.
$
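#!/bin/bash
# Hook script for the certificate client: restarts Apache httpd when the
# "deploy_cert" event is reported (presumably so httpd loads the renewed
# certificate files; confirm against the hook configuration).
#
# Arguments:
#   $1 - hook name; only "deploy_cert" is acted on, any other name is ignored.
# Outputs:
#   An error line on stderr if the restart fails.
# Returns:
#   0 when there is nothing to do or the restart succeeded, otherwise the
#   exit status of systemctl.
case "${1:-}" in
  "deploy_cert")
    # Do not mask a failed restart behind the final "exit 0": report it and
    # pass the status on, so the caller (and the journal of the timer-driven
    # run) shows that the renewed certificate was not put into service.
    /bin/systemctl restart httpd || {
      status=$?
      printf 'hook: restart of httpd after deploy_cert failed (exit %s)\n' "$status" >&2
      exit "$status"
    }
    ;;
esac
exit 0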
強制的にSSL証明書再発行を実行「sudo dehydrated --cron --force」
[opc@oci10 ~]$ sudo dehydrated --cron --force
# INFO: Using main config file /etc/dehydrated/config
# INFO: Using additional config file /etc/dehydrated/conf.d/local.sh
Processing <ホスト名>
+ Checking expire date of existing cert...
+ Valid till Dec 9 01:51:44 2025 GMT (Longer than 30 days). Ignoring because renew was forced!
+ Signing domains...
+ Generating signing request...
+ Requesting new certificate order from CA...
+ Received 1 authorizations URLs from the CA
+ Handling authorization for <ホスト名>
+ Found valid authorization for <ホスト名>
+ 0 pending challenge(s)
+ Requesting certificate...
Warning: Will read cert request from stdin since no -in option is given
+ Checking certificate...
+ Done!
+ Creating fullchain.pem...
+ Done!
+ Running automatic cleanup
Moving unused file to archive directory: <ホスト名>/cert-1757472608.csr
Moving unused file to archive directory: <ホスト名>/cert-1757472608.pem
Moving unused file to archive directory: <ホスト名>/chain-1757472608.pem
Moving unused file to archive directory: <ホスト名>/fullchain-1757472608.pem
[opc@oci10 ~]$
ちゃんとhttpdが再起動しているかを「systemctl status httpd」を実行して確認
下記の「Active:」のsinceの後ろの時刻がつい最近であることを確認する
[opc@oci10 ~]$ systemctl status httpd
● httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; preset: disabled)
Drop-In: /etc/systemd/system/httpd.service.d
└─php-fpm.conf
Active: active (running) since Wed 2025-09-10 11:51:21 JST; 7s ago
Invocation: cae425cfbaae4ba68fa746588b2dde05
Docs: man:httpd.service(8)
Main PID: 110426 (httpd)
Status: "Started, listening on: port 443, port 80"
Tasks: 177 (limit: 5249)
Memory: 14.6M (peak: 14.8M)
CPU: 216ms
CGroup: /system.slice/httpd.service
├─110426 /usr/sbin/httpd -DFOREGROUND
├─110427 /usr/sbin/httpd -DFOREGROUND
├─110428 /usr/sbin/httpd -DFOREGROUND
├─110429 /usr/sbin/httpd -DFOREGROUND
└─110430 /usr/sbin/httpd -DFOREGROUND
Sep 10 11:51:21 oci10 systemd[1]: Starting httpd.service - The Apache HTTP Server...
Sep 10 11:51:21 oci10 (httpd)[110426]: httpd.service: Referenced but unset environment variable evaluates to an empty string: OPTIONS
Sep 10 11:51:21 oci10 systemd[1]: Started httpd.service - The Apache HTTP Server.
Sep 10 11:51:21 oci10 httpd[110426]: Server configured, listening on: port 443, port 80
[opc@oci10 ~]$
次にdehydratedが定期的に実行される設定になっているかを「systemctl status dehydrated.timer」を実行して確認する
[opc@oci10 ~]$ systemctl status dehydrated.timer
● dehydrated.timer - dehydrated client for signing certificates with an ACME server
Loaded: loaded (/usr/lib/systemd/system/dehydrated.timer; enabled; preset: enabled)
Active: active (waiting) since Tue 2025-09-09 14:07:18 JST; 21h ago
Invocation: d81b66fc4dd943368689b90f756ab156
Trigger: Thu 2025-09-11 01:41:37 JST; 13h left
Triggers: ● dehydrated.service
Sep 09 14:07:18 oci10 systemd[1]: Started dehydrated.timer - dehydrated client for signing certificates with an ACME server.
[opc@oci10 ~]$
Oracle Linux 10においては標準でenabledとなっているので、自動的に実行されるようになっていた。
[opc@oci10 ~]$ sudo dnf update -y
Last metadata expiration check: 1:18:42 ago on Fri 19 Sep 2025 12:26:32 PM JST.
Error:
Problem: package python3-oci-sdk-2.159.0-1.el10.x86_64 from ol10_oci_included requires (python3.12dist(pyopenssl) < 25~~ with python3.12dist(pyopenssl) >= 17.5), but none of the providers can be installed
- cannot install both python3-pyOpenSSL-25.0.0-1.el10_0.noarch from ol10_u0_developer_EPEL and python3-pyOpenSSL-24.2.1-1.0.1.el10.noarch from @System
- cannot install both python3-pyOpenSSL-25.0.0-1.el10_0.noarch from ol10_u0_developer_EPEL and python3-pyOpenSSL-24.2.1-1.el10_0.noarch from ol10_u0_developer_EPEL
- cannot install both python3-pyOpenSSL-24.2.1-1.0.1.el10.noarch from ol10_appstream and python3-pyOpenSSL-25.0.0-1.el10_0.noarch from ol10_u0_developer_EPEL
- cannot install the best update candidate for package python3-pyOpenSSL-24.2.1-1.0.1.el10.noarch
- cannot install the best update candidate for package python3-oci-sdk-2.158.0-1.el10.x86_64
(try to add '--allowerasing' to command line to replace conflicting packages or '--skip-broken' to skip uninstallable packages or '--nobest' to use not only best candidate packages)
[opc@oci10 ~]$
python3-pyOpenSSLがOracle Linux 10標準提供の python3-pyOpenSSL-24.2.1 系列と、EPEL提供の python3-pyOpenSSL-25.0.0 系列の2種類があり、python3-oci-sdk-2.159.0 が pyopenssl 25 未満(17.5 以上)を要求しているため、EPEL側の 25.0.0 を更新候補として選べずに発生している模様