Certbot is an ACME client developed by the Electronic Frontier Foundation and written in Python🤔
From Certbot - ArchWiki…
ACME (Automatic Certificate Management Environment) is specified as an Internet Standard (RFC 8555) for automating the issuance and management of X.509 certificates signed by a certificate authority (CA)😉
Installing via the certbot-auto wrapper script (the route the EFF documented at the time; the Certbot project has since deprecated certbot-auto in favour of distribution packages or the snap, and note that the curl step below fetches an executable and runs it as root without checking a signature):
$ sudo -s
# cd ~
# dnf install python3-virtualenv
# curl -O https://dl.eff.org/certbot-auto
# chmod a+x certbot-auto
# ./certbot-auto
Bootstrapping dependencies for RedHat-based OSes... (you can skip this with --no-bootstrap)
dnf is /usr/bin/dnf
dnf is hashed (/usr/bin/dnf)
Last metadata expiration check: 1:18:05 ago on 2019-02-15 10:47:08.
Package gcc-8.2.1-6.fc29.x86_64 is already installed.
Package augeas-libs-1.10.1-3.fc29.x86_64 is already installed.
Package openssl-1:1.1.1a-1.fc29.x86_64 is already installed.
Package openssl-devel-1:1.1.1a-1.fc29.x86_64 is already installed.
Package libffi-devel-3.1-18.fc29.x86_64 is already installed.
Package redhat-rpm-config-118-1.fc29.noarch is already installed.
Package ca-certificates-2018.2.26-2.fc29.noarch is already installed.
Package python2-libs-2.7.15-11.fc29.x86_64 is already installed.
Package python2-setuptools-40.4.3-1.fc29.noarch is already installed.
Package python2-devel-2.7.15-11.fc29.x86_64 is already installed.
Package python2-virtualenv-16.0.0-5.fc29.noarch is already installed.
Package python2-tools-2.7.15-11.fc29.x86_64 is already installed.
Package python2-pip-18.1-1.fc29.noarch is already installed.
Package mod_ssl-1:2.4.38-2.fc29.x86_64 is already installed.
Dependencies resolved.
Nothing to do.
Complete!
Creating virtual environment...
Installing Python packages...
Installation succeeded.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Error while running apachectl configtest.

AH00526: Syntax error on line 101 of /etc/httpd/conf.d/ssl.conf:
SSLCertificateFile: file '/etc/pki/tls/certs/localhost.crt' does not exist or is empty

Certbot doesn't know how to automatically configure the web server on this system. However, it can still get a certificate for you. Please run "certbot-auto certonly" to do so. You'll need to manually configure your web server to use the resulting certificate.
The apache plugin gives up because the stock mod_ssl ssl.conf still points at /etc/pki/tls/certs/localhost.crt, which does not exist on this host; until that is fixed certbot can act only as an authenticator, not as an installer for Apache.
$ sudo dnf install certbot python-certbot-apache
$ certbot --help
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates.  By default,
it will attempt to use a webserver both for obtaining and installing the
certificate. The most common SUBCOMMANDS and flags are:

obtain, install, and renew certificates:
    (default) run   Obtain & install a certificate in your current webserver
    certonly        Obtain or renew a certificate, but do not install it
    renew           Renew all previously obtained certificates that are near
                    expiry
    enhance         Add security enhancements to your existing configuration
   -d DOMAINS       Comma-separated list of domains to obtain a certificate for

  (the certbot apache plugin is not installed)
  --standalone      Run a standalone webserver for authentication
  (the certbot nginx plugin is not installed)
  --webroot         Place files in a server's webroot folder for authentication
  --manual          Obtain certificates interactively, or using shell script hooks
   -n               Run non-interactively
  --test-cert       Obtain a test certificate from a staging server
  --dry-run         Test "renew" or "certonly" without saving any certificates
                    to disk

manage certificates:
    certificates    Display information about certificates you have from Certbot
    revoke          Revoke a certificate (supply --cert-name or --cert-path)
    delete          Delete a certificate (supply --cert-name)

manage your account:
    register        Create an ACME account
    unregister      Deactivate an ACME account
    update_account  Update an ACME account
    show_account    Display account details
  --agree-tos       Agree to the ACME server's Subscriber Agreement
   -m EMAIL         Email address for important account notifications

More detailed help:

  -h, --help [TOPIC]    print this message, or detailed help on a topic;
                        the available TOPICS are:

   all, automation, commands, paths, security, testing, or any of the
   subcommands or plugins (certonly, renew, install, register, nginx,
   apache, standalone, webroot, etc.)
  -h all                print a detailed help page including all topics
  --version             print the version number
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
$ sudo certbot
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Certbot doesn't know how to automatically configure the web server on this system. However, it can still get a certificate for you. Please run "certbot certonly" to do so. You'll need to manually configure your web server to use the resulting certificate.
$ sudo less /var/log/letsencrypt/letsencrypt.log
2019-02-15 11:53:24,221:DEBUG:certbot.main:certbot version: 0.30.2
2019-02-15 11:53:24,222:DEBUG:certbot.main:Arguments: []
2019-02-15 11:53:24,222:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2019-02-15 11:53:24,246:DEBUG:certbot.log:Root logging level set at 20
2019-02-15 11:53:24,247:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2019-02-15 11:53:24,248:DEBUG:certbot.plugins.selection:Requested authenticator None and installer None
2019-02-15 11:53:24,248:DEBUG:certbot.plugins.selection:No candidate plugin
2019-02-15 11:53:24,248:DEBUG:certbot.plugins.selection:Selected authenticator None and installer None
The debug log shows that only the manual, null, standalone and webroot plugins were discovered, i.e. the apache plugin is not loaded, so certbot has no installer to work with. The rest of this page therefore obtains certificates with certonly plus the webroot authenticator and configures Apache by hand.
$ sudo certbot certonly --webroot -w /var/www/vhosts/letsencrypt -d monsters-g.com -w /var/www/vhosts/letsencrypt -d www.monsters-g.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): tomoyan@tomoyan.net

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for monsters-g.com
http-01 challenge for www.monsters-g.com
Using the webroot path /var/www/vhosts/letsencrypt for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/www.monsters-g.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/www.monsters-g.com/privkey.pem
   Your cert will expire on 2019-05-16. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
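The http-01 challenge above succeeds only if every requested name serves the files certbot drops into /var/www/vhosts/letsencrypt/.well-known/acme-challenge/ over plain HTTP on port 80. The preflight script below is an added example, not part of the original page or of Certbot itself: it places a token in the webroot and fetches it through each domain the way the Let's Encrypt validator would, so a vhost that does not expose the challenge path is caught before a validation attempt is spent. It assumes the page's webroot path and that each Apache vhost maps /.well-known/acme-challenge/ onto that directory (for example with an Alias directive); the script name and the WEBROOT override are this example's own.

```shell
#!/bin/sh
# acme-preflight.sh: check that http-01 challenge files placed in WEBROOT are
# reachable through each domain. Usage: sh acme-preflight.sh DOMAIN [DOMAIN...]
# Paths are this example's assumptions, chosen to match the page's setup.
WEBROOT="${WEBROOT:-/var/www/vhosts/letsencrypt}"
CHALLENGE_DIR=".well-known/acme-challenge"

# Create a unique token file under the challenge directory and print its name.
# The file is world-readable so httpd (not root) can serve it.
place_token() {
  webroot="$1"
  dir="$webroot/$CHALLENGE_DIR"
  mkdir -p "$dir"
  token="preflight-$(date +%s)-$$"
  printf 'ok-%s\n' "$token" > "$dir/$token"
  chmod 0644 "$dir/$token"
  printf '%s' "$token"
}

# Default fetcher: plain HTTP on port 80 with the domain in the Host header,
# following redirects, which is how the Let's Encrypt validators retrieve the
# challenge. Prints the response body; fails on any non-2xx status.
fetch_token() {
  domain="$1"; token="$2"
  curl -fsSL --max-time 10 "http://$domain/$CHALLENGE_DIR/$token"
}

# Place a token, fetch it via DOMAIN using FETCHER (default fetch_token),
# remove it, and return 0 only if the served body is exactly what was written.
check_domain() {
  webroot="$1"; domain="$2"; fetcher="${3:-fetch_token}"
  token=$(place_token "$webroot")
  expected="ok-$token"
  got=$("$fetcher" "$domain" "$token" 2>/dev/null) || got=""
  rm -f "$webroot/$CHALLENGE_DIR/$token"
  if [ "$got" = "$expected" ]; then
    echo "OK   $domain -> $webroot/$CHALLENGE_DIR"
    return 0
  fi
  echo "FAIL $domain: expected '$expected', got '${got:-<nothing>}'" >&2
  return 1
}

# Check every domain given on the command line; exit non-zero if any fails.
# With no arguments nothing runs, so the functions can also be sourced.
rc=0
for domain in "$@"; do
  check_domain "$WEBROOT" "$domain" || rc=1
done
[ $# -eq 0 ] || exit "$rc"
```

Run it as root (it writes into the webroot) with the same names you pass to certbot, e.g. `sh acme-preflight.sh monsters-g.com www.monsters-g.com`; a FAIL for one name usually means that vhost lacks the challenge-path mapping or redirects to a URL that does not serve it.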
To add the redmine.monsters-g.com subdomain, append it after the existing domains monsters-g.com and www.monsters-g.com🤔
On the command line that means adding
-w /var/www/vhosts/letsencrypt -d redmine.monsters-g.com
to the same certonly invocation. Certbot notices that the new domain set is a superset of the existing lineage and offers to expand it; --expand (or, as below, --force-renew) answers that prompt non-interactively. --force-renew additionally reissues even when nothing has changed, so do not leave it in anything that runs repeatedly: each run is a fresh issuance that counts toward Let's Encrypt's duplicate-certificate rate limit.
$ sudo ls -al /etc/letsencrypt/live
total 3
drwx------. 1 root root  88 Aug 28 06:47 .
drwxr-xr-x. 1 root root 106 Aug 28 06:47 ..
-rw-r--r--. 1 root root 740 Feb 15  2019 README
drwxr-xr-x  1 root root  94 Aug 28 06:47 monsters-g.com
drwxr-xr-x. 1 root root  94 Aug 28 06:15 tomoyan.net
$ sudo certbot certonly --force-renew --webroot -w /var/www/vhosts/letsencrypt -d monsters-g.com -w /var/www/vhosts/letsencrypt -d www.monsters-g.com -w /var/www/vhosts/letsencrypt -d redmine.monsters-g.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
An RSA certificate named monsters-g.com already exists. Do you want to update
its key type to ECDSA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(U)pdate key type/(K)eep existing key type: u
Renewing an existing certificate for monsters-g.com and 2 more domains

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/monsters-g.com/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/monsters-g.com/privkey.pem
This certificate expires on 2023-07-02.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Answering U replaces the lineage's RSA key with a freshly generated ECDSA key on this issuance (ECDSA has been Certbot's default key type since 2.0); privkey.pem and fullchain.pem under live/monsters-g.com are replaced together, so on the Apache side nothing changes beyond the reload below.
With Apache, reload it so that the newly obtained certificate is picked up🤔
$ sudo systemctl reload httpd
$ sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/monsters-g.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for monsters-g.com and www.monsters-g.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/tomoyan.net.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for tomoyan.net and 3 more domains

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all simulated renewals succeeded:
  /etc/letsencrypt/live/monsters-g.com/fullchain.pem (success)
  /etc/letsencrypt/live/tomoyan.net/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
--dry-run runs the challenges against the Let's Encrypt staging environment and writes nothing under /etc/letsencrypt, so it is a safe way to confirm that the webroot paths and any hooks still work before the real renewal is due.
$ sudo certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/monsters-g.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for monsters-g.com
http-01 challenge for www.monsters-g.com
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/monsters-g.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/tomoyan.net.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for redmine.tomoyan.net
http-01 challenge for repos.tomoyan.net
http-01 challenge for tomoyan.net
http-01 challenge for www.tomoyan.net
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/tomoyan.net/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/monsters-g.com/fullchain.pem (success)
  /etc/letsencrypt/live/tomoyan.net/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Reload Apache so that the new certificate takes effect😉 "new certificate deployed without reload" in the output above is certbot saying that, with Installer None, it only wrote the files; Apache keeps serving the old certificate until it is reloaded. The same reload is needed after every unattended renewal run by the packaged systemd timer (certbot-renew.timer on Fedora), which is what a --deploy-hook, or an executable in /etc/letsencrypt/renewal-hooks/deploy/, is for.
$ sudo systemctl reload httpd
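Because no installer plugin is in use, the scheduled renewals also finish "without reload", and Apache would serve the old certificate until it expired. The deploy hook below is an added example, not from the page or from the Certbot project: certbot runs every executable in /etc/letsencrypt/renewal-hooks/deploy/ after a successful renewal with RENEWED_LINEAGE (the live/<name> directory) and RENEWED_DOMAINS exported, and this script reloads httpd only after confirming that the lineage lives under certbot's live directory, that the leaf in fullchain.pem really belongs to privkey.pem, and that apachectl configtest passes. The install path, the LIVE_BASE override and the choice of systemctl reload httpd are this example's assumptions.

```shell
#!/bin/sh
# /etc/letsencrypt/renewal-hooks/deploy/reload-httpd.sh (assumed install path;
# make it executable). certbot exports RENEWED_LINEAGE (the live/<name> dir)
# and RENEWED_DOMAINS (space-separated names) before running deploy hooks.
# LIVE_BASE is overridable only so the checks can be exercised outside /etc.
LIVE_BASE="${LIVE_BASE:-/etc/letsencrypt/live}"

# A lineage is acceptable only if it sits under certbot's live directory and
# both halves of the key pair are present and readable.
lineage_ok() {
  lineage="$1"
  case "$lineage" in
    "$LIVE_BASE"/*) ;;
    *) return 1 ;;
  esac
  [ -r "$lineage/fullchain.pem" ] && [ -r "$lineage/privkey.pem" ]
}

# Compare the SubjectPublicKeyInfo of the leaf certificate (first PEM block
# of fullchain.pem) with the public half of privkey.pem. A mismatch means the
# lineage is inconsistent and a reload would break httpd's TLS setup.
cert_matches_key() {
  lineage="$1"
  cert_pub=$(openssl x509 -in "$lineage/fullchain.pem" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$lineage/privkey.pem" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Run the checks, then reload (never restart) httpd: a reload that fails
# leaves the running configuration in place, a failed restart leaves no site.
deploy() {
  lineage="${RENEWED_LINEAGE:-}"
  if ! lineage_ok "$lineage"; then
    echo "deploy-hook: refusing lineage '$lineage'" >&2
    return 1
  fi
  if ! cert_matches_key "$lineage"; then
    echo "deploy-hook: fullchain.pem does not match privkey.pem in $lineage" >&2
    return 1
  fi
  if ! apachectl configtest >/dev/null 2>&1; then
    echo "deploy-hook: apachectl configtest failed, not reloading" >&2
    return 1
  fi
  systemctl reload httpd || return 1
  echo "deploy-hook: reloaded httpd for ${RENEWED_DOMAINS:-$lineage}"
}

# Only act when invoked by certbot (RENEWED_LINEAGE set). certbot records the
# hook's output and a non-zero exit in /var/log/letsencrypt/letsencrypt.log.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  deploy || exit 1
fi
```

Hooks in that directory run for every lineage that renews, so on a host with several certificates httpd may be reloaded more than once per renewal run; that is harmless for Apache, which reloads gracefully. Verify the wiring with `sudo certbot renew --dry-run --run-deploy-hooks`, which executes deploy hooks even in dry-run mode.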