差分

このページの2つのバージョン間の差分を表示します。

--- linux:certbot_client [2019/02/15 12:06] – [Certbot クライアント] ともやん
+++ linux:certbot_client [2025/04/23 07:14] (現在) – [Certbot クライアント] ともやん
@@ 行 1: / 行 1: @@
 ====== Certbot クライアント ======
+Certbot は Electronic Frontier 財団が開発した ACME クライアントで Python で書かれている🤔\\
+[[arc>Certbot|Certbot - ArchWiki]] より...\\
-===== Fedora 29 でのインストール =====
+ACME (自動証明書管理環境) は、認証機関 (CA) が署名する X.509 証明書を自動化するために、インターネット標準 ([[https://datatracker.ietf.org/doc/html/rfc8555|RFC 8555]]) で仕様化されている😉\\
-<code>
+[[https://letsencrypt.org/ja/docs/client-options/|ACME クライアント実装 - Let's Encrypt]]\\
+===== Fedora でのインストール =====
+<WRAP color_term>
+<WRAP color_command><html><pre>
 $ sudo -s
 # cd ~
@@ 行 9: / 行 16: @@
 # chmod a+x certbot-auto
 # ./certbot-auto
-</code>
+</pre></html></WRAP>
-<WRAP prewrap 100%>
+<WRAP color_result><html><pre>
-<code>
 Bootstrapping dependencies for RedHat-based OSes... (you can skip this with --no-bootstrap)
 dnf は /usr/bin/dnf です
@@ 行 35: / 行 41: @@
 Creating virtual environment...
 Installing Python packages...
-</code>
+Installation succeeded.
+Saving debug log to /var/log/letsencrypt/letsencrypt.log
+Error while running apachectl configtest.
+AH00526: Syntax error on line 101 of /etc/httpd/conf.d/ssl.conf:
+SSLCertificateFile: file '/etc/pki/tls/certs/localhost.crt' does not exist or is empty
+Certbot doesn't know how to automatically configure the web server on this system. However, it can still get a certificate for you. Please run "certbot-auto certonly" to do so. You'll need to manually configure your web server to use the resulting certificate.
+</pre></html></WRAP>
 </WRAP>
 ===== インストール =====
-<code>
+<WRAP color_term>
+<WRAP color_command><html><pre>
 $ sudo dnf install certbot python-certbot-apache
-</code>
+</pre></html></WRAP>
+</WRAP>
+===== 使用方法 [--help] =====
+<WRAP color_term>
+<WRAP color_command><html><pre>
+$ certbot --help
+</pre></html></WRAP>
+<WRAP color_result_long><html><pre>
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+  certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...
+Certbot can obtain and install HTTPS/TLS/SSL certificates.  By default,
+it will attempt to use a webserver both for obtaining and installing the
+certificate. The most common SUBCOMMANDS and flags are:
+obtain, install, and renew certificates:
+    (default) run   Obtain & install a certificate in your current webserver
+    certonly        Obtain or renew a certificate, but do not install it
+    renew           Renew all previously obtained certificates that are near
+expiry
+    enhance         Add security enhancements to your existing configuration
+   -d DOMAINS       Comma-separated list of domains to obtain a certificate for
+  (the certbot apache plugin is not installed)
+  --standalone      Run a standalone webserver for authentication
+  (the certbot nginx plugin is not installed)
+  --webroot         Place files in a server's webroot folder for authentication
+  --manual          Obtain certificates interactively, or using shell script
+hooks
+   -n               Run non-interactively
+  --test-cert       Obtain a test certificate from a staging server
+  --dry-run         Test "renew" or "certonly" without saving any certificates
+to disk
+manage certificates:
+    certificates    Display information about certificates you have from Certbot
+    revoke          Revoke a certificate (supply --cert-name or --cert-path)
+    delete          Delete a certificate (supply --cert-name)
+manage your account:
+    register        Create an ACME account
+    unregister      Deactivate an ACME account
+    update_account  Update an ACME account
+    show_account    Display account details
+  --agree-tos       Agree to the ACME server's Subscriber Agreement
+   -m EMAIL         Email address for important account notifications
+More detailed help:
+  -h, --help [TOPIC]    print this message, or detailed help on a topic;
+                        the available TOPICS are:
+   all, automation, commands, paths, security, testing, or any of the
+   subcommands or plugins (certonly, renew, install, register, nginx,
+   apache, standalone, webroot, etc.)
+  -h all                print a detailed help page including all topics
+  --version             print the version number
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+</pre></html></WRAP>
+</WRAP>
 ===== テスト実行 =====
-<WRAP prewrap 100%>
+<WRAP color_term>
-<code>
+<WRAP color_command><html><pre>
 $ sudo certbot
+</pre></html></WRAP>
+<WRAP color_result><html><pre>
 Saving debug log to /var/log/letsencrypt/letsencrypt.log
 Certbot doesn't know how to automatically configure the web server on this system. However, it can still get a certificate for you. Please run "certbot certonly" to do so. You'll need to manually configure your web server to use the resulting certificate.
 $ sudo less /var/log/letsencrypt/letsencrypt.log
-</code>
+</pre></html></WRAP>
 </WRAP>
-<WRAP prewrap 100%>
-<file /var/log/letsencrypt/letsencrypt.log>
+<WRAP color_term>
+<WRAP color_mincode><file /var/log/letsencrypt/letsencrypt.log>
 -02-15 11:53:24,221:DEBUG:certbot.main:certbot version: 0.30.2
 -02-15 11:53:24,222:DEBUG:certbot.main:Arguments: []
@@ 行 61: / 行 143: @@
 -02-15 11:53:24,248:DEBUG:certbot.plugins.selection:No candidate plugin
 -02-15 11:53:24,248:DEBUG:certbot.plugins.selection:Selected authenticator None and installer None
-</file>
+</file></WRAP>
 </WRAP>
 ===== 証明書取得の実行 =====
-<WRAP prewrap 100%>
+<WRAP color_term>
-<code>
+<WRAP color_command><html><pre>
-$ sudo certbot certonly --agree-tos --webroot -w /var/www/html/ -d tomoyan.net
+$ sudo certbot certonly --webroot -w /var/www/vhosts/letsencrypt -d monsters-g.com -w /var/www/vhosts/letsencrypt -d www.monsters-g.com
+</pre></html></WRAP>
+<WRAP color_result_long><html><pre>
 Saving debug log to /var/log/letsencrypt/letsencrypt.log
 Plugins selected: Authenticator webroot, Installer None
 Enter email address (used for urgent renewal and security notices) (Enter 'c' to
 cancel): tomoyan@tomoyan.net
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Please read the Terms of Service at
+https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
+agree in order to register with the ACME server at
+https://acme-v02.api.letsencrypt.org/directory
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+(A)gree/(C)ancel: A
 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
@@ 行 79: / 行 172: @@
 encrypting the web, EFF news, campaigns, and ways to support digital freedom.
 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-(Y)es/(N)o: N
+(Y)es/(N)o: Y
 Obtaining a new certificate
 Performing the following challenges:
-http-01 challenge for tomoyan.net
+http-01 challenge for monsters-g.com
-Using the webroot path /var/www/html for all unmatched domains.
+http-01 challenge for www.monsters-g.com
+Using the webroot path /var/www/vhosts/letsencrypt for all unmatched domains.
 Waiting for verification...
 Cleaning up challenges
-Failed authorization procedure. tomoyan.net (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://www.tomoyan.net.well-known/acme-challenge/V134KUuu24abYl4WMcicF22FOFrp7AxkOJHBkVzFA4c: Error getting validation data
 IMPORTANT NOTES:
- - The following errors were reported by the server:
+ - Congratulations! Your certificate and chain have been saved at:
+   /etc/letsencrypt/live/www.monsters-g.com/fullchain.pem
+   Your key file has been saved at:
+   /etc/letsencrypt/live/www.monsters-g.com/privkey.pem
+   Your cert will expire on 2019-05-16. To obtain a new or tweaked
+   version of this certificate in the future, simply run certbot
+   again. To non-interactively renew *all* of your certificates, run
+   "certbot renew"
+ - If you like Certbot, please consider supporting our work by:
-   Domain: tomoyan.net
+   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
-   Type:   connection
+   Donating to EFF:                    https://eff.org/donate-le
-   Detail: Fetching
+</pre></html></WRAP>
-   http://www.tomoyan.net.well-known/acme-challenge/V134KUuu24abYl4WMcicF22FOFrp7AxkOJHBkVzFA4c:
+</WRAP>
-   Error getting validation data
-   To fix these errors, please make sure that your domain name was
+===== 既に取得済みの証明書にサブドメインを追加 =====
-   entered correctly and the DNS A/AAAA record(s) for that domain
+**redmine.monsters-g.com** サブドメインを追加する場合、既存ドメインに **monsters-g.com**、**www.monsters-g.com** のあとに追記する🤔\\
-   contain(s) the right IP address. Additionally, please check that
+コマンドラインでは、<html><code>-w /var/www/vhosts/letsencrypt -d redmine.monsters-g.com</code></html>を追加で指定する。\\
-   your computer has a publicly routable IP address and that no
+<WRAP color_term>
-   firewalls are preventing the server from communicating with the
+<WRAP color_command><html><pre>
-   client. If you're using the webroot plugin, you should also verify
+<b class=GRN>$</b> <b class=HIY>sudo</b> ls -al /etc/letsencrypt/live
-   that you are serving files from the webroot path you provided.
+</pre></html></WRAP>
- - Your account credentials have been saved in your Certbot
+<WRAP color_result><html><pre>
-   configuration directory at /etc/letsencrypt. You should make a
+合計 3
-   secure backup of this folder now. This configuration directory will
+drwx------. 1 root root  88  8月 28 06:47 .
-   also contain certificates and private keys obtained by Certbot so
+drwxr-xr-x. 1 root root 106  8月 28 06:47 ..
-   making regular backups of this folder is ideal.
+-rw-r--r--. 1 root root 740  2月 15  2019 README
-</code>
+drwxr-xr-x  1 root root  94  8月 28 06:47 monsters-g.com
+drwxr-xr-x. 1 root root  94  8月 28 06:15 tomoyan.net
+</pre></html></WRAP>
 </WRAP>
-<WRAP prewrap 100%>
+<WRAP color_term>
-<code>
+<WRAP color_command><html><pre>
-$ sudo certbot certonly --agree-tos --webroot -w /var/www/html/ -d monsters-g.com
+<b class=GRN>$</b> <b class=HIY>sudo</b> certbot certonly <b class=HIK>--force-renew --webroot -w</b> /var/www/vhosts/letsencrypt <b class=HIK>-d</b> monsters-g.com <b class=HIK>-w</b> /var/www/vhosts/letsencrypt <b class=HIK>-d</b> www.monsters-g.com <b class=HIK>-w</b> /var/www/vhosts/letsencrypt <b class=HIK>-d</b> redmine.monsters-g.com
+</pre></html></WRAP>
+<WRAP color_result><html><pre>
 Saving debug log to /var/log/letsencrypt/letsencrypt.log
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+An RSA certificate named monsters-g.com already exists. Do you want to update
+its key type to ECDSA?
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+(U)pdate key type/(K)eep existing key type: u
+Renewing an existing certificate for monsters-g.com and 2 more domains
+Successfully received certificate.
+Certificate is saved at: /etc/letsencrypt/live/monsters-g.com/fullchain.pem
+Key is saved at:         /etc/letsencrypt/live/monsters-g.com/privkey.pem
+This certificate expires on 2023-07-02.
+These files will be updated when the certificate renews.
+Certbot has set up a scheduled task to automatically renew this certificate in the background.
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+If you like Certbot, please consider supporting our work by:
+ * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
+ * Donating to EFF:                    https://eff.org/donate-le
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+</pre></html></WRAP>
+</WRAP>
+Apache の場合は、新しく取得した証明書を有効化する為にリロードする🤔\\
+<WRAP color_term>
+<WRAP color_command><html><pre>
+<b class=GRN>$</b> <b class=HIY>sudo</b> systemctl reload httpd
+</pre></html></WRAP>
+</WRAP>
+===== 証明書更新テストの実行 =====
+<WRAP color_term>
+<WRAP color_command><html><pre>
+$ sudo certbot renew --dry-run
+</pre></html></WRAP>
+<WRAP color_result><html><pre>
+Saving debug log to /var/log/letsencrypt/letsencrypt.log
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Processing /etc/letsencrypt/renewal/monsters-g.com.conf
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Simulating renewal of an existing certificate for monsters-g.com and www.monsters-g.com
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Processing /etc/letsencrypt/renewal/tomoyan.net.conf
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Simulating renewal of an existing certificate for tomoyan.net and 3 more domains
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Congratulations, all simulated renewals succeeded:
+  /etc/letsencrypt/live/monsters-g.com/fullchain.pem (success)
+  /etc/letsencrypt/live/tomoyan.net/fullchain.pem (success)
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+</pre></html></WRAP>
+</WRAP>
+===== 証明書更新の実行 =====
+<WRAP color_term>
+<WRAP color_command><html><pre>
+$ sudo certbot renew
+</pre></html></WRAP>
+<WRAP color_result_long><html><pre>
+Saving debug log to /var/log/letsencrypt/letsencrypt.log
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Processing /etc/letsencrypt/renewal/monsters-g.com.conf
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+Cert is due for renewal, auto-renewing...
 Plugins selected: Authenticator webroot, Installer None
-Obtaining a new certificate
+Renewing an existing certificate
 Performing the following challenges:
 http-01 challenge for monsters-g.com
-Using the webroot path /var/www/html for all unmatched domains.
+http-01 challenge for www.monsters-g.com
 Waiting for verification...
 Cleaning up challenges
-Failed authorization procedure. monsters-g.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://www.tomoyan.net.well-known/acme-challenge/7aQcZPghit_VT2lp1DvkULSFPC4zPru8fVCPZaF5P8A: Error getting validation data
-IMPORTANT NOTES:
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - The following errors were reported by the server:
+new certificate deployed without reload, fullchain is
+/etc/letsencrypt/live/monsters-g.com/fullchain.pem
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-   Domain: monsters-g.com
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-   Type:   connection
+Processing /etc/letsencrypt/renewal/tomoyan.net.conf
-   Detail: Fetching
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-   http://www.tomoyan.net.well-known/acme-challenge/7aQcZPghit_VT2lp1DvkULSFPC4zPru8fVCPZaF5P8A:
+Cert is due for renewal, auto-renewing...
-   Error getting validation data
+Plugins selected: Authenticator webroot, Installer None
+Renewing an existing certificate
+Performing the following challenges:
+http-01 challenge for redmine.tomoyan.net
+http-01 challenge for repos.tomoyan.net
+http-01 challenge for tomoyan.net
+http-01 challenge for www.tomoyan.net
+Waiting for verification...
+Cleaning up challenges
-   To fix these errors, please make sure that your domain name was
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-   entered correctly and the DNS A/AAAA record(s) for that domain
+new certificate deployed without reload, fullchain is
-   contain(s) the right IP address. Additionally, please check that
+/etc/letsencrypt/live/tomoyan.net/fullchain.pem
-   your computer has a publicly routable IP address and that no
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-   firewalls are preventing the server from communicating with the
-   client. If you're using the webroot plugin, you should also verify
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-   that you are serving files from the webroot path you provided.
-</code>
+Congratulations, all renewals succeeded. The following certs have been renewed:
+  /etc/letsencrypt/live/monsters-g.com/fullchain.pem (success)
+  /etc/letsencrypt/live/tomoyan.net/fullchain.pem (success)
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+</pre></html></WRAP>
 </WRAP>
+新しい証明書を反映させるために、Apache をリロードする😉\\
+<WRAP color_term>
+<WRAP color_command><html><pre>
+$ sudo systemctl reload httpd
+</pre></html></WRAP>
+</WRAP>