linux:certbot_client

Certbot client

$ sudo -s
# cd ~
# dnf install python3-virtualenv
# curl -O https://dl.eff.org/certbot-auto
# chmod a+x certbot-auto
# ./certbot-auto

Bootstrapping dependencies for RedHat-based OSes... (you can skip this with --no-bootstrap)
dnf は /usr/bin/dnf です
dnf はハッシュされています (/usr/bin/dnf)
メタデータの期限切れの最終確認: 1:18:05 時間前の 2019年02月15日 10時47分08秒 に実施しました。
パッケージ gcc-8.2.1-6.fc29.x86_64 は既にインストールされています。
パッケージ augeas-libs-1.10.1-3.fc29.x86_64 は既にインストールされています。
パッケージ openssl-1:1.1.1a-1.fc29.x86_64 は既にインストールされています。
パッケージ openssl-devel-1:1.1.1a-1.fc29.x86_64 は既にインストールされています。
パッケージ libffi-devel-3.1-18.fc29.x86_64 は既にインストールされています。
パッケージ redhat-rpm-config-118-1.fc29.noarch は既にインストールされています。
パッケージ ca-certificates-2018.2.26-2.fc29.noarch は既にインストールされています。
パッケージ python2-libs-2.7.15-11.fc29.x86_64 は既にインストールされています。
パッケージ python2-setuptools-40.4.3-1.fc29.noarch は既にインストールされています。
パッケージ python2-devel-2.7.15-11.fc29.x86_64 は既にインストールされています。
パッケージ python2-virtualenv-16.0.0-5.fc29.noarch は既にインストールされています。
パッケージ python2-tools-2.7.15-11.fc29.x86_64 は既にインストールされています。
パッケージ python2-pip-18.1-1.fc29.noarch は既にインストールされています。
パッケージ mod_ssl-1:2.4.38-2.fc29.x86_64 は既にインストールされています。
依存関係が解決しました。
行うべきことはありません。
完了しました!
Creating virtual environment...
Installing Python packages...
Installation succeeded.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Error while running apachectl configtest.

AH00526: Syntax error on line 101 of /etc/httpd/conf.d/ssl.conf:
SSLCertificateFile: file '/etc/pki/tls/certs/localhost.crt' does not exist or is empty

Certbot doesn't know how to automatically configure the web server on this system. However, it can still get a certificate for you. Please run "certbot-auto certonly" to do so. You'll need to manually configure your web server to use the resulting certificate.

$ sudo dnf install certbot python-certbot-apache

$ certbot --help


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates.  By default,
it will attempt to use a webserver both for obtaining and installing the
certificate. The most common SUBCOMMANDS and flags are:

obtain, install, and renew certificates:
    (default) run   Obtain & install a certificate in your current webserver
    certonly        Obtain or renew a certificate, but do not install it
    renew           Renew all previously obtained certificates that are near
expiry
    enhance         Add security enhancements to your existing configuration
   -d DOMAINS       Comma-separated list of domains to obtain a certificate for

  (the certbot apache plugin is not installed)
  --standalone      Run a standalone webserver for authentication
  (the certbot nginx plugin is not installed)
  --webroot         Place files in a server's webroot folder for authentication
  --manual          Obtain certificates interactively, or using shell script
hooks

   -n               Run non-interactively
  --test-cert       Obtain a test certificate from a staging server
  --dry-run         Test "renew" or "certonly" without saving any certificates
to disk

manage certificates:
    certificates    Display information about certificates you have from Certbot
    revoke          Revoke a certificate (supply --cert-name or --cert-path)
    delete          Delete a certificate (supply --cert-name)

manage your account:
    register        Create an ACME account
    unregister      Deactivate an ACME account
    update_account  Update an ACME account
    show_account    Display account details
  --agree-tos       Agree to the ACME server's Subscriber Agreement
   -m EMAIL         Email address for important account notifications

More detailed help:

  -h, --help [TOPIC]    print this message, or detailed help on a topic;
                        the available TOPICS are:

   all, automation, commands, paths, security, testing, or any of the
   subcommands or plugins (certonly, renew, install, register, nginx,
   apache, standalone, webroot, etc.)
  -h all                print a detailed help page including all topics
  --version             print the version number
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

$ sudo certbot

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Certbot doesn't know how to automatically configure the web server on this system. However, it can still get a certificate for you. Please run "certbot certonly" to do so. You'll need to manually configure your web server to use the resulting certificate.

$ sudo less /var/log/letsencrypt/letsencrypt.log

2019-02-15 11:53:24,221:DEBUG:certbot.main:certbot version: 0.30.2
2019-02-15 11:53:24,222:DEBUG:certbot.main:Arguments: []
2019-02-15 11:53:24,222:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2019-02-15 11:53:24,246:DEBUG:certbot.log:Root logging level set at 20
2019-02-15 11:53:24,247:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2019-02-15 11:53:24,248:DEBUG:certbot.plugins.selection:Requested authenticator None and installer None
2019-02-15 11:53:24,248:DEBUG:certbot.plugins.selection:No candidate plugin
2019-02-15 11:53:24,248:DEBUG:certbot.plugins.selection:Selected authenticator None and installer None

$ sudo certbot certonly --webroot -w /var/www/vhosts/letsencrypt -d monsters-g.com -w /var/www/vhosts/letsencrypt -d www.monsters-g.com


Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): tomoyan@tomoyan.net

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for monsters-g.com
http-01 challenge for www.monsters-g.com
Using the webroot path /var/www/vhosts/letsencrypt for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/www.monsters-g.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/www.monsters-g.com/privkey.pem
   Your cert will expire on 2019-05-16. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

To add the redmine.monsters-g.com subdomain, append it after the existing domains monsters-g.com and www.monsters-g.com 🤔
On the command line, additionally specify -w /var/www/vhosts/letsencrypt -d redmine.monsters-g.com.

$ sudo ls -al /etc/letsencrypt/live

合計 3
drwx------. 1 root root  88  8月 28 06:47 .
drwxr-xr-x. 1 root root 106  8月 28 06:47 ..
-rw-r--r--. 1 root root 740  2月 15  2019 README
drwxr-xr-x  1 root root  94  8月 28 06:47 monsters-g.com
drwxr-xr-x. 1 root root  94  8月 28 06:15 tomoyan.net

$ sudo certbot certonly --force-renew --webroot -w /var/www/vhosts/letsencrypt -d monsters-g.com -w /var/www/vhosts/letsencrypt -d www.monsters-g.com -w /var/www/vhosts/letsencrypt -d redmine.monsters-g.com

Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
An RSA certificate named monsters-g.com already exists. Do you want to update
its key type to ECDSA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(U)pdate key type/(K)eep existing key type: u
Renewing an existing certificate for monsters-g.com and 2 more domains

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/monsters-g.com/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/monsters-g.com/privkey.pem
This certificate expires on 2023-07-02.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

With Apache, reload the server to activate the newly obtained certificate 🤔

$ sudo systemctl reload httpd

$ sudo certbot renew --dry-run

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/monsters-g.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for monsters-g.com and www.monsters-g.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/tomoyan.net.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for tomoyan.net and 3 more domains

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all simulated renewals succeeded: 
  /etc/letsencrypt/live/monsters-g.com/fullchain.pem (success)
  /etc/letsencrypt/live/tomoyan.net/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

$ sudo certbot renew

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/monsters-g.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for monsters-g.com
http-01 challenge for www.monsters-g.com
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/monsters-g.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/tomoyan.net.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for redmine.tomoyan.net
http-01 challenge for repos.tomoyan.net
http-01 challenge for tomoyan.net
http-01 challenge for www.tomoyan.net
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/tomoyan.net/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/monsters-g.com/fullchain.pem (success)
  /etc/letsencrypt/live/tomoyan.net/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Reload Apache so that the new certificates take effect 😉

$ sudo systemctl reload httpd
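
The manual reload after "new certificate deployed without reload" can be automated with a Certbot deploy hook. The script below is an added example, not part of the original page: placed in /etc/letsencrypt/renewal-hooks/deploy/, it refuses to reload when the PEM files are missing or empty (the condition behind the AH00526 error earlier on this page) or when apachectl configtest fails. The file name and the CONFIGTEST_CMD / RELOAD_CMD override variables are assumptions of this example.

```shell
#!/bin/sh
# Added example: deploy hook, e.g. saved as
# /etc/letsencrypt/renewal-hooks/deploy/reload-httpd.sh (file name is an assumption).
# Certbot exports RENEWED_LINEAGE (live directory of the renewed certificate)
# and RENEWED_DOMAINS (space-separated names) when it runs deploy hooks.

# Commands are held in variables (names are assumptions) so the logic can be
# exercised without root privileges or a running Apache.
CONFIGTEST_CMD="${CONFIGTEST_CMD:-apachectl configtest}"
RELOAD_CMD="${RELOAD_CMD:-systemctl reload httpd}"

# Succeeds only if the lineage holds a non-empty certificate chain and key.
lineage_ok() {
    [ -s "$1/fullchain.pem" ] && [ -s "$1/privkey.pem" ]
}

# Reload the web server for one renewed lineage. Return codes:
#   0 reloaded, 2 PEM files missing or empty, 3 configtest failed, 4 reload failed
deploy() {
    lineage="$1"
    if ! lineage_ok "$lineage"; then
        echo "deploy hook: missing or empty PEM files in $lineage" >&2
        return 2
    fi
    # Never reload onto a configuration that Apache itself rejects.
    if ! $CONFIGTEST_CMD >/dev/null 2>&1; then
        echo "deploy hook: configtest failed, not reloading" >&2
        return 3
    fi
    $RELOAD_CMD || return 4
    echo "deploy hook: reloaded web server for ${RENEWED_DOMAINS:-$lineage}"
}

# Act only when invoked by Certbot, which sets RENEWED_LINEAGE.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy "$RENEWED_LINEAGE"
    exit $?
fi
```

Make the script executable; certbot renew runs it once for each certificate that was actually renewed, so no reload happens when nothing was due.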

  • linux/certbot_client.txt
  • Last modified: 2023/08/28 08:27
  • by ともやん