Let’s Encrypt でのSSL証明書作成

無償でSSL証明書を発行できるLet’s Encrypt。HTTPS対応は必須になりつつある。
ちなみにこのブログもLet’s Encrypt でSSL証明書を取得している。
Let’s Encrypt の使い方を基に実際にやってみた。
バージョンが変わると一部実装が変わるので、最新はコマンド一覧を参考にしてほしい。
証明書を取得したいFQDNをwww.hogehoge.com、そのDocumentRootが/var/www/www.hogehoge.com/ として記載する。
証明書を発行する場合
Webサーバを停止した状態で、証明書を取得する場合
$ sudo ./certbot-auto certonly –standalone -d www.hogehoge.com
Webサーバを停止せずに証明書を発行する場合
$ sudo ./certbot-auto certonly –webroot -w /var/www/www.hogehoge.com/ -d www.hogehoge.com
x Saving debug log to /var/log/letsencrypt/letsencrypt.log x
x Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org x
x Obtaining a new certificate x
x Performing the following challenges: x
x http-01 challenge for zaiteku.jp x
x Using the webroot path /var/www/www.hogehoge.com/ for x
x all unmatched domains. x
x Waiting for verification… x
x Cleaning up challenges x
x Generating key (2048 bits): x
x /etc/letsencrypt/keys/****_key-certbot.pem x
x Creating CSR: /etc/letsencrypt/csr/****_csr-certbot.pem
IMPORTANT NOTES:
– Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/www.hogehoge.com/fullchain.pem. Your cert will
expire on YYYY-MM-DD(有効期限). To obtain a new or tweaked version of this
certificate in the future, simply run certbot-auto again. To
non-interactively renew *all* of your certificates, run
“certbot-auto renew”
– If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
証明書を更新する場合
$ sudo ./certbot-auto renew
ただ、この場合にはWebサーバを停止させる必要がある。
Saving debug log to /var/log/letsencrypt/letsencrypt.log
——————————————————————————-
Processing /etc/letsencrypt/renewal/www.hogehoge.com.conf
——————————————————————————-
Cert is due for renewal, auto-renewing…
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for www.hogehoge.com
——————————————————————————-
Port 443 is already in use by another process. This will prevent us from binding
to that port. Please stop the process that is populating the port in question
and try again. For automated renewal, you may want to use a script that stops
and starts your webserver. You can find an example at
https://certbot.eff.org/docs/using.html#renewal . Alternatively you can use the
webroot plugin to renew without needing to stop and start your webserver.
——————————————————————————-
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/www.hogehoge.com.conf produced an unexpected error: At least one of the required ports is already taken.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/www.hogehoge.com/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
無停止による証明書の更新方法について
下記コマンドで無停止で実行しようと思ったがうまくいかない
$ sudo ./certbot-auto renew –webroot -w /var/www/www.hogehoge.com/ -d www.hogehoge.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Currently, the renew verb is only capable of renewing all installed certificates that are due to be renewed; individual domains cannot be specified with this action. If you would like to renew specific certificates, use the certonly command. The renew verb may provide other options for selecting certificates to renew in the future.
下記コマンドでWebサーバの停止→証明書の更新→Webサーバの開始が可能(証明書の更新対象がない場合には再起動しない)
$ sudo ./certbot-auto renew –pre-hook “systemctl stop httpd” –post-hook “systemctl start httpd”
1.更新対象がある場合は次のようになる。
——————————————————————————-
Processing /etc/letsencrypt/renewal/www.hogehoge.com.conf
——————————————————————————-
Cert is due for renewal, auto-renewing…
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Running pre-hook command: systemctl stop httpd
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.hogehoge.com
Waiting for verification…
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0004_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0004_csr-certbot.pem
——————————————————————————-
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/www.hogehoge.com/fullchain.pem
——————————————————————————-
2.更新対象がない場合には下記のようになる。
Saving debug log to /var/log/letsencrypt/letsencrypt.log
——————————————————————————-
Processing /etc/letsencrypt/renewal/www.hogehoge.com.conf
——————————————————————————-
Cert not yet due for renewal
The following certs are not due for renewal yet:
/etc/letsencrypt/live/www.hogehoge.com/fullchain.pem (skipped)
No renewals were attempted.
No renewals attempted, so not running post-hook

コメントを残す

メールアドレスが公開されることはありません。 * が付いている欄は必須項目です