Setting up Let's Encrypt with a wildcard certificate

Environment

cat /etc/redhat-release
CentOS release 6.8 (Final)

Get certbot-auto

curl https://dl.eff.org/certbot-auto -o /usr/bin/certbot-auto
chmod 700 /usr/bin/certbot-auto

Run the command

/usr/bin/certbot-auto certonly --manual \
-d *.rexius.co.jp \
--preferred-challenges dns-01 \
--server https://acme-v02.api.letsencrypt.org/directory

Partway through, yum runs and installs the required packages.
While the command is running, it shows a TXT record value; set that record at valuedomain (the DNS provider).

txt _acme-challenge XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Once the record has propagated, continue running the command.
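Before pressing Enter at certbot's prompt it pays to confirm that the _acme-challenge record is really being served by the zone's authoritative name server, not just cached (or missing) at the local resolver: a failed validation counts against Let's Encrypt's hourly limit on failed validations, and the record name for a wildcard is the base domain with the "*." dropped. The script below is an added example, not part of the original post; it assumes dig (bind-utils on CentOS) is installed, and the domain and token are placeholders for the values certbot prints.

```sh
#!/bin/sh
# Check that the _acme-challenge TXT record is really being served before telling
# certbot to continue with the manual dns-01 challenge.
# Added example, not from the original post. Assumes `dig` (bind-utils on CentOS)
# is installed; the domain and the token value are placeholders.

# acme_txt_name DOMAIN
#   Name of the record certbot asks for. For a wildcard request (*.rexius.co.jp)
#   the challenge is placed at _acme-challenge.rexius.co.jp: the "*." is dropped.
acme_txt_name() {
  printf '_acme-challenge.%s\n' "${1#\*.}"
}

# txt_has_token DIG_OUTPUT TOKEN
#   DIG_OUTPUT is the text printed by `dig +short TXT <name>` (one quoted string
#   per record). Succeeds only if some record equals TOKEN exactly, so a leftover
#   record from an earlier run or a mistyped value does not count.
txt_has_token() {
  printf '%s\n' "$1" | tr -d '"' | grep -Fxq -- "$2"
}

# wait_for_txt DOMAIN TOKEN [TRIES]
#   Poll one of the zone's authoritative name servers (not the local resolver,
#   whose cache may still hold an old or empty answer) until the token appears.
#   Fails after TRIES attempts, 15 seconds apart.
wait_for_txt() {
  zone=${1#\*.}
  name=$(acme_txt_name "$1")
  tries=${3:-20}
  ns=$(dig +short NS "$zone" | head -n 1)
  [ -n "$ns" ] || { echo "no NS record found for $zone" >&2; return 1; }
  while [ "$tries" -gt 0 ]; do
    if txt_has_token "$(dig +short @"$ns" TXT "$name")" "$2"; then
      echo "$name serves the expected token at $ns; safe to continue certbot"
      return 0
    fi
    tries=$((tries - 1))
    sleep 15
  done
  echo "token not visible at $ns yet; do not press Enter in certbot" >&2
  return 1
}

# Usage (needs network): replace the token with the value certbot printed.
#   wait_for_txt '*.rexius.co.jp' 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
```

Run it from a second terminal while certbot-auto is waiting at the prompt; only continue once it reports the token is visible at the authoritative server.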

Change the Apache configuration

ServerAdmin webmaster@dummy-host.example.com
DocumentRoot "/home/htdocs/rexius.co.jp"
ServerName *.rexius.co.jp
ServerAlias *.rexius.co.jp
ErrorLog "logs/rexius.co.jp-error_log"
CustomLog "logs/rexius.co.jp-access_log" common
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/rexius.co.jp/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/rexius.co.jp/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/rexius.co.jp/chain.pem
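Once the virtual host above is in place, two things are worth verifying on the host: that the certificate under /etc/letsencrypt/live/rexius.co.jp/ really carries the wildcard name (certbot names the lineage directory after the base domain, so the directory name alone does not tell you), and that privkey.pem is not readable by other users. One caveat matters for the ServerName/ServerAlias entries: a certificate requested with only -d *.rexius.co.jp covers exactly one label (www.rexius.co.jp) and not the apex rexius.co.jp or a deeper name such as a.b.rexius.co.jp; to cover the apex too you would request it as an additional -d. The script below is an added example, not part of the original post; LIVE_DIR and WILDCARD are assumptions to adjust for your lineage, and the expiry check uses the same 30-day threshold that "certbot-auto renew" in the renewal section acts on.

```sh
#!/bin/sh
# Post-deployment checks for the wildcard lineage referenced in the Apache config.
# Added example, not from the original post. LIVE_DIR and WILDCARD are assumptions:
# adjust to your lineage (certbot names the directory after the base domain,
# dropping the "*." prefix, which is why *.rexius.co.jp lives under rexius.co.jp).

LIVE_DIR=${LIVE_DIR:-/etc/letsencrypt/live/rexius.co.jp}
WILDCARD=${WILDCARD:-"*.rexius.co.jp"}

# san_covers SAN_LINE NAME
#   SAN_LINE is the "DNS:a, DNS:b" line printed by `openssl x509 -text` under
#   "X509v3 Subject Alternative Name". Succeeds if NAME is listed verbatim.
san_covers() {
  printf '%s\n' "$1" | tr ',' '\n' | sed 's/^[[:space:]]*DNS://' | grep -Fxq -- "$2"
}

# hostname_matches_wildcard HOST PATTERN
#   Mirrors how clients match a wildcard SAN: *.rexius.co.jp covers exactly one
#   label (www.rexius.co.jp), not the apex rexius.co.jp and not a.b.rexius.co.jp.
hostname_matches_wildcard() {
  host=$1
  pattern=$2
  case $pattern in
    \*.*) suffix=${pattern#\*.} ;;
    *) [ "$host" = "$pattern" ]; return $? ;;
  esac
  label=${host%.$suffix}
  [ "$label" != "$host" ] || return 1    # host does not end in .suffix
  case $label in
    ''|*.*) return 1 ;;                   # apex, or more than one label
  esac
  return 0
}

# key_mode_ok MODE
#   MODE is the octal mode from `stat -L -c %a`. The private key must not be
#   readable by group or others, i.e. the last two digits must be 00.
key_mode_ok() {
  case $1 in
    *00) return 0 ;;
    *)   return 1 ;;
  esac
}

run_checks() {
  san_line=$(openssl x509 -in "$LIVE_DIR/cert.pem" -noout -text \
             | grep -A1 'Subject Alternative Name' | tail -n 1)
  if san_covers "$san_line" "$WILDCARD"; then
    echo "ok: certificate covers $WILDCARD"
  else
    echo "FAIL: certificate SANs are:$san_line"
  fi
  mode=$(stat -L -c %a "$LIVE_DIR/privkey.pem")   # -L: follow the live/ symlink
  if key_mode_ok "$mode"; then
    echo "ok: privkey.pem mode $mode"
  else
    echo "WARN: privkey.pem mode $mode is readable by group/others"
  fi
  # certbot renew only acts when fewer than 30 days remain; -checkend tests the
  # same threshold, so this tells you whether a plain renew would do anything.
  if openssl x509 -in "$LIVE_DIR/cert.pem" -noout -checkend $((30 * 86400)); then
    echo "ok: more than 30 days of validity left, renew would be a no-op"
  else
    echo "note: within 30 days of expiry, renew will reissue"
  fi
}

# Only run against the real lineage when it exists on this host.
if [ -d "$LIVE_DIR" ]; then
  run_checks
fi
```

Run it as root after deploying the config and again after each renewal; hostname_matches_wildcard is there so you can test which of your ServerAlias names the certificate will actually satisfy.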

The renewal command failed, so renew manually

/usr/bin/certbot-auto certonly

Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Apache Web Server plugin (apache)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 1

Plugins selected: Authenticator apache, Installer None
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel): *.rexius.co.jp

Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/rexius.co.jp.conf)

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Keep the existing certificate for now
2: Renew & replace the cert (limit ~5 per 7 days)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2

Renewing an existing certificate

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/rexius.co.jp/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/rexius.co.jp/privkey.pem
Your cert will expire on 2019-06-26. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

If the certificate is within 30 days of expiry, renew it and reload Apache
certbot-auto renew -q --no-self-upgrade --post-hook "service httpd reload"

Right after issuance the above shows no error (nothing is due yet), so force a renewal:
certbot-auto renew -q --force-renewal --post-hook "service httpd reload"

Set it in crontab

00 07 * * * certbot-auto renew -q --no-self-upgrade --post-hook "service httpd reload"
Auto-renew every day at 7 AM
