環境

cat /etc/redhat-release
CentOS release 6.8 (Final)

certbot-autoを取得する

curl https://dl.eff.org/certbot-auto -o /usr/bin/certbot-auto
chmod 700 /usr/bin/certbot-auto

コマンド実行

/usr/bin/certbot-auto certonly --manual \
-d *.rexius.co.jp \
--preferred-challenges dns-01 \
--server https://acme-v02.api.letsencrypt.org/directory

途中でyumが走り必要なパッケージがインストールされる
コマンド実行中にtxtレコードが出てくるのでそれをvaluedomainに設定

txt _acme-challenge XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

反映後にコマンドを実行する

apacheの設定を変更


ServerAdmin webmaster@dummy-host.example.com
DocumentRoot "/home/htdocs/rexius.co.jp"
ServerName *.rexius.co.jp
ServerAlias *.rexius.co.jp
ErrorLog "logs/rexius.co.jp-error_log"
CustomLog "logs/rexius.co.jp-access_log" common
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/rexius.co.jp/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/rexius.co.jp/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/rexius.co.jp/chain.pem

更新コマンドでコケたのでマニュアル更新

/usr/bin/certbot-auto certonly

Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Apache Web Server plugin (apache)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 1

Plugins selected: Authenticator apache, Installer None
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel): *.rexius.co.jp

Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/rexius.co.jp.conf)

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Keep the existing certificate for now
2: Renew & replace the cert (limit ~5 per 7 days)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2

Renewing an existing certificate

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/rexius.co.jp/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/rexius.co.jp/privkey.pem
Your cert will expire on 2019-06-26. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

30日以内なら更新してApacheを再起動
certbot-auto renew -q --no-self-upgrade --post-hook "service httpd reload"

上記だと発行直後なのでエラーが出てこないので強制的に発行
certbot-auto renew -q --force-renewal --post-hook "service httpd reload"

crontabに設定

00 07 * * * certbot-auto renew -q --no-self-upgrade --post-hook "service httpd reload"
毎日朝7時に自動更新