【Let's Encrypt】 A small stumbling block along the way

noel-ingenieur.hateblo.jp

Following my own notes above, I proceeded like this:

[root@(ホスト名) ~]# certbot --apache -d [ドメイン名 (http://無しの状態)]

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): info@[取得ドメイン]
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Starting new HTTPS connection (1): supporters.eff.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for [取得ドメイン]
Cleaning up challenges
Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80.

IMPORTANT NOTES:
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
[root@(ホスト名) ~]#

As shown above, an error came back telling me to add a virtual host listening on port 80.

So, as described in my notes above, I added the VirtualHost and ran it again:

[root@(ホスト名) ~]# certbot --apache -d [ドメイン名 (http://無しの状態)]

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for [ドメイン名 (http://無しの状態)]
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/httpd/conf/httpd-le-ssl.conf
Deploying Certificate to VirtualHost /etc/httpd/conf/httpd-le-ssl.conf
Enabling site /etc/httpd/conf/httpd-le-ssl.conf by adding Include to root configuration

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting vhost in /etc/httpd/conf/httpd.conf to ssl vhost in /etc/httpd/conf/httpd-le-ssl.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://[ドメイン名 (http://無しの状態)]

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=[ドメイン名 (http://無しの状態)]
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/[ドメイン名 (http://無しの状態)]/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/[ドメイン名 (http://無しの状態)]/privkey.pem
   Your cert will expire on 2020-08-10. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

[root@(ホスト名) ~]# systemctl restart httpd
[root@(ホスト名) ~]# 

What remains is cron.

noel-ingenieur.hateblo.jp

This time I try registering it as a regular user rather than as root. (* It later turned out, from Sakura's article, that this should be done as root.)

honto.jp

Referring to p. 190 of the book:

cron setup (run as a regular user)

$ crontab -e
(vim opens; edit the file)

$ crontab -l
00 05 * * * certbot renew

Checking under the /var/spool/cron directory (run as root)

# ls -la /var/spool/cron/*
-rw------- 1 [User] [User] 26 May 13 13:22 /var/spool/cron/[User]

knowledge.sakura.ad.jp

Renewing the Let's Encrypt SSL certificate

This makes the SSL certificate usable, but as mentioned earlier, the certificate is valid for three months. Be sure to renew it before the expiry date arrives. Running the following command as root renews it. (However, it is only renewed when fewer than 30 days of validity remain; if more than that remains, it is not renewed.)

# certbot renew

If you want to renew the certificate immediately, regardless of how many days of validity remain, use the --force-renew option.

# certbot renew --force-renew

Therefore, run certbot renew --force-renew as root.

cron setup (run as root)

$ crontab -e
(vim opens; edit the file)

$ crontab -l
# per-user crontab (crontab -e): no user-name field here; that field only exists in /etc/crontab and /etc/cron.d
00 05 * * * certbot renew --force-renew

kennejs.com

Difference in results with and without the --force-renew option

Without the option

[root@(ホスト) ~]# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/(取得ドメイン).conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/(取得ドメイン)/fullchain.pem expires on 2020-08-10 (skipped)
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[root@(ホスト) ~]#

With the --force-renew option

[root@(ホスト) ~]# certbot renew --force-renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/(取得ドメイン).conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/(取得ドメイン)/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/(取得ドメイン)/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[root@(ホスト) ~]#
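As an added example (not from the original post and not certbot's own code), the following shell script reproduces the 30-day "not yet due" decision seen in the quoted article and in the comparison above, so a cron job can read a live certificate's remaining validity with openssl and call certbot only when renewal is actually needed. It assumes GNU date and openssl are available; the certificate path is a placeholder for your own domain.

```shell
#!/bin/sh
# Added example: mirrors the renewal window that makes `certbot renew`
# print "Cert not yet due for renewal", for use from a root cron job.
# Assumes GNU date (for `date -d`) and openssl.
RENEW_THRESHOLD_DAYS=30

# Days from $2 (YYYY-MM-DD, defaults to today, UTC) until the notAfter line
# in $1, e.g. "notAfter=Aug 10 12:00:00 2020 GMT" as printed by
# `openssl x509 -enddate -noout`. Prints the whole number of days.
days_until_expiry() {
    _end=$(printf '%s' "$1" | sed 's/^notAfter=//')
    _end_s=$(date -u -d "$_end" +%s) || return 1
    _now_s=$(date -u -d "${2:-$(date -u +%F)}" +%s) || return 1
    echo $(( (_end_s - _now_s) / 86400 ))
}

# Returns 0 (true) when fewer than RENEW_THRESHOLD_DAYS remain, which is
# the same window certbot uses by default; 1 when the cert is not yet due.
renewal_due() {
    _days=$(days_until_expiry "$1" "$2") || return 2
    [ "$_days" -lt "$RENEW_THRESHOLD_DAYS" ]
}

# Live use from cron (run as root): reads the real certificate and only
# invokes certbot when the window has been reached. The path below is a
# placeholder; replace example.com with the domain shown in /etc/letsencrypt/live.
check_and_renew() {
    _cert="${1:-/etc/letsencrypt/live/example.com/fullchain.pem}"
    _line=$(openssl x509 -enddate -noout -in "$_cert") || return 1
    if renewal_due "$_line"; then
        # --deploy-hook runs only when a new cert was actually issued
        certbot renew --deploy-hook 'systemctl reload httpd'
    else
        echo "not due: $(days_until_expiry "$_line") days left on $_cert"
    fi
}
```

Run `check_and_renew` from the root crontab in place of a bare `certbot renew` line to get a log message on every run, not only when a renewal happens.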