4. Maintenance and troubleshooting - SSL: obtaining a free certificate - Obtaining the certificate

4.1 Trying to obtain it (failure)
4.2 Trying again

4.1 Trying to obtain it (failure)

 Now that certbot was installed in the previous section, let's try obtaining a certificate.  The port's install message, quoted below, says that this port ships only the standalone authenticator (the apache and nginx installer plugins live in separate ports), so standalone is the mode used here.  Certbot's built-in webroot authenticator is another option that does not need a free port, since it answers the challenge through the running web server's document root, but this page follows the standalone route.

===========================================================================

This port installs the "standalone" client only, which does not use and
is not the certbot-auto bootstrap/wrapper script.

The simplest form of usage to obtain certificates is:

 # sudo certbot certonly --standalone -d <domain>, [domain2, ... domainN]>

NOTE:

The client requires the ability to bind on TCP port 80 or 443 (depending
on the --preferred-challenges option used). If a server is running on that
port, it will need to be temporarily stopped so that the standalone server
can listen on that port to complete the challenge authentication process.

For more information on the 'standalone' mode, see:

  https://certbot.eff.org/docs/using.html#standalone

The certbot plugins to support apache and nginx certificate installation
will be made available in the following ports:

 * Apache plugin: security/py-certbot-apache
 * Nginx plugin: security/py-certbot-nginx

===========================================================================
 This obviously cannot be rehearsed in a test environment, because Let's Encrypt validates the challenge by connecting to the name from the public Internet, so I'll do it, nervously, on the production server.  The domain names are public and there is nothing to hide, so I'll write them as they are.  Wildcard names are not supported (true for the ACME v1 endpoint used here; wildcards came later with ACMEv2 and require the dns-01 challenge), so every subdomain has to be listed explicitly with its own -d:

> certbot certonly --standalone -d www.sing.ne.jp -d freebsd.sing.ne.jp
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): <- enter the server administrator's e-mail address
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org

-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf. You must agree
in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: A

-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: Y
Starting new HTTPS connection (1): supporters.eff.org
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for www.sing.ne.jp
tls-sni-01 challenge for freebsd.sing.ne.jp
Cleaning up challenges
Problem binding to port 443: Could not bind to IPv4 or IPv6.

IMPORTANT NOTES:
 - Your account credentials have been saved in your Certbot
   configuration directory at /usr/local/etc/letsencrypt. You should
   make a secure backup of this folder now. This configuration
   directory will also contain certificates and private keys obtained
   by Certbot so making regular backups of this folder is ideal.

 So the first attempt failed, with [Problem binding to port 443: Could not bind to IPv4 or IPv6.].  The cause is visible in the log: the tls-sni-01 challenge needs certbot's own temporary listener on port 443, and apache was already bound there.  Note also that the ACME account key was created and saved under /usr/local/etc/letsencrypt even though the challenge failed; that directory will later hold the certificate private keys as well, so keep it readable by root only and back it up.  (tls-sni-01 and the acme-v01 endpoint shown in this log have since been retired; a current certbot in standalone mode uses http-01 on port 80 instead, so it is port 80 that must be free.)  A search for the error turned up the following page.

4.2 Trying again

Let's Encryptの更新に失敗した原因と対処法 (Causes of and fixes for a failed Let's Encrypt renewal)
 Following that page, I run certbot with apache stopped.

> /usr/local/etc/rc.d/apache24 stop
Stopping apache24.
Waiting for PIDS: 14333.
> certbot certonly --standalone -d www.sing.ne.jp -d freebsd.sing.ne.jp
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for www.sing.ne.jp
tls-sni-01 challenge for freebsd.sing.ne.jp
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /usr/local/etc/letsencrypt/live/www.sing.ne.jp/fullchain.pem
   Your key file has been saved at:
   /usr/local/etc/letsencrypt/live/www.sing.ne.jp/privkey.pem
   Your cert will expire on 2018-02-02. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
> /usr/local/etc/rc.d/apache24 start
 It looks like the certificate was obtained, but looking under /usr/local/etc/letsencrypt there is only a www.sing.ne.jp directory, which made me think each name has to be obtained separately.  That is not actually the case: certbot issues one certificate that carries every -d name as a Subject Alternative Name and names the live/ directory after the first -d given, so live/www.sing.ne.jp/fullchain.pem already covers freebsd.sing.ne.jp (the SAN list of that file, printed with openssl, confirms it).  The second run below creates a separate lineage for freebsd.sing.ne.jp, which works but means two certificates and two renewals to manage, and counts twice against the Let's Encrypt rate limits.  Here is what was done anyway:

> /usr/local/etc/rc.d/apache24 stop
	...
> certbot certonly --standalone -d freebsd.sing.ne.jp

	...

> /usr/local/etc/rc.d/apache24 start
 That produced both certificates.
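 Added example, not code from the original page: a POSIX sh script that automates the sequence from 4.1 and 4.2. It checks whether something already holds the challenge port (the cause of the failure in 4.1), stops apache24 only in that case, runs certbot certonly --standalone, restarts apache24 even if certbot fails, and finally lists the DNS names in the resulting fullchain.pem, which shows that a single run covers every -d name. It assumes the FreeBSD paths shown above, certbot in PATH, running as root, and http-01 on port 80, since the tls-sni-01 challenge in the page's log has since been retired; the sockstat listing embedded for the offline port check is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the original page): stop apache -> certbot --standalone
# -> start apache as one script, with a pre-check for the failure seen in 4.1
# (a listener already bound to the challenge port) and a guaranteed apache restart.
# Assumptions: FreeBSD paths from the page, certbot in PATH, run as root, and
# http-01 on port 80 (tls-sni-01 on 443, as in the page's log, has been retired).
set -u

APACHE_RC=/usr/local/etc/rc.d/apache24
LE_DIR=/usr/local/etc/letsencrypt
CHALLENGE_PORT=${CHALLENGE_PORT:-80}

# Build the certbot argument list: one -d per name, in the order given.
certbot_args() {
    args="certonly --standalone --preferred-challenges http"
    for d in "$@"; do
        args="$args -d $d"
    done
    printf '%s\n' "$args"
}

# certbot names the lineage directory after the FIRST -d name; every other name
# is a SAN in that same certificate (the point that caused confusion in 4.2).
lineage_dir() {
    printf '%s/live/%s\n' "$LE_DIR" "$1"
}

# Read `sockstat -4 -6 -l` output on stdin; succeed if some listener is bound to
# port $1. The LOCAL ADDRESS column looks like *:443 or 192.0.2.10:80.
port_is_bound() {
    port=$1
    while read -r user cmd pid fd proto laddr rest; do
        case "$laddr" in
            *:"$port") return 0 ;;
        esac
    done
    return 1
}

# Constructed sockstat sample for exercising the check offline (not captured
# from a real host): httpd holds 80 and 443, sshd holds 22.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
www      httpd      14333 4  tcp4   *:80                  *:*
www      httpd      14333 6  tcp4   *:443                 *:*
root     sshd       712   4  tcp6   *:22                  *:*'

# List the DNS names a PEM certificate actually covers (the check for 4.2).
cert_names() {
    openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^,[:space:]]*'
}

# Stop apache only if it really holds the port, run certbot, always restart apache.
obtain_cert() {
    stopped=0
    if sockstat -4 -6 -l | port_is_bound "$CHALLENGE_PORT"; then
        "$APACHE_RC" stop
        stopped=1
    fi
    # Hostnames contain no whitespace, so word-splitting the argument string is safe.
    if certbot $(certbot_args "$@"); then
        rc=0
    else
        rc=$?
    fi
    if [ "$stopped" -eq 1 ]; then
        "$APACHE_RC" start
    fi
    if [ "$rc" -eq 0 ]; then
        echo "Names covered by $(lineage_dir "$1")/fullchain.pem:"
        cert_names "$(lineage_dir "$1")/fullchain.pem"
    fi
    return "$rc"
}

# Usage: sh getcert.sh www.sing.ne.jp freebsd.sing.ne.jp
if [ $# -gt 0 ]; then
    obtain_cert "$@"
fi
```

 Run it as sh getcert.sh www.sing.ne.jp freebsd.sing.ne.jp. For unattended renewals the same stop/start pair can instead be handed to certbot itself with --pre-hook and --post-hook, so that a plain certbot renew from cron does not need this wrapper.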