5. Maintenance and troubleshooting - Obtaining a free SSL certificate - Checking renewal

 
5.1 Validity period
5.2 Reference sites
5.3 Checking the commands
5.4 Reviewing the options
5.5 Checking whether renewal works

5.1 Validity period

 Certificates obtained from Let's Encrypt are valid for 90 days. The question of why it is 90 days is answered concisely in
Why the certificate lifetime is 90 days
 and the explanation is perfectly convincing. Since I installed it today (November 4, 2017), I now have to work out a mechanism that renews it automatically within 90 days (lol).

5.2 Reference sites

 I referred to the following.
Running Apache + SSL (Let's Encrypt) + HTTP/2 on FreeBSD 11.
 It is a little amusing that the reference site itself is not served over SSL, although that is simply because the hosting site only carries the article. In "Running Apache + SSL (Let's Encrypt) + HTTP/2 on FreeBSD 11." the part about speeding up apache interested me more than the SSL options; I would like to try it someday. I also looked at many other sites, but in the end their articles were either out of date or did not match the FreeBSD commands, so I ended up doing most of it on my own.

5.3 Checking the commands

 First, let me look over the help again...

> certbot --help

-------------------------------------------------------------------------------

  certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates.  By default,
it will attempt to use a webserver both for obtaining and installing the
certificate. The most common SUBCOMMANDS and flags are:

obtain, install, and renew certificates:
    (default) run   Obtain & install a certificate in your current webserver
    certonly        Obtain or renew a certificate, but do not install it
    renew           Renew all previously obtained certificates that are near
expiry
   -d DOMAINS       Comma-separated list of domains to obtain a certificate for

  (the certbot apache plugin is not installed)
  --standalone      Run a standalone webserver for authentication
  (the certbot nginx plugin is not installed)
  --webroot         Place files in a server's webroot folder for authentication
  --manual          Obtain certificates interactively, or using shell script
hooks

   -n               Run non-interactively
  --test-cert       Obtain a test certificate from a staging server
  --dry-run         Test "renew" or "certonly" without saving any certificates
to disk

manage certificates:
    certificates    Display information about certificates you have from Certbot
    revoke          Revoke a certificate (supply --cert-path)
    delete          Delete a certificate

manage your account with Let's Encrypt:
    register        Create a Let's Encrypt ACME account
  --agree-tos       Agree to the ACME server's Subscriber Agreement
   -m EMAIL         Email address for important account notifications

More detailed help:

  -h, --help [TOPIC]    print this message, or detailed help on a topic;
                        the available TOPICS are:

   all, automation, commands, paths, security, testing, or any of the
   subcommands or plugins (certonly, renew, install, register, nginx,
   apache, standalone, webroot, etc.)
-------------------------------------------------------------------------------
 The line "(the certbot apache plugin is not installed)" bothered me, so I tried installing the certbot apache plugin. After installing the plugin, part of the help output changed. In the end, it turned out that this plugin is not needed.

expiry
   -d DOMAINS       Comma-separated list of domains to obtain a certificate for

  --apache          Use the Apache plugin for authentication & installation
  ↑
  this line was added

  --standalone      Run a standalone webserver for authentication
  (the certbot nginx plugin is not installed)
  --webroot         Place files in a server's webroot folder for authentication
  --manual          Obtain certificates interactively, or using shell script
 Then,

> certbot renew --standalone --domain ドメイン名 -m 管理者メールアドレス
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Currently, the renew verb is capable of either renewing all installed certificates that are due to be renewed or renewing a single certificate specified by its name. If you would like to renew specific certificates by their domains, use the certonly command instead. The renew verb may provide other options for selecting certificates to renew in the future.
 This is tough for someone who cannot read English well, but basically it seems to be saying "it is not time to renew yet" and "look at the other options".

5.4 Reviewing the options


> certbot --help renew
usage:

  certbot renew [--cert-name CERTNAME] [options]

optional arguments:
  -h, --help            show this help message and exit
  -c CONFIG_FILE, --config CONFIG_FILE
                        path to config file (default:
                        /usr/local/etc/letsencrypt/cli.ini and
                        ~/.config/letsencrypt/cli.ini)

renew:
  The 'renew' subcommand will attempt to renew all certificates (or more
  precisely, certificate lineages) you have previously obtained if they are
  close to expiry, and print a summary of the results. By default, 'renew'
  will reuse the options used to create obtain or most recently successfully
  renew each certificate lineage. You can try it with `--dry-run` first. For
  more fine-grained control, you can renew individual lineages with the
  `certonly` subcommand. Hooks are available to run commands before and
  after renewal; see https://certbot.eff.org/docs/using.html#renewal for
  more information on these.

  --cert-name CERTNAME  Certificate name to apply. This name is used by
                        Certbot for housekeeping and in file paths; it doesn't
                        affect the content of the certificate itself. To see
                        certificate names, run 'certbot certificates'. When
                        creating a new certificate, specifies the new
                        certificate's name. (default: the first provided
                        domain or the name of an existing certificate on your
                        system for the same domains)
  --dry-run             Perform a test run of the client, obtaining test
                        (invalid) certificates but not saving them to disk.
                        This can currently only be used with the 'certonly'
                        and 'renew' subcommands. Note: Although --dry-run
                        tries to avoid making any persistent changes on a
                        system, it is not completely side-effect free: if used
                        with webserver authenticator plugins like apache and
                        nginx, it makes and then reverts temporary config
                        changes in order to obtain test certificates, and
                        reloads webservers to deploy and then roll back those
                        changes. It also calls --pre-hook and --post-hook
                        commands if they are defined because they may be
                        necessary to accurately simulate renewal. --deploy-
                        hook commands are not called. (default: False)
  --force-renewal, --renew-by-default
                        If a certificate already exists for the requested
                        domains, renew it now, regardless of whether it is
                        near expiry. (Often --keep-until-expiring is more
                        appropriate). Also implies --expand. (default: False)
  --allow-subset-of-names
                        When performing domain validation, do not consider it
                        a failure if authorizations can not be obtained for a
                        strict subset of the requested domains. This may be
                        useful for allowing renewals for multiple domains to
                        succeed even if some domains no longer point at this
                        system. This option cannot be used with --csr.
                        (default: False)
  -q, --quiet           Silence all output except errors. Useful for
                        automation via cron. Implies --non-interactive.
                        (default: False)
  --debug-challenges    After setting up challenges, wait for user input
                        before submitting to CA (default: False)
  --preferred-challenges PREF_CHALLS
                        A sorted, comma delimited list of the preferred
                        challenge to use during authorization with the most
                        preferred challenge listed first (Eg, "dns" or "tls-
                        sni-01,http,dns"). Not all plugins support all
                        challenges. See
                        https://certbot.eff.org/docs/using.html#plugins for
                        details. ACME Challenges are versioned, but if you
                        pick "http" rather than "http-01", Certbot will select
                        the latest version automatically. (default: [])
  --pre-hook PRE_HOOK   Command to be run in a shell before obtaining any
                        certificates. Intended primarily for renewal, where it
                        can be used to temporarily shut down a webserver that
                        might conflict with the standalone plugin. This will
                        only be called if a certificate is actually to be
                        obtained/renewed. When renewing several certificates
                        that have identical pre-hooks, only the first will be
                        executed. (default: None)
  --post-hook POST_HOOK
                        Command to be run in a shell after attempting to
                        obtain/renew certificates. Can be used to deploy
                        renewed certificates, or to restart any servers that
                        were stopped by --pre-hook. This is only run if an
                        attempt was made to obtain/renew a certificate. If
                        multiple renewed certificates have identical post-
                        hooks, only one will be run. (default: None)
  --deploy-hook DEPLOY_HOOK
                        Command to be run in a shell once for each
                        successfully issued certificate. For this command, the
                        shell variable $RENEWED_LINEAGE will point to the
                        config live subdirectory (for example,
                        "/etc/letsencrypt/live/example.com") containing the
                        new certificates and keys; the shell variable
                        $RENEWED_DOMAINS will contain a space-delimited list
                        of renewed certificate domains (for example,
                        "example.com www.example.com" (default: None)
  --disable-hook-validation
                        Ordinarily the commands specified for --pre-hook
                        /--post-hook/--deploy-hook will be checked for
                        validity, to see if the programs being run are in the
                        $PATH, so that mistakes can be caught early, even when
                        the hooks aren't being run just yet. The validation is
                        rather simplistic and fails if you use more advanced
                        shell constructs, so you can use this switch to
                        disable it. (default: False)
  --no-directory-hooks  Disable running executables found in Certbot's hook
                        directories during renewal. (default: False)
 So I tried --force-renewal --renew-by-default, but it did not work. What I learned: --standalone and --apache are mutually exclusive. certbot-apache tries to run apache2ctl, so I decided not to use it.

5.5 Checking whether renewal works

 And with this I was finally able to force a renewal. This is the correct command:

> certbot \
	renew \					←	renewal subcommand
								once the certificate has been created with certonly, it turns out it can be
								renewed afterwards without specifying the domain name or the admin email address
	--standalone \			←	this is the right one on FreeBSD
	--force-renewal \		←	renew now
	--expand \				←	renew regardless
	--pre-hook "/usr/local/etc/rc.d/apache24 stop" \
	↑
	script run before renewal
	required, because otherwise the port numbers conflict

	--post-hook "/usr/local/etc/rc.d/apache24 start"
	↑
	script run after renewal
	starts apache again, since we stopped it
 The result of running the command above:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /ディレクトリ名/letsencrypt/renewal/www.sing.ne.jp.conf
-------------------------------------------------------------------------------
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Running pre-hook command: /usr/local/etc/rc.d/apache24 stop
Output from apache24:
Stopping apache24.
Waiting for PIDS: 23724.

Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for www.sing.ne.jp
tls-sni-01 challenge for freebsd.sing.ne.jp
Waiting for verification...
Cleaning up challenges

-------------------------------------------------------------------------------
new certificate deployed without reload, fullchain is
/ディレクトリ名/letsencrypt/live/www.sing.ne.jp/fullchain.pem
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Processing /ディレクトリ名/letsencrypt/renewal/freebsd.sing.ne.jp.conf
-------------------------------------------------------------------------------
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Pre-hook command already run, skipping: /usr/local/etc/rc.d/apache24 stop
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for freebsd.sing.ne.jp
Waiting for verification...
Cleaning up challenges

-------------------------------------------------------------------------------
new certificate deployed without reload, fullchain is
/ディレクトリ名/letsencrypt/live/freebsd.sing.ne.jp/fullchain.pem
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------

Congratulations, all renewals succeeded. The following certs have been renewed:
  /ディレクトリ名/letsencrypt/live/www.sing.ne.jp/fullchain.pem (success)
  /ディレクトリ名/letsencrypt/live/freebsd.sing.ne.jp/fullchain.pem (success)
-------------------------------------------------------------------------------
Running post-hook command: /usr/local/etc/rc.d/apache24 start
Output from apache24:
Performing sanity check on apache24 configuration:
Starting apache24.

Error output from apache24:
Syntax OK

 Afterwards I confirmed that the certificate files had been updated. The certificate files referenced in the apache configuration are actually symbolic links, and renewal works by changing where those links point.
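As an added example (not from the original post), here is a cron-friendly wrapper around the command above: it only renews when a lineage is inside certbot's default 30-day window instead of forcing every run, uses the same apache24 pre/post hooks, and verifies the result with openssl afterwards. The paths, the threshold and the helper names are assumptions.

```shell
#!/bin/sh
# Added example, not the post's own code. Paths/threshold are assumptions.
RENEW_THRESHOLD_DAYS=30                     # certbot's own "near expiry" default
APACHE_RC=/usr/local/etc/rc.d/apache24      # same rc script as the hooks in the post
LIVE_DIR=/usr/local/etc/letsencrypt/live    # assumed FreeBSD prefix

# Constructed sample of `certbot certificates` output, used for offline testing only.
SAMPLE_CERTS_OUTPUT='Found the following certs:
  Certificate Name: www.sing.ne.jp
    Domains: www.sing.ne.jp freebsd.sing.ne.jp
    Expiry Date: 2018-02-02 00:00:00+00:00 (VALID: 89 days)
  Certificate Name: freebsd.sing.ne.jp
    Domains: freebsd.sing.ne.jp
    Expiry Date: 2017-12-01 00:00:00+00:00 (VALID: 27 days)'

# Print the smallest "VALID: N days" value in certbot certificates output
# (0 if any lineage is already INVALID/expired, nothing if no lineage is listed).
min_days_left() {
    if printf '%s\n' "$1" | grep -q 'INVALID'; then echo 0; return; fi
    printf '%s\n' "$1" | sed -n 's/.*(VALID: \([0-9][0-9]*\) day.*/\1/p' | sort -n | head -n 1
}

# True when at least one lineage is within the renewal window.
needs_renewal() {
    days=$(min_days_left "$1")
    [ -n "$days" ] && [ "$days" -le "$RENEW_THRESHOLD_DAYS" ]
}

# Real run only when invoked as `sh renew.sh --run`, so sourcing the file is harmless.
if [ "${1:-}" = "--run" ]; then
    set -e
    current=$(certbot certificates 2>/dev/null)
    if needs_renewal "$current"; then
        # No --force-renewal here: forcing on every cron run burns Let's Encrypt rate limits.
        # standalone needs the HTTP(S) ports free, hence stop/start apache around it.
        certbot renew -q --standalone \
            --pre-hook "$APACHE_RC stop" --post-hook "$APACHE_RC start"
        # Verify: every live fullchain must now be valid well beyond the threshold.
        for pem in "$LIVE_DIR"/*/fullchain.pem; do
            [ -L "$pem" ] || echo "warning: $pem is not a symlink into archive/" >&2
            openssl x509 -in "$pem" -noout -checkend $((RENEW_THRESHOLD_DAYS * 86400)) \
                || { echo "still near expiry after renew: $pem" >&2; exit 1; }
        done
    fi
fi
```

Run it from cron as `sh renew.sh --run`; without `--run` it only defines the helpers.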