1. Overview
In the previous article certbot was installed successfully, so now we obtain a certificate.
2. Obtaining a certificate (failed)
The first attempt failed.
The port printed the message below at install time, so the standalone option appears to be mandatory (this port ships only the standalone authenticator; the apache and nginx plugins are separate ports):
===========================================================================
This port installs the "standalone" client only, which does not use and
is not the certbot-auto bootstrap/wrapper script.
The simplest form of usage to obtain certificates is:
# sudo certbot certonly --standalone -d <domain>, [domain2, ... domainN]>
NOTE:
The client requires the ability to bind on TCP port 80 or 443 (depending
on the --preferred-challenges option used). If a server is running on that
port, it will need to be temporarily stopped so that the standalone server
can listen on that port to complete the challenge authentication process.
For more information on the 'standalone' mode, see:
https://certbot.eff.org/docs/using.html#standalone
The certbot plugins to support apache and nginx certificate installation
will be made available in the following ports:
* Apache plugin: security/py-certbot-apache
* Nginx plugin: security/py-certbot-nginx
===========================================================================
This obviously cannot be tried in the test environment, so, nervously, I do it on the production machine.
The domain names are public and there is nothing to hide, so I write them as they are.
Wildcard domains were reportedly not supported, and every subdomain has to be listed explicitly (a wildcard certificate needs the ACME v2 endpoint and the DNS-01 challenge, which the standalone authenticator cannot answer; with standalone, each name gets its own -d), so:
$ certbot certonly --standalone -d www.sing.ne.jp -d freebsd.sing.ne.jp
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): ← enter the server administrator's email address
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf. You must agree
in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: A
-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: Y
Starting new HTTPS connection (1): supporters.eff.org
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for www.sing.ne.jp
tls-sni-01 challenge for freebsd.sing.ne.jp
Cleaning up challenges
Problem binding to port 443: Could not bind to IPv4 or IPv6.
IMPORTANT NOTES:
- Your account credentials have been saved in your Certbot
configuration directory at /usr/local/etc/letsencrypt. You should
make a secure backup of this folder now. This configuration
directory will also contain certificates and private keys obtained
by Certbot so making regular backups of this folder is ideal.
So the first attempt failed.
The message is [Problem binding to port 443: Could not bind to IPv4 or IPv6.]: the tls-sni-01 challenge requires certbot to run its own temporary listener on port 443, and apache was already listening there. Note that the account registration itself did succeed (the credentials were saved under /usr/local/etc/letsencrypt, as the output says), which is why the next run no longer asks for an email address or the terms of service.
So I searched for that message.
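Before running the standalone authenticator it is worth checking which process already holds the port it needs. The following is an added example, not code from the original post: it maps the challenge type to the port certbot will bind and runs that check over constructed sample output in the format of FreeBSD's sockstat -4 -6 -l (on Linux, ss -ltnp gives the same information). The process names and PIDs in the sample are invented.

```shell
#!/bin/sh
# Added example (not part of the original post): find out which process holds
# the port that certbot's standalone authenticator needs, before running it.
# SAMPLE_SOCKSTAT is CONSTRUCTED sample data in the format of
# `sockstat -4 -6 -l -p 80,443` on FreeBSD; the PIDs are invented.

SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
www      httpd      1234  4  tcp4   *:80                  *:*
www      httpd      1234  5  tcp4   *:443                 *:*
www      httpd      1234  6  tcp6   *:443                 *:*
root     sshd       600   4  tcp4   *:22                  *:*'

# Port that certbot --standalone listens on for a given ACME challenge type.
# tls-sni-01 (seen in the 2017 log above) was retired by Let's Encrypt in 2019;
# current certbot defaults to http-01, so today the port to free is 80.
challenge_port() {
    case "$1" in
        http-01)                echo 80 ;;
        tls-sni-01|tls-alpn-01) echo 443 ;;
        *) echo "unknown challenge: $1" >&2; return 1 ;;
    esac
}

# Print "COMMAND PID" for every listener on port $1 found in sockstat output $2,
# one per line, deduplicated (httpd appears once per socket otherwise).
port_holders() {
    port=$1
    printf '%s\n' "$2" | awk -v p=":$port" '
        NR > 1 && substr($6, length($6) - length(p) + 1) == p { print $2, $3 }
    ' | sort -u
}

# Pre-flight for challenge type $1 over sockstat output $2:
# returns 0 if the port is free, 1 if something already holds it.
standalone_preflight() {
    port=$(challenge_port "$1") || return 2
    holders=$(port_holders "$port" "$2")
    if [ -n "$holders" ]; then
        echo "port $port is held by: $holders" >&2
        return 1
    fi
    echo "port $port is free" >&2
    return 0
}

# Stand-alone usage: diagnose the failure from the log above (tls-sni-01 => 443).
# Run with the argument "demo"; on a real host pass "$(sockstat -4 -6 -l)" instead
# of SAMPLE_SOCKSTAT.
if [ "${1:-}" = "demo" ]; then
    standalone_preflight tls-sni-01 "$SAMPLE_SOCKSTAT"
fi
```

A non-zero exit from standalone_preflight is the condition under which certbot would print the "Problem binding to port" error; either stop the listed process for the duration of the challenge, as the next section does, or use the --webroot authenticator, which serves the http-01 response through the running web server instead of binding the port itself.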
3. Obtaining again
Referring to the article 「Let's Encryptの更新に失敗した原因と対処法」 ("Causes of and fixes for a failed Let's Encrypt renewal"),
I run certbot with apache stopped.
Stop apache.
service apache24 stop
Obtain the certificate.
certbot certonly --standalone -d www.sing.ne.jp -d freebsd.sing.ne.jp
Output like the following appears.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for www.sing.ne.jp
tls-sni-01 challenge for freebsd.sing.ne.jp
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/usr/local/etc/letsencrypt/live/www.sing.ne.jp/fullchain.pem
Your key file has been saved at:
/usr/local/etc/letsencrypt/live/www.sing.ne.jp/privkey.pem
Your cert will expire on 2018-02-02. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Start apache.
service apache24 start
The certificate appears to have been issued, but...
looking under /usr/local/etc/letsencrypt/live, there is only a www.sing.ne.jp directory.
That is actually expected: when several -d names are passed in one run, certbot issues a single certificate whose Subject Alternative Name list contains all of them and stores it under a lineage named after the first -d. The fullchain.pem shown above therefore already covers freebsd.sing.ne.jp as well, which openssl x509 -noout -ext subjectAltName on the file will confirm. Here the same procedure was nevertheless repeated for freebsd.sing.ne.jp on its own; that works too, but it issues a second certificate that counts against Let's Encrypt's issuance rate limits.
With that, there are now two.
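The check worth doing at this point is to read the names and the expiry date out of the certificate that was actually issued, rather than inferring them from the directory name. The block below is an added example, not code from the original post; it needs openssl 1.1.1 or later. So that it runs offline, make_sample_cert creates a self-signed stand-in carrying the same two names; on the real host, point the functions at /usr/local/etc/letsencrypt/live/www.sing.ne.jp/fullchain.pem instead.

```shell
#!/bin/sh
# Added example (not part of the original post): check which names a certificate
# covers and whether it is close to expiry, using openssl (1.1.1 or later).
# make_sample_cert produces a CONSTRUCTED self-signed stand-in for offline use;
# it is not a Let's Encrypt certificate.

# Print each DNS name from the subjectAltName extension, one per line.
cert_sans() {
    openssl x509 -in "$1" -noout -ext subjectAltName \
        | grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
}

# Return 0 if the certificate lists name $2 as a SAN, 1 otherwise.
cert_covers() {
    cert_sans "$1" | grep -qx "$2"
}

# Return 0 if the certificate stays valid for at least $2 more seconds,
# 1 if it expires sooner (openssl -checkend); 1 means "renew now".
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Constructed sample: a one-day self-signed certificate carrying both names of
# the post, written to $1 (private key to $2). Demonstration only.
make_sample_cert() {
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$2" -out "$1" -days 1 -subj '/CN=www.sing.ne.jp' \
        -addext 'subjectAltName=DNS:www.sing.ne.jp,DNS:freebsd.sing.ne.jp' \
        >/dev/null 2>&1
}

# Stand-alone usage: run with the argument "demo".
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    make_sample_cert "$tmp/cert.pem" "$tmp/key.pem"
    cert_sans "$tmp/cert.pem"
    cert_covers "$tmp/cert.pem" freebsd.sing.ne.jp && echo "freebsd.sing.ne.jp is covered"
    cert_valid_for "$tmp/cert.pem" 2592000 || echo "expires within 30 days: renew"
    rm -rf "$tmp"
fi
```

cert_valid_for with 2592000 (30 days) is the same threshold certbot renew uses to decide whether a certificate is due, so it is a convenient check to put in a monitoring script alongside the renewal job.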
4. Obtaining a certificate (22 December 2023)
Requesting a new certificate again after a long time, the procedure seems to have changed,
so I record it here.
Stop apache.
service apache24 stop
Obtain the certificate. (Stopping apache is still necessary: tls-sni-01 no longer exists, and the standalone authenticator now answers the http-01 challenge on port 80, which apache would otherwise be holding.)
certbot certonly --standalone -d ドメイン名
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel):
and you are asked for an email address.
Enter the email address and press Enter.
Even so it did not work, so I used the option that registers without an email address. Note that an account registered this way receives no expiry or revocation notices from Let's Encrypt; an address can be attached later with certbot update_account --email.
certbot certonly --register-unsafely-without-email --standalone -d ドメイン名
A log like the following is output.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for ドメイン名
Successfully received certificate.
Certificate is saved at: /usr/local/etc/letsencrypt/live/ドメイン名/fullchain.pem
Key is saved at: /usr/local/etc/letsencrypt/live/ドメイン名/privkey.pem
This certificate expires on 2024-03-20.
These files will be updated when the certificate renews.
NEXT STEPS:
- The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The certificate was obtained.
Start apache.
service apache24 start
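Sections 3 and 4 both do the same thing by hand: stop apache, run certbot, start apache. The NEXT STEPS note in the output says renewal still has to be set up, and a renewal that stops apache and then fails before starting it again takes the site down. The block below is an added example, not code from the original post: the same procedure as a shell function that restarts apache whatever certbot's outcome, plus the renew invocation whose --pre-hook/--post-hook lets certbot do the stop/start itself so that a cron job can run it unattended. The service name apache24 and the domain names are those of the post; the WEB_SERVICE variable and the function names are this example's own, and nothing runs unless the file is invoked with an argument.

```shell
#!/bin/sh
# Added example (not part of the original post): the stop/certbot/start procedure
# of sections 3 and 4, made safe for unattended use.
# Assumptions: FreeBSD rc service "apache24" (as on the page), certbot in PATH.
# Nothing below runs until the script is called with "issue" or "renew".

WEB_SERVICE="${WEB_SERVICE:-apache24}"

# Run certbot with the web server stopped, and start it again no matter how
# certbot ended; certbot's exit status is returned so cron mail shows failures.
# $1 = rc service name; everything after it is passed to certbot verbatim.
with_service_stopped() {
    svc=$1; shift
    service "$svc" stop || return 1
    certbot "$@"
    rc=$?
    service "$svc" start
    return $rc
}

# Issue ONE certificate covering all given names (they become SANs; the lineage
# takes the first name). $1 = contact email, or "" to register without one,
# which forfeits Let's Encrypt's expiry and revocation mail. Rest = domain names.
issue_standalone() {
    email=$1; shift
    if [ -n "$email" ]; then contact="--email $email"
    else contact=--register-unsafely-without-email; fi
    dargs=""
    for d in "$@"; do dargs="$dargs -d $d"; done
    # $contact and $dargs are deliberately unquoted so they split into words.
    with_service_stopped "$WEB_SERVICE" certonly --standalone --non-interactive \
        --agree-tos $contact $dargs
}

# Renew every lineage that is due, letting certbot stop and start the web server
# around the http-01 challenge through its own hooks. Pass --dry-run to rehearse
# against the staging CA, which issues nothing and is not rate limited.
renew_with_hooks() {
    certbot renew --non-interactive \
        --pre-hook "service $WEB_SERVICE stop" \
        --post-hook "service $WEB_SERVICE start" "$@"
}

case "${1:-}" in
    issue) shift; issue_standalone "$@" ;;   # issue "" www.sing.ne.jp freebsd.sing.ne.jp
    renew) shift; renew_with_hooks "$@" ;;   # renew --dry-run, then renew
esac
```

A root crontab entry such as `0 3 * * * /path/to/this.sh renew` is enough once `renew --dry-run` succeeds; certbot only contacts the CA for lineages within 30 days of expiry, and the hooks run only when a renewal is actually attempted, so apache is not restarted on the nights nothing is due.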