- 1. Overview
- 2. Reference sites
- 3. Checking the command
- 4. Reviewing the options
- 5. Checking that renewal works
1. Overview
Certificates obtained from Let's Encrypt are valid for 90 days.
The question of why it is 90 days is answered concisely in
"Why the certificate lifetime is 90 days" on the Let's Encrypt 総合ポータル (as of 24 July 2024 that page can no longer be reached because of an SSL error).
It is a perfectly convincing argument.
Anyway, I set this up today (4 November 2017), so I now have to come up with a mechanism that renews the certificate automatically within those 90 days (laughs).
2. Reference sites
I consulted the following:
"Running Apache + SSL (Let's Encrypt) + HTTP/2 on FreeBSD 11"
It is a little funny that the reference site itself is not served over SSL, although that is simply because the hosting site only publishes the articles.
In "Running Apache + SSL (Let's Encrypt) + HTTP/2 on FreeBSD 11", the part about speeding up Apache interested me more than the SSL options.
I would like to try it some day.
I looked at many other sites as well, but their articles were either out of date or did not match the FreeBSD commands, so in the end I did most of it on my own.
3. Checking the command
First, another look at the help...
certbot --help
It prints the following.
-------------------------------------------------------------------------------
certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...
Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
certificate. The most common SUBCOMMANDS and flags are:
obtain, install, and renew certificates:
(default) run Obtain & install a certificate in your current webserver
certonly Obtain or renew a certificate, but do not install it
renew Renew all previously obtained certificates that are near
expiry
-d DOMAINS Comma-separated list of domains to obtain a certificate for
(the certbot apache plugin is not installed)
--standalone Run a standalone webserver for authentication
(the certbot nginx plugin is not installed)
--webroot Place files in a server's webroot folder for authentication
--manual Obtain certificates interactively, or using shell script
hooks
-n Run non-interactively
--test-cert Obtain a test certificate from a staging server
--dry-run Test "renew" or "certonly" without saving any certificates
to disk
manage certificates:
certificates Display information about certificates you have from Certbot
revoke Revoke a certificate (supply --cert-path)
delete Delete a certificate
manage your account with Let's Encrypt:
register Create a Let's Encrypt ACME account
--agree-tos Agree to the ACME server's Subscriber Agreement
-m EMAIL Email address for important account notifications
More detailed help:
-h, --help [TOPIC] print this message, or detailed help on a topic;
the available TOPICS are:
all, automation, commands, paths, security, testing, or any of the
subcommands or plugins (certonly, renew, install, register, nginx,
apache, standalone, webroot, etc.)
-------------------------------------------------------------------------------
The line "(the certbot apache plugin is not installed)" bothered me, so I installed the certbot apache plugin.
After installing the plugin, part of the help output changed.
In the end it turned out that this plugin is not needed.
expiry
-d DOMAINS Comma-separated list of domains to obtain a certificate for
--apache Use the Apache plugin for authentication & installation
↑
this line was added
--standalone Run a standalone webserver for authentication
(the certbot nginx plugin is not installed)
--webroot Place files in a server's webroot folder for authentication
--manual Obtain certificates interactively, or using shell script
So I ran:
certbot renew --standalone --domain DOMAIN -m ADMIN_EMAIL
and got the following message.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Currently, the renew verb is capable of either renewing all installed certificates that are due to be renewed or renewing a single certificate specified by its name. If you would like to renew specific certificates by their domains, use the certonly command instead. The renew verb may provide other options for selecting certificates to renew in the future.
Hard going for someone who cannot read English, but it basically seems to be saying "it is not time to renew yet" and "look at the other options".
4. Reviewing the options
Let me go over the options again.
certbot --help renew
usage:
certbot renew [--cert-name CERTNAME] [options]
optional arguments:
-h, --help show this help message and exit
-c CONFIG_FILE, --config CONFIG_FILE
path to config file (default:
/usr/local/etc/letsencrypt/cli.ini and
~/.config/letsencrypt/cli.ini)
renew:
The 'renew' subcommand will attempt to renew all certificates (or more
precisely, certificate lineages) you have previously obtained if they are
close to expiry, and print a summary of the results. By default, 'renew'
will reuse the options used to create obtain or most recently successfully
renew each certificate lineage. You can try it with `--dry-run` first. For
more fine-grained control, you can renew individual lineages with the
`certonly` subcommand. Hooks are available to run commands before and
after renewal; see https://certbot.eff.org/docs/using.html#renewal for
more information on these.
--cert-name CERTNAME Certificate name to apply. This name is used by
Certbot for housekeeping and in file paths; it doesn't
affect the content of the certificate itself. To see
certificate names, run 'certbot certificates'. When
creating a new certificate, specifies the new
certificate's name. (default: the first provided
domain or the name of an existing certificate on your
system for the same domains)
--dry-run Perform a test run of the client, obtaining test
(invalid) certificates but not saving them to disk.
This can currently only be used with the 'certonly'
and 'renew' subcommands. Note: Although --dry-run
tries to avoid making any persistent changes on a
system, it is not completely side-effect free: if used
with webserver authenticator plugins like apache and
nginx, it makes and then reverts temporary config
changes in order to obtain test certificates, and
reloads webservers to deploy and then roll back those
changes. It also calls --pre-hook and --post-hook
commands if they are defined because they may be
necessary to accurately simulate renewal. --deploy-
hook commands are not called. (default: False)
--force-renewal, --renew-by-default
If a certificate already exists for the requested
domains, renew it now, regardless of whether it is
near expiry. (Often --keep-until-expiring is more
appropriate). Also implies --expand. (default: False)
--allow-subset-of-names
When performing domain validation, do not consider it
a failure if authorizations can not be obtained for a
strict subset of the requested domains. This may be
useful for allowing renewals for multiple domains to
succeed even if some domains no longer point at this
system. This option cannot be used with --csr.
(default: False)
-q, --quiet Silence all output except errors. Useful for
automation via cron. Implies --non-interactive.
(default: False)
--debug-challenges After setting up challenges, wait for user input
before submitting to CA (default: False)
--preferred-challenges PREF_CHALLS
A sorted, comma delimited list of the preferred
challenge to use during authorization with the most
preferred challenge listed first (Eg, "dns" or "tls-
sni-01,http,dns"). Not all plugins support all
challenges. See
https://certbot.eff.org/docs/using.html#plugins for
details. ACME Challenges are versioned, but if you
pick "http" rather than "http-01", Certbot will select
the latest version automatically. (default: [])
--pre-hook PRE_HOOK Command to be run in a shell before obtaining any
certificates. Intended primarily for renewal, where it
can be used to temporarily shut down a webserver that
might conflict with the standalone plugin. This will
only be called if a certificate is actually to be
obtained/renewed. When renewing several certificates
that have identical pre-hooks, only the first will be
executed. (default: None)
--post-hook POST_HOOK
Command to be run in a shell after attempting to
obtain/renew certificates. Can be used to deploy
renewed certificates, or to restart any servers that
were stopped by --pre-hook. This is only run if an
attempt was made to obtain/renew a certificate. If
multiple renewed certificates have identical post-
hooks, only one will be run. (default: None)
--deploy-hook DEPLOY_HOOK
Command to be run in a shell once for each
successfully issued certificate. For this command, the
shell variable $RENEWED_LINEAGE will point to the
config live subdirectory (for example,
"/etc/letsencrypt/live/example.com") containing the
new certificates and keys; the shell variable
$RENEWED_DOMAINS will contain a space-delimited list
of renewed certificate domains (for example,
"example.com www.example.com" (default: None)
--disable-hook-validation
Ordinarily the commands specified for --pre-hook
/--post-hook/--deploy-hook will be checked for
validity, to see if the programs being run are in the
$PATH, so that mistakes can be caught early, even when
the hooks aren't being run just yet. The validation is
rather simplistic and fails if you use more advanced
shell constructs, so you can use this switch to
disable it. (default: False)
--no-directory-hooks Disable running executables found in Certbot's hook
directories during renewal. (default: False)
So, well, I tried "--force-renewal" and "--renew-by-default", but it did not work.
What I learned:
"--standalone" and "--apache" are mutually exclusive; only one authenticator can be chosen.
"certbot-apache" tries to run "apache2ctl", so I will leave it alone.
5. Checking that renewal works
With this I finally managed to force a renewal.
This is the command that works:
certbot \
renew \ ← the renew subcommand
once a certificate has been created with certonly, it can be renewed afterwards
without specifying the domain names or the admin e-mail address again
--standalone \ ← the authenticator for this FreeBSD setup (no Apache plugin)
--force-renewal \ ← renew now, regardless of how close to expiry the certificate is
--expand \ ← allows an existing certificate to be expanded to cover extra domains; --force-renewal already implies it (see the help text above), so it is redundant here
--pre-hook "/usr/local/etc/rc.d/apache24 stop" \
↑
script run before renewal
required, because the standalone authenticator binds the port Apache is already listening on
--post-hook "/usr/local/etc/rc.d/apache24 start"
↑
script run after renewal
starts Apache again, since we stopped it
Note that --force-renewal is only appropriate for this one-off test. The help text above recommends --keep-until-expiring (the default) instead: a cron job that forces a fresh issuance on every run renews certificates that do not need it and eats into Let's Encrypt's issuance rate limits.
Output of the command above:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
-------------------------------------------------------------------------------
Processing /DIRECTORY/letsencrypt/renewal/www.sing.ne.jp.conf
-------------------------------------------------------------------------------
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Running pre-hook command: /usr/local/etc/rc.d/apache24 stop
Output from apache24:
Stopping apache24.
Waiting for PIDS: 23724.
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for www.sing.ne.jp
tls-sni-01 challenge for freebsd.sing.ne.jp
Waiting for verification...
Cleaning up challenges
-------------------------------------------------------------------------------
new certificate deployed without reload, fullchain is
/DIRECTORY/letsencrypt/live/www.sing.ne.jp/fullchain.pem
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
Processing /DIRECTORY/letsencrypt/renewal/freebsd.sing.ne.jp.conf
-------------------------------------------------------------------------------
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Pre-hook command already run, skipping: /usr/local/etc/rc.d/apache24 stop
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for freebsd.sing.ne.jp
Waiting for verification...
Cleaning up challenges
-------------------------------------------------------------------------------
new certificate deployed without reload, fullchain is
/DIRECTORY/letsencrypt/live/freebsd.sing.ne.jp/fullchain.pem
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
Congratulations, all renewals succeeded. The following certs have been renewed:
/DIRECTORY/letsencrypt/live/www.sing.ne.jp/fullchain.pem (success)
/DIRECTORY/letsencrypt/live/freebsd.sing.ne.jp/fullchain.pem (success)
-------------------------------------------------------------------------------
Running post-hook command: /usr/local/etc/rc.d/apache24 start
Output from apache24:
Performing sanity check on apache24 configuration:
Starting apache24.
Error output from apache24:
Syntax OK
Afterwards I confirmed that the certificate files had been updated.
The certificate files referenced in the Apache configuration are actually symbolic links (the files under live/ point into archive/), and renewal works by repointing those links at the newly issued files, so Apache's configuration never has to change.
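As an added example (not the blog's own script), here is a cron-ready wrapper around the section 5 command. It drops --force-renewal so certbot itself decides whether a lineage is due, takes a lock so two overlapping runs cannot both stop and start Apache, and after a real renewal checks the symlink layout just described plus the private key's permissions. It also acts on the message shown in section 3: renew does not accept --domain, so a single lineage is selected with --cert-name (the name printed by "certbot certificates"); certonly is the command for domain-based selection. The paths (/usr/local/bin/certbot, /usr/local/etc/rc.d/apache24, /usr/local/etc/letsencrypt) and the lock directory are assumptions matching the FreeBSD port defaults and can be overridden from the environment. One caveat for anyone reusing the log above: it shows tls-sni-01 challenges against the acme-v01 endpoint, both of which Let's Encrypt has since retired; a current certbot's standalone authenticator answers http-01 on port 80, so the pre-hook is still needed, but the port that must be free is 80 rather than 443.

```shell
#!/bin/sh
# Added example, not the blog's own script: a cron-friendly wrapper around
# "certbot renew" for the standalone + apache24 setup described above.
# Assumed paths (FreeBSD port defaults); override from the environment.
CERTBOT=${CERTBOT:-/usr/local/bin/certbot}
APACHE_RC=${APACHE_RC:-/usr/local/etc/rc.d/apache24}
LE_DIR=${LE_DIR:-/usr/local/etc/letsencrypt}
LOCK=${LOCK:-/var/run/certbot-renew.lock}
CERT_NAME=${CERT_NAME:-}   # optional: renew one lineage only (see "certbot certificates")

# Print the certbot command line.  No --force-renewal: by default certbot
# renews only lineages close to expiry (--keep-until-expiring), so this can
# run from cron daily without issuing a new certificate every time.
# "dry" as $1 adds --dry-run (staging server, nothing written to disk).
# renew does not take -d; a single lineage is chosen with --cert-name.
renew_cmd() {
    printf '%s renew -q --standalone --pre-hook "%s stop" --post-hook "%s start"' \
        "$CERTBOT" "$APACHE_RC" "$APACHE_RC"
    [ -n "$CERT_NAME" ] && printf ' --cert-name %s' "$CERT_NAME"
    [ "${1:-}" = dry ] && printf ' --dry-run'
    printf '\n'
}

# Check one lineage after renewal: the files Apache is configured with must
# still be symlinks into archive/ that resolve, and the private key must not
# be group- or world-readable.  Usage: verify_lineage LE_DIR www.example.com
verify_lineage() {
    live="$1/live/$2"
    for f in fullchain.pem privkey.pem; do
        [ -L "$live/$f" ] || { echo "$live/$f is not a symlink" >&2; return 1; }
        [ -r "$live/$f" ] || { echo "$live/$f: dangling link" >&2; return 1; }
    done
    key=$(readlink "$live/privkey.pem")            # certbot uses relative targets
    case "$key" in /*) ;; *) key="$live/$key" ;; esac
    if [ -n "$(find "$key" \( -perm -040 -o -perm -004 \) -print)" ]; then
        echo "$key is group/world readable" >&2
        return 1
    fi
    return 0
}

# Optional post-check with openssl: fail unless the deployed leaf certificate
# is still valid DAYS from now, which catches a run that reported success but
# left the old file in place.  Usage: cert_valid_for LE_DIR www.example.com 30
cert_valid_for() {
    command -v openssl >/dev/null || { echo "openssl not found" >&2; return 2; }
    openssl x509 -in "$1/live/$2/fullchain.pem" -noout -checkend $(( $3 * 86400 ))
}

# Run the renewal under a lock (mkdir is atomic), then verify every lineage
# that has a renewal config.  Pass "dry" to rehearse against staging.
run_renew() {
    mkdir "$LOCK" 2>/dev/null || { echo "renewal already running ($LOCK)" >&2; return 1; }
    trap 'rmdir "$LOCK"' EXIT
    eval "$(renew_cmd "${1:-}")" || return 1
    [ "${1:-}" = dry ] && return 0                 # nothing was written
    rc=0
    for conf in "$LE_DIR"/renewal/*.conf; do
        [ -e "$conf" ] || continue
        name=$(basename "$conf" .conf)
        verify_lineage "$LE_DIR" "$name" || rc=1
        cert_valid_for "$LE_DIR" "$name" 30 || rc=1
    done
    return $rc
}

case "${1:-}" in
    run) run_renew ;;
    dry) run_renew dry ;;
esac
```

Install it as, say, /usr/local/sbin/le-renew.sh, run "le-renew.sh dry" once by hand to rehearse against the staging server (the hooks do run during a dry run, so Apache is briefly stopped), then schedule "le-renew.sh run" from root's crontab a couple of times a day; certbot only talks to the CA when a lineage is actually due, so the Apache restart happens roughly once every 60 days rather than on every run.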