Let's Encrypt
2018-07-02 09:07
certbot-auto install
$ sudo wget https://dl.eff.org/certbot-auto -O /usr/bin/certbot-auto
$ sudo chmod 755 /usr/bin/certbot-auto
$ certbot-auto --help
certbot-auto execute
$ certbot-auto certonly --webroot -w DOC_ROOT -d DOMAIN -m EMAIL --agree-tos
cron
$ crontab -e
###
### Run at 04:00 on the 1st of every month
###
# apache
00 04 01 * * /usr/bin/certbot-auto renew --force-renew && systemctl reload httpd
# nginx
# 00 04 01 * * /usr/bin/certbot-auto renew --force-renew && systemctl reload nginx
for conf : apache
<VirtualHost *:443>
:
:
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/DOMAIN/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/DOMAIN/privkey.pem
# chain.pem holds only the intermediates; fullchain.pem is cert.pem + chain.pem
# (on Apache 2.4.8+ you can instead point SSLCertificateFile at fullchain.pem)
SSLCertificateChainFile /etc/letsencrypt/live/DOMAIN/chain.pem
:
:
</VirtualHost>
for basic auth : apache
<Directory "/var/www/hoge/.well-known">
<RequireAll>
Require all granted
</RequireAll>
</Directory>
for conf : nginx
server {
:
:
# "ssl on;" is deprecated since nginx 1.15.0; enable TLS on the listen line instead
listen 443 ssl;
:
:
ssl_certificate /etc/letsencrypt/live/DOMAIN/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/DOMAIN/privkey.pem;
:
:
}
for basic auth : nginx
location ^~ /.well-known/acme-challenge/ {
auth_basic off;
}
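Before running certbot-auto with --webroot it is worth confirming that the exemption above actually works, i.e. that a file dropped under DOC_ROOT/.well-known/acme-challenge/ is reachable over plain HTTP without credentials. The script below is an added example written for this page, not code from the page or from Certbot: check_webroot() writes a random token file into the webroot, fetches it back the way the CA does, classifies 401/403 (basic auth still in the way) and 404 (DOC_ROOT does not match what the server serves), and removes the token afterwards. serve_directory() and run_offline_demo() are hypothetical helpers that stand up a throwaway local HTTP server so the check can be tried offline; against a real site you would call check_webroot(DOC_ROOT, "http://DOMAIN") instead.

```python
"""Pre-flight check for HTTP-01 webroot validation (hypothetical helper,
not part of Certbot): drop a token under DOC_ROOT/.well-known/acme-challenge/
and fetch it back over HTTP exactly the way the CA would."""
import http.server
import os
import secrets
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial

CHALLENGE_DIR = os.path.join(".well-known", "acme-challenge")


def check_webroot(webroot: str, base_url: str, timeout: float = 5.0) -> tuple:
    """Write a random token under webroot and fetch it via base_url.

    Returns (ok, detail). base_url is the public origin of the site,
    e.g. "http://DOMAIN" (placeholder, as on the page).
    """
    token = secrets.token_urlsafe(32)  # URL-safe charset, so safe as a file name
    challenge_path = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(challenge_path, exist_ok=True)
    token_file = os.path.join(challenge_path, token)
    # Same URL path the CA requests; fetched without any credentials on purpose.
    url = f"{base_url.rstrip('/')}/.well-known/acme-challenge/{token}"
    try:
        with open(token_file, "w", encoding="ascii") as fh:
            fh.write(token)
        try:
            with urllib.request.urlopen(url, timeout=timeout) as resp:
                body = resp.read().decode("ascii", errors="replace")
        except urllib.error.HTTPError as exc:
            if exc.code in (401, 403):
                return False, f"HTTP {exc.code}: challenge path is behind auth or denied"
            if exc.code == 404:
                return False, "HTTP 404: webroot does not match the served DocumentRoot"
            return False, f"HTTP {exc.code}"
        except (urllib.error.URLError, OSError) as exc:
            return False, f"connection failed: {exc}"
        if body.strip() != token:
            return False, "served content differs from the token file"
        return True, "challenge path is served correctly"
    finally:
        # Never leave stale tokens lying around in the webroot.
        if os.path.exists(token_file):
            os.remove(token_file)


def serve_directory(directory: str):
    """Start a throwaway HTTP server for `directory` on a free local port.

    Returns (server, base_url); call server.shutdown() when done. Only used
    so the check can be exercised offline instead of against a real vhost.
    """
    handler = partial(http.server.SimpleHTTPRequestHandler, directory=directory)
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def run_offline_demo() -> dict:
    """Run the check against a temp dir standing in for DOC_ROOT.

    "good" uses the right origin; "bad_path" deliberately points at a
    sub-path nothing serves, which is what a wrong DOC_ROOT looks like.
    """
    with tempfile.TemporaryDirectory() as webroot:
        server, base_url = serve_directory(webroot)
        try:
            return {
                "good": check_webroot(webroot, base_url),
                "bad_path": check_webroot(webroot, base_url + "/wrong-prefix"),
            }
        finally:
            server.shutdown()


if __name__ == "__main__":
    for name, result in run_offline_demo().items():
        print(name, result)
```

Run it on the server itself (or from outside, with the real origin) right after adding the Apache or nginx exemption; a 401 means the exemption is not matching the path the CA will request.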
certbot-auto wildcard
$ sudo certbot-auto certonly --manual -d '*.DOMAIN' -m EMAIL --agree-tos --manual-public-ip-logging-ok \
--preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.DOMAIN with the following value:
HjceQRWhJ1Bgo-Oy_p6QNlg7Vc0J_buFNVqeTpvdtfc
Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Set the value above as the DNS TXT record. Then press any key, and the wildcard certificate is issued.
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/DOMAIN/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/DOMAIN/privkey.pem
Your cert will expire on YYYY-MM-DD. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"