
Let's Encrypt

2018-07-02 09:07

certbot-auto install


Note: the script is downloaded over HTTPS and then run as root, so check it against the detached signature the EFF publishes next to it (certbot-auto.asc at the same URL) before executing it. certbot-auto itself was deprecated by the EFF at the end of 2020; on a current system install certbot from the distribution package or snap instead, and replace "certbot-auto" with "certbot" in the commands below.

$ sudo wget https://dl.eff.org/certbot-auto -O /usr/bin/certbot-auto
$ sudo chmod 755 /usr/bin/certbot-auto
$ certbot-auto --help


certbot-auto execute


$ certbot-auto certonly --webroot -w DOC_ROOT -d DOMAIN -m EMAIL --agree-tos


cron


$ crontab -e
###
### Run at 04:00 on the 1st of every month
###

# apache
00 04 01 * * /usr/bin/certbot-auto renew --force-renew && systemctl reload httpd

# nginx
# 00 04 01 * * /usr/bin/certbot-auto renew --force-renew && systemctl reload nginx

Caveat: --force-renew re-issues the certificate on every run even when it is nowhere near expiry, and the reload runs whether or not anything changed. Plain "renew" only replaces certificates with fewer than 30 days left, so certbot's own guidance is to run it once or twice a day without the flag and reload the server from --deploy-hook, which fires only when a certificate was actually renewed:

# apache, daily, reload only after an actual renewal
00 04 * * * /usr/bin/certbot-auto renew --deploy-hook "systemctl reload httpd"


for conf : apache


<VirtualHost *:443>
:
:
SSLEngine on
# Apache 2.4.8 or later: fullchain.pem contains the leaf and the intermediate,
# so SSLCertificateChainFile is not needed (it is deprecated there)
SSLCertificateFile /etc/letsencrypt/live/DOMAIN/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/DOMAIN/privkey.pem
# Older Apache: use cert.pem in SSLCertificateFile and point the chain file at
# chain.pem, not fullchain.pem (that would send the leaf certificate twice)
# SSLCertificateChainFile /etc/letsencrypt/live/DOMAIN/chain.pem
:
:
</VirtualHost>


for basic auth : apache


# Let the HTTP-01 challenge through without basic auth. On Apache 2.4 the
# Require directive in this more specific section replaces the parent's
# "Require valid-user" (AuthMerging defaults to Off), so no RequireAll wrapper
# is needed. On Apache 2.2 use "Satisfy Any" with "Allow from all" instead.
<Directory "/var/www/hoge/.well-known/acme-challenge">
Require all granted
</Directory>


for conf : nginx


server {
:
:
# "ssl on;" is deprecated (nginx 1.15.0 and later); enable TLS on the listen
# directive instead
listen 443 ssl;
:
:
ssl_certificate /etc/letsencrypt/live/DOMAIN/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/DOMAIN/privkey.pem;
:
:
}


for basic auth : nginx


location ^~ /.well-known/acme-challenge/ {
auth_basic off;
}


certbot-auto wildcard


$ sudo certbot-auto certonly --manual -d *.DOMAIN -m EMAIL --agree-tos --manual-public-ip-logging-ok \
--preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory

-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.DOMAIN with the following value:

HjceQRWhJ1Bgo-Oy_p6QNlg7Vc0J_buFNVqeTpvdtfc

Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------

Set the value above in the DNS TXT record. Then press any key and the wildcard certificate is issued.

Caveat: a certificate obtained with --manual cannot be renewed by the cron job above. When "certbot-auto renew" runs non-interactively, the manual plugin refuses to proceed unless an authentication script is supplied with --manual-auth-hook (one that creates the TXT record through your DNS provider's API); otherwise the wildcard certificate has to be re-issued by hand the same way before it expires.

- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/DOMAIN/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/DOMAIN/privkey.pem
Your cert will expire on YYYY-MM-DD. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"
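The prompt above asks you to verify the record is deployed before continuing. Let's Encrypt validates from several vantage points, so the TXT record has to be visible on the public DNS, not only in the zone file you just edited; a common failure is pressing Enter before propagation. The script below is an added example (not part of the original post) that polls for the record until it appears. It assumes `dig` is installed; `DIG_CMD` is a hypothetical hook that lets the lookup be swapped out, and the token used in the usage line is the sample value printed by certbot above.

```shell
#!/bin/sh
# Added example: wait until the _acme-challenge TXT record is visible in DNS
# before telling certbot to continue with the DNS-01 challenge.
# DIG_CMD is an assumed override point (default: dig); MAX_TRIES/SLEEP_SECS
# control how long to poll.
DIG_CMD="${DIG_CMD:-dig +short TXT}"
MAX_TRIES="${MAX_TRIES:-30}"
SLEEP_SECS="${SLEEP_SECS:-10}"

# txt_values NAME -> one TXT string per line, surrounding quotes removed
txt_values() {
    $DIG_CMD "$1" | sed 's/^"//; s/"$//'
}

# txt_present NAME VALUE -> exit 0 if VALUE is exactly one of NAME's TXT strings
txt_present() {
    txt_values "$1" | grep -qxF -- "$2"
}

# wait_for_txt NAME VALUE -> poll until the record is seen or MAX_TRIES is used up
wait_for_txt() {
    name="$1"
    value="$2"
    i=0
    while [ "$i" -lt "$MAX_TRIES" ]; do
        if txt_present "$name" "$value"; then
            echo "TXT record for $name is visible; continue in certbot" >&2
            return 0
        fi
        i=$((i + 1))
        sleep "$SLEEP_SECS"
    done
    echo "TXT record for $name not seen after $MAX_TRIES tries" >&2
    return 1
}

# Usage: ./wait_txt.sh _acme-challenge.DOMAIN HjceQRWhJ1Bgo-Oy_p6QNlg7Vc0J_buFNVqeTpvdtfc
if [ "$#" -eq 2 ]; then
    wait_for_txt "$1" "$2"
fi
```

Run it in a second terminal while certbot waits at the prompt; once it reports the record as visible, press Enter in certbot. Querying the zone's authoritative nameserver directly (`dig @ns1... +short TXT ...`) tells you the record exists, but polling a public resolver is the closer match to what Let's Encrypt will see.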


