How to obtain an SSL/TLS server certificate from Let's Encrypt
An SSL/TLS server certificate is issued by a certificate authority (CA: Certification Authority). The CA is a third party that verifies that the applicant controls the domain and then issues the certificate. There are both free and paid CAs, but the cryptographic security they provide is exactly the same. The difference lies in the contents of the certificate: a paid certificate can carry additional information such as company details. For personal use a free CA is sufficient, so this article uses the CA Let's Encrypt.
About Let's Encrypt: Let's Encrypt is a free, automated and open certificate authority (CA) operated for the public benefit.
Prerequisite and best practice: open port 80. Reports of people using the HTTP-01 challenge type running into problems because port 80 to the web server is blocked by a firewall come up from time to time.
Issuing the SSL/TLS server certificate
Installing the package
For Debian/Ubuntu:
apt install certbot
For CentOS/RHEL:
yum install -y certbot
Issuing the certificate
certbot certonly --webroot -w /var/www/html -d bar.com
In this article the e-mail address is written as foo@example.com and the DNS name as bar.com; change them to match your own environment. If /var/www/html does not exist, create it with mkdir -p /var/www/html.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): foo@example.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for bar.com
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification.
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/bar.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/bar.com/privkey.pem
   Your cert will expire on 2022-05-24. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

The following files are created under /etc/letsencrypt/live/bar.com/: privkey.pem, fullchain.pem, chain.pem, cert.pem, README
Renewing the SSL/TLS server certificate
SSL/TLS server certificates have a validity period, so they must be renewed periodically. Certificates issued by Let's Encrypt are valid for 90 days.
Checking the certificate's expiry date
certbot certificates

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: bar.com
    Domains: bar.com
    Expiry Date: 2022-05-24 15:36:37+00:00 (VALID: 88 days)
    Certificate Path: /etc/letsencrypt/live/bar.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/bar.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Renewing the certificate manually
certbot renew
Renewal becomes possible 30 days before expiry. Because the certificate here was issued only recently, the message "Cert not yet due for renewal" is shown and the renewal is skipped.
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/bar.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certs are not due for renewal yet:
  /etc/letsencrypt/live/bar.com/fullchain.pem expires on 2022-05-24 (skipped)
No renewals were attempted.

Testing whether renewal works (dry run)
certbot renew --dry-run

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/bar.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for bar.com
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification.
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/bar.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/bar.com/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.

Rate Limits: Let's Encrypt provides rate limits to ensure fair usage by as many people as possible.
Renewing the certificate automatically
crontab -e
Add a line like the following at the end of the file that opens. It means: run certbot renew at 03:00 on the 1st of every month.

0 3 1 * * certbot renew

Checking that the scheduler (cron) is running
After configuring it, confirm that cron is running.

systemctl is-active cron
active

If the result is not active, start cron with the following command:
systemctl start cron
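As an added example (not part of the original article), the following Python script parses the Expiry Date line from the certbot certificates output above and answers two questions: is the certificate already inside the 30-day renewal window, and how many runs of a given crontab schedule (the article's monthly 0 3 1 * *, versus once a day) would fall inside that window before the certificate expires. The reference time NOW is a constructed value chosen so that 88 days remain, matching the "VALID: 88 days" shown above.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the `certbot certificates` lines shown in this article.
CERTBOT_OUTPUT = """\
Found the following certs:
  Certificate Name: bar.com
    Domains: bar.com
    Expiry Date: 2022-05-24 15:36:37+00:00 (VALID: 88 days)
    Certificate Path: /etc/letsencrypt/live/bar.com/fullchain.pem
"""
# Constructed reference "now": 88 days before expiry, matching "VALID: 88 days".
NOW = datetime(2022, 2, 25, 15, 36, 37, tzinfo=timezone.utc)
RENEW_WINDOW = timedelta(days=30)  # certbot renews once 30 days or less remain

def parse_expiry(output):
    """Extract the Expiry Date from `certbot certificates` output."""
    m = re.search(r"Expiry Date:\s+(\S+ \S+)", output)
    if not m:
        raise ValueError("no Expiry Date line in certbot output")
    return datetime.fromisoformat(m.group(1))

def monthly_firings(now, until, hour=3):
    """Fire times of `0 3 1 * *` (03:00 on the 1st) in [now, until)."""
    fires, t = [], now.replace(day=1, hour=hour, minute=0, second=0, microsecond=0)
    while t < until:
        if t >= now:
            fires.append(t)
        t = (t + timedelta(days=32)).replace(day=1)  # 1st of the next month
    return fires

def daily_firings(now, until, hour=3):
    """Fire times of `0 3 * * *` (03:00 every day) in [now, until)."""
    fires, t = [], now.replace(hour=hour, minute=0, second=0, microsecond=0)
    while t < until:
        if t >= now:
            fires.append(t)
        t += timedelta(days=1)
    return fires

def report(output, now, schedule=monthly_firings):
    """Days left, whether renewal is due now, and how many scheduled
    `certbot renew` runs land inside the renewal window before expiry."""
    expiry = parse_expiry(output)
    window_open = expiry - RENEW_WINDOW
    attempts = [t for t in schedule(now, expiry) if t >= window_open]
    return {
        "days_remaining": (expiry - now).days,
        "renewal_due": expiry - now <= RENEW_WINDOW,
        "attempts_in_window": len(attempts),
    }

if __name__ == "__main__":
    print("monthly:", report(CERTBOT_OUTPUT, NOW))
    print("daily:  ", report(CERTBOT_OUTPUT, NOW, daily_firings))
```

With the monthly schedule only the 1 May run falls inside the window, so a single failed run (for example port 80 blocked, as noted above) leaves no retry before expiry. certbot renew is safe to schedule far more often because, as the output above shows, it simply skips certificates that are not yet due.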