Miscellaneous notes


2024-06-15 Let's Encrypt setup notes

Belatedly, I set this site up for automatic SSL certificate renewal with Let's Encrypt, so here are my working notes.

  • Install the FreeBSD certbot package
# pkg install py38-certbot
  • Obtain the SSL certificate

Running the certbot certonly command with the following options completes everything from server validation to certificate retrieval without manual intervention.

--noninteractive
No interactive prompts
--config-dir
Directory where the certificates and related files are stored
--agree-tos
Agree to the ACME server's Subscriber Agreement
--no-eff-email
Do not receive notification e-mails
--webroot
Perform validation over the web (via the document root)
-w
Path to the DocumentRoot
-d
Domain (FQDN) to obtain the certificate for
-m
Administrator's e-mail address
# certbot certonly --noninteractive --config-dir /sandbox/usr/local/etc/letsencrypt --agree-tos --no-eff-email --webroot -w /sandbox/home/www/htdocs-onsky -d www.on-sky.net -m hs@on-sky.net
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for on-sky.net

Successfully received certificate.
Certificate is saved at: /sandbox/usr/local/etc/letsencrypt/live/on-sky.net/fullchain.pem
Key is saved at:         /sandbox/usr/local/etc/letsencrypt/live/on-sky.net/privkey.pem
This certificate expires on 2024-09-13.
These files will be updated when the certificate renews.

NEXT STEPS:
- The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  • Change the certificate paths in Apache's VirtualHost
  SSLCertificateFile "/usr/local/etc/letsencrypt/live/on-sky.net/fullchain.pem"
  SSLCertificateKeyFile "/usr/local/etc/letsencrypt/live/on-sky.net/privkey.pem"
  • Register the certificate renewal cron job
# vim /etc/periodic.conf
-----
weekly_certbot_enable="YES"
weekly_certbot_post_hook="/usr/local/etc/rc.d/SBapache reload"
weekly_certbot_custom_args="--config-dir /sandbox/usr/local/etc/letsencrypt"
-----
  • (Bonus) Monitoring certificate expiry with Nagios
    • commands.cfg (warning at 3 weeks, critical at 7 days)
# SSL expiration
define command{
   command_name check_ssl_validity
   command_line $USER1$/check_ssl_validity -I $HOSTADDRESS$ -H $ARG1$ -c 7 -w 21
}
    • localhost.conf
# www.on-sky.net Let's Encrypt
define service{
    :
    check_command       check_ssl_validity!www.on-sky.net
}
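As an added example (not code from the page or from the check_ssl_validity plugin): a dependency-free Python check that reads notAfter straight out of certbot's fullchain.pem by walking the DER structure, applies the same thresholds as the Nagios command above (-w 21, -c 7) and returns Nagios-style exit codes, so it can also run from a periodic job against the file on disk. It assumes certbot's PEM layout (leaf certificate first); constructed_pem builds a constructed, unsigned certificate skeleton purely as sample input.

```python
import base64
from datetime import datetime, timedelta, timezone

OK, WARNING, CRITICAL = 0, 1, 2          # Nagios plugin exit codes

def _tlv(der, pos):
    """Read one DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def not_after(pem):
    """Walk Certificate -> tbsCertificate -> validity and return notAfter of the first PEM block."""
    leaf = pem.split("-----END CERTIFICATE-----")[0]     # in fullchain.pem the leaf cert comes first
    der = base64.b64decode("".join(line.strip() for line in leaf.splitlines() if not line.startswith("-----")))
    _, pos, _ = _tlv(der, 0)               # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)             # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                        # optional [0] EXPLICIT version
        pos = end
    for _ in range(3):                     # skip serialNumber, signature, issuer
        _, _, pos = _tlv(der, pos)
    _, pos, _ = _tlv(der, pos)             # validity SEQUENCE
    _, _, pos = _tlv(der, pos)             # skip notBefore
    tag, start, end = _tlv(der, pos)       # notAfter: UTCTime (0x17) or GeneralizedTime (0x18)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(der[start:end].decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def expiry_status(pem, now=None, warn_days=21, crit_days=7):
    """Return (exit_code, message) like a Nagios plugin; an already expired cert is CRITICAL."""
    now = now or datetime.now(timezone.utc)
    expires = not_after(pem)
    days = (expires - now).total_seconds() / 86400
    state = CRITICAL if days < crit_days else WARNING if days < warn_days else OK
    return state, f"{['OK', 'WARNING', 'CRITICAL'][state]}: expires {expires:%Y-%m-%d} ({days:.1f} days left)"

def constructed_pem(days_from_now):
    """Constructed sample input: an unsigned certificate skeleton whose notAfter is days_from_now away."""
    def tlv(tag, body):                    # short-form lengths only; every body built here is < 128 bytes
        return bytes([tag, len(body)]) + body
    t = tlv(0x17, (datetime.now(timezone.utc) + timedelta(days=days_from_now)).strftime("%y%m%d%H%M%SZ").encode())
    tbs = (tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01")    # [0] version v3, serialNumber 1
           + tlv(0x30, b"") + tlv(0x30, b"") + tlv(0x30, t + t))  # empty signature/issuer, validity
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(tlv(0x30, tlv(0x30, tbs))).decode() + "-----END CERTIFICATE-----\n"
```

Point expiry_status at the live fullchain.pem and use the returned code as the process exit status to get the same OK/WARNING/CRITICAL behaviour as the Nagios check, without depending on openssl or the plugin.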