◆ It is rather late in the day, but I have set this site up for automatic SSL certificate renewal with Let's Encrypt, so here are my working notes.
# pkg install py38-certbot
Running the certbot certonly command with the following options completes everything from server validation to certificate issuance automatically.
# certbot certonly --noninteractive \
    --config-dir /sandbox/usr/local/etc/letsencrypt \
    --agree-tos --no-eff-email \
    --webroot -w /sandbox/home/www/htdocs-onsky \
    -d www.on-sky.net -m hs@on-sky.net
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for on-sky.net

Successfully received certificate.
Certificate is saved at: /sandbox/usr/local/etc/letsencrypt/live/on-sky.net/fullchain.pem
Key is saved at:         /sandbox/usr/local/etc/letsencrypt/live/on-sky.net/privkey.pem
This certificate expires on 2024-09-13.
These files will be updated when the certificate renews.

NEXT STEPS:
- The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

SSLCertificateFile "/usr/local/etc/letsencrypt/live/on-sky.net/fullchain.pem"
SSLCertificateKeyFile "/usr/local/etc/letsencrypt/live/on-sky.net/privkey.pem"

# vim /etc/periodic.conf
-----
weekly_certbot_enable="YES"
weekly_certbot_post_hook="/usr/local/etc/rc.d/SBapache reload"
weekly_certbot_custom_args="--config-dir /sandbox/usr/local/etc/letsencrypt"
-----

# SSL expiration
define command{
    command_name    check_ssl_validity
    command_line    $USER1$/check_ssl_validity -I $HOSTADDRESS$ -H $ARG1$ -c 7 -w 21
}

# www.on-sky.net Let's Encrypt
define service{
    :
    check_command    check_ssl_validity!www.on-sky.net
}
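
Added example (not part of the original notes): a local counterpart to the Nagios check above, which reports how long a certificate file on disk remains valid and returns Nagios exit codes, so a renewal that silently stopped working is noticed on the host itself. The function name check_cert_expiry is hypothetical, and the page's -w 21 and -c 7 are read as thresholds in days.

```sh
#!/bin/sh
# Added example: Nagios-style expiry check for a local certificate file.
# check_cert_expiry is a hypothetical name; thresholds default to the page's
# -w 21 / -c 7, read here as days (an assumption).
check_cert_expiry() {
    cert=$1
    warn_days=${2:-21}
    crit_days=${3:-7}

    if ! command -v openssl >/dev/null 2>&1; then
        echo "UNKNOWN - openssl not found"
        return 3
    fi
    if [ ! -r "$cert" ]; then
        echo "UNKNOWN - cannot read $cert"
        return 3
    fi
    # Fails if the file is not a parseable X.509 certificate.
    # For fullchain.pem, openssl reads the first certificate (the leaf).
    if ! end=$(openssl x509 -in "$cert" -noout -enddate 2>/dev/null); then
        echo "UNKNOWN - $cert is not a valid certificate"
        return 3
    fi
    end=${end#notAfter=}

    # -checkend N exits non-zero when the certificate expires within N seconds
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
        echo "CRITICAL - certificate expired on $end"
        return 2
    fi
    if ! openssl x509 -in "$cert" -noout -checkend "$((crit_days * 86400))" >/dev/null; then
        echo "CRITICAL - expires within $crit_days days ($end)"
        return 2
    fi
    if ! openssl x509 -in "$cert" -noout -checkend "$((warn_days * 86400))" >/dev/null; then
        echo "WARNING - expires within $warn_days days ($end)"
        return 1
    fi
    echo "OK - valid until $end"
    return 0
}

# Run as a script: CERT [WARN_DAYS] [CRIT_DAYS]
if [ "$#" -gt 0 ]; then
    check_cert_expiry "$@"
    exit $?
fi
```

Pointing it at /sandbox/usr/local/etc/letsencrypt/live/on-sky.net/fullchain.pem checks the file that the weekly periodic job is expected to refresh.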