Creating an SSL/TLS server certificate with Let's Encrypt on CentOS 7
Environment
$ cat /etc/redhat-release
CentOS Linux release 7.5.1804 (Core)
Install certbot
$ yum install certbot
Issuing the certificate
This issues the certificate only, without installing it into any server configuration: certonly
$ certbot certonly --standalone -d mail.tsmsogn.work -m root@tsmsogn.work --agree-tos
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mail.tsmsogn.work
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/mail.tsmsogn.work/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/mail.tsmsogn.work/privkey.pem
   Your cert will expire on 2018-12-26. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
Let's Encrypt certificates are only valid for 90 days, so they have to be renewed.
$ certbot renew -q --deploy-hook "echo YES"
Here, --deploy-hook is used so that YES is echoed only when a renewal actually succeeded.
If you run something like this from cron, I think you can automate both the certificate renewal and the service restart.
https://media.readthedocs.org/pdf/letsencrypt/latest/letsencrypt.pdf
--pre-hook and --post-hook hooks run before and after every renewal attempt. If you want your hook to run only after a successful renewal, use --deploy-hook in a command like this.
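A deploy hook that fits the cron setup above, added here as an example rather than code from the original post. certbot passes the renewed lineage directory and the renewed domain names to --deploy-hook scripts in the RENEWED_LINEAGE and RENEWED_DOMAINS environment variables; the script checks that the new files are really in place and then reloads only the services that use that certificate. The domain-to-service mapping (postfix and dovecot for the mail host) and the script's install path are assumptions.

```shell
#!/bin/sh
# Example deploy hook: certbot renew -q --deploy-hook /usr/local/sbin/certbot-deploy-hook.sh
# certbot exports RENEWED_LINEAGE (the /etc/letsencrypt/live/<name> directory)
# and RENEWED_DOMAINS (space-separated) to deploy hooks. The mapping below and
# the script path are assumptions made for this example.

# Which services must pick up a new certificate for a given domain.
services_for_domain() {
  case "$1" in
    mail.*) echo "postfix dovecot" ;;   # assumed: the mail host runs postfix and dovecot
    *)      echo "httpd" ;;             # assumed default for any other hostname
  esac
}

# Refuse to reload anything unless both the chain and the key are readable,
# so a half-written lineage never takes a service down with a broken TLS setup.
check_lineage() {
  [ -r "$1/fullchain.pem" ] && [ -r "$1/privkey.pem" ]
}

# De-duplicated, order-preserving list of services for all renewed domains.
services_to_reload() {
  out=""
  for d in $1; do
    for s in $(services_for_domain "$d"); do
      case " $out " in
        *" $s "*) ;;              # already listed
        *) out="$out $s" ;;
      esac
    done
  done
  printf '%s\n' "${out# }"
}

main() {
  rc=0
  if ! check_lineage "$RENEWED_LINEAGE"; then
    echo "deploy-hook: certificate files missing in $RENEWED_LINEAGE" >&2
    return 1
  fi
  for s in $(services_to_reload "$RENEWED_DOMAINS"); do
    systemctl reload "$s" || rc=1   # reload, not restart: existing connections stay up
  done
  return $rc                        # a non-zero exit makes certbot report the hook failure
}

# Only act when certbot invoked us; sourcing the file just defines the functions.
if [ -n "$RENEWED_LINEAGE" ]; then
  main
fi
```

Because certbot runs deploy hooks only after a successful renewal, the services are reloaded exactly when a new certificate exists, which is what the "echo YES" placeholder above stands in for.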
Troubleshooting
$ certbot certonly --standalone -d mail.tsmsogn.work -m root@tsmsogn.work --agree-tos
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mail.tsmsogn.work
Cleaning up challenges
Problem binding to port 80: Could not bind to IPv4 or IPv6.
Apparently standalone mode (?) does not work unless port 80 is free.
Docker was running, so I stopped it for the time being *1
*1: I wonder how you would do this on a production server.