Let's Encrypt certificate issuance and automatic renewal

1. Installing certbot-nginx and preparing for validation

$ sudo pacman -S certbot-nginx

$ sudo nano /etc/nginx/nginx.conf

Disable the multi-domain (virtual host) configuration so that validation takes place only through port 443.

This post is from 2017, when the nginx authenticator validated over port 443 (the TLS-SNI-01 challenge). Let's Encrypt has since retired that challenge: current certbot versions validate with the HTTP-01 challenge, so port 80 must also be reachable from the internet, and the ACMEv1 endpoint that appears in the output below has been replaced by acme-v02.

$ sudo nginx -t

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

$ sudo systemctl restart nginx

2. Obtaining the certificate and changing the nginx configuration

$ sudo certbot certonly --email <email address> --nginx -w /usr/share/nginx/html -d <domain name>

The -w option is the webroot path used by the --webroot authenticator; the nginx authenticator selected with --nginx ignores it, so only --nginx and -d matter here. certonly obtains the certificate without letting the plugin rewrite nginx.conf, which is why the configuration is edited by hand below.

Now the validation procedure starts. The only prompts that need input along the way are agreement to the Terms of Service and whether to share your e-mail address with the Electronic Frontier Foundation, which develops certbot.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx

-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf. You must agree
in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: A


2017/10/02 15:34:42 [notice] 1592#1592: signal process started
Waiting for verification…
Cleaning up challenges
2017/10/02 15:34:47 [notice] 1595#1595: signal process started

If the following is displayed, the certificate was issued successfully. The important parts are the lines marked below with a leading colon (shown in red in the original post).

IMPORTANT NOTES:

: location of the certificate and chain (this is what nginx serves; the public key is inside it)
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/<domain>/fullchain.pem

: location of the private key (keep it root-only; never copy it anywhere world-readable)
Your key file has been saved at:
/etc/letsencrypt/live/<domain>/privkey.pem

: expiry date
Your cert will expire on 2017-12-31. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

$ sudo nano /etc/nginx/nginx.conf


server {
    # newly added to the server block (assumes the block already has "listen 443 ssl;", see step 1)
    ssl_certificate /etc/letsencrypt/live/<domain>/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/<domain>/privkey.pem;
}

Both paths point into live/, where certbot keeps symlinks to the newest files in archive/ and repoints them on every renewal, so these two lines never need editing again; nginx only needs a reload to pick up a renewed certificate.

$ sudo nginx -t

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

$ sudo systemctl restart nginx

3. Automatic renewal

A Let's Encrypt certificate is valid for 90 days (in this example until December 31). It can be renewed by hand with certbot renew before it expires, but I want renewal to happen automatically.

$ sudo nano /etc/systemd/system/certbot.service

[Unit]
Description=Let's Encrypt renewal

[Service]
Type=oneshot
ExecStart=/usr/bin/certbot renew --pre-hook "/usr/bin/systemctl stop nginx.service" --post-hook "/usr/bin/systemctl start nginx.service" --quiet --agree-tos
ExecStartPost=/bin/systemctl reload nginx.service

Two things to keep in mind about this unit. Stopping nginx in --pre-hook and starting it again in --post-hook is the pattern for the standalone authenticator, which has to bind the ports itself; the certificate in section 2 was obtained with the nginx authenticator, which works through the running nginx, so for it the stop/start hooks are unnecessary. Second, ExecStartPost reloads nginx on every run even when nothing was renewed; certbot's --deploy-hook runs only after a successful renewal, so --deploy-hook "/usr/bin/systemctl reload nginx.service" is the more precise way to make nginx load the new certificate.

$ sudo nano /etc/systemd/system/certbot.timer


[Unit]
Description=Daily renewal of Let's Encrypt's certificates

[Timer]
OnCalendar=daily
RandomizedDelaySec=1day
Persistent=true

[Install]
WantedBy=timers.target

Once a day is sufficient, because certbot renew only acts on certificates within 30 days of expiry; the certbot documentation recommends twice a day (OnCalendar=*-*-* 00,12:00:00) so that a transient failure still leaves time to retry. RandomizedDelaySec spreads the load across Let's Encrypt's clients, and Persistent=true runs a missed job at the next boot.

$ sudo systemctl start certbot.timer

$ sudo systemctl enable certbot.timer

Created symlink /etc/systemd/system/timers.target.wants/certbot.timer → /etc/systemd/system/certbot.timer.

Before relying on the timer, confirm it is scheduled and that a renewal would actually succeed. The dry run talks to Let's Encrypt's staging environment and does not touch the real certificate. Also check the timer list for a renewal timer the distribution's certbot package may already provide, so that two units do not race each other.

$ systemctl list-timers certbot.timer

$ sudo certbot renew --dry-run
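A post-issuance check for section 2 and the same renewal-window decision the timer in section 3 relies on, as an added example that is not part of the original post: it confirms that fullchain.pem and privkey.pem belong together (the mismatch nginx otherwise reports as "key values mismatch" on reload), that the certificate actually names the domain in its Subject Alternative Names, and whether it has entered the 30-day window in which certbot renew acts. It needs only the openssl command line tool. The file names follow certbot's live directory layout; the domain example.test and the self-signed certificates the script generates are constructed fixtures, not Let's Encrypt certificates. Pass a live directory such as /etc/letsencrypt/live/<domain> as the first argument to check a real pair (privkey.pem is root-only, so run it with sudo); with no argument it runs against the fixture.

```sh
#!/bin/sh
# Added example, not code from the original post. Checks a certbot-issued
# certificate/key pair the way a practitioner would after section 2, and
# reproduces the "inside the 30-day renewal window?" decision behind the
# timer in section 3. Needs only the openssl command line tool.
set -eu

# PEM SubjectPublicKeyInfo of the leaf certificate. fullchain.pem holds the
# leaf first and the chain after it; openssl x509 -in reads only the first.
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey; }

# PEM SubjectPublicKeyInfo derived from a private key.
key_pubkey() { openssl pkey -in "$1" -pubout; }

# Succeeds when certificate $1 and private key $2 belong together. A pair
# that fails this is what nginx rejects with "key values mismatch".
cert_matches_key() { [ "$(cert_pubkey "$1")" = "$(key_pubkey "$2")" ]; }

# Succeeds when certificate $1 lists DNS name $2 in subjectAltName. Browsers
# ignore the CN, so the name nginx serves must be in this list.
cert_has_san() { openssl x509 -in "$1" -noout -text | grep -qFw "DNS:$2"; }

# Succeeds when certificate $1 is still valid $2 days from now.
cert_valid_for_days() { openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null; }

# certbot renew leaves a certificate alone until its last 30 days; this is
# that decision, so it can be monitored independently of the timer.
renewal_status() { if cert_valid_for_days "$1" 30; then echo ok; else echo renew; fi; }

# Expiry as openssl prints it, e.g. "notAfter=Dec 31 15:34:42 2017 GMT".
cert_not_after() { openssl x509 -in "$1" -noout -enddate; }

# Constructed fixture (self-signed, NOT a Let's Encrypt certificate) for the
# made-up name example.test: a pair with the 90-day lifetime Let's Encrypt
# issues, a pair with only 10 days left, and an unrelated key for the
# mismatch case. Prints the directory it created.
make_fixture() {
    dir=$(mktemp -d)
    for spec in "fullchain.pem privkey.pem 90" "short.pem short-key.pem 10"; do
        set -- $spec
        openssl req -x509 -newkey rsa:2048 -nodes -days "$3" \
            -keyout "$dir/$2" -out "$dir/$1" -subj "/CN=example.test" \
            -addext "subjectAltName=DNS:example.test,DNS:www.example.test" 2>/dev/null
    done
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/other.pem" 2>/dev/null
    echo "$dir"
}

# Report on one live directory (fullchain.pem and privkey.pem inside it).
report() {
    live=$1
    if cert_matches_key "$live/fullchain.pem" "$live/privkey.pem"; then
        echo "certificate and key match: yes"
    else
        echo "certificate and key match: NO"
    fi
    cert_not_after "$live/fullchain.pem"
    echo "renewal status: $(renewal_status "$live/fullchain.pem")"
}

# Usage: sudo sh check-cert.sh /etc/letsencrypt/live/<domain>
# With no argument, run against the constructed fixture.
report "${1:-$(make_fixture)}"
```

The key/certificate comparison works on the SubjectPublicKeyInfo rather than on RSA-specific fields, so it behaves the same for the ECDSA certificates newer certbot versions issue by default. The renewal-window check is the thing to wire into monitoring: if it reports "renew" for more than a day or two, the timer is not doing its job.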
