Running an HTTP server on FreeBSD with Let's Encrypt

19 May 2024


Below is how to run an HTTP server with a free web certificate from Let's Encrypt. The certificate has to be renewed at regular intervals, but because it costs nothing it has many supporters.

1. Install from pkg

[root@www ~]# pkg install py27-certbot

With ports:

[root@www ~]# cd /usr/ports/security/py-certbot

[root@www ~]# make install clean

2. Where the command lives

[root@www ~]# /usr/local/bin/certbot

3. Obtaining a new certificate

1) "hogehoge123-jp" is the domain

2) "www.hogehoge123.jp" is the web server host name

3) Run the command that obtains the certificate

[root@www ~]# certbot certonly -m root@freedom.ne.jp --agree-tos --webroot -w /usr/home/hogehoge123-jp -d www.hogehoge123.jp -d hogehoge123.jp -w /usr/home/hogehoge123-jp

That is basically all there is to it.

4. Checking the next renewal date

It is worth checking the next certificate renewal date with this command.

[root@www /]# certbot certificates

Saving debug log to /var/log/letsencrypt/letsencrypt.log

5. Renewing the certificate

Before the renewal date, run the following command to renew.

[root@www /]# certbot renew

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /usr/local/etc/letsencrypt/renewal/www.hogehoge123.jp.conf


Renewing an existing certificate for www.hogehoge123.jp


Congratulations, all renewals succeeded: /usr/local/etc/letsencrypt/live/www.hogehoge123.jp/fullchain.pem (success)


The renewal log can be viewed with:

[root@www ~]# cat /var/log/letsencrypt/letsencrypt.log

6. Check when the next renewal is due

[root@www /]# certbot certificates

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:

Certificate Name: www.hogehoge123.jp

Serial Number: 3e8e33e06b902c201f057fb49edbfb104c7

Key Type: RSA

Domains: www.hogehoge123.jp

Expiry Date: 2024-07-25 22:28:40+00:00 (VALID: 89 days)

Certificate Path: /usr/local/etc/letsencrypt/live/www.hogehoge123.jp/fullchain.pem

Private Key Path: /usr/local/etc/letsencrypt/live/www.hogehoge123.jp/privkey.pem

7. Enable automatic renewal rather than remembering each renewal date

1) The package ships with a renewal script

[root@www ~]# ls -l /usr/local/etc/periodic/weekly/500.certbot-3.9

-r-xr-xr-x 1 root wheel 2494 Apr 16 11:33 /usr/local/etc/periodic/weekly/500.certbot-3.9

2) Look at its contents

[root@www ~]# cat /usr/local/etc/periodic/weekly/500.certbot-3.9

#!/bin/sh
# Automatically renew Let's Encrypt certificates each week
#
# Add the following lines to /etc/periodic.conf:
#
# weekly_certbot_enable (bool): Set to "NO" by default
# weekly_certbot_service (str): If defined, certbot will try to shutdown this
#     service before renewing the certificate, and restart it afterwards.
#     For example, set to "nginx" or "apache24". This is usually used to avoid
#     conflict with the standalone plugin webserver.
#     If any of pre_hook or post_hook is set, this behavior is disabled.
# weekly_certbot_pre_hook (str): Command to be run in a shell before obtaining
#     any certificates.
# weekly_certbot_post_hook (str): Command to be run in a shell after
#     attempting to obtain/renew certificates.
#     An example to reload nginx after renewing all certificates.
#     weekly_certbot_post_hook="service nginx onereload"
# weekly_certbot_deploy_hook (str): Command to be run in a shell once for each
#     successfully issued certificate.
# weekly_certbot_custom_args (str): Any other misc arguments for the renewal
#     See certbot -h renew for full list
#     An example to force renewal for certificates not due yet
#     weekly_certbot_custom_args="--force-renewal"

# If there is a global system configuration file, suck it in.
#
if [ -r /etc/defaults/periodic.conf ]
then
    . /etc/defaults/periodic.conf
    source_periodic_confs
fi

case "$weekly_certbot_enable" in
    [Yy][Ee][Ss])
    echo
    echo "Renewing Let's Encrypt certificates:"

    PRE_HOOK=""
    POST_HOOK=""
    DEPLOY_HOOK=""

    if [ -n "$weekly_certbot_service" ] && \
            [ -z "$weekly_certbot_pre_hook" ] && [ -z "$weekly_certbot_post_hook" ];
    then
            if service "$weekly_certbot_service" onestatus
            then
                    PRE_HOOK="--pre-hook 'service $weekly_certbot_service onestop'"
                    POST_HOOK="--post-hook 'service $weekly_certbot_service onestart'"
            fi
    else
            if [ -n "$weekly_certbot_pre_hook" ]; then
                    PRE_HOOK="--pre-hook '$weekly_certbot_pre_hook'"
            fi

            if [ -n "$weekly_certbot_post_hook" ]; then
                    POST_HOOK="--post-hook '$weekly_certbot_post_hook'"
            fi
    fi

    if [ -n "$weekly_certbot_deploy_hook" ]; then
            DEPLOY_HOOK="--deploy-hook '$weekly_certbot_deploy_hook'"
    fi

    anticongestion

    eval /usr/local/bin/certbot-3.9 renew "$PRE_HOOK" "$POST_HOOK" \
            "$DEPLOY_HOOK" "$weekly_certbot_custom_args" --no-random-sleep-on-renew
    if [ $? -gt 0 ]
    then
        echo
        echo "Errors were reported when renewing Let's Encrypt certificate(s)."
        rc=3
    else
        rc=0
    fi
    ;;
*)  rc=0;;

esac

exit $rc

3) To enable the renewal script, do the following

[root@www ~]# vi /etc/defaults/periodic.conf

# newly added

# 500.certbot

weekly_certbot_enable="YES"
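The weekly script above assembles the hook arguments from the weekly_certbot_* variables it reads via periodic.conf. The following is an added example, not code from the original post or from the FreeBSD py-certbot port: it reproduces that hook-selection logic as a function that takes the same settings as parameters (with a yes/no flag standing in for the `service ... onestatus` check, which cannot run offline), so the exact `certbot renew` argument line a given configuration produces can be inspected before the job is enabled. The apache24 settings are a constructed sample. It also checks that a hook value contains no single quote, because the script wraps each hook in single quotes and then passes the whole line through eval.

```shell
#!/bin/sh
# Added example (not from the original post or the FreeBSD py-certbot port).
# Reproduces the hook-selection logic of 500.certbot-* as a pure function so
# the "certbot renew" argument line a given periodic.conf produces can be
# inspected offline. Constructed sample settings this stands in for:
#   weekly_certbot_enable="YES"
#   weekly_certbot_service="apache24"
#   weekly_certbot_deploy_hook="service apache24 onereload"

# build_certbot_args SVC RUNNING PRE_HOOK POST_HOOK DEPLOY_HOOK CUSTOM_ARGS
#   SVC        value of weekly_certbot_service (may be empty)
#   RUNNING    "yes"/"no", standing in for `service $SVC onestatus`,
#              which cannot be run offline
#   the rest   the remaining weekly_certbot_* values
# Prints the arguments the weekly script would hand to certbot.
build_certbot_args() {
    svc=$1 running=$2 pre=$3 post=$4 deploy=$5 custom=$6
    pre_arg="" post_arg="" deploy_arg=""

    # The stop/start shortcut applies only when no explicit hook is configured
    # and the service is currently running, exactly as in the periodic script.
    if [ -n "$svc" ] && [ -z "$pre" ] && [ -z "$post" ]; then
        if [ "$running" = yes ]; then
            pre_arg="--pre-hook 'service $svc onestop'"
            post_arg="--post-hook 'service $svc onestart'"
        fi
    else
        if [ -n "$pre" ]; then
            pre_arg="--pre-hook '$pre'"
        fi
        if [ -n "$post" ]; then
            post_arg="--post-hook '$post'"
        fi
    fi
    if [ -n "$deploy" ]; then
        deploy_arg="--deploy-hook '$deploy'"
    fi

    # Squeeze the gaps left by empty options so the result is one clean line.
    printf 'renew %s %s %s %s --no-random-sleep-on-renew\n' \
        "$pre_arg" "$post_arg" "$deploy_arg" "$custom" | tr -s ' '
}

# hook_is_quotable HOOK
# The periodic script wraps each hook in single quotes and then evals the
# whole command line, so a hook containing a single quote would end the
# quoting early. Returns 0 when the value survives that quoting intact.
hook_is_quotable() {
    case $1 in
        *\'*) return 1 ;;
        *)    return 0 ;;
    esac
}

# Demo with the constructed sample settings (apache24 assumed to be running).
build_certbot_args apache24 yes "" "" "service apache24 onereload" ""
```

Run it once with the values you intend to put in periodic.conf; if the printed line is not the `certbot renew` invocation you expect, or hook_is_quotable rejects a hook, fix the configuration before setting weekly_certbot_enable to YES.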

4) Renewal script run log

[root@www /]# more /var/log/letsencrypt/letsencrypt.log

2024-05-18 07:45:22,021:DEBUG:certbot._internal.main:certbot version: 2.9.0

2024-05-18 07:45:22,022:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/local/bin/certbot

2024-05-18 07:45:22,022:DEBUG:certbot._internal.main:Arguments: []

2024-05-18 07:45:22,022:DEBUG:certbot._internal.main:Discovered plugins:

PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)

2024-05-18 07:45:22,038:DEBUG:certbot._internal.log:Root logging level set at 30

2024-05-18 07:45:22,070:DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): r3.o.lencr.org:80

2024-05-18 07:45:22,315:DEBUG:urllib3.connectionpool:http://r3.o.lencr.org:80 "POST / HTTP/1.1" 200 503

2024-05-18 07:45:22,319:DEBUG:certbot.ocsp:OCSP response for certificate /usr/local/etc/letsencrypt/live/www.hogehoge123.jp/cert.pem is signed by the certificate's issuer.

2024-05-18 07:45:22,320:DEBUG:certbot.ocsp:OCSP certificate status for /usr/local/etc/letsencrypt/live/www.hogehoge123.jp/cert.pem is: OCSPCertStatus.GOOD

2024-05-18 07:45:22,330:DEBUG:certbot._internal.display.obj:Notifying user: Found the following certs:

Certificate Name: www.hogehoge123.jp

Serial Number: 3e8e33e06b902c201f057fb49edbfb104c7

Key Type: RSA

Domains: www.hogehoge123.jp

Expiry Date: 2024-07-25 22:28:40+00:00 (VALID: 68 days)

Certificate Path: /usr/local/etc/letsencrypt/live/www.hogehoge123.jp/fullchain.pem

Private Key Path: /usr/local/etc/letsencrypt/live/www.hogehoge123.jp/privkey.pem
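Sections 4 and 6 and the log above all carry the same `Expiry Date: ... (VALID: N days)` line, and the log adds the OCSP status of the certificate. As an added example that is not part of the original post, the following shell check parses that output so a cron job or monitoring script can flag a certificate that the weekly renewal failed to refresh, or whose OCSP status is no longer GOOD, instead of relying on someone remembering the date. The host name www.example.jp and the log lines are constructed sample data in the page's log format; the exit codes of check_cert are my own convention.

```shell
#!/bin/sh
# Added example (not from the original post): health check over the output
# of "certbot certificates" / the renewal log, one certificate per input.

# Constructed sample in the same format as the log on this page (values made up).
SAMPLE_LOG='2024-05-18 07:45:22,320:DEBUG:certbot.ocsp:OCSP certificate status for /usr/local/etc/letsencrypt/live/www.example.jp/cert.pem is: OCSPCertStatus.GOOD
2024-05-18 07:45:22,330:DEBUG:certbot._internal.display.obj:Notifying user: Found the following certs:
Certificate Name: www.example.jp
Domains: www.example.jp
Expiry Date: 2024-07-25 22:28:40+00:00 (VALID: 68 days)
Certificate Path: /usr/local/etc/letsencrypt/live/www.example.jp/fullchain.pem'

# days_valid LOG: print the number from the "(VALID: N days)" field.
# Prints nothing when the field is absent (for example an INVALID entry).
days_valid() {
    printf '%s\n' "$1" | sed -n 's/.*(VALID: \([0-9][0-9]*\) days*).*/\1/p'
}

# ocsp_status LOG: print the OCSPCertStatus value (GOOD, REVOKED, ...) or nothing.
ocsp_status() {
    printf '%s\n' "$1" | sed -n 's/.*OCSPCertStatus\.\([A-Z]*\).*/\1/p'
}

# check_cert LOG THRESHOLD_DAYS
# Exit status: 0 = healthy, 1 = fewer than THRESHOLD_DAYS left (renew now),
# 2 = OCSP status missing or not GOOD (checked first: a revoked certificate
# with 60 days left is still unusable).
check_cert() {
    days=$(days_valid "$1")
    status=$(ocsp_status "$1")
    if [ "$status" != GOOD ]; then
        echo "OCSP status is '${status:-missing}'; investigate before relying on this certificate" >&2
        return 2
    fi
    if [ -z "$days" ] || [ "$days" -lt "$2" ]; then
        echo "certificate has ${days:-0} days left (threshold $2); run certbot renew" >&2
        return 1
    fi
    return 0
}

# Demo on the constructed sample: 30 days is a sensible floor, since the
# weekly job normally renews well before expiry.
check_cert "$SAMPLE_LOG" 30 && echo "certificate OK: $(days_valid "$SAMPLE_LOG") days left"
```

In practice feed it `certbot certificates 2>/dev/null` or the tail of /var/log/letsencrypt/letsencrypt.log and let the non-zero exit status drive an alert; a result of 1 on a host where weekly_certbot_enable is YES means the periodic job itself needs attention.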

5) The certificates live in the following directory

[root@www ~]# cd /usr/local/etc/letsencrypt/live/

[root@www ~]# ls -al

total 16

drwx------ 3 root wheel 512 Aug 5 2022 .

drwxr-xr-x 9 root wheel 512 May 18 07:45 ..

-rw-r--r-- 1 root wheel 740 Aug 5 2022 README

drwxr-xr-x 2 root wheel 512 Apr 27 08:28 www.hogehoge123.jp