If you run a server on your own domain you need SSL... so I decided to have Let's Encrypt issue a certificate for a wildcard name. It doesn't look difficult, and yet...
Issuing a multi-domain certificate
Installation
I skimmed the overview on the Let's Encrypt 総合ポータル (an unofficial guide site) and got started.
As of today, it could be installed straight from the repository even on Ubuntu 18.04.
$ sudo apt install letsencrypt
The command to run
To cut to the chase: I targeted the domain and the wildcard domain, and had the server that supports multi-domain certificates validate them manually with the dns-01 method.
Trial and error. At first it asked for an email address and had me accept the terms of service, but then it stopped on various errors; I changed the approach, it stopped again... and I ended up with the run shown below.
You have to publish TXT records in DNS. When I prepared two records and set them one after the other, the registration seemed to go through with no waiting at all. That may just have been luck. (Added 2021/02/21.)
$ sudo certbot certonly -d hogeserver.hogeddns.jp -d *.hogeserver.hogeddns.jp --server https://acme-v02.api.letsencrypt.org/directory --manual --preferred-challenges dns-01
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None

-------------------------------------------------------------------------------
You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/hogeserver.hogeddns.jp.conf)

It contains these names: *.hogeserver.hogeddns.jp

You requested these names for the new certificate: hogeserver.hogeddns.jp,
*.hogeserver.hogeddns.jp.

Do you want to expand and replace this existing certificate with the new
certificate?
-------------------------------------------------------------------------------
(E)xpand/(C)ancel: E
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for hogeserver.hogeddns.jp
dns-01 challenge for hogeserver.hogeddns.jp

-------------------------------------------------------------------------------
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
-------------------------------------------------------------------------------
(Y)es/(N)o: Y

-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.hogeserver.hogeddns.jp with the following value:

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue   [register the value above as a TXT record in the DynamicDNS service, then press Enter]

-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.hogeserver.hogeddns.jp with the following value:

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx   ← after preparing and registering a second TXT record, it looked like the update would go through without waiting.

Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue   [Too hasty? Updated the TXT record once more, then pressed Enter]
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/hogeserver.hogeddns.jp/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/hogeserver.hogeddns.jp/privkey.pem
   Your cert will expire on 2019-08-10. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
Automating this is a bit hard, so for the time being I'll handle it by hand now and then.
Checking that the TXT record registered in DNS has propagated
I ran a command like this. Since it shows what the record actually looks like from outside, there's no need to sit there waiting blindly.
$ dig @8.8.8.8 -t txt _acme-challenge.hogeserver.hogeddns.jp
…
;; ANSWER SECTION:
_acme-challenge.hogeserver.hogeddns.jp. 299 IN TXT "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
…
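The check below is an added example and not code from the original post. It parses dig's ANSWER SECTION and confirms that every challenge value certbot printed is being served before you press Enter; it generalises the single-record dig check above to the two-record case the author ran into (the bare name and the wildcard both use _acme-challenge.hogeserver.hogeddns.jp, so both TXT values must be published side by side rather than one replacing the other). The polling helper, its 20-try limit and the sample dig output are assumptions.

```shell
# Added example, not code from the original post: confirm that every TXT
# value certbot asked for is visible on a public resolver before pressing
# Enter. The sample dig output below is constructed.

# txt_values_present DIG_OUTPUT VALUE...
# Parses the ANSWER SECTION of dig output and returns 0 only when each VALUE
# is present as a TXT string, 1 otherwise. Pure text, so it runs offline.
txt_values_present() {
    dig_out=$1
    shift
    answers=$(printf '%s\n' "$dig_out" | awk '
        /^;; ANSWER SECTION:/ { inans = 1; next }
        /^;;/                 { inans = 0 }
        inans && $4 == "TXT"  { sub(/^[^"]*"/, ""); sub(/"$/, ""); print }')
    for want in "$@"; do
        printf '%s\n' "$answers" | grep -qxF -- "$want" || return 1
    done
    return 0
}

# wait_for_txt NAME VALUE...
# Polls 8.8.8.8 (the resolver used in the post) until all VALUEs are served
# under NAME. Assumes dig is installed; gives up after 20 tries of 30 s.
wait_for_txt() {
    name=$1
    shift
    tries=0
    while [ "$tries" -lt 20 ]; do
        if txt_values_present "$(dig @8.8.8.8 -t txt "$name" 2>/dev/null)" "$@"; then
            return 0
        fi
        tries=$((tries + 1))
        sleep 30
    done
    return 1
}

# Constructed sample: the bare name and the wildcard share one challenge name,
# so two TXT records must exist side by side under it.
SAMPLE_DIG_OUTPUT=';; ANSWER SECTION:
_acme-challenge.hogeserver.hogeddns.jp. 299 IN TXT "value-for-bare-name"
_acme-challenge.hogeserver.hogeddns.jp. 299 IN TXT "value-for-wildcard"

;; Query time: 20 msec'

# Stand-alone demo (offline): succeeds only when both values are served.
txt_values_present "$SAMPLE_DIG_OUTPUT" value-for-bare-name value-for-wildcard && echo "both challenge values present"
```

In a real run, call wait_for_txt with the challenge name and both values certbot printed, and press Enter only after it returns 0.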
What I tried
Here is what I tried while attempting to get a multi-domain certificate.
Test
Running it as a test gave an error.
$ sudo certbot
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Certbot doesn't know how to automatically configure the web server on this system. However, it can still get a certificate for you. Please run "certbot certonly" to do so. You'll need to manually configure your web server to use the resulting certificate.
Stumbled right at the start... has the test-like option that used to exist been removed?
2019-05-12 10:50:58,570:DEBUG:certbot.main:certbot version: 0.23.0
2019-05-12 10:50:58,571:DEBUG:certbot.main:Arguments: []
2019-05-12 10:50:58,572:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2019-05-12 10:50:58,640:DEBUG:certbot.log:Root logging level set at 20
2019-05-12 10:50:58,641:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2019-05-12 10:50:58,814:DEBUG:certbot.plugins.selection:Requested authenticator None and installer None
2019-05-12 10:50:58,815:DEBUG:certbot.plugins.selection:No candidate plugin
2019-05-12 10:50:58,815:DEBUG:certbot.plugins.selection:Selected authenticator None and installer None
Running the command on the web server
With the certificate subcommand, I tried the following:
- Let it configure Apache automatically.
- Run this command on the web server to obtain a certificate for *.hogeserver.hogeddns.jp,
  using the /var/www/html directory for the validation.
$ sudo certbot certonly --webroot -w /var/www/html -d *.hogeserver.hogeddns.jp
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): webmaster@hogeserver.hogeddns.net

-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: A

-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: Y
Obtaining a new certificate
The currently selected ACME CA endpoint does not support issuing wildcard certificates.

IMPORTANT NOTES:
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
So this validation endpoint doesn't support it.
Qiita / letsencryptでワイルドカード認証を取るぞ![Ubuntu 18.04][nginx v1.15]
Qiita / Let's Encrypt (certbot) でワイルドカード証明書できた!
Issuing via the server that supports multi-domain certificates
Fine, let's point certbot at the server that does support it.
$ sudo certbot certonly --webroot -w /var/www/html -d *.hogeserver.hogeddns.jp --server https://acme-v02.api.letsencrypt.org/directory
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): webmaster@hogeserver.hogeddns.net

-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: A

-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: Y
Obtaining a new certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.

IMPORTANT NOTES:
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
DNS validation via the server that supports multi-domain certificates
So DNS validation is required.
本日も乙 / CertbotでDNSによる認証(DNS-01)で無料のSSL/TLS証明書を取得する
$ sudo certbot certonly -d *.hogeserver.hogeddns.jp --server https://acme-v02.api.letsencrypt.org/directory --manual --preferred-challenges dns-01
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for hogeserver.hogeddns.jp

-------------------------------------------------------------------------------
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
-------------------------------------------------------------------------------
(Y)es/(N)o: Y

-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.hogeserver.hogeddns.jp with the following value:

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue   [register the value above as a TXT record in the DynamicDNS service, then press Enter]
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/hogeserver.hogeddns.jp/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/hogeserver.hogeddns.jp/privkey.pem
   Your cert will expire on 2019-08-10. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

$
Done. Configure Apache to use the resulting certificate → wait, what? Does a wildcard certificate not cover hogeserver.hogeddns.jp itself?
Start over...
And that is how I arrived at the run shown at the very beginning.
Apache auto-configuration
There is a plugin that looks like it will configure Apache automatically, so install it as well.
It may become usable at some point, so I'm leaving this here as a memo.
Let's encrypt / Certbot missing Apache plugin
$ sudo apt install python3-certbot-apache
$ sudo certbot --apache