Upgrading certbot (ACMEv2 support): enabling HTTPS and renewing an existing certificate
OS and software versions
- Ubuntu 18.04.3 LTS
- nginx/1.14.0 (Ubuntu)
- certbot
- before the upgrade: 0.23.0
- after the upgrade: 0.31.0
1. Upgrading certbot (ACMEv2 support)
What is certbot?
A command-line tool for managing certificates.
Under the hood it talks to Let's Encrypt, so it can obtain, revoke, renew (etc.) free SSL certificates.
Validation is performed per domain = DV (Domain Validation).
Why is the upgrade necessary?
Beginning June 1, 2020, we will stop allowing new domains to validate using the ACMEv1 protocol. You should upgrade to an ACMEv2 compatible client before then, or certificate issuance will fail. For most people, simply upgrading to the latest version of your existing client will suffice.
Loose translation: from 2020/06/01, DV (Domain Validation) over the ACMEv1 protocol will no longer be possible, so upgrade to ACMEv2.
⇒ New issuance and renewal of certificates would fail, hence the version upgrade.
(1) Remove the certbot (letsencrypt) command
Check the current version before removing certbot
certbot --version
certbot 0.23.0
Update certbot so that it becomes certbot 0.31.0.
sudo apt remove letsencrypt
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
certbot linux-gcp-headers-5.0.0-1025 linux-gcp-headers-5.0.0-1026 linux-gcp-headers-5.0.0-1029
linux-gcp-headers-5.0.0-1031 linux-gcp-headers-5.0.0-1033 linux-gcp-headers-5.0.0-1034 python-pyicu
python3-acme python3-certbot python3-configargparse python3-future python3-josepy python3-lib2to3
python3-mock python3-parsedatetime python3-pbr python3-rfc3339 python3-tz python3-zope.component
python3-zope.event python3-zope.hookable
Use 'sudo apt autoremove' to remove them.
The following packages will be REMOVED:
letsencrypt
0 upgraded, 0 newly installed, 1 to remove and 69 not upgraded.
After this operation, 13.3 kB disk space will be freed.
Do you want to continue? [Y/n] Y
(Reading database ... 271035 files and directories currently installed.)
Removing letsencrypt (0.23.0-1) ...
sudo apt remove letsencrypt certbot
(added because certbot itself was not removed by the first command)
Reading package lists... Done
Building dependency tree
Reading state information... Done
Package 'letsencrypt' is not installed, so not removed
The following packages were automatically installed and are no longer required:
linux-gcp-headers-5.0.0-1025 linux-gcp-headers-5.0.0-1026 linux-gcp-headers-5.0.0-1029
linux-gcp-headers-5.0.0-1031 linux-gcp-headers-5.0.0-1033 linux-gcp-headers-5.0.0-1034 python-pyicu
python3-acme python3-certbot python3-configargparse python3-future python3-josepy python3-lib2to3
python3-mock python3-parsedatetime python3-pbr python3-rfc3339 python3-tz python3-zope.component
python3-zope.event python3-zope.hookable
Use 'sudo apt autoremove' to remove them.
The following packages will be REMOVED:
certbot
0 upgraded, 0 newly installed, 1 to remove and 68 not upgraded.
After this operation, 52.2 kB disk space will be freed.
Do you want to continue? [Y/n] Y
(Reading database ... 271032 files and directories currently installed.)
Removing certbot (0.23.0-1) ...
Processing triggers for man-db (2.8.3-2ubuntu0.1) ...
(2) Install the new certbot
https://certbot.eff.org/lets-encrypt/ubuntubionic-other
Add the Certbot PPA by following the site above.
PPA (= Personal Package Archive)
sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository universe
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
Install Certbot
sudo apt-get install certbot python3-certbot-nginx
Check the current certbot version
certbot --version
certbot 0.31.0
If certbot now reports certbot 0.31.0, the upgrade is complete.
2. Enabling HTTPS for rudder.tak-cslab.org and renewing the existing certificate for ja.tak-cslab.org
(1) New issuance (enabling HTTPS)
Obtain a new certificate for HTTPS access with the command below
sudo certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: ja.tak-cslab.org
2: rudder.tak-cslab.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1 2
You are asked which names to enable HTTPS for, so select both 1 and 2.
(Both are enabled, but strictly speaking 1, ja.tak-cslab.org, is a renewal and 2, rudder.tak-cslab.org, is a new issuance.)
(2) Renewing the existing certificate
Since 1, ja.tak-cslab.org, is a renewal, the existing certificate is expanded into the new certificate.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/ja.tak-cslab.org.conf)
It contains these names: ja.tak-cslab.org
You requested these names for the new certificate: ja.tak-cslab.org,
rudder.tak-cslab.org.
Do you want to expand and replace this existing certificate with the new
certificate?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(E)xpand/(C)ancel: E
Select Expand.
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for ja.tak-cslab.org
http-01 challenge for rudder.tak-cslab.org
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/conf.d/wp.conf
Deploying Certificate to VirtualHost /etc/nginx/conf.d/rudder.conf
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting all traffic on port 80 to ssl in /etc/nginx/conf.d/wp.conf
Redirecting all traffic on port 80 to ssl in /etc/nginx/conf.d/rudder.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Your existing certificate has been successfully renewed, and the new certificate
has been installed.
The new certificate covers the following domains: https://ja.tak-cslab.org and
https://rudder.tak-cslab.org
You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=ja.tak-cslab.org
https://www.ssllabs.com/ssltest/analyze.html?d=rudder.tak-cslab.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/ja.tak-cslab.org/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/ja.tak-cslab.org/privkey.pem
Your cert will expire on 2020-09-01. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
(3) Checking the certificates
Check the certificates of https://ja.tak-cslab.org
and https://rudder.tak-cslab.org
Procedure: https://jp.globalsign.com/ssl-pki-info/ssl_practices/authentification.html
Open the URLs above and click the padlock icon in the address bar,
then click the "secure connection" entry.
About certbot renewal
certbot comes with a cron job that renews certificates automatically before they expire, so there is no need to run certbot again.
The command that runs certbot's renewal is installed in one of the following places:
/etc/crontab/
/etc/cron.*/*
systemctl list-timers
In this case the command that runs certbot's renewal is installed in /etc/cron.d/certbot.
# /etc/cron.d/certbot: crontab entries for the certbot package
#
# Upstream recommends attempting renewal twice a day
#
# Eventually, this will be an opportunity to validate certificates
# haven't been revoked, etc. Renewal will only occur if expiration
# is within 30 days.
#
# Important Note! This cronjob will NOT be executed if you are
# running systemd as your init system. If you are running systemd,
# the cronjob.timer function takes precedence over this cronjob. For
# more details, see the systemd.timer manpage, or use systemctl show
# certbot.timer.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew
=> Renewal is attempted every 12 hours (at 0:00 and 12:00). The perl sleep adds a random delay of up to 43200 seconds (12 hours) before each attempt to spread load on Let's Encrypt, and the test on /run/systemd/system means this entry is skipped on a systemd host such as Ubuntu 18.04, where certbot.timer (listed by systemctl list-timers) runs the renewal instead, as the file's own comment notes.
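Two checks a practitioner would want after this upgrade, written as an added example (not the post's own commands): confirm that a renewal config such as /etc/letsencrypt/renewal/ja.tak-cslab.org.conf from section 2 (2) points at the ACMEv2 directory rather than ACMEv1, and apply the "renew only within 30 days of expiry" rule from the cron file above to the 2020-09-01 expiry date. The conf content and the dates are constructed; GNU date (as on Ubuntu) is assumed.

```shell
#!/bin/sh
# Added example, not from the original post. The renewal conf below is a
# constructed sample modelled on certbot's layout; real files live under
# /etc/letsencrypt/renewal/<domain>.conf.

# Print "v1", "v2" or "other" depending on the ACME directory URL in the conf.
# A conf still on acme-v01 would break issuance/renewal after 2020-06-01.
acme_server_version() {
    conf="$1"
    server=$(sed -n 's/^server *= *//p' "$conf" | head -n 1)
    case "$server" in
        https://acme-v01.api.letsencrypt.org/*) echo v1 ;;
        https://acme-v02.api.letsencrypt.org/*) echo v2 ;;
        *) echo other ;;
    esac
}

# Whole days from a reference date to an expiry date (both YYYY-MM-DD).
# Uses GNU date -d, assumed here.
days_until_expiry() {
    expiry="$1"; today="$2"
    exp_s=$(date -u -d "$expiry" +%s)
    now_s=$(date -u -d "$today" +%s)
    echo $(( (exp_s - now_s) / 86400 ))
}

# "certbot renew" only acts when expiry is within 30 days; mirror that rule.
renewal_due() {
    [ "$(days_until_expiry "$1" "$2")" -le 30 ] && echo yes || echo no
}

# Constructed sample conf (hypothetical domain example.invalid).
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# renew_before_expiry = 30 days
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/example.invalid
cert = /etc/letsencrypt/live/example.invalid/cert.pem
[renewalparams]
authenticator = nginx
installer = nginx
server = https://acme-v02.api.letsencrypt.org/directory
EOF

acme_server_version "$SAMPLE_CONF"   # v2
renewal_due 2020-09-01 2020-06-05    # no  (88 days left)
renewal_due 2020-09-01 2020-08-10    # yes (22 days left)
```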
Source: https://qiita.com/yoshi_mf7/items/ab40ee2e0ff05da60f69 (copyright belongs to the original author)