If you are having trouble using Certbot and aren't sure whether you've found a bug or want to request a new feature, please first try asking for help at https://community.letsencrypt.org/. There is a much larger community there of people familiar with the project who can answer your questions more quickly.
Question
Ubuntu 16.04 server.
Two versions (the Plesk package and the certbot package from the certbot repository).
Certbot package version: 0.21.1
In: certbot -d *.works.wtf certonly
Out: Wildcard domains are not supported: *.works.wtf
According to the Let's Encrypt site, Certbot is compatible with the ACMEv2 API.
Logs are stored in /var/log/letsencrypt. Feel free to redact domains, e-mail and IP addresses as needed. N/A. Certificate only.
You need to use the DNS-01 challenge. That means you need a way to change, publish and update your DNS zone without using the server.
Please tell me how.
Isn't this just a flag?
No, you actually need certbot >= 0.22. Sorry I missed that in my first post.
OK .... how can I install it? Do I need to compile it from source?
You can wait for it to be published on the PPA, install it via pip or something similar, or actually build it from source.
I don't need it that badly, so I'd rather wait for the official package to be updated. In the meantime I can figure out how to set up the DNS challenge properly; I can try it without a wildcard just to confirm that everything works. Then, once the update is available (it shouldn't take long), I'll be ready to get the wildcard certificate.
But you can use certbot from source:
root@cs12:~# git clone https://github.com/certbot/certbot
...
root@cs12:~# DOMAIN=example.com
root@cs12:~# cd certbot
root@cs12:~/certbot# ./certbot-auto certonly --manual -d *.$DOMAIN -d $DOMAIN --agree-tos --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory
...
-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.example.com with the following value:
qqiR_lsa2AjMfoVR16mH4UDbOxy_E02l0K1CNyz1RdI
Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue
Add the TXT record and press Enter. You will get another record. Add that one too.
Then check in a second terminal window whether the records have been deployed:
root@cs12:~# host -t txt _acme-challenge.example.com
_acme-challenge.example.com descriptive text "qqiR_lsa2AjMfoVR16mH4UDbOxy_E02l0K1CNyz1RdI"
_acme-challenge.example.com descriptive text "oMmMa-fDLlebdUhvhMD5MinJ2EeFpdP0F9lUPTShh4w"
If everything looks fine, go back and press Enter.
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/example.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/example.com/privkey.pem
Your cert will expire on 2018-06-11. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Update: a full Gist with instructions for installing, configuring and renewing the certificate
@ArchangeGabriel thanks for the thorough answers! We're working on updating the Ubuntu package and hope to release it soon.
@ohemorange you're welcome! Honestly, I worried we would see an influx of people trying to get wildcard certificates without any insight into what the DNS-01 challenge is, but apparently that hasn't happened (at least not yet).
As a follow-up to @talyguryn:
When you create one certificate for the apex together with its wildcard, __two__ challenges occur.
Using -d "example.com, *.example.com" (_meaning a certificate for the apex and the wildcard of the apex_), you will be challenged _twice_: once for example.com and again for *.example.com.
So don't think you failed the second challenge; you need to change the value. Just add the challenge to DNS, wait for propagation, and continue.
Maybe the output should be changed so that it's easier to see which domain is being challenged?
Documentation: https:
@AubreyHewes I have the same problem. I don't know how to issue a single certificate for both example.com and *.example.com. Unfortunately, certbot requires changing the TXT record twice. This makes validation fail for one of the domains. Is there a way around this?
@nathan-alden You need to set both TXT records at the same time. Don't delete the first one when you add the second.
@nathan-alden
There are two challenges. The certbot prompt _seems_ to ask you to change the same TXT again. But the second value is for the second domain, so add a new TXT record for the second domain.
I.e. when using -d "example.com,*.example.com", the first challenge is for example.com, so add a TXT for that. After propagation, continue.
The second challenge is for *.example.com, so add a TXT for that. After propagation, continue.
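A small checker for the point made in the two posts above (verify the records with `host -t txt` before pressing Enter, and keep both values published under the shared `_acme-challenge` name). This is an added example, not code from the thread or from certbot; the sample `host` output and the validation values are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample of what `host -t txt _acme-challenge.example.com` prints
# once both records are deployed. Values are placeholders, not real ACME tokens.
HOST_OUTPUT = """\
_acme-challenge.example.com descriptive text "apex-validation-value"
_acme-challenge.example.com descriptive text "wildcard-validation-value"
"""


def challenge_owner(domain):
    """Return the TXT owner name certbot asks for. The apex and its wildcard
    share one owner name, so their two values must coexist under it."""
    base = domain[2:] if domain.startswith("*.") else domain
    return "_acme-challenge." + base.rstrip(".")


def parse_host_txt(output):
    """Parse `host -t txt` output into {owner: set(values)}."""
    published = defaultdict(set)
    pattern = re.compile(r'^(\S+?)\.?\s+descriptive text\s+"(.*)"\s*$')
    for line in output.splitlines():
        match = pattern.match(line)
        if match:
            published[match.group(1)].add(match.group(2))
    return published


def missing_records(expected, output):
    """expected: {name given to -d: validation value} as certbot prompts for them.
    Return the (owner, value) pairs not yet visible in DNS; an empty list means
    it is safe to press Enter on the last prompt."""
    published = parse_host_txt(output)
    return [(challenge_owner(name), value)
            for name, value in expected.items()
            if value not in published.get(challenge_owner(name), set())]


EXPECTED = {  # one value per prompt; the second prompt is for the wildcard
    "example.com": "apex-validation-value",
    "*.example.com": "wildcard-validation-value",
}

if __name__ == "__main__":
    print(missing_records(EXPECTED, HOST_OUTPUT))
```

Feed it the real `host -t txt` output and the two values certbot printed; replacing the first record with the second (the mistake discussed above) shows up as the apex value going missing.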
I had a good experience with the Docker version. As a side note, set the TTL of the TXT entries to about 1 minute so that you don't have to wait an hour for the second entry to propagate.
docker run -it --name certbot \
-v <certs>:/etc/letsencrypt \
-v <logs>:/var/lib/letsencrypt \
certbot/certbot certonly --manual \
-d *.<domain.com> -d <domain.com> \
--agree-tos \
--manual-public-ip-logging-ok \
--preferred-challenges dns-01 \
--server https://acme-v02.api.letsencrypt.org/directory
I'm curious why dns-01 is required. Couldn't ownership of a wildcard domain be verified by spawning a server on port 80 (any form of http challenge), generating N random subdomains, and connecting to them?
@AubreyHewes I see that only one challenge/record is needed in DNS, but it's just a matter of guessing the right one.
I have one certificate for 4 domains and their wildcards. Each domain has only one _acme-challenge TXT record. 3 of the domains work with the first challenge in the certbot output, and the value seems to be the same on every run, so there is some consistency.
The 4th domain doesn't work with the first record in the output but works with the second one, which changes every time certbot runs.
I use this command:
/usr/bin/certbot --renew-by-default certonly --manual --server https://acme-v02.api.letsencrypt.org/directory --preferred-challenges dns-01 -w /usr/share/nginx/letsencrypt-root/ -d *.domain1.sk -d domain1.sk -d *.domain2.sk -d domain2.sk -d *.domain3.sk -d domain3.sk -d *.domain4.sk -d domain4.sk
I do it by trial and error. I didn't know I could have two of the same DNS record with different values :-) I'll try that next time.
@robertvalik You can't use the same TXT record value for two different validations, including example.com and *.example.com.
With Let's Encrypt, once an authorization is approved it can currently be reused for 30 days. If your account created and validated it recently, you can issue many certificates without validating again. However, due to a Certbot limitation (#5342), Certbot asks you to set the same TXT record again even when it won't be checked again.
In other words, the fact that the required DNS record no longer existed wasn't a problem, because a valid authorization already existed for one of the names.
@francoism90 There are several reasons you might need a wildcard domain: you might serve several static subdomains, or you might serve unlimited subdomains (software as a service, etc.). In the latter case (mine), there is already a wildcard in the DNS file, so random subdomains should actually resolve properly. I'm wondering whether a form of http challenge could be offered in that scenario. Thanks for the work!
I succeeded in issuing and generating the certificate with:
./certbot-auto certonly --manual -d *.example.com -d example.com --agree-tos --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory
I'm wondering how to renew the certificate:
- certbot renew
- certbot-renew
- certbot-auto renew
I'm confused. Since I used the same command when requesting, I tried ./certbot-auto renew. I just want to confirm whether that's the right way.
Can wildcard certificates be automated?
@ufo911 Of course. For example, using Certbot's RFC2136 plugin:
certbot certonly \
--dns-rfc2136 \
--dns-rfc2136-credentials ~/.secrets/certbot/rfc2136.ini \
--server https://acme-v02.api.letsencrypt.org/directory \
-d example.com \
-d "*.example.com"
Or the acme-dns manual auth hook:
certbot certonly \
--debug-challenges \
--manual \
--manual-auth-hook /etc/letsencrypt/acme-dns-auth.py \
--server https://acme-v02.api.letsencrypt.org/directory \
-d example.com \
-d "*.example.com"
https://certbot.eff.org/docs/using.html
https://community.letsencrypt.org/t/getting-wildcard-certificates-with-certbot/56285
If you need help, you can post a topic on the Let's Encrypt forum.
@mnordhoff Do I need to enable the DNS TXT record on every renewal?
@ufo911 Of course; a renewal is just a certificate request that reuses the previous parameters.
@ArchangeGabriel Strange, it's telling me to set a new TXT record.
#!/bin/bash
certbot certonly \
--manual \
--agree-tos \
--manual-public-ip-logging-ok \
--preferred-challenges dns-01 \
--server https://acme-v02.api.letsencrypt.org/directory \
-d domain.tld \
-d "*.domain.tld"
Is this normal? Why is a new token being generated?
Sorry if I wasn't clear: yes, there is a new TXT record for every request. This is a challenge/response validation, and reusing a challenge would be a very bad idea.
So, in practice, you can delete the TXT record as soon as you've obtained the certificate, but on every renewal there will be a new TXT record to publish (and to delete once it succeeds).
@ArchangeGabriel Hmm, I don't think that's an option for me. Creating a new TXT record can take up to 24 hours to complete, and if something goes wrong there would be a lot of downtime.
I'll use the common method instead. :)
Indeed, the DNS challenge isn't the easiest one. But for wildcards, at least for now, there is no other possibility. For example, I don't know whether it could be replaced by sending the challenge to a random subdomain name in the wildcard space (e.g. when requesting *.domain.com, try to read the challenge response at somerandomstring.domain.com, to confirm that you actually control the whole *.domain.com space). That way, a wildcard redirect in DNS would be enough.
@ArchangeGabriel That's a good option, but is DNS validation still needed in that case? Does it provide what's needed for a complete wildcard setup?
No, my idea is to offer an alternative to the DNS challenge.
To set up a wildcard, you need to prove control over all subdomains. The only obvious way to do that is to prove technical ownership of the corresponding DNS zone.
Now I'm wondering whether there is another way, like the other challenge types. Asking for a random subdomain proves that you control the wildcard redirect. I don't know whether that's enough for the IETF, but I think they have considered it; there may be some issues.
For example, I wonder whether this case is possible:
• somespecificsub.domain.com points to a specific IP.
• *.domain.com and domain.com point to another IP.
In that case, you can respond to requests for the main domain and for any subdomain except somespecificsub.domain.com. And I don't think serving a *.domain.com certificate would be right there. So if that is possible, an additional setup would be needed, like a persistent TXT record indicating that random-subdomain validation is permitted for wildcard challenge responses. Then the DNS configuration could be set up once and forgotten, and wildcards could be validated more easily.
Anyway, I don't know who to talk to about this, at what point this setup was considered, or the exact criteria needed to deliver wildcards safely. I think I should read the RFC for that, but I don't have the time.