I had been running Postfix/Dovecot over SSL with a personal certificate, but while migrating from CentOS 5 to CentOS 7 I decided to take the opportunity to set up a Let’s Encrypt certificate instead.
Let’s Encrypt – Free SSL/TLS Certificates
https://letsencrypt.org/
Let’s Encrypt – Documentation
https://letsencrypt.org/docs/
Reference sites (I really just followed the steps on these sites as-is ^^;)
Set up a Let’s Encrypt certificate on nginx and switched the site to HTTPS
https://tsuchikazu.net/lets-encrypt-nginx/
Applying a free Let’s Encrypt SSL certificate to Postfix+Dovecot on CentOS 7 to encrypt the connections
https://orebibou.com/2016/11/centos-7でpostfixdovecotにlets-encryptの無料ssl証明書を適用して通信を暗/
- Installing the Let’s Encrypt client
- Obtaining the certificate
- Testing certificate renewal
- Setting up the renewal task
- Creating /etc/systemd/system/renew-letsencrypt.service
- Creating /etc/systemd/system/renew-letsencrypt.timer
- Enabling renew-letsencrypt.timer
- Starting renew-letsencrypt.timer
- Checking the timer
- Checking the log
```
# git clone https://github.com/letsencrypt/letsencrypt.git
Cloning into 'letsencrypt'...
remote: Counting objects: 45446, done.
remote: Compressing objects: 100% (141/141), done.
remote: Total 45446 (delta 73), reused 0 (delta 0), pack-reused 45304
Receiving objects: 100% (45446/45446), 13.57 MiB | 6.29 MiB/s, done.
Resolving deltas: 100% (32506/32506), done.
# cd letsencrypt/
```
I wondered what the difference was between the letsencrypt client and certbot; it turns out that until May 2016 the tool was simply called letsencrypt or letsencrypt-auto.
https://github.com/certbot/certbot
Until May 2016, Certbot was named simply letsencrypt or letsencrypt-auto, depending on install method. Instructions on the Internet, and some pieces of the software, may still refer to this older name.
From now on, ”git clone https://github.com/certbot/certbot.git” looks like the better choice.
```
# ./certbot-auto certonly -d rootlinks.net -m xxxx@xxxxx.co.jp --agree-tos
Bootstrapping dependencies for RedHat-based OSes... (you can skip this with --no-bootstrap)
yum is /usr/bin/yum
(the missing packages were installed automatically via yum)
Complete!
Creating virtual environment...
Installing Python packages...
Installation succeeded.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
(domain validation method: Apache is already running, so webroot)
How would you like to authenticate with the ACME CA?
-------------------------------------------------------------------------------
1: Apache Web Server plugin - Beta (apache)
2: Place files in webroot directory (webroot)
3: Spin up a temporary webserver (standalone)
-------------------------------------------------------------------------------
Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 2
(it seems to be asking whether to register my email address, so No)
-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: N
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for rootlinks.net
(specifying the webroot)
Select the webroot for rootlinks.net:
-------------------------------------------------------------------------------
1: Enter a new webroot
-------------------------------------------------------------------------------
Press 1 [enter] to confirm the selection (press 'c' to cancel): 1
Input the webroot for rootlinks.net: (Enter 'c' to cancel):/var/webroot/
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Creating CSR: xxxxxxxxxxxxxxxxxxxxxxxxxxxx

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.pem. Your cert will expire on
   2017-07-27. To obtain a new or tweaked version of this certificate in the
   future, simply run certbot-auto again. To non-interactively renew *all* of
   your certificates, run "certbot-auto renew"
 - Your account credentials have been saved in your Certbot configuration
   directory at xxxxxxxxxxxxx. You should make a secure backup of this folder
   now. This configuration directory will also contain certificates and private
   keys obtained by Certbot so making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
```
So it has become this easy.
The certificate expires on 2017-07-27 (90 days), so it tells me to renew with ”certbot-auto renew”. It also says the letsencrypt-related files should be handled carefully and backed up.
For the time being it looks fine.
```
# ./certbot-auto renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.conf
-------------------------------------------------------------------------------
Cert not due for renewal, but simulating renewal for dry run
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for rootlinks.net
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits), not saving to file
Creating CSR: not saving to file

-------------------------------------------------------------------------------
new certificate deployed without reload, fullchain is
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.pem
-------------------------------------------------------------------------------

** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
```
Using systemd Timers to Renew Let’s Encrypt Certificates
https://mjanja.ch/2016/07/using-systemd-timers-to-renew-lets-encrypt-certificates/
Renewing certificates
https://certbot.eff.org/docs/using.html#renewing-certificates
```
# vi /etc/systemd/system/renew-letsencrypt.service
# cat /etc/systemd/system/renew-letsencrypt.service
[Unit]
Description=Renew Let's Encrypt certificates

[Service]
Type=oneshot
# check for renewal, only start/stop nginx if certs need to be renewed
ExecStart=/usr/local/bin/letsencrypt/certbot-auto renew --renew-hook "/bin/systemctl restart postfix"
```
```
# vi /etc/systemd/system/renew-letsencrypt.timer
# cat /etc/systemd/system/renew-letsencrypt.timer
[Unit]
Description=Daily renewal of Let's Encrypt's certificates

[Timer]
# once a day, at 3AM
OnCalendar=*-*-* 03:00:00
# Be kind to the Let's Encrypt servers: add a random delay of 0-3600 seconds
RandomizedDelaySec=3600
Persistent=true

[Install]
WantedBy=timers.target
```
```
# systemctl enable renew-letsencrypt.timer
Created symlink from /etc/systemd/system/timers.target.wants/renew-letsencrypt.timer to /etc/systemd/system/renew-letsencrypt.timer.
# systemctl list-unit-files | grep letsencrypt
renew-letsencrypt.service                     static
renew-letsencrypt.timer                       enabled
```
```
# systemctl start renew-letsencrypt.timer
```
```
# systemctl list-timers
NEXT                         LEFT      LAST                         PASSED   UNIT                          ACTIVATES
Fri 2017-04-28 21:25:06 JST  8h left   Thu 2017-04-27 21:25:06 JST  15h ago  systemd-tmpfiles-clean.timer  systemd-tmpfiles-clean.service
Sat 2017-04-29 03:40:21 JST  14h left  n/a                          n/a      renew-letsencrypt.timer       renew-letsencrypt.service

2 timers listed.
Pass --all to see loaded but inactive timers, too.
```
It has not run yet, so there is no log.
```
# journalctl -u renew-letsencrypt
-- No entries --
```
The certbot site recommends running renew twice a day.
https://certbot.eff.org/#centosrhel7-other
Note:
if you’re setting up a cron or systemd job, we recommend running it twice per day (it won’t do anything until your certificates are due for renewal or revoked, but running it regularly would give your site a chance of staying online in case a Let’s Encrypt-initiated revocation happened for some reason). Please select a random minute within the hour for your renewal tasks.
```
# ./certbot-auto --help

  certbot-auto [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates.  By default,
it will attempt to use a webserver both for obtaining and installing the
cert. The most common SUBCOMMANDS and flags are:

obtain, install, and renew certificates:
    (default) run   Obtain & install a cert in your current webserver
    certonly        Obtain or renew a cert, but do not install it
    renew           Renew all previously obtained certs that are near expiry
   -d DOMAINS       Comma-separated list of domains to obtain a cert for

  --apache          Use the Apache plugin for authentication & installation
  --standalone      Run a standalone webserver for authentication
  --nginx           Use the Nginx plugin for authentication & installation
  --webroot         Place files in a server's webroot folder for authentication
  --manual          Obtain certs interactively, or using shell script hooks

   -n               Run non-interactively
  --test-cert       Obtain a test cert from a staging server
  --dry-run         Test "renew" or "certonly" without saving any certs to disk

manage certificates:
    certificates    Display information about certs you have from Certbot
    revoke          Revoke a certificate (supply --cert-path)
    delete          Delete a certificate

manage your account with Let's Encrypt:
    register        Create a Let's Encrypt ACME account
  --agree-tos       Agree to the ACME server's Subscriber Agreement
   -m EMAIL         Email address for important account notifications

More detailed help:

  -h, --help [TOPIC]    print this message, or detailed help on a topic;
                        the available TOPICS are:

   all, automation, commands, paths, security, testing, or any of the
   subcommands or plugins (certonly, renew, install, register, nginx,
   apache, standalone, webroot, etc.)
```
Addendum (April 29, 2017)
I checked the log, and it had run.
Since no renewal was needed, it was skipped and the hook program was not executed.
The expected behaviour is that Postfix gets restarted when a renewal happens; that is the one thing I am slightly worried about.
```
# journalctl -u renew-letsencrypt
Apr 29 02:46:30 host systemd[1]: Starting Renew Let's Encrypt certificates...
Apr 29 02:46:33 host certbot-auto[18935]: Saving debug log to /var/log/letsencrypt/letsencrypt.log
Apr 29 02:46:33 host certbot-auto[18935]: Cert not yet due for renewal
Apr 29 02:46:33 host certbot-auto[18935]: -------------------------------------------------------------------------------
Apr 29 02:46:33 host certbot-auto[18935]: Processing xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.conf
Apr 29 02:46:33 host certbot-auto[18935]: -------------------------------------------------------------------------------
Apr 29 02:46:33 host certbot-auto[18935]: The following certs are not due for renewal yet:
Apr 29 02:46:33 host certbot-auto[18935]:   /xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/fullchain.pem (skipped)
Apr 29 02:46:33 host certbot-auto[18935]: No renewals were attempted.
Apr 29 02:46:33 host certbot-auto[18935]: No hooks were run.
Apr 29 02:46:33 host systemd[1]: Started Renew Let's Encrypt certificates.
```
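One way to settle the worry about the renew hook is to check, after each renewal window, that the certificate Postfix and Dovecot actually present is the one certbot wrote to fullchain.pem; a hook that silently failed to restart a daemon then shows up as a fingerprint mismatch. This is an added example, not code from the post: the sample fullchain is constructed, and the host and port arguments of the two live checks are assumptions about your setup.

```python
import hashlib
import smtplib
import ssl

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"
# Constructed stand-in for /etc/letsencrypt/live/<domain>/fullchain.pem: leaf cert
# first, chain cert after it. The bodies are placeholder base64, not real X.509 data.
SAMPLE_FULLCHAIN = (
    "-----BEGIN CERTIFICATE-----\nVGhpcyBpcyBub3QgYSByZWFsIGNlcnRpZmljYXRl\n"
    "-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nY2hhaW4gY2VydCBwbGFjZWhvbGRlcg==\n"
    "-----END CERTIFICATE-----\n"
)

def leaf_pem(fullchain_text):
    """The first PEM block of a fullchain.pem is the leaf; the chain certs after it are ignored."""
    start = fullchain_text.find(PEM_BEGIN)
    end = fullchain_text.find(PEM_END, start)
    if start < 0 or end < 0:
        raise ValueError("no certificate block found")
    return fullchain_text[start:end + len(PEM_END)] + "\n"

def sha256_fingerprint(der_bytes):
    """Colon-separated SHA-256 fingerprint, in the form 'openssl x509 -fingerprint' prints."""
    hexdigest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))

def disk_fingerprint(fullchain_text):
    """Fingerprint of the leaf certificate certbot wrote to disk."""
    return sha256_fingerprint(ssl.PEM_cert_to_DER_cert(leaf_pem(fullchain_text)))

def smtp_starttls_fingerprint(host, port=25):
    """Fingerprint of the cert Postfix presents after STARTTLS (needs network access)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # we compare fingerprints, not trust chains
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.starttls(context=ctx)
        return sha256_fingerprint(smtp.sock.getpeercert(binary_form=True))

def imaps_fingerprint(host, port=993):
    """Fingerprint of the cert Dovecot presents on implicit-TLS IMAPS (needs network access)."""
    pem = ssl.get_server_certificate((host, port))
    return sha256_fingerprint(ssl.PEM_cert_to_DER_cert(pem))

def deployed_matches(fullchain_text, live_fingerprints):
    """True only when every daemon serves exactly the certificate that is on disk."""
    expected = disk_fingerprint(fullchain_text)
    return all(fp == expected for fp in live_fingerprints)
```

On a real host you would read fullchain.pem from the live directory and pass `[smtp_starttls_fingerprint("mail.example"), imaps_fingerprint("mail.example")]` to `deployed_matches`; a False result after a renewal means the hook did not reach that daemon.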