The other day I wrote an article on issuing Let's Encrypt certificates on CentOS 7.
After that I learned that CentOS has a client called certbot available in the epel repository.
Certbot
https://certbot.eff.org/
Selecting your operating system and web server on that site shows how to use certbot on that combination.
Apache on CentOS/RHEL 7
https://certbot.eff.org/#centosrhel7-apache
Once the epel repository is installed, certbot installs in one step.
# yum -y install epel-release
Installation
# yum info certbot
Available Packages
Name        : certbot
Arch        : noarch
Version     : 0.12.0
Release     : 4.el7
Size        : 19 k
Repo        : epel/x86_64
Summary     : A free, automated certificate authority client
URL         : https://pypi.python.org/pypi/certbot
License     : ASL 2.0
Description : certbot is a free, automated certificate authority that aims
            : to lower the barriers to entry for encrypting all HTTP traffic on the internet.

# yum -y install certbot
(snip)
Installed:
  certbot.noarch 0:0.12.0-4.el7

Dependency Installed:
  dialog.x86_64 0:1.2-4.20130523.el7
  pyOpenSSL.x86_64 0:0.13.1-3.el7
  python-cffi.x86_64 0:1.6.0-5.el7
  python-enum34.noarch 0:1.0.4-1.el7
  python-idna.noarch 0:2.0-1.el7
  python-ipaddress.noarch 0:1.0.16-2.el7
  python-ndg_httpsclient.noarch 0:0.3.2-1.el7
  python-parsedatetime.noarch 0:1.5-3.el7
  python-ply.noarch 0:3.4-10.el7
  python-psutil.x86_64 0:2.2.1-1.el7
  python-pycparser.noarch 0:2.14-1.el7
  python-requests.noarch 0:2.6.0-1.el7_1
  python-six.noarch 0:1.9.0-2.el7
  python-urllib3.noarch 0:1.10.2-2.el7_1
  python-zope-component.noarch 1:4.1.0-1.el7
  python-zope-event.noarch 0:4.0.3-2.el7
  python-zope-interface.x86_64 0:4.0.5-4.el7
  python2-acme.noarch 0:0.12.0-2.el7
  python2-certbot.noarch 0:0.12.0-4.el7
  python2-configargparse.noarch 0:0.11.0-1.el7
  python2-cryptography.x86_64 0:1.3.1-3.el7
  python2-dialog.noarch 0:3.3.0-6.el7
  python2-future.noarch 0:0.16.0-2.el7
  python2-mock.noarch 0:1.0.1-9.el7
  python2-pyasn1.noarch 0:0.1.9-7.el7
  python2-pyrfc3339.noarch 0:1.0-2.el7
  pytz.noarch 0:2012d-5.el7

Complete!
Installing from the epel repo also ships the systemd unit files for renewal. Note that the timer is installed disabled, so no automatic renewal runs until you enable and start it (systemctl enable certbot-renew.timer && systemctl start certbot-renew.timer).
# systemctl list-unit-files | grep certbot
certbot-renew.service                       static
certbot-renew.timer                         disabled
The command is certbot.
# certbot --help

certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates.  By default,
it will attempt to use a webserver both for obtaining and installing the
cert. The most common SUBCOMMANDS and flags are:

obtain, install, and renew certificates:
    (default) run   Obtain & install a cert in your current webserver
    certonly        Obtain or renew a cert, but do not install it
    renew           Renew all previously obtained certs that are near expiry
   -d DOMAINS       Comma-separated list of domains to obtain a cert for

  (the certbot apache plugin is not installed)
  --standalone      Run a standalone webserver for authentication
  (the certbot nginx plugin is not installed)
  --webroot         Place files in a server's webroot folder for authentication
  --manual          Obtain certs interactively, or using shell script hooks

   -n               Run non-interactively
  --test-cert       Obtain a test cert from a staging server
  --dry-run         Test "renew" or "certonly" without saving any certs to disk

manage certificates:
    certificates    Display information about certs you have from Certbot
    revoke          Revoke a certificate (supply --cert-path)
    delete          Delete a certificate

manage your account with Let's Encrypt:
    register        Create a Let's Encrypt ACME account
  --agree-tos       Agree to the ACME server's Subscriber Agreement
   -m EMAIL         Email address for important account notifications

More detailed help:

  -h, --help [TOPIC]    print this message, or detailed help on a topic;
                        the available TOPICS are:

   all, automation, commands, paths, security, testing, or any of the
   subcommands or plugins (certonly, renew, install, register, nginx,
   apache, standalone, webroot, etc.)
However, as of April 28, 2017 the epel version is still 0.12.0, while the latest in git is 0.13.0.
The renewal configuration written by the git checkout is marked as version 0.13, so reading it with certbot 0.12 produces a warning:
Attempting to parse the version 0.13.0 renewal configuration file found at /etc/letsencrypt/renewal/xxxxxxxxx.conf with version 0.12.0 of Certbot. This might not work.
Since the basic usage is presumably the same, installing from epel is probably the easier option to maintain.
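As an added example (not code from the original post or from the certbot project), the following POSIX shell script checks the two things this post turns up before handing renewals over to the EPEL package: whether any renewal configuration under /etc/letsencrypt/renewal was written by a newer certbot than the one installed (the condition behind the "This might not work" warning above), and whether certbot-renew.timer is actually enabled. The renewal directory, the "version = X.Y.Z" line in renewal configs, and the timer name are assumptions taken from certbot 0.x and the EPEL package output shown above. With no argument it runs on constructed sample data; `sh certbot-audit.sh run` inspects the live system.

```shell
#!/bin/sh
# Added example, not code from the original post or from the certbot project.
# Pre-flight audit before moving renewals from a git checkout of certbot to the
# EPEL package and its certbot-renew.timer.
# Assumptions: renewal configs live in /etc/letsencrypt/renewal and carry a
# "version = X.Y.Z" line (certbot 0.x layout); the timer unit is named
# certbot-renew.timer as in the EPEL package.

RENEWAL_DIR="${RENEWAL_DIR:-/etc/letsencrypt/renewal}"

# Compare two dotted version strings; prints "lt", "eq" or "gt" for $1 vs $2.
# Missing trailing components count as 0, so 0.12 equals 0.12.0.
vercmp() {
    a=$1
    b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}
        y=${b%%.*}
        : "${x:=0}" "${y:=0}"
        if [ "$x" -lt "$y" ]; then echo lt; return; fi
        if [ "$x" -gt "$y" ]; then echo gt; return; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    echo eq
}

# Print the "version = X.Y.Z" value of a renewal config read on stdin
# (nothing is printed when the line is absent).
renewal_conf_version() {
    sed -n 's/^version[[:space:]]*=[[:space:]]*\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Classify a renewal config written by certbot $2 against installed certbot $1:
# "ok" when the binary is at least as new as the file, otherwise "newer-config",
# which is the situation that makes certbot print "This might not work".
renewal_conf_status() {
    if [ "$(vercmp "$1" "$2")" = lt ]; then
        echo newer-config
    else
        echo ok
    fi
}

# Read `systemctl list-unit-files` output on stdin and print the state of
# certbot-renew.timer: "enabled", "disabled", "static", or "missing".
renew_timer_state() {
    awk '$1 == "certbot-renew.timer" { print $2; found = 1 }
         END { if (!found) print "missing" }'
}

# Run the audit against the live system (requires certbot and systemctl).
audit() {
    # Python 2 era certbot prints its version on stderr, hence 2>&1.
    installed=$(certbot --version 2>&1 | awk '/^certbot/ { print $2 }')
    [ -n "$installed" ] || { echo "certbot not found"; return 1; }
    echo "installed certbot: $installed"

    for conf in "$RENEWAL_DIR"/*.conf; do
        [ -f "$conf" ] || continue
        written_by=$(renewal_conf_version < "$conf")
        status=$(renewal_conf_status "$installed" "${written_by:-0}")
        echo "$conf: version=${written_by:-unknown} $status"
    done

    state=$(systemctl list-unit-files 2>/dev/null | renew_timer_state)
    echo "certbot-renew.timer: $state"
    if [ "$state" = disabled ]; then
        echo "hint: systemctl enable certbot-renew.timer && systemctl start certbot-renew.timer"
    fi
}

# Offline demonstration on constructed input: the unit-file listing mirrors the
# one in the post; the renewal config header is made up for this example.
demo() {
    sample_conf='# renew_before_expiry = 30 days
version = 0.13.0
archive_dir = /etc/letsencrypt/archive/example.com'
    sample_units='certbot-renew.service static
certbot-renew.timer disabled'
    written_by=$(printf '%s\n' "$sample_conf" | renewal_conf_version)
    echo "renewal config version $written_by vs certbot 0.12.0: $(renewal_conf_status 0.12.0 "$written_by")"
    echo "certbot-renew.timer: $(printf '%s\n' "$sample_units" | renew_timer_state)"
}

case "${1:-}" in
    run) audit ;;
    *)   demo ;;
esac
```

The enable hint deliberately avoids `systemctl enable --now`: CentOS 7 ships systemd 219, and `--now` only arrived in systemd 220, so the two-step enable-then-start form is what actually works on that platform.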