1. Letsencrypt/certbot/manual_mode/dns-01
| /auth-hook /ubuntu /ubuntu/wiki.dnsz.org /ubuntu/wildcard /w3.qmail.jp /wildcard |
/wildcard /ubuntu /w3.qmail.jp
manual modeで証明書を取得する場合、
- DNSレコードを設定するのが容易であれば、(普通はそうだろう)
DNSを使った方がいい。(APIが用意されているならなおのこと
- webサーバーを止める必要がない。
2. moin.qmail.jp
tss host (pound)
#certbot certonly --manual --preferred-challenges dns-01 -d moin.qmail.jp
証明書のインストール時にwebサーバーを一時的に停止するのは必要だが。
-- ToshinoriMaeno 2019-01-22 14:26:57
3. sakura.qmail.jp
- moin2.qmail.jp も同様だが。
# certbot certonly --manual --preferred-challenges dns-01 -d sakura.qmail.jp Saving debug log to /var/log/letsencrypt/letsencrypt.log Plugins selected: Authenticator manual, Installer None Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org Obtaining a new certificate Performing the following challenges: dns-01 challenge for sakura.qmail.jp - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - NOTE: The IP of this machine will be publicly logged as having requested this certificate. If you're running certbot in manual mode on a machine that is not your server, please ensure you're okay with that. Are you OK with your IP being logged? - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (Y)es/(N)o: y - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Please deploy a DNS TXT record under the name _acme-challenge.sakura.qmail.jp with the following value: B2_BLBgOtMPgELtaEj7c3sQm-bculY28hkw7adgO9i8 Before continuing, verify the record is deployed.
<<< ここでTXTレコード設定を行う。APIが用意されていれば、便利 >>
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue Waiting for verification... Cleaning up challenges IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at: /usr/local/etc/letsencrypt/live/sakura.qmail.jp/fullchain.pem Your key file has been saved at: /usr/local/etc/letsencrypt/live/sakura.qmail.jp/privkey.pem Your cert will expire on 2020-03-28. To obtain a new or tweaked version of this certificate in the future, simply run certbot again. To non-interactively renew *all* of your certificates, run "certbot renew" - If you like Certbot, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le
4. 更新処理
更新処理とその自動化を考慮するなら、webサーバー業者を経由する証明書を使うのがいいかも。
- その場合はhttpを使えばいい。サーバー業者はDNSサービスまで抱えこむ必要はない。
-- ToshinoriMaeno 2019-01-22 14:31:42
DNSを使っていても、更新の自動化が特に難しいということはないだろう。(API)