Obtaining a Let's Encrypt wildcard certificate and configuring it in Rancher
Tags: letsencrypt, docker, rancher
Introduction
This article is a personal memo.
I suddenly remembered that I had been waiting for Let's Encrypt to support wildcard certificates, so I obtained one and configured it in the Rancher environment we use for development.
Environment
I wanted to get this done quickly, so I obtained the certificate from an Ubuntu 16.04 container.
Procedure
According to the article I referred to, the official documentation says to use the DNS plugin, but that was a hassle, so I obtained the certificate manually, as in that article.
Obtaining the certificate
Set up a Certbot environment; it is just a throwaway container. Note that because the container is started with --rm, everything under /etc/letsencrypt (the ACME account key as well as the issued private key) disappears when the shell exits, so copy it out or mount a volume there before leaving.
❯ docker run -it --rm ubuntu:16.04 bash
root@ad7f41c5773c:/# apt update
・・・
Building dependency tree
Reading state information... Done
2 packages can be upgraded. Run 'apt list --upgradable' to see them.
root@ad7f41c5773c:/# apt upgrade < just in case...
Reading package lists... Done
・・・
root@ad7f41c5773c:/# apt install certbot < this is where the real work starts
・・・
Get:49 http://archive.ubuntu.com/ubuntu xenial-updates/universe amd64 certbot all 0.23.0-1~ubuntu16.04.1 [17.4 kB]
Fetched 16.0 MB in 17s (932 kB/s)
E: Failed to fetch http://61.26.74.210:80/pdata/07e41ece3becb885/archive.ubuntu.com/ubuntu/pool/main/p/python-pbr/python-pbr_1.8.0-4ubuntu1_all.deb Writing more data than expected (15617 > 12552)
E: Unable to fetch some archives, maybe run apt-get update or try with --fix-missing?
root@ad7f41c5773c:/# apt install --fix-missing certbot < retry
・・・
148 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
root@ad7f41c5773c:/# certbot --version
certbot 0.23.0 < 0.22.0 or later, so this is fine
Requesting the certificate
root@ad7f41c5773c:/# certbot certonly --manual --preferred-challenges dns -d *.[your-domain] --server https://acme-v02.api.letsencrypt.org/directory
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): [your email address; expiry notices are sent here, so use one you actually read or you will regret it]
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: A
-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: Y
Starting new HTTPS connection (1): supporters.eff.org
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for [your domain is shown here]
-------------------------------------------------------------------------------
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.
Are you OK with your IP being logged?
-------------------------------------------------------------------------------
(Y)es/(N)o:
(Y)es/(N)o: Y
-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.[your domain is shown here] with the following value:
xxxxxxxxxxxxxxx-xxxxxxxxxxxxxxxxxxxxxxxxx-x
Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue < do not press Enter until the TXT record above has been added to your DNS.
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/[your-domain]/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/[your-domain]/privkey.pem
Your cert will expire on 2019-08-21. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
root@ad7f41c5773c:/# cd /etc/letsencrypt/live/
root@ad7f41c5773c:/etc/letsencrypt/live# ll
total 12
drwx------ 3 root root 4096 May 23 13:14 ./
drwxr-xr-x 9 root root 4096 May 23 13:14 ../
drwxr-xr-x 2 root root 4096 May 23 13:14 [your-domain]/
root@ad7f41c5773c:/etc/letsencrypt/live# cd [your-domain]/
root@ad7f41c5773c:/etc/letsencrypt/live/[your-domain]# ll
total 12
drwxr-xr-x 2 root root 4096 May 23 13:14 ./
drwx------ 3 root root 4096 May 23 13:14 ../
-rw-r--r-- 1 root root 543 May 23 13:14 README
lrwxrwxrwx 1 root root 39 May 23 13:14 cert.pem -> ../../archive/[your-domain]/cert1.pem
lrwxrwxrwx 1 root root 40 May 23 13:14 chain.pem -> ../../archive/[your-domain]/chain1.pem
lrwxrwxrwx 1 root root 44 May 23 13:14 fullchain.pem -> ../../archive/[your-domain]/fullchain1.pem
lrwxrwxrwx 1 root root 42 May 23 13:14 privkey.pem -> ../../archive/[your-domain]/privkey1.pem
The certificate is obtained in the usual way.
Registering the TXT record in Azure DNS
Nothing much to write about here. Once the record is registered, press Enter at "Press Enter to Continue".
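Certbot's prompt asks you to verify that the TXT record is deployed before pressing Enter. The following added example (not code from the original article) performs that check with only the Python standard library: it sends a raw DNS TXT query for _acme-challenge.<domain> to a public resolver and reports whether the value certbot printed is present. The resolver address 1.1.1.1, the domain example.com and the sample response bytes are assumptions constructed for this example; it also goes slightly beyond the article by parsing the DNS wire format itself rather than shelling out to dig.

```python
import random, socket, struct
def encode_name(name):
    # DNS wire format: length-prefixed labels terminated by a zero byte.
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"
def build_txt_query(name):
    # Standard query, recursion desired, one question of type TXT (16), class IN (1).
    txid = random.randrange(0, 65536)
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack(">HH", 16, 1), txid
def skip_name(msg, off):
    # Step past a name; a compression pointer (top two bits set) is two bytes and ends it.
    while msg[off] != 0:
        if (msg[off] & 0xC0) == 0xC0:
            return off + 2
        off += 1 + msg[off]
    return off + 1

def parse_txt_answers(msg, txid):
    # TXT strings from the answer section; reject a mismatched id or a non-zero RCODE.
    rid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if rid != txid or (flags & 0x000F) != 0:
        raise ValueError("transaction id mismatch or DNS error response")
    off, values = 12, []
    for _ in range(qd):
        off = skip_name(msg, off) + 4                      # skip QTYPE + QCLASS
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == 16:                                    # TXT: <len><chars> strings, joined
            i, parts = 0, []
            while i < len(rdata):
                parts.append(rdata[i + 1:i + 1 + rdata[i]].decode())
                i += 1 + rdata[i]
            values.append("".join(parts))
    return values

def challenge_deployed(domain, expected, resolver="1.1.1.1", timeout=3.0):
    # True once the resolver returns certbot's value for _acme-challenge.<domain> (assumed resolver).
    query, txid = build_txt_query("_acme-challenge." + domain)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (resolver, 53))
        msg, _ = s.recvfrom(4096)
    return expected in parse_txt_answers(msg, txid)

# Constructed sample response (not a real capture): id 0x1234, RD/RA flags, one question, one TXT answer
# whose owner name is a compression pointer back to offset 12. Lets the parser run offline.
SAMPLE_VALUE = "xxxxxxxxxxxxxxx-xxxxxxxxxxxxxxxxxxxxxxxxx-x"
SAMPLE_RESPONSE = (struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + encode_name("_acme-challenge.example.com")
                   + struct.pack(">HH", 16, 1) + b"\xc0\x0c" + struct.pack(">HHIH", 16, 1, 60, len(SAMPLE_VALUE) + 1)
                   + bytes([len(SAMPLE_VALUE)]) + SAMPLE_VALUE.encode())
```

Poll challenge_deployed("your-domain", value) until it returns True before pressing Enter; a resolver that has already cached an empty answer for the name will lag by up to the negative-cache TTL, so a resolver that has not seen the name yet (or the zone's own authoritative server) gives a faster signal.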
Registering in Rancher
Go to Infrastructure -> Certificates, choose Add Certificate, and save. If the contents are correct, the certificate becomes Active.
Registering with the load balancer
The registered certificate should now appear in the dropdown at the bottom of the load balancer edit screen. At this point I removed the settings for the certificates that had been obtained individually.
Verification
Excellent.
Thoughts
Until now I had been obtaining certificates via Nginx, but being able to do it quickly through a DNS change is a great help. The Rancher I configured this time is a development environment with many subdomains, so setting up SSL certificates had been tedious; the wildcard certificate was a nice fix.
Going forward
Reference
Original article: https://qiita.com/ysogabe/items/1ffc1d381b5770ab57a8