Upgrading certbot (ACMEv2 support): enabling HTTPS and renewing an existing certificate
- Ubuntu 18.04.3 LTS
- nginx/1.14.0 (Ubuntu)
- certbot
  - before the upgrade: 0.23.0
  - after the upgrade: 0.31.0
1. Upgrading certbot (ACMEv2 support)
What is certbot?
A command-line tool for managing certificates.
Concretely, a convenient tool that can obtain, revoke, renew, etc. the free SSL certificates issued by Let's Encrypt.
It certifies the domain = DV (Domain Validation)
Why is the upgrade needed?
Beginning June 1, 2020, we will stop allowing new domains to validate using the ACMEv1 protocol. You should upgrade to an ACMEv2 compatible client before then, or certificate issuance will fail. For most people, simply upgrading to the latest version of will suffice.
Paraphrase: from 2020/06/01, DV (Domain Validation) over the ACMEv1 protocol is no longer possible, so upgrade to ACMEv2.
⇒ Upgrade the version, since otherwise new certificates can neither be obtained nor renewed
(1) Remove the certbot (letsencrypt) command
Before removing certbot, check the current version
certbot --version
certbot 0.23.0
Update certbot so that this changes to certbot 0.31.0.
sudo apt remove letsencrypt
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
certbot linux-gcp-headers-5.0.0-1025 linux-gcp-headers-5.0.0-1026 linux-gcp-headers-5.0.0-1029
linux-gcp-headers-5.0.0-1031 linux-gcp-headers-5.0.0-1033 linux-gcp-headers-5.0.0-1034 python-pyicu
python3-acme python3-certbot python3-configargparse python3-future python3-josepy python3-lib2to3
python3-mock python3-parsedatetime python3-pbr python3-rfc3339 python3-tz python3-zope.component
python3-zope.event python3-zope.hookable
Use 'sudo apt autoremove' to remove them.
The following packages will be REMOVED:
letsencrypt
0 upgraded, 0 newly installed, 1 to remove and 69 not upgraded.
After this operation, 13.3 kB disk space will be freed.
Do you want to continue? [Y/n] Y
Counting objects: 15, done.
Compressing objects: 100% (14/14), done.
Writing objects: 100% (15/15), 4.72 KiB | 2.36 MiB/s, done.
Total 15 (delta 5), reused 0 (delta 0)
remote: Resolving deltas: 100% (5/5), completed with 4 local objects.
To github.com:cdsl-research/jp-website-backup.git
8df08e0..fb4c6f2 master -> master
(Reading database ... 271035 files and directories currently installed.)
Removing letsencrypt (0.23.0-1) ...
sudo apt remove letsencrypt certbot
(added because the previous command did not remove certbot)
Reading package lists... Done
Building dependency tree
Reading state information... Done
Package 'letsencrypt' is not installed, so not removed
The following packages were automatically installed and are no longer required:
linux-gcp-headers-5.0.0-1025 linux-gcp-headers-5.0.0-1026 linux-gcp-headers-5.0.0-1029
linux-gcp-headers-5.0.0-1031 linux-gcp-headers-5.0.0-1033 linux-gcp-headers-5.0.0-1034 python-pyicu
python3-acme python3-certbot python3-configargparse python3-future python3-josepy python3-lib2to3
python3-mock python3-parsedatetime python3-pbr python3-rfc3339 python3-tz python3-zope.component
python3-zope.event python3-zope.hookable
Use 'sudo apt autoremove' to remove them.
The following packages will be REMOVED:
certbot
0 upgraded, 0 newly installed, 1 to remove and 68 not upgraded.
After this operation, 52.2 kB disk space will be freed.
Do you want to continue? [Y/n] Y
(Reading database ... 271032 files and directories currently installed.)
Removing certbot (0.23.0-1) ...
Processing triggers for man-db (2.8.3-2ubuntu0.1) ...
Counting objects: 5, done.
Compressing objects: 100% (4/4), done.
Writing objects: 100% (5/5), 459 bytes | 459.00 KiB/s, done.
Total 5 (delta 3), reused 0 (delta 0)
remote: Resolving deltas: 100% (3/3), completed with 3 local objects.
To github.com:cdsl-research/jp-website-backup.git
fb4c6f2..56d60e5 master -> master
(2) Install the new certbot
https://certbot.eff.org/lets-encrypt/ubuntubionic-other
Add the Certbot PPA as described on the site above
PPA (= Personal Package Archive)
sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository universe
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
Install Certbot
sudo apt-get install certbot python3-certbot-nginx
Check the current certbot version
certbot --version
certbot 0.31.0
Once certbot reports certbot 0.31.0, the update is complete.
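Two checks worth running once the upgrade is done, as an added example that is not part of the original post: that the installed certbot is at least 0.31.0, and that the renewal configs under /etc/letsencrypt/renewal/ do not still name the ACMEv1 directory. The ACMEv1/ACMEv2 host names, the "server = ..." line in the renewal configs and the claim that certbot 0.31 leaves that line alone are assumptions, not something the post states.

```shell
#!/bin/sh
# Post-upgrade checks (added example, not from the original post).
# 1) Is the installed certbot at least the version the upgrade aims for?
# 2) Do the renewal configs still point at the ACMEv1 directory?
# Assumptions: Let's Encrypt's ACMEv1 directory is on acme-v01.api.letsencrypt.org,
# and each /etc/letsencrypt/renewal/<name>.conf carries a "server = <directory URL>"
# line that certbot 0.31 does not rewrite by itself.
MIN_VERSION="0.31.0"                       # the version this post upgrades to
ACMEV1_HOST="acme-v01.api.letsencrypt.org"

# version_ge A B : exit 0 when dotted version A >= B, compared field by field
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}
# certbot_version_ok : parse "certbot 0.31.0" from certbot --version (older
# releases print it on stderr, hence 2>&1) and compare against MIN_VERSION
certbot_version_ok() {
    ver=$(certbot --version 2>&1 | awk '/^certbot/ {print $2}')
    [ -n "$ver" ] && version_ge "$ver" "$MIN_VERSION"
}
# acme_server_of CONF : print the directory URL from the "server = ..." line
acme_server_of() {
    awk -F' *= *' '/^ *server *=/ {print $2; exit}' "$1"
}
# uses_acmev1 CONF : exit 0 when the renewal config still names the ACMEv1 directory
uses_acmev1() {
    case "$(acme_server_of "$1")" in
        *"$ACMEV1_HOST"*) return 0 ;;
        *) return 1 ;;
    esac
}
# report_renewal_configs [DIR] : one line per renewal config, flagging ACMEv1 ones
report_renewal_configs() {
    for conf in "${1:-/etc/letsencrypt/renewal}"/*.conf; do
        [ -e "$conf" ] || continue
        if uses_acmev1 "$conf"; then echo "ACMEv1  $conf  $(acme_server_of "$conf")"
        else                         echo "ok      $conf  $(acme_server_of "$conf")"
        fi
    done
}
if [ "${1:-}" = "--run" ]; then            # ./check.sh --run on the upgraded host
    certbot_version_ok && echo "certbot >= $MIN_VERSION" || echo "certbot older than $MIN_VERSION"
    report_renewal_configs
fi
```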
2. Enabling HTTPS for rudder.tak-cslab.org and renewing the existing certificate for ja.tak-cslab.org
(1) New issuance (enabling HTTPS)
Obtain the new HTTPS setup with the command below
sudo certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: ja.tak-cslab.org
2: rudder.tak-cslab.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1 2
Select both 1 and 2, since HTTPS is to be enabled for both
(Both are activated, but strictly speaking 1, ja.tak-cslab.org, is a renewal and 2, rudder.tak-cslab.org, is a new issuance)
(2) Renewing the existing certificate
Since 1, ja.tak-cslab.org, is a renewal, the existing certificate is expanded into the new certificate.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/ja.tak-cslab.org.conf)
It contains these names: ja.tak-cslab.org
You requested these names for the new certificate: ja.tak-cslab.org,
rudder.tak-cslab.org.
Do you want to expand and replace this existing certificate with the new
certificate?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(E)xpand/(C)ancel: E
Choose Expand.
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for ja.tak-cslab.org
http-01 challenge for rudder.tak-cslab.org
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/conf.d/wp.conf
Deploying Certificate to VirtualHost /etc/nginx/conf.d/rudder.conf
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting all traffic on port 80 to ssl in /etc/nginx/conf.d/wp.conf
Redirecting all traffic on port 80 to ssl in /etc/nginx/conf.d/rudder.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Your existing certificate has been successfully renewed, and the new certificate
has been installed.
The new certificate covers the following domains: https://ja.tak-cslab.org and
https://rudder.tak-cslab.org
You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=ja.tak-cslab.org
https://www.ssllabs.com/ssltest/analyze.html?d=rudder.tak-cslab.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/ja.tak-cslab.org/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/ja.tak-cslab.org/privkey.pem
Your cert will expire on 2020-09-01. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
(3) Checking the certificate
https://ja.tak-cslab.org
https://rudder.tak-cslab.org
Check the certificate on both sites.
Procedure: GlobalSign Japan's guide to viewing a site's certificate in the browser (jp.globalsign.com)
Open the URL above and click the key icon in the address bar.
Click "Secure connection".
Click "Show details".
Click "View security certificate".
The certificate is then displayed; check it.
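The same check from the command line instead of the browser, as an added example that is not part of the original post: fetch the certificate each host serves with openssl and confirm its subjectAltName list covers that host, i.e. that the expanded certificate really carries both names. It assumes openssl 1.1.1 or later (for "x509 -ext") and that both hosts answer on port 443.

```shell
#!/bin/sh
# Scriptable version of the browser check in step (3) (added example, not from the
# original post): pull the certificate each site serves and confirm its
# subjectAltName list contains the host, so the expanded certificate is known to
# cover both ja.tak-cslab.org and rudder.tak-cslab.org.
# Assumes openssl >= 1.1.1 (for "x509 -ext") and that the hosts answer on :443.

# san_covers HOST SAN_TEXT : exit 0 when the "DNS:a, DNS:b" list in SAN_TEXT covers
# HOST, either exactly or via a one-level wildcard such as *.tak-cslab.org
san_covers() {
    host=$1
    set -f                                   # SAN entries may contain '*': no globbing
    for entry in $(printf '%s' "$2" | tr ',' ' '); do
        name=${entry#DNS:}
        if [ "$name" = "$host" ]; then set +f; return 0; fi
        case "$name" in
            \*.*) if [ "${host#*.}" != "$host" ] && [ "${host#*.}" = "${name#\*.}" ]; then
                      set +f; return 0
                  fi ;;
        esac
    done
    set +f
    return 1
}

# served_sans HOST : the SAN line of the certificate HOST presents for SNI=HOST on :443
served_sans() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -ext subjectAltName 2>/dev/null | sed -n '2p'
}

# check_site HOST : print an OK/FAIL line; exit status 1 on failure so it can drive a monitor
check_site() {
    sans=$(served_sans "$1")
    if san_covers "$1" "$sans"; then
        echo "OK   $1 is covered:$sans"
    else
        echo "FAIL $1 is not covered: ${sans:-no certificate received}"; return 1
    fi
}

if [ "${1:-}" = "--run" ]; then              # ./check_sites.sh --run
    for h in ja.tak-cslab.org rudder.tak-cslab.org; do check_site "$h"; done
fi
```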
About certbot's automatic renewal
certbot installs a cron job that renews certificates automatically before they expire, so certbot does not have to be run again by hand.
The renewal command is installed in one of the following places:
/etc/crontab/
/etc/cron.*/*
systemctl list-timers
Here the renewal command is installed in /etc/cron.d/certbot.
/etc/cron.d/certbot
# /etc/cron.d/certbot: crontab entries for the certbot package
#
# Upstream recommends attempting renewal twice a day
#
# Eventually, this will be an opportunity to validate certificates
# haven't been revoked, etc. Renewal will only occur if expiration
# is within 30 days.
#
# Important Note! This cronjob will NOT be executed if you are
# running systemd as your init system. If you are running systemd,
# the cronjob.timer function takes precedence over this cronjob. For
# more details, see the systemd.timer manpage, or use systemctl show
# certbot.timer.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew
=> Configured so that a renewal attempt runs every 12 hours (at 0:00 and 12:00)
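To see which of the locations listed above actually does the renewing on this host, here is an added example (not from the original post) that re-implements the guard in the cron line and summarises its schedule. The systemd unit name certbot.timer is taken from the file's own comment; everything else is plain shell.

```shell
#!/bin/sh
# Which mechanism really runs "certbot renew" on this host? (added example, not from
# the original post). It re-implements the guard from the /etc/cron.d/certbot line:
# the job only proceeds when /usr/bin/certbot is executable AND /run/systemd/system
# does not exist. Ubuntu 18.04 boots with systemd, so on this host the cron entry is
# a no-op and the package's systemd timer (certbot.timer, per the file's comment)
# performs the renewals.

# renewal_mechanism [SYSTEMD_DIR] [CERTBOT_BIN] : print systemd-timer, cron or none
renewal_mechanism() {
    systemd_dir=${1:-/run/systemd/system}
    certbot_bin=${2:-/usr/bin/certbot}
    if [ ! -x "$certbot_bin" ]; then          # cron guard: test -x /usr/bin/certbot
        echo none
    elif [ -d "$systemd_dir" ]; then          # cron guard: \! -d /run/systemd/system
        echo systemd-timer
    else
        echo cron
    fi
}

# cron_renewal_summary LINE : pull the schedule and the random pre-sleep out of the
# cron line. With rand(43200) the sleep is up to 12 h, so an attempt lands at a random
# moment inside each 12-hour slot rather than exactly at 0:00 and 12:00.
cron_renewal_summary() {
    fields=$(printf '%s\n' "$1" | awk '{print $1, $2, $3, $4, $5}')
    delay=$(printf '%s\n' "$1" | sed -n 's/.*rand(\([0-9][0-9]*\)).*/\1/p')
    echo "schedule='$fields' max_random_delay_s=${delay:-0}"
}

# show_renewal_status : print what the active mechanism is going to do next
show_renewal_status() {
    case "$(renewal_mechanism)" in
        systemd-timer) systemctl list-timers certbot.timer --no-pager ;;
        cron)          grep -v '^#' /etc/cron.d/certbot | grep certbot ;;
        none)          echo "certbot is not installed at /usr/bin/certbot" ;;
    esac
}

if [ "${1:-}" = "--run" ]; then              # ./renewal_status.sh --run
    echo "renewal mechanism: $(renewal_mechanism)"
    show_renewal_status
fi
```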
Reference
Original article: https://qiita.com/yoshi_mf7/items/ab40ee2e0ff05da60f69