Automating Let's Encrypt Certificate Renewal (cron)


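Use cron to run the certbot renew command, which renews Let's Encrypt certificates, on a regular schedule.

Simulate before configuring cron

Run as a simulation

Specify the --dry-run option to verify that the invocation is correct without actually renewing the certificate.

Because --dry-run does not actually renew the certificate, keep the option on until you have finished verifying the invocation.

# certbot renew --dry-run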
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/www.****.jp.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.****.jp.conf
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/www.****.jp.conf/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 (omitted)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/www.****.jp.conf/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.

Minimal configuration

# crontab -e

Entry: run at 3:00 AM on the 1st of every month

0 3 1 * * /usr/bin/certbot renew

Specify where standard output and standard error are written

0 3 1 * * /usr/bin/certbot renew >> /var/log/******/certbot_renew.log 2>&1
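
The crontab line above appends certbot's output to a log, but a failed run leaves no timestamp and no alert, and on a monthly schedule it is not retried until the following month. The wrapper below is an added example, not part of the original page: it timestamps each run, records the exit status and writes to stderr on failure so that cron can mail it. The script name, its install path, the log path and the CERTBOT/LOG_FILE overrides are assumptions.

```shell
#!/bin/sh
# Added example: cron wrapper around "certbot renew".
# Assumed crontab entry (script path is hypothetical):
#   MAILTO=root
#   0 3 1 * * /usr/local/sbin/certbot-renew-cron.sh

# Same certbot path as the crontab entries on this page; overridable for testing.
CERTBOT="${CERTBOT:-/usr/bin/certbot}"
# Assumed log path (the page masks its own directory name).
LOG_FILE="${LOG_FILE:-/var/log/certbot_renew.log}"

# Append one timestamped line to the log.
log() {
    printf '%s %s\n' "$(date '+%Y-%m-%dT%H:%M:%S%z')" "$*" >> "$LOG_FILE"
}

# Run "certbot renew" with any extra arguments (for example --dry-run),
# capture stdout and stderr in the log, and return certbot's exit status.
run_renew() {
    log "START $CERTBOT renew $*"
    if "$CERTBOT" renew "$@" >> "$LOG_FILE" 2>&1; then
        rc=0
    else
        rc=$?
    fi
    if [ "$rc" -eq 0 ]; then
        log "OK renew finished"
    else
        log "FAILED renew exit=$rc"
        # cron mails anything a job prints when MAILTO is set,
        # so this line turns a silent failure into a notification.
        echo "certbot renew failed (exit $rc), see $LOG_FILE" >&2
    fi
    return "$rc"
}

# Execute only when the file is invoked under its (assumed) script name.
case "${0##*/}" in
    certbot-renew-cron.sh) run_renew "$@"; exit $? ;;
esac
```

Running the script by hand with --dry-run first exercises the wrapper the same way the simulation step earlier on this page exercises certbot itself.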
