
Installing an SSL server certificate on a Lightsail instance

Posted at 2025-01-20
lightsail

With the bncert-tool built into Lightsail's Bitnami instances, you get a one-stop flow from requesting a Let's Encrypt certificate through installing it, and it also renews the certificate automatically on the standard validity period (90 days).

Initial creation

Setting up an SSL certificate (Let's Encrypt) on Bitnami Redmine

The /opt/bitnami/bncert-tool tool walks you through creating the certificate with an interactive dialog.

```sh
##############################################
# Start the dialog
##############################################
sudo /opt/bitnami/bncert-tool

##############################################
# Prompt shown when an update to the tool is available
##############################################
An updated version is available. Would you like to download it? You would need to run it manually later. [Y/n]: Y

----------------------------------------------------------------------------
Welcome to the Bitnami HTTPS Configuration tool.
----------------------------------------------------------------------------

##############################################
# Specify the target domains; separate multiple domains with spaces
# bncert-tool does not support wildcards
##############################################

Domains

Please provide a valid space-separated list of domains for which you wish to 
configure your web server.

Domain list []:hoge.com www.hoge.com

##############################################
# Shown if a certificate for the same domain names is already installed; just continue
##############################################
Warning: A certificate for the list of domains you entered already exists. It 
will be used instead of generating a new one.
Press [Enter] to continue:

##############################################
# It warns that there is no www domain so the redirect cannot be set up; if you don't need it, just continue
##############################################
Warning: No www domains (e.g. www.example.com) or non-www domains (e.g. 
www.example.com) have been provided, so the following redirections will be 
disabled: non-www to www, www to non-www.
Press [Enter] to continue:
----------------------------------------------------------------------------

##############################################
# Enable HTTP => HTTPS redirection
##############################################

Enable/disable redirections

Please select the redirections you wish to enable or disable on your Bitnami 
installation.

Enable HTTP to HTTPS redirection [Y/n]: Y
----------------------------------------------------------------------------

##############################################
# It spells out the installation steps it will run in the background:
# 	stop the web server
# 	renew the certificate
# 	register the renewal schedule in cron
# 	redirect HTTP requests for the registered domains to HTTPS
# 	start the web server
##############################################

Changes to perform

The following changes will be performed to your Bitnami installation:

1. Stop web server
2. Configure web server to use an existing Lets Encrypt certificate and renew: 
/opt/bitnami/letsencrypt/certificates/tomon-wp.musicsecurities.com.crt
3. Configure a cron job to automatically renew the certificate each month
4. Configure web server name to: tomon-wp.musicsecurities.com
5. Enable HTTP to HTTPS redirection (example: redirect 
http://tomon-wp.musicsecurities.com to https://tomon-wp.musicsecurities.com)
6. Start web server once all changes have been performed

Do you agree to these changes? [Y/n]: Y
----------------------------------------------------------------------------

##############################################
# Confirms the settings and asks you to accept the subscriber agreement
##############################################

Create a free HTTPS certificate with Let's Encrypt

Please provide a valid e-mail address for which to associate your Let's Encrypt 
certificate.

Domain list: hoge.com www.hoge.com

Server name: hoge.com www.hoge.com

E-mail address []: test@hoge.com

The Let's Encrypt Subscriber Agreement can be found at:

https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf

Do you agree to the Let's Encrypt Subscriber Agreement? [Y/n]: Y


----------------------------------------------------------------------------
Performing changes to your installation

The Bitnami HTTPS Configuration Tool will perform any necessary actions to your 
Bitnami installation. This may take some time, please be patient.
----------------------------------------------------------------------------
Success

The Bitnami HTTPS Configuration Tool succeeded in modifying your installation.

The configuration report is shown below.

Backup files:
* /opt/bitnami/apache/conf/httpd.conf.back.202211241742
* /opt/bitnami/apache/conf/bitnami/bitnami.conf.back.202211241742
* /opt/bitnami/apache/conf/bitnami/bitnami-ssl.conf.back.202211241742
* /opt/bitnami/apache/conf/vhosts/wordpress-https-vhost.conf.back.202211241742
* /opt/bitnami/apache/conf/vhosts/wordpress-vhost.conf.back.202211241742

Find more details in the log file:

/tmp/bncert-202211241742.log

If you find any issues, please check Bitnami Support forums at:

https://github.com/bitnami/vms

Press [Enter] to continue:
```

You can check the list of valid certificates with the lego command.

```sh
sudo /opt/bitnami/letsencrypt/lego --path /opt/bitnami/letsencrypt list
Found the following certs:
  Certificate Name: hoge.jp
    Domains: hoge.jp, www.hoge.jp
    Expiry Date: 2024-05-13 14:27:55 +0000 UTC
    Certificate Path: /opt/bitnami/letsencrypt/certificates/hoge.jp.crt
```

crontab

```crontab
50 3 * * * sudo /opt/bitnami/letsencrypt/lego --path /opt/bitnami/letsencrypt --email="test@hoge.com" --http --http-timeout 30 --http.webroot /opt/bitnami/apps/letsencrypt --domains=hoge.com --domains=www.hoge.com --user-agent bitnami-bncert/1.0.0 renew && sudo /opt/bitnami/apache/bin/httpd -f /opt/bitnami/apache/conf/httpd.conf -k graceful # bncert-autorenew
```

Auto-renewal isn't working

I was sure I had set up auto-renewal in crontab, yet an expiry reminder email arrived from the Let's Encrypt Expiry Bot.

Hello,

Your certificate (or certificates) for the names listed below will expire in 19 days (on 2024-02-29). Please make sure to renew your certificate before then, or visitors to your web site will encounter errors.

We recommend renewing certificates automatically when they have a third of their total lifetime left. For Let's Encrypt's current 90-day certificates, that means renewing 30 days before expiration. See https://letsencrypt.org/docs/integration-guide/ for details.

hoge.jp
www.hoge.jp

For details about when we send these emails, please visit: https://letsencrypt.org/docs/expiration-emails/ In particular, note that this reminder email is still sent if you've obtained a slightly different certificate by adding or removing names. If you've replaced this certificate with a newer one that covers more or fewer names than the list above, you may be able to ignore this message.

For any questions or support, please visit: https://community.letsencrypt.org/ Unfortunately, we can't provide support by email.

To learn more about the latest technical and organizational updates from Let's Encrypt, sign up for our newsletter: https://letsencrypt.org/opt-in/

If you are receiving this email in error, unsubscribe at:
  http://delivery.letsencrypt.org/track/unsub.php?u=30850198&id=5e5be6988e3c420d8c7aac87504171d2.S7DjHBHYLMMrczOlcrO3VqAyMvw%3D&r=https%3A%2F%2Fmandrillapp.com%2Funsub%3Fmd_email%3Dc%252A%252A%252A%252A%2540m%252A%252A%252A%252A.%252A%252A%252A
Please note that this would also unsubscribe you from other Let's Encrypt service notices, including expiration reminders for any other certificates.

Regards,
The Let's Encrypt Team

Running the lego renew command from crontab directly by hand, it replies that it knows no account called test@fuga.com (placeholder).

```sh
sudo /opt/bitnami/letsencrypt/lego --path /opt/bitnami/letsencrypt --email="test@fuga.com" --http --http-timeout 30 --http.webroot /opt/bitnami/apps/letsencrypt --domains=hoge.com --domains=www.hoge.com --user-agent bitnami-bncert/1.0.0 renew && sudo /opt/bitnami/apache/bin/httpd -f /opt/bitnami/apache/conf/httpd.conf -k graceful

> It produced this output: Account “test@fuga.com” is not registered. Use 'run' to register a new account.
```

Then I remembered that the --email in the crontab renew command, which was originally the address subscribed at initial creation, was something I had edited by hand. So I register a new account with the run option.
Renewing the SSL certificate (Let's Encrypt) for WordPress on AWS Lightsail

```sh
sudo /opt/bitnami/letsencrypt/lego --tls --email="test@fuga.com" --domains="hoge.jp" --domains="www.hoge.jp" --path="/opt/bitnami/letsencrypt" run
```

That fails with an error complaining that port 443 is already in use.

```
[hoge.jp] [hoge.jp] acme: error presenting token: could not start HTTPS server for challenge: listen tcp :443: bind: address already in use
[www.hoge.jp] [www.hoge.jp] acme: error presenting token: could not start HTTPS server for challenge: listen tcp :443: bind: address already in use
```

443: bind: address already in use Err, for subsite of WP Multisite · Issue #833 · go-acme/lego

Running the crontab lego renew command once more, the account error was gone this time and the certificate renewal succeeded. The run command had apparently already completed the switch to the new email address.
I don't fully understand it, but the renew option probably serves as the trigger for the Apache restart and the rest of the renewal operations.

```sh
sudo /opt/bitnami/letsencrypt/lego --path /opt/bitnami/letsencrypt --email="test@fuga.com" --http --http-timeout 30 --http.webroot /opt/bitnami/apps/letsencrypt --domains=hoge.com --domains=www.hoge.com --user-agent bitnami-bncert/1.0.0 renew && sudo /opt/bitnami/apache/bin/httpd -f /opt/bitnami/apache/conf/httpd.conf -k graceful
```
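The two things that went wrong above (the cron job silently failing because its --email was not a registered lego account, and the expiry only being noticed when the reminder email arrived) can both be caught before cron fires. The following pre-flight check is an added example, not code from the article, Bitnami or lego: it parses the `lego ... list` output, flags certificates inside the 30-day renewal window the Let's Encrypt reminder recommends, and confirms that the crontab command's --email and --domains line up with what lego actually has on disk. It assumes lego stores registered accounts as `<path>/accounts/<ca-host>/<email>/account.json` (an assumption; check your own install), and all inputs are constructed samples using the hoge.jp placeholder throughout.

```python
"""Pre-flight check for the bncert-autorenew cron job (added example, not code from
the article, Bitnami or lego). Parses `lego ... list`, flags certificates inside the
30-day window Let's Encrypt recommends renewing in, and verifies that the cron
command's --email is an account lego has registered. Assumed (unverified) account
layout: <path>/accounts/<ca-host>/<email>/account.json. All inputs are constructed."""
import json
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed sample of `sudo /opt/bitnami/letsencrypt/lego --path /opt/bitnami/letsencrypt list`
LEGO_LIST_OUTPUT = """Found the following certs:
  Certificate Name: hoge.jp
    Domains: hoge.jp, www.hoge.jp
    Expiry Date: 2024-05-13 14:27:55 +0000 UTC
    Certificate Path: /opt/bitnami/letsencrypt/certificates/hoge.jp.crt
"""
# Constructed sample of the bncert-autorenew crontab line, with --email hand-edited to
# an address that was never registered with lego (the failure mode described above)
CRON_LINE = (
    '50 3 * * * sudo /opt/bitnami/letsencrypt/lego --path /opt/bitnami/letsencrypt '
    '--email="test@fuga.com" --http --http-timeout 30 --http.webroot /opt/bitnami/apps/letsencrypt '
    '--domains=hoge.jp --domains=www.hoge.jp --user-agent bitnami-bncert/1.0.0 renew '
    '&& sudo /opt/bitnami/apache/bin/httpd -f /opt/bitnami/apache/conf/httpd.conf -k graceful '
    '# bncert-autorenew'
)
RENEW_WINDOW_DAYS = 30  # a third of the 90-day lifetime, as the Let's Encrypt reminder advises

def utc_date(day):
    """'YYYY-MM-DD' -> aware UTC datetime, so the checks are deterministic."""
    return datetime.strptime(day, "%Y-%m-%d").replace(tzinfo=timezone.utc)

def parse_lego_list(text):
    """lego `list` output -> [{'name', 'domains', 'expiry'}]."""
    certs, current = [], None
    for raw in text.splitlines():
        key, _, value = raw.strip().partition(":")
        value = value.strip()
        if key == "Certificate Name":
            current = {"name": value}
            certs.append(current)
        elif current is None:
            continue
        elif key == "Domains":
            current["domains"] = [d.strip() for d in value.split(",")]
        elif key == "Expiry Date":  # lego prints e.g. "2024-05-13 14:27:55 +0000 UTC"
            current["expiry"] = datetime.strptime(value, "%Y-%m-%d %H:%M:%S %z UTC")
    return certs

def days_until_expiry(cert, now):
    return (cert["expiry"] - now).days

def certs_needing_renewal(certs, now, window_days=RENEW_WINDOW_DAYS):
    """Names of the certificates that should be renewed now."""
    return [c["name"] for c in certs if days_until_expiry(c, now) <= window_days]

def parse_cron_renew_command(line):
    """--email, --path and --domains from the lego part of the cron line (--k=v or --k v)."""
    lego_part = line.split("#", 1)[0].split("&&", 1)[0]  # drop the comment and the httpd restart
    info = {"email": None, "path": None, "domains": []}
    for key, value in re.findall(r'--(email|path|domains)[= ]"?([^\s"]+)"?', lego_part):
        if key == "domains":
            info["domains"].append(value)
        else:
            info[key] = value
    return info

def registered_accounts(lego_path):
    """Emails that have an account.json under the assumed lego account layout."""
    return {p.parent.name for p in (Path(lego_path) / "accounts").glob("*/*/account.json")}

def make_sample_lego_dir(emails):
    """Throwaway directory mimicking that layout, for the demo run and the tests."""
    base = Path(tempfile.mkdtemp(prefix="lego-demo-"))
    for email in emails:
        acct = base / "accounts" / "acme-v02.api.letsencrypt.org" / email
        acct.mkdir(parents=True)
        (acct / "account.json").write_text(json.dumps({"email": email}))
    return str(base)

def preflight(list_output, cron_line, lego_path, now):
    """Problems found; an empty list means the cron renewal should succeed."""
    certs = parse_lego_list(list_output)
    cron = parse_cron_renew_command(cron_line)
    problems = [f"{n}: within {RENEW_WINDOW_DAYS} days of expiry, renew now"
                for n in certs_needing_renewal(certs, now)]
    accounts = registered_accounts(lego_path)
    if cron["email"] not in accounts:
        problems.append(f"cron --email {cron['email']!r} is not a registered lego account "
                        f"(registered: {sorted(accounts)}); run `lego ... run` with it first")
    for c in certs:
        if set(c["domains"]) != set(cron["domains"]):
            problems.append(f"{c['name']}: cron domains {cron['domains']} != cert domains {c['domains']}")
    return problems

if __name__ == "__main__":  # demo: the registered account is the one from the first bncert run
    for p in preflight(LEGO_LIST_OUTPUT, CRON_LINE, make_sample_lego_dir(["test@hoge.com"]),
                       datetime.now(timezone.utc)):
        print("PROBLEM:", p)
```

On a real host you would feed `preflight` the live `lego ... list` output, the bncert-autorenew line from `crontab -l`, and `/opt/bitnami/letsencrypt` as the path, and wire it to whatever alerting you already have; catching the account mismatch this way means you do not depend on the expiry reminder email, which only arrives once the cron job has already been failing for two months.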