Checking the expiry date
[root@example ~]# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
Certificate Name: example
Serial Number: 49f082d83bf7403eed28e28a64879b024cb
Key Type: RSA
Domains: example
Expiry Date: 2021-10-20 10:26:46+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/example/fullchain.pem
Private Key Path: /etc/letsencrypt/live/example/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[root@example ~]#
The expiry date is shown on this line of the output:
Expiry Date: 2021-10-20 10:26:46+00:00 (VALID: 89 days)
Testing whether renewal works
certbot renew --dry-run
Run the renewal command with the --dry-run option; the certificate is not actually renewed.
[root@example ~]# certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/example.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Account registered.
Simulating renewal of an existing certificate for example
Performing the following challenges:
http-01 challenge for example
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/example/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all simulated renewals succeeded:
/etc/letsencrypt/live/example/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[root@example ~]#
Congratulations, all renewals succeeded
If this message appears (in a dry run it reads "all simulated renewals succeeded"), certbot is in a state where it can renew the Let's Encrypt certificate.
Test 1 with an extra option
--force-renew
Forces renewal regardless of the expiry date.
[root@example ~]#certbot renew --force-renew --dry-run --webroot-path /var/www/html --post-hook "systemctl reload nginx"
(output omitted)
Congratulations, all simulated renewals succeeded:
/etc/letsencrypt/live/example/fullchain.pem (success)
is displayed, so the test run succeeded.
Test 2 with an extra option
--deploy-hook
I want nginx to be reloaded only when the certificate was actually renewed. While the --dry-run option is still attached, the hook is skipped as an error instead of being executed.
[root@example ~] certbot renew --force-renew --dry-run --webroot-path /var/www/html --deploy-hook "systemctl reload nginx" >> /var/log/letsencrypt.log
(output omitted)
Congratulations, all simulated renewals succeeded:
/etc/letsencrypt/live/example/fullchain.pem (success)
Checking that cron is running
[root@example ~]# service crond status
Active: active (running)
This line shows that crond is running.
Configuring cron
Create a file named letsencrypt under /etc/cron.d and write the following command in it (without the --dry-run option used for the test runs).
For a run at 04:00 on the 29th of every month:
00 4 29 * * root certbot renew --force-renew --webroot-path /var/www/html --deploy-hook "systemctl reload nginx" >> /var/log/letsencrypt.log
[minute] [hour] [day] [month] [weekday] [user] [command]
Entries in /etc/cron.d require the user field (root here) between the schedule and the command; without it cron would treat "certbot" as the user name.
This renews the Let's Encrypt certificate at 04:00 on the 29th of every month,
reloads nginx only after certbot has finished renewing the certificate,
and appends the log to /var/log/letsencrypt.log.
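As an added example (not part of the original post), the script below checks the two things worth verifying before relying on the cron entry above: it parses the "VALID: N days" field of `certbot certificates` output to decide whether renewal is due within a threshold, and it rejects a /etc/cron.d line that still carries --dry-run, lacks the user field, or has no --deploy-hook. The certbot output and cron lines are constructed samples, and the function names are my own.

```shell
#!/bin/sh
# Constructed sample of `certbot certificates` output (not captured from a real host).
SAMPLE_CERTBOT_OUTPUT='Found the following certs:
  Certificate Name: example
    Domains: example
    Expiry Date: 2021-10-20 10:26:46+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/example/fullchain.pem'

# days_left NAME OUTPUT: prints the number from "VALID: N days" for certificate NAME.
days_left() {
    printf '%s\n' "$2" | awk -v name="$1" '
        /Certificate Name:/ { cur = $3 }
        cur == name && /VALID: [0-9]+ days/ {
            sub(/.*VALID: /, ""); sub(/ days.*/, ""); print; exit }'
}

# renewal_needed NAME OUTPUT THRESHOLD: succeeds when days left <= THRESHOLD.
renewal_needed() {
    d=$(days_left "$1" "$2")
    [ -n "$d" ] && [ "$d" -le "$3" ]
}

# cron_line_ok LINE USER: succeeds when a /etc/cron.d line has the five schedule
# fields, the mandatory user field equal to USER, no --dry-run, and a --deploy-hook.
cron_line_ok() {
    line=$1; want_user=$2
    case "$line" in *--dry-run*) return 1 ;; esac   # test flag must not reach cron
    set -f                                           # keep "*" fields from globbing
    set -- $line                                     # split into cron fields
    set +f
    [ "$#" -ge 7 ] || return 1                       # 5 schedule fields + user + command
    [ "$6" = "$want_user" ] || return 1              # user field is required in /etc/cron.d
    case "$line" in *--deploy-hook*) return 0 ;; *) return 1 ;; esac
}

# Constructed cron lines: the corrected entry, and two mistakes the post warns about.
GOOD_CRON='00 4 29 * * root certbot renew --force-renew --webroot-path /var/www/html --deploy-hook "systemctl reload nginx" >> /var/log/letsencrypt.log'
DRYRUN_CRON='00 4 29 * * root certbot renew --dry-run --deploy-hook "systemctl reload nginx"'
NOUSER_CRON='00 4 29 * * certbot renew --force-renew --deploy-hook "systemctl reload nginx"'

if renewal_needed example "$SAMPLE_CERTBOT_OUTPUT" 30; then
    echo "example: renewal due within 30 days"
else
    echo "example: $(days_left example "$SAMPLE_CERTBOT_OUTPUT") days left, no renewal needed yet"
fi
for l in "$GOOD_CRON" "$DRYRUN_CRON" "$NOUSER_CRON"; do
    if cron_line_ok "$l" root; then echo "OK : $l"; else echo "BAD: $l"; fi
done
```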
References
https://qiita.com/katsukii/items/d5f90a6e4592d1414f99
https://qiita.com/tmatsumot/items/aca49d99558d2646ef36#letsencrypt%E3%81%A3%E3%81%A6