Installing a server certificate with bncert-tool

SSL certificate renewal

Enabling HTTPS on a WordPress instance in Amazon Lightsail | Lightsail documentation
Notes on setting up SSL and auto-renewal for Lightsail wordpress bitnami | gworks web site



The bncert tool on Bitnami instances in Amazon Lightsail is a handy tool: it takes you from obtaining a server certificate from Let's Encrypt through installing it in one stop, and it even sets up the renewal job for you.

Initial creation

Installing an SSL certificate (Let's Encrypt) on bitnami redmine



The /opt/bitnami/bncert-tool tool walks you through certificate creation with a dialog.


##############################################
# Start the dialog
##############################################
sudo /opt/bitnami/bncert-tool

##############################################
# Guidance shown when an update of the tool is available
##############################################
An updated version is available. Would you like to download it? You would need to run it manually later. [Y/n]: Y

----------------------------------------------------------------------------
Welcome to the Bitnami HTTPS Configuration tool.
----------------------------------------------------------------------------

##############################################
# Specify the target domains; list multiple domains separated by spaces
# bncert-tool does not support wildcard certificates
##############################################

Domains

Please provide a valid space-separated list of domains for which you wish to 
configure your web server.

Domain list []:hoge.com www.hoge.com

##############################################
# Shown when a certificate for the same domain names is already installed; just carry on
##############################################
Warning: A certificate for the list of domains you entered already exists. It 
will be used instead of generating a new one.
Press [Enter] to continue:

##############################################
# It warns that there is no www domain so it cannot redirect; if you don't need that, just carry on
##############################################
Warning: No www domains (e.g. www.example.com) or non-www domains (e.g. 
www.example.com) have been provided, so the following redirections will be 
disabled: non-www to www, www to non-www.
Press [Enter] to continue:
----------------------------------------------------------------------------

##############################################
# Redirect HTTP => HTTPS
##############################################

Enable/disable redirections

Please select the redirections you wish to enable or disable on your Bitnami 
installation.

Enable HTTP to HTTPS redirection [Y/n]: Y
----------------------------------------------------------------------------

##############################################
# It spells out the installation steps that run in the background
# 	Stop the web server
# 	Renew the certificate
# 	Register the renewal schedule in cron
# 	Redirect http requests for the registered domains to https
# 	Start the web server
##############################################

Changes to perform

The following changes will be performed to your Bitnami installation:

1. Stop web server
2. Configure web server to use an existing Lets Encrypt certificate and renew: 
/opt/bitnami/letsencrypt/certificates/tomon-wp.musicsecurities.com.crt
3. Configure a cron job to automatically renew the certificate each month
4. Configure web server name to: tomon-wp.musicsecurities.com
5. Enable HTTP to HTTPS redirection (example: redirect 
http://tomon-wp.musicsecurities.com to https://tomon-wp.musicsecurities.com)
6. Start web server once all changes have been performed

Do you agree to these changes? [Y/n]: Y
----------------------------------------------------------------------------

##############################################
# Asks you to confirm the settings and to agree to the Subscriber Agreement
##############################################

Create a free HTTPS certificate with Let's Encrypt

Please provide a valid e-mail address for which to associate your Let's Encrypt 
certificate.

Domain list: hoge.com www.hoge.com

Server name: hoge.com www.hoge.com

E-mail address []: test@hoge.com

The Let's Encrypt Subscriber Agreement can be found at:

https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf

Do you agree to the Let's Encrypt Subscriber Agreement? [Y/n]: Y


----------------------------------------------------------------------------
Performing changes to your installation

The Bitnami HTTPS Configuration Tool will perform any necessary actions to your 
Bitnami installation. This may take some time, please be patient.
----------------------------------------------------------------------------
Success

The Bitnami HTTPS Configuration Tool succeeded in modifying your installation.

The configuration report is shown below.

Backup files:
* /opt/bitnami/apache/conf/httpd.conf.back.202211241742
* /opt/bitnami/apache/conf/bitnami/bitnami.conf.back.202211241742
* /opt/bitnami/apache/conf/bitnami/bitnami-ssl.conf.back.202211241742
* /opt/bitnami/apache/conf/vhosts/wordpress-https-vhost.conf.back.202211241742
* /opt/bitnami/apache/conf/vhosts/wordpress-vhost.conf.back.202211241742

Find more details in the log file:

/tmp/bncert-202211241742.log

If you find any issues, please check Bitnami Support forums at:

https://github.com/bitnami/vms

Press [Enter] to continue:

The lego command lets you list the currently valid certificates.


sudo /opt/bitnami/letsencrypt/lego --path /opt/bitnami/letsencrypt list
Found the following certs:
  Certificate Name: hoge.jp
    Domains: hoge.jp, www.hoge.jp
    Expiry Date: 2024-05-13 14:27:55 +0000 UTC
    Certificate Path: /opt/bitnami/letsencrypt/certificates/hoge.jp.crt

crontab



  • Once the initial creation completes, a lego renewal command is registered in crontab, so renewal is automatic from then on
  • For multiple domains, specify the --domains option multiple times

[SSL] How to issue a Let's Encrypt certificate for two or more domains


50 3 * * * sudo /opt/bitnami/letsencrypt/lego --path /opt/bitnami/letsencrypt --email="test@hoge.com" --http --http-timeout 30 --http.webroot /opt/bitnami/apps/letsencrypt --domains=hoge.com --domains=www.hoge.com --user-agent bitnami-bncert/1.0.0 renew && sudo /opt/bitnami/apache/bin/httpd -f /opt/bitnami/apache/conf/httpd.conf -k graceful # bncert-autorenew

Auto-renewal is not working



Auto-renewal was supposed to be set up in crontab, yet an expiry reminder mail arrived from the Let's Encrypt Expiry Bot.


Hello,

Your certificate (or certificates) for the names listed below will expire in 19 days (on 2024-02-29). Please make sure to renew your certificate before then, or visitors to your web site will encounter errors.

We recommend renewing certificates automatically when they have a third of their total lifetime left. For Let's Encrypt's current 90-day certificates, that means renewing 30 days before expiration. See https://letsencrypt.org/docs/integration-guide/ for details.

hoge.jp
www.hoge.jp

For details about when we send these emails, please visit: https://letsencrypt.org/docs/expiration-emails/ In particular, note that this reminder email is still sent if you've obtained a slightly different certificate by adding or removing names. If you've replaced this certificate with a newer one that covers more or fewer names than the list above, you may be able to ignore this message.

For any questions or support, please visit: https://community.letsencrypt.org/ Unfortunately, we can't provide support by email.

To learn more about the latest technical and organizational updates from Let's Encrypt, sign up for our newsletter: https://letsencrypt.org/opt-in/

If you are receiving this email in error, unsubscribe at:
  http://delivery.letsencrypt.org/track/unsub.php?u=30850198&id=5e5be6988e3c420d8c7aac87504171d2.S7DjHBHYLMMrczOlcrO3VqAyMvw%3D&r=https%3A%2F%2Fmandrillapp.com%2Funsub%3Fmd_email%3Dc%252A%252A%252A%252A%2540m%252A%252A%252A%252A.%252A%252A%252A
Please note that this would also unsubscribe you from other Let's Encrypt service notices, including expiration reminders for any other certificates.

Regards,
The Let's Encrypt Team

Running the lego renewal command from crontab directly gives an error saying that the account test@fuga.com (placeholder) is unknown.


sudo /opt/bitnami/letsencrypt/lego --path /opt/bitnami/letsencrypt --email="test@fuga.com" --http --http-timeout 30 --http.webroot /opt/bitnami/apps/letsencrypt --domains=hoge.com --domains=www.hoge.com --user-agent bitnami-bncert/1.0.0 renew && sudo /opt/bitnami/apache/bin/httpd -f /opt/bitnami/apache/conf/httpd.conf -k graceful

> It produced this output: Account “test@fuga.com” is not registered. Use 'run' to register a new account.

Then I remembered that I had manually changed the e-mail address registered for the Subscriber Agreement at initial creation, i.e. the --email in the crontab renewal command, so I register a new account with the run subcommand.
Renewing the SSL certificate (Let's Encrypt) for WordPress on AWS Lightsail


sudo /opt/bitnami/letsencrypt/lego --tls --email="test@fuga.com" --domains="hoge.jp" --domains="www.hoge.jp" --path="/opt/bitnami/letsencrypt" run

It then fails with an error saying that port 443 is already in use.


[hoge.jp] [hoge.jp] acme: error presenting token: could not start HTTPS server for challenge: listen tcp :443: bind: address already in use
[www.hoge.jp] [www.hoge.jp] acme: error presenting token: could not start HTTPS server for challenge: listen tcp :443: bind: address already in use

443: bind: address already in use Err, for subsite of WP Multisite · Issue #833 · go-acme/lego


Running the lego renewal command from crontab again, the account error was gone this time and the certificate renewal succeeded. It seems the run command had already completed the switch to the new e-mail address.
I'm not entirely sure, but the renew option presumably acts as the trigger for the series of update operations, including the apache restart.


sudo /opt/bitnami/letsencrypt/lego --path /opt/bitnami/letsencrypt --email="test@fuga.com" --http --http-timeout 30 --http.webroot /opt/bitnami/apps/letsencrypt --domains=hoge.com --domains=www.hoge.com --user-agent bitnami-bncert/1.0.0 renew && sudo /opt/bitnami/apache/bin/httpd -f /opt/bitnami/apache/conf/httpd.conf -k graceful
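As an added check covering both the crontab entry above and the "Account ... is not registered" failure (this is example code written for this page, not Bitnami's or lego's own), the script below extracts --email and --path from the bncert-autorenew line, confirms that lego actually has an account registered under that e-mail, and flags any certificate already inside the 30-day renewal window. It assumes lego's account layout <path>/accounts/<ACME host>/<email>/account.json, the Let's Encrypt production host acme-v02.api.letsencrypt.org, and that the entry lives in the crontab of the user you run it as.

```shell
#!/bin/sh
# Added example, not from the original post or from Bitnami/lego tooling.
# Assumption: lego keeps registered accounts under
#   <path>/accounts/<ACME server host>/<email>/account.json

LEGO_ACME_HOST="${LEGO_ACME_HOST:-acme-v02.api.letsencrypt.org}"

# Value of --email=... (quotes optional) in a crontab line.
cron_email() {
    printf '%s\n' "$1" | sed -n 's/.*--email="\{0,1\}\([^" ]*\)"\{0,1\}.*/\1/p'
}

# Value of "--path X" or --path=X (quotes optional) in a crontab line.
cron_path() {
    printf '%s\n' "$1" | sed -n 's/.*--path[= ]"\{0,1\}\([^" ]*\)"\{0,1\}.*/\1/p'
}

# 0 if lego has an account.json for EMAIL ($2) under PATH ($1), else 1.
account_registered() {
    [ -f "$1/accounts/$LEGO_ACME_HOST/$2/account.json" ]
}

# 0 if CERT ($1) expires within DAYS ($2), i.e. renewal is overdue; 1 if not.
# An unreadable or missing file also counts as overdue (fail loud).
cert_expires_within_days() {
    ! openssl x509 -checkend $(( $2 * 86400 )) -noout -in "$1" >/dev/null 2>&1
}

# Check one bncert-autorenew line: 0 = consistent, 1 = mismatch, 2 = unparsable.
check_cron_line() {
    email=$(cron_email "$1"); path=$(cron_path "$1")
    if [ -z "$email" ] || [ -z "$path" ]; then
        echo "cannot find --email/--path in: $1"; return 2
    fi
    if account_registered "$path" "$email"; then
        echo "OK: $email is registered under $path"; return 0
    fi
    echo "MISMATCH: no account for $email under $path/accounts/$LEGO_ACME_HOST"
    echo "  renew will fail with 'Account ... is not registered'; register it with 'lego ... run' first"
    return 1
}

# On the instance: ./check.sh --check (as the user whose crontab holds the entry).
if [ "${1:-}" = "--check" ]; then
    crontab -l | grep 'bncert-autorenew' | while IFS= read -r line; do
        check_cron_line "$line"
        for crt in "$(cron_path "$line")"/certificates/*.crt; do
            [ -f "$crt" ] || continue
            cert_expires_within_days "$crt" 30 && echo "RENEW NOW: $crt expires within 30 days"
        done
    done
fi
```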


