
The Let's Encrypt certificate had expired

The Let's Encrypt certificate had expired, so I recreated it.
I suspect the way I was renewing it was wrong. I had already installed certbot-auto earlier, so installation is omitted here.

The certificates to recreate are the following three.

  1. ikenie3.org
  2. www.ikenie3.org
  3. blog.ikenie3.org

# become root
$ sudo su -

# back up the existing certificates (may be needed when restarting nginx)
$ mv /etc/letsencrypt /etc/letsencrypt.back

Start the interactive certificate creation

$ certbot-auto certonly -d ikenie3.org,www.ikenie3.org,blog.ikenie3.org

Choose how the certificate is validated. I want to validate through nginx, so 1.

How would you like to authenticate with the ACME CA?
-------------------------------------------------------------------------------
1: Place files in webroot directory (webroot)
2: Spin up a temporary webserver (standalone)
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): <the validation method you want>1

Register an email address

Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel):<your email address>

Accept the terms of service

-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf. You must agree
in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: a

Join the mailing list?

-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: <optional>

Certificate creation begins

Obtaining a new certificate
Performing the following challenges:
http-01 challenge for ikenie3.org
http-01 challenge for www.ikenie3.org
http-01 challenge for blog.ikenie3.org

Enter the webroot path for ikenie3.org

Select the webroot for ikenie3.org:
-------------------------------------------------------------------------------
1: Enter a new webroot
-------------------------------------------------------------------------------
Press 1 [enter] to confirm the selection (press 'c' to cancel): 1

Enter the webroot path for ikenie3.org (www.ikenie3.org reuses the same path)

Input the webroot for ikenie3.org: (Enter 'c' to cancel):/path/to/www.ikenie3.org

Select the webroot for www.ikenie3.org:
-------------------------------------------------------------------------------
1: Enter a new webroot
2: /path/to/www.ikenie3.org
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2

Enter the webroot path for blog.ikenie3.org

Select the webroot for blog.ikenie3.org:
-------------------------------------------------------------------------------
1: Enter a new webroot
2: /path/to/www.ikenie3.org
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2

Certificate validation

Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/ikenie3.org/fullchain.pem. Your cert will
   expire on 2017-05-14. To obtain a new or tweaked version of this
   certificate in the future, simply run certbot-auto again. To
   non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you lose your account credentials, you can recover through
   e-mails sent to org.ikenie3@gmail.com.
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

The certificate was created at

/etc/letsencrypt/live/ikenie3.org/fullchain.pem

Restart nginx

# check the configuration file
$ nginx -t

# restart nginx (not strictly required)
$ /etc/init.d/nginx restart

Cause of failure

I think the reason the certificate expired is that when I set everything up last time, I set it up in standalone mode.
When a certificate has been created in standalone mode, my understanding is that if nginx is running, the certbot-auto command cannot start its own web server, fails, and exits.
The next certificate expiry date is 5/14, so I plan to check on 5/15.
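As an added example (not part of the original post), the following shell script checks the two things this post turns on: whether a certbot renewal config still names the standalone authenticator, which cannot bind port 80 while nginx is running, and how many days the live certificate has left before expiry. It also wraps the `nginx -t` plus reload step from the procedure above. The renewal config contents are constructed to mirror the format certbot writes under /etc/letsencrypt/renewal/; the paths follow the output above, the account id is a placeholder, and the helper names (`check_renewals`, `cert_days_left`, `reload_nginx_if_valid`) are mine. `cert_days_left` assumes openssl and GNU `date` are installed.

```shell
#!/bin/sh
# Added example, not from the original post. Inspects certbot's renewal
# configs and the live certificate so an expiry like the one described
# above is caught before it happens.
LE_DIR="${LE_DIR:-/etc/letsencrypt}"

# Print the authenticator plugin named in a renewal config
# (e.g. "webroot" or "standalone"), or "unknown" if none is set.
renewal_authenticator() {
    val=$(sed -n 's/^[[:space:]]*authenticator[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1)
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf 'unknown\n'; fi
}

# Succeed (status 0) only when "certbot-auto renew" can run while nginx
# keeps port 80: webroot renewals place files under the site's document
# root, while standalone renewals must bind port 80 themselves.
renewal_works_alongside_nginx() {
    case "$(renewal_authenticator "$1")" in
        webroot) return 0 ;;
        *)       return 1 ;;
    esac
}

# Days until the certificate's notAfter date; needs openssl and GNU date.
# Prints -1 and fails if the file cannot be read as a certificate.
cert_days_left() {
    not_after=$(openssl x509 -in "$1" -noout -enddate 2>/dev/null | cut -d= -f2) || true
    if [ -z "$not_after" ]; then echo -1; return 1; fi
    end=$(date -u -d "$not_after" +%s)
    echo $(( (end - $(date -u +%s)) / 86400 ))
}

# Validate the config, then reload nginx so it reads the new
# fullchain.pem and privkey.pem without dropping connections.
reload_nginx_if_valid() {
    nginx -t && nginx -s reload
}

# Walk every renewal config and report the ones that would fail while
# nginx is up. Returns the number of problematic configs (0 = all fine).
check_renewals() {
    bad=0
    for conf in "$LE_DIR"/renewal/*.conf; do
        [ -f "$conf" ] || continue
        if ! renewal_works_alongside_nginx "$conf"; then
            echo "WARN $conf: authenticator=$(renewal_authenticator "$conf") needs port 80 free"
            bad=$((bad + 1))
        fi
    done
    return $bad
}

# --- Constructed sample configs (mirroring certbot's format) for a dry run ---
standalone_conf=$(mktemp); webroot_conf=$(mktemp)
cat > "$standalone_conf" <<'EOF'
# renew_before_expiry = 30 days
archive_dir = /etc/letsencrypt/archive/ikenie3.org
cert = /etc/letsencrypt/live/ikenie3.org/cert.pem
fullchain = /etc/letsencrypt/live/ikenie3.org/fullchain.pem

[renewalparams]
authenticator = standalone
installer = None
account = PLACEHOLDER_ACCOUNT_ID
EOF
cat > "$webroot_conf" <<'EOF'
# renew_before_expiry = 30 days
archive_dir = /etc/letsencrypt/archive/ikenie3.org
cert = /etc/letsencrypt/live/ikenie3.org/cert.pem
fullchain = /etc/letsencrypt/live/ikenie3.org/fullchain.pem

[renewalparams]
authenticator = webroot
installer = None
account = PLACEHOLDER_ACCOUNT_ID
webroot_path = /path/to/www.ikenie3.org,
[[webroot_map]]
ikenie3.org = /path/to/www.ikenie3.org
www.ikenie3.org = /path/to/www.ikenie3.org
blog.ikenie3.org = /path/to/www.ikenie3.org
EOF

for c in "$standalone_conf" "$webroot_conf"; do
    if renewal_works_alongside_nginx "$c"; then
        echo "$c: $(renewal_authenticator "$c") -> renewal can run while nginx is up"
    else
        echo "$c: $(renewal_authenticator "$c") -> renewal will fail while nginx holds port 80"
    fi
done
```

On the server itself, `check_renewals` with the default LE_DIR reads the real /etc/letsencrypt/renewal/*.conf files, and `cert_days_left /etc/letsencrypt/live/ikenie3.org/fullchain.pem` gives the number the post plans to verify by hand on 5/15. nginx only reads certificate files at startup or on reload, so after a successful renewal the reload in `reload_nginx_if_valid` (or the restart used above) is what makes the new certificate visible to clients.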