Manually renewing a free Let’s Encrypt SSL certificate

Let’s Encrypt’s free SSL certificates are convenient, and I think many people use them. The drawback is that the certificate lifetime is short, 90 days (3 months), so periodic renewal is required. This article describes how to renew a Let’s Encrypt SSL certificate manually.

An e-mail arrives before expiry

Before the certificate expires, an e-mail arrives from Let’s Encrypt Expiry Bot expiry@letsencrypt.org. It is sent to the address entered when Let’s Encrypt was first set up. Because it makes the deadline harder to forget, it is easiest to point this notification at an address you will actually notice.

The following e-mail arrived.

+++++++++++++++++++
Hello,

Your certificate (or certificates) for the names listed below will expire in 19 days (on 12 Sep 20 23:43 +0000). Please make sure to renew your certificate before then, or visitors to your website will encounter errors.

We recommend renewing certificates automatically when they have a third of their
total lifetime left. For Let’s Encrypt’s current 90-day certificates, that means
renewing 30 days before expiration. See
https://letsencrypt.org/docs/integration-guide/ for details.

www.XXXXXXXXX.com

For any questions or support, please visit https://community.letsencrypt.org/. Unfortunately, we can’t provide support by email.

For details about when we send these emails, please visit https://letsencrypt.org/docs/expiration-emails/. In particular, note that this reminder email is still sent if you’ve obtained a slightly different certificate by adding or removing names. If you’ve replaced this certificate with a newer one that covers more or fewer names than the list above, you may be able to ignore this message.

If you are receiving this email in error, unsubscribe at http://mandrillapp.com/track/unsub.php?u=30850198&id=468349cc495442fc9604c9780290958b.HTRW6Iut2ASZoKekLl8s4efascM%3D&r=https%3A%2F%2Fmandrillapp.com%2Funsub%3Fmd_email%3Dt%252A%252A%252A%252A%2540s%252A%252A%252A%252A.%252A%252A%252A

Regards,
The Let’s Encrypt Team
+++++++++++++++++++

According to this e-mail, the SSL certificate will expire in 19 days.

Checking the SSL certificate’s expiry date

Log in to the server in question and check the expiry date.
As the e-mail said, it can be seen that 19 days remain before the certificate expires.

$ certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: www.XXXXXXXXX.com
    Domains: www.XXXXXXXXX.com
    Expiry Date: 2020-09-12 23:43:32+00:00 (VALID: 19 days)
    Certificate Path: /etc/letsencrypt/live/www.XXXXXXXXX.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.XXXXXXXXX.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Pre-renewal check

Proceed with the renewal. Renewal is very simple, but to avoid any trouble, check beforehand using the --dry-run option. Adding --dry-run as an option lets you test-run the command without affecting production.

$ certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/www.XXXXXXXXX.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.XXXXXXXXX.com
Using the webroot path /var/www/html/www.XXXXXXXXX.com for all unmatched domains.
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/www.XXXXXXXXX.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/www.XXXXXXXXX.com/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.

Ran it. In the output above the dry run talks to the staging endpoint (acme-staging-v02.api.letsencrypt.org) and saves nothing, so the production certificate is untouched. If the message Congratulations, all renewals succeeded. appears, the check completed without problems.

Renewal

Now perform the renewal. There are two ways to renew:

  • When the SSL certificate has less than 30 days of validity left
$ sudo certbot renew
  • To force a renewal regardless of the certificate’s remaining validity
$ certbot renew --force-renew

This time less than 30 days remain, so certbot renew is used.

$ certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/www.XXXXXXXXX.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.XXXXXXXXX.com
Using the webroot path /var/www/html/www.XXXXXXXXX.com for all unmatched domains.
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/www.XXXXXXXXX.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/www.XXXXXXXXX.com/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

If Congratulations, all renewals succeeded appears, the renewal completed without problems.

Restarting apache

Finally, restart the web server so that it loads the new certificate (the renewal output says "new certificate deployed without reload", so the running httpd is still serving the old one until restarted).

service httpd restart
Redirecting to /bin/systemctl restart httpd.service

With this, all the work is complete.
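The whole procedure above (read the expiry date, compare it with the 30-day window, dry-run, renew, restart httpd) as one small script. This is an added example, not code from the original post; it assumes GNU date (-d), openssl, and the certbot live path shown in the output above, and the 30-day threshold and the restart command are the ones the post uses.

```shell
#!/bin/sh
# Added example (not from the original post): decide whether the certificate
# certbot manages is inside the 30-day renewal window, then run the same
# dry-run / renew / restart sequence as the post. Assumes GNU date and openssl.
CERT_PATH="${CERT_PATH:-/etc/letsencrypt/live/www.XXXXXXXXX.com/fullchain.pem}"
RENEW_WINDOW_DAYS=30

# Whole days between "now" (epoch seconds) and an openssl-style notAfter
# string such as "Sep 12 23:43:32 2020 GMT". Prints the count (negative if
# the certificate has already expired).
days_until_expiry() {
    not_after="$1"
    now_epoch="$2"
    exp_epoch=$(date -u -d "$not_after" +%s) || return 1
    echo $(( (exp_epoch - now_epoch) / 86400 ))
}

# True (exit 0) when fewer than RENEW_WINDOW_DAYS days remain, i.e. when a
# plain "certbot renew" will actually renew instead of skipping the cert.
needs_renewal() {
    [ "$1" -lt "$RENEW_WINDOW_DAYS" ]
}

# Read notAfter from the live certificate, report it, and only renew when the
# dry run against the staging endpoint succeeded first.
check_and_renew() {
    not_after=$(openssl x509 -in "$CERT_PATH" -noout -enddate | cut -d= -f2)
    days=$(days_until_expiry "$not_after" "$(date -u +%s)") || return 1
    echo "$CERT_PATH expires in $days day(s)"
    if needs_renewal "$days"; then
        certbot renew --dry-run && certbot renew && systemctl restart httpd
    else
        echo "more than $RENEW_WINDOW_DAYS days left; nothing to do"
    fi
}

# Only act when RUN_CHECK=1 is set, so the functions can be sourced elsewhere.
if [ "${RUN_CHECK:-0}" = "1" ]; then
    check_and_renew
fi
```

Run it as RUN_CHECK=1 sh check_cert.sh from cron a few days apart and the renewal happens on its own once the window is reached, while the dry run still gates the real renewal.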