How to renew a Let's Encrypt certificate

  • January 12, 2021
  • January 14, 2021
  • Technology

A certificate renewal notice arrived from Let's Encrypt

I received an email from Let's Encrypt (expiry@letsencrypt.org) telling me that my certificate would expire in 10 days and that I should renew it.
The subject line was: Let’s Encrypt certificate expiration notice for domain “xxxxxxxxxx.com”

ーーーーーーーーーーーーーーーーーーーー
Hello,

Your certificate (or certificates) for the names listed below will expire in 10 days (on 23 Jan 21 02:09 +0000). Please make sure to renew your certificate before then, or visitors to your website will encounter errors.

We recommend renewing certificates automatically when they have a third of their
total lifetime left. For Let’s Encrypt’s current 90-day certificates, that means
renewing 30 days before expiration. See
https://letsencrypt.org/docs/integration-guide/ for details.

xxxxxxxxxx.com
yyyyyyyy.com
zzzzzzzzzzzzzz.com

For any questions or support, please visit https://community.letsencrypt.org/. Unfortunately, we can’t provide support by email.

For details about when we send these emails, please visit https://letsencrypt.org/docs/expiration-emails/. In particular, note that this reminder email is still sent if you’ve obtained a slightly different certificate by adding or removing names. If you’ve replaced this certificate with a newer one that covers more or fewer names than the list above, you may be able to ignore this message.

If you are receiving this email in error, unsubscribe at http://xxxxxxxxxxxxxxxxx

Regards,
The Let’s Encrypt Team
ーーーーーーーーーーーーーーーーーーーー

As the email says, the certificates for the domains listed in it will expire in 10 days, so they need to be renewed. If they are not renewed, visitors to the website will encounter errors.

Renewing the Let's Encrypt certificate

Renew the Let's Encrypt certificate by running the following command.

# certbot renew

If that does not work, you can also force a renewal by running the following command.

# certbot renew --force-renew

If the run proceeds normally, the following log output appears.

# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/xxxxxxxxxx.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for xxxxxxxxxx.com
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/xxxxxxxxxx.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/yyyyyyyy.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for yyyyyyyy.com
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/yyyyyyyy.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/zzzzzzzzzzzzzz.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for zzzzzzzzzzzzzz.com
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/zzzzzzzzzzzzzz.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/xxxxxxxxxx.com/fullchain.pem (success)
  /etc/letsencrypt/live/yyyyyyyy.com/fullchain.pem (success)
  /etc/letsencrypt/live/zzzzzzzzzzzzzz.com/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

If (success) is shown, the renewal is complete. In this case, the three domains
・xxxxxxxxxx.com
・yyyyyyyy.com
・zzzzzzzzzzzzzz.com
all pointed at a single server, so all three were renewed together.
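
As an added example (not part of the original post), the script below checks the certificates on disk after a renewal, independently of certbot's own "(success)" line, and flags any that are still inside the 30-day renewal window recommended in the notice email. It assumes certbot's default /etc/letsencrypt/live/<name>/fullchain.pem layout, as seen in the log above, and an openssl binary on PATH; the function names are hypothetical.

```sh
#!/bin/sh
# Added example: verify that renewed certificates are outside the renewal window.
# Assumptions: certbot's default live/ layout and openssl on PATH.

RENEW_WINDOW_DAYS=30   # the email recommends renewing 30 days before expiry

# cert_status FILE [DAYS]
# Prints "ok", "renew" or "unreadable"; exit status is 0, 1 or 2 respectively.
cert_status() {
    cert=$1
    days=${2:-$RENEW_WINDOW_DAYS}
    # Missing file, permission problem, or not a parseable X.509 certificate
    if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
        echo unreadable
        return 2
    fi
    # -checkend N exits 0 only if the certificate is still valid N seconds from now
    if openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
        echo ok
    else
        echo renew
        return 1
    fi
}

# check_live_dir [DIR]
# Prints "status <TAB> notAfter <TAB> path" for every lineage under DIR and
# returns non-zero if any certificate is not "ok", so it can gate a cron alert.
check_live_dir() {
    live=${1:-/etc/letsencrypt/live}
    rc=0
    for cert in "$live"/*/fullchain.pem; do
        [ -e "$cert" ] || continue
        status=$(cert_status "$cert") || rc=1
        # fullchain.pem holds the leaf certificate first; openssl reads that one
        end=$(openssl x509 -in "$cert" -noout -enddate 2>/dev/null | cut -d= -f2)
        printf '%s\t%s\t%s\n' "$status" "${end:-unknown}" "$cert"
    done
    return $rc
}

# Usage (as root, because live/ is not world-readable):
#   check_live_dir || echo "at least one certificate still needs renewal"
```

Running this from cron after `certbot renew` catches the case where the renewal command was never executed or failed silently, which is the situation that leads to the expiry notice in the first place.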