Last time I wrote about what to do once an SSL certificate has already expired; this time I will cover the measures that keep it from expiring in the first place.

First, how to test the renewal
```
# certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/www.maruweb.jp.net.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Attempting to parse the version 0.32.0 renewal configuration file found at /etc/letsencrypt/renewal/www.maruweb.jp.net.conf with version 0.31.0 of Certbot. This might not work.
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.maruweb.jp.net
Waiting for verification...
Cleaning up challenges
Resetting dropped connection: acme-staging-v02.api.letsencrypt.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/www.maruweb.jp.net/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/www.maruweb.jp.net/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
```
Line 1: adding the --dry-run option lets you test the SSL certificate renewal without changing anything.
Line 27: the renewal succeeded.
Line 30: as it says here, this is only a test, so no actual renewal (nothing is saved) takes place.
Running the command without the --dry-run option performs the real renewal.
Note, however, that the certificate seems to be renewed only when it is within 30 days of its expiry date.
If you want to renew immediately, regardless of the 30-day window before expiry
```
# certbot renew --force-renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/www.maruweb.jp.net.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Attempting to parse the version 0.32.0 renewal configuration file found at /etc/letsencrypt/renewal/www.maruweb.jp.net.conf with version 0.31.0 of Certbot. This might not work.
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate
Resetting dropped connection: acme-v02.api.letsencrypt.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/www.maruweb.jp.net/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/www.maruweb.jp.net/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
```
Line 1: to renew immediately, add the --force-renew option.
Line 20: the renewal succeeded.
Checking the expiry date
```
# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: www.maruweb.jp.net
    Domains: www.maruweb.jp.net
    Expiry Date: 2019-07-12 13:32:59+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/www.maruweb.jp.net/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.maruweb.jp.net/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
```
Line 8: the certificate is valid until 2019/7/12, with 89 days remaining.
After renewing the certificate, the web server must reload its configuration so that it actually serves the new certificate.
```
# systemctl reload httpd.service
```
Auto-renewal settings
For now, I will wait and see whether the renewal goes through with what I already have set up in cron.
I suspect the cause was probably the OS error from last time (a pip error?)...
For the server certificate auto-renewal configured in cron, I am using the script from the linked page.
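As an added example (not the linked script, and not part of the original post), here is a small cron wrapper for the whole procedure above: it reads the expiry from the deployed certificate, logs how many days are left and whether the 30-day window has been reached, lets certbot renew decide, and reloads httpd only when a certificate was actually issued. It assumes certbot and openssl are on PATH, Apache runs as httpd.service, the certificate path from the certbot certificates output above, and a constructed log path.

```shell
#!/bin/bash
# Cron wrapper around "certbot renew" (added example; not the post's linked script).
# Assumptions: certbot and openssl on PATH, Apache runs as httpd.service, and the
# certificate path matches the "certbot certificates" output above.

CERT=${CERT:-/etc/letsencrypt/live/www.maruweb.jp.net/fullchain.pem}
THRESHOLD_DAYS=${THRESHOLD_DAYS:-30}   # certbot renew only renews inside this window
LOG=${LOG:-/var/log/letsencrypt/renew-cron.log}   # constructed log path

# seconds_left "notAfter=Jul 12 13:32:59 2019 GMT" [NOW_EPOCH]
# Parses the line printed by "openssl x509 -enddate" (GNU date syntax); NOW_EPOCH
# lets a caller pin the clock. A result <= 0 means the certificate has expired.
seconds_left() {
    local not_after=${1#notAfter=} now=${2:-$(date +%s)} end
    end=$(date -d "$not_after" +%s) || return 1
    echo $(( end - now ))
}

# days_left SECONDS_LEFT: whole days, for the log line.
days_left() { echo $(( $1 / 86400 )); }

# renewal_state SECONDS_LEFT -> expired | due | ok, so the log is unambiguous.
renewal_state() {
    if [ "$1" -le 0 ]; then echo expired
    elif [ "$1" -le $(( THRESHOLD_DAYS * 86400 )) ]; then echo due
    else echo ok
    fi
}

# renew_and_reload [extra certbot args]: log the current state, then let certbot
# decide. --deploy-hook fires only when a certificate was actually issued, so httpd
# is not reloaded on every cron run (certbot skips the hook under --dry-run).
renew_and_reload() {
    local secs
    secs=$(seconds_left "$(openssl x509 -enddate -noout -in "$CERT")") ||
        { echo "$(date -Is) cannot read $CERT" >> "$LOG"; return 1; }
    echo "$(date -Is) $CERT: $(days_left "$secs") days left ($(renewal_state "$secs"))" >> "$LOG"
    certbot renew "$@" --deploy-hook 'systemctl reload httpd.service' >> "$LOG" 2>&1
}

# cron calls "renew-cert.sh --run"; run "--test" first to confirm with --dry-run.
case "${1:-}" in
    --run)  renew_and_reload ;;
    --test) renew_and_reload --dry-run ;;
esac
```

A daily cron entry such as `0 3 * * * /usr/local/bin/renew-cert.sh --run` (path assumed) is enough, since certbot itself refuses to renew until the 30-day window and the hook only reloads httpd on a real renewal.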