Obtaining a Let's Encrypt certificate using a DNS server
2025/10/26: changed the certificate-renewal check from cron to systemctl
Installation
# dnf install certbot python3-certbot-dns-rfc2136
DDNS support
Generating the DDNS key
# ddns-confgen -k certbot-key -r /dev/urandom
-------------------------------------------------------------
# To activate this key, place the following in named.conf, and
# in a separate keyfile on the system or systems from which nsupdate
# will be run:
key "certbot-key" {
algorithm hmac-sha256;
secret "VryzjtrLza//MekqxhVS/AkjklujjwLcPSqn0000+O0=";
};
# Then, in the "zone" statement for each zone you wish to dynamically
# update, place an "update-policy" statement granting update permission
# to this key. For example, the following statement grants this key
# permission to update any name within the zone:
update-policy {
grant certbot-key zonesub ANY;
};
# After the keyfile has been placed, the following command will
# execute nsupdate using this key:
nsupdate -k <keyfile>
-------------------------------------------------------------
Creating the TSIG key file
# mkdir /var/named/keys
# vi /var/named/keys/certbot-key
--------------------------------------------------------------------
key "certbot-key" {
algorithm hmac-sha256;
secret "VryzjtrLza//MekqxhVS/AkjklujjwLcPSqn0000+O0=";
};
--------------------------------------------------------------------
# chown -R named:named /var/named/keys
# chmod 700 /var/named/keys
# chmod 400 /var/named/keys/certbot-key
(700 rather than 600 on the directory: without the execute bit, named cannot open the key file inside it, even though the file itself is readable.)
named.conf
・Add the TSIG key
・certbot-key could not be included, so it is written inline (T_T)
・Add a zone statement for the zone that accepts DDNS updates (the update-policy grants the key permission only for TXT records on _acme-challenge.chinaz.org.)
・Use in-view so that the outward-facing (world) view serves the same zone as the inward-facing (local) one.
# vi /etc/named.conf
--------------------------------------------------------------
#include "/var/named/keys/certbot-key";
key "certbot-key" {
    algorithm hmac-sha256;
    secret "VryzjtrLza//MekqxhVS/AkjklujjwLcPSqn0000+O0=";
};
view "local" {
    zone "_acme-challenge.chinaz.org" {
        type master;
        file "dynamic-dns/_acme-challenge.chinaz.org.zone";
        allow-transfer { localhost; localnets; };
        check-names ignore;
        allow-query { any; };   # added 2022.03.27
        update-policy {
            grant certbot-key name _acme-challenge.chinaz.org. TXT;
        };
    };
};
view "world" {
    zone "_acme-challenge.chinaz.org" {
        in-view local;
    };
};
--------------------------------------------------------------
Adding the zone file
# mkdir /var/named/dynamic-dns
# vi /var/named/dynamic-dns/_acme-challenge.chinaz.org.zone
--------------------------------------------------------------
$TTL 1D
@ IN SOA ns.chinaz.org. root.ns.chinaz.org. (
6 ; serial
3600 ; refresh (1 hour)
600 ; retry (10 minutes)
1209600 ; expire (2 weeks)
60 ; minimum (1 minute)
)
;
IN NS ns.chinaz.org.
--------------------------------------------------------------
# chown -R named:named /var/named/dynamic-dns
# chmod 770 /var/named/dynamic-dns/
# chmod 640 /var/named/dynamic-dns/_acme-challenge.chinaz.org.zone
Syntax check
# named-checkzone _acme-challenge.chinaz.org /var/named/dynamic-dns/_acme-challenge.chinaz.org.zone
# named-checkconf /etc/named.conf
Restarting the service
# systemctl restart named-chroot
Verification
Verifying Dynamic DNS
Registering a TXT record
nsupdate -d -k /var/named/keys/certbot-key
update add _acme-challenge.chinaz.org. 3600 in txt test
send
quit
Deleting the TXT record
nsupdate -d -k /var/named/keys/certbot-key
update delete _acme-challenge.chinaz.org. 3600 in txt test
send
quit
Checking whether the record was registered
dig @127.0.0.1 TXT _acme-challenge.chinaz.org
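The two nsupdate sessions and the dig query above can be combined into a repeatable self-test that exercises exactly the path certbot will use. The script below is an added example, not part of the original page: it reuses the key file, record name and local server from this page, assumes nsupdate and dig are installed, and uses a 60-second TTL (the page used 3600) because the challenge record is short-lived. The `nsupdate_script` function only builds the update batch, so it can be inspected without touching the server; the live round trip runs only with `sh ddns_check.sh run`.

```shell
#!/bin/sh
# Added example (not from the original page): round-trip test of the TSIG-authenticated
# dynamic-update path. Assumed: key file, record name and server match this page's named.conf.
set -eu

KEYFILE="${KEYFILE:-/var/named/keys/certbot-key}"   # TSIG key file from this page
SERVER="${SERVER:-127.0.0.1}"                        # the authoritative server, not a resolver
RECORD="_acme-challenge.chinaz.org."                 # record certbot will write
TTL=60                                               # short TTL; the page's test used 3600

# Emit the nsupdate batch for one operation ("add" or "delete") on the TXT record.
# Kept as a pure function so the generated batch can be checked without a server.
nsupdate_script() {
    # $1 = add|delete, $2 = TXT value
    printf 'server %s\nupdate %s %s %s IN TXT "%s"\nsend\nquit\n' "$SERVER" "$1" "$RECORD" "$TTL" "$2"
}

# Current TXT values as the authoritative server sees them, one per line.
txt_values() {
    dig +short @"$SERVER" TXT "$RECORD"
}

# Add a throwaway TXT record, confirm it is visible, delete it, confirm it is gone.
# Stops at the first failed step with a message naming that step.
ddns_roundtrip() {
    value="ddns-selftest-$(date +%s)"
    nsupdate_script add "$value" | nsupdate -k "$KEYFILE" \
        || { echo "update add failed: check the TSIG key and update-policy" >&2; return 1; }
    txt_values | grep -Fq "\"$value\"" \
        || { echo "TXT not visible after add: check the zone/view configuration" >&2; return 1; }
    nsupdate_script delete "$value" | nsupdate -k "$KEYFILE" \
        || { echo "update delete failed" >&2; return 1; }
    if txt_values | grep -Fq "\"$value\""; then
        echo "TXT still present after delete" >&2
        return 1
    fi
    echo "DDNS round trip OK for $RECORD via $SERVER"
}

# Run the live test only when asked, so sourcing this file is side-effect free.
if [ "${1:-}" = "run" ]; then
    ddns_roundtrip
fi
```

A failure at the add step is the same condition certbot later reports as an error adding the TXT record, so running this first separates BIND problems from certbot problems.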
Configuring Certbot
# vi /etc/letsencrypt/rfc2136.ini
--------------------------------------------------------------
# Address of the master server for the _acme-challenge.example.org zone
dns_rfc2136_server = 210.136.17.172
# Port to connect to
dns_rfc2136_port = 53
# Name of the authentication key
dns_rfc2136_name = certbot-key.
# Value of the authentication key
dns_rfc2136_secret = VryzjtrLza//MekqxhVS/AkjklujjwLcPSqn0000+O0=
# Algorithm used to generate the key
dns_rfc2136_algorithm = HMAC-SHA256
--------------------------------------------------------------
# chmod 600 /etc/letsencrypt/rfc2136.ini
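Before running certbot it is worth checking that rfc2136.ini and the BIND key file describe the same key (name, algorithm and secret) and that the ini file is mode 0600: a mismatch is the usual cause of "The peer didn't know the key we used", and any other mode produces certbot's "Unsafe permissions on credentials configuration file" warning, both of which appear in the output further down this page. The script below is an added example, not from the page or from certbot; the default paths are the ones used on this page, and it runs as `sh rfc2136_check.sh run [keyfile] [inifile]`.

```shell
#!/bin/sh
# Added example (not from the original page): check that certbot's rfc2136.ini and the
# BIND TSIG key file describe the same key, and that the ini file is mode 0600.
# Default paths are the ones used on this page (assumed).
set -eu

# Print the value of "key = value" from an ini-style file (first match, whitespace trimmed).
ini_get() {
    # $1 = file, $2 = key name
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | sed 's/[[:space:]]*$//' | head -n 1
}

# Pull name, algorithm and secret out of a BIND "key" statement.
bind_key_name()   { sed -n 's/^[[:space:]]*key[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1; }
bind_key_algo()   { sed -n 's/^[[:space:]]*algorithm[[:space:]]*\([^;[:space:]]*\);.*/\1/p' "$1" | head -n 1; }
bind_key_secret() { sed -n 's/^[[:space:]]*secret[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1; }

# Compare both files; prints one line per problem and returns 1 if any was found.
check_rfc2136() {
    keyfile="$1"; ini="$2"; rc=0
    name="$(bind_key_name "$keyfile")"
    algo="$(bind_key_algo "$keyfile" | tr 'A-Z' 'a-z')"
    secret="$(bind_key_secret "$keyfile")"
    ini_name="$(ini_get "$ini" dns_rfc2136_name)"
    ini_algo="$(ini_get "$ini" dns_rfc2136_algorithm | tr 'A-Z' 'a-z')"
    ini_secret="$(ini_get "$ini" dns_rfc2136_secret)"
    # certbot takes the key name as an absolute DNS name, i.e. with a trailing dot
    [ "${ini_name%.}" = "$name" ] || { echo "key name mismatch: ini='$ini_name' bind='$name'"; rc=1; }
    # BIND writes hmac-sha256, the ini uses HMAC-SHA256: compare case-insensitively
    [ "$ini_algo" = "$algo" ] || { echo "algorithm mismatch: ini='$ini_algo' bind='$algo'"; rc=1; }
    [ "$ini_secret" = "$secret" ] || { echo "secret differs between $ini and $keyfile"; rc=1; }
    # certbot warns about the credentials file for any mode other than 0600
    [ -n "$(find "$ini" -prune -perm 600 -print)" ] || { echo "$ini must be mode 0600"; rc=1; }
    if [ "$rc" -eq 0 ]; then
        echo "$ini and $keyfile agree"
    fi
    return "$rc"
}

# Run the check only when asked, so sourcing this file just defines the functions.
if [ "${1:-}" = "run" ]; then
    check_rfc2136 "${2:-/var/named/keys/certbot-key}" "${3:-/etc/letsencrypt/rfc2136.ini}"
fi
```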
Creating the account
# certbot certonly --dns-rfc2136 --dns-rfc2136-credentials /etc/letsencrypt/rfc2136.ini -d '*.chinaz.org'
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-rfc2136, Installer None
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): aki@chinaz.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-staging-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: a
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for chinaz.org
Unsafe permissions on credentials configuration file: /etc/letsencrypt/rfc2136.ini
Cleaning up challenges
Encountered exception during recovery: certbot.errors.PluginError: Encountered error deleting TXT record: The peer didn't know the key we used
Encountered error adding TXT record: The peer didn't know the key we used
IMPORTANT NOTES:
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
Configuring the certificate
Checking the location
# cd /etc/letsencrypt/live/chinaz.org/
# ll
合計 4
-rw-r--r-- 1 root root 692 12月 31 18:32 README
lrwxrwxrwx 1 root root 34 12月 31 18:32 cert.pem -> ../../archive/chinaz.org/cert1.pem
lrwxrwxrwx 1 root root 35 12月 31 18:32 chain.pem -> ../../archive/chinaz.org/chain1.pem
lrwxrwxrwx 1 root root 39 12月 31 18:32 fullchain.pem -> ../../archive/chinaz.org/fullchain1.pem
lrwxrwxrwx 1 root root 37 12月 31 18:32 privkey.pem -> ../../archive/chinaz.org/privkey1.pem
Apache configuration
# vi /etc/httpd/conf.d/ssl.conf
----------------------------------------------------------------------
SSLCertificateFile /etc/letsencrypt/live/chinaz.org/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/chinaz.org/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/chinaz.org/chain.pem
----------------------------------------------------------------------
Postfix configuration
# vi /etc/postfix/main.cf
----------------------------------------------------------------------
smtpd_tls_cert_file = /etc/letsencrypt/live/chinaz.org/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/chinaz.org/privkey.pem
----------------------------------------------------------------------
Dovecot configuration
# vi /etc/dovecot/conf.d/10-ssl.conf
----------------------------------------------------------------------
ssl_cert = </etc/letsencrypt/live/chinaz.org/fullchain.pem
ssl_key = </etc/letsencrypt/live/chinaz.org/privkey.pem
----------------------------------------------------------------------
Enabling automatic renewal of the SSL certificate (enable the timer)
# systemctl enable certbot-renew.timer
Processing to run when the certificate renewal succeeds
Restart the related services and back up the certificates as a compressed archive
# vi /etc/sysconfig/certbot
--------------------------------------------------------------
# An example to run a script to alert each cert would be:
# DEPLOY_HOOK="--deploy-hook /usr/local/bin/cert-notifier.sh"
DEPLOY_HOOK="--deploy-hook 'systemctl restart httpd ; systemctl restart postfix ; systemctl restart dovecot; /usr/local/sbin/backupssl.sh'"
--------------------------------------------------------------
# vi /usr/local/sbin/backupssl.sh
--------------------------------------------------------------
#!/bin/sh
tar czf /home/china/doc/backup/letsencrypt.tar.gz -C /etc letsencrypt
--------------------------------------------------------------
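The quoted command string in DEPLOY_HOOK and the two-line backupssl.sh can be folded into a single hook script. The script below is an added example, not the page's own backupssl.sh: it restarts the same three services (only those that are running), writes the archive with umask 077 because /etc/letsencrypt contains the private keys, renames it into place atomically, and uses the RENEWED_LINEAGE and RENEWED_DOMAINS variables that certbot exports to deploy hooks. The backup directory is the one from this page; the service names and the install path /usr/local/sbin/backupssl.sh are assumptions. With the script installed there, the hook line in /etc/sysconfig/certbot becomes DEPLOY_HOOK="--deploy-hook /usr/local/sbin/backupssl.sh".

```shell
#!/bin/sh
# Added example deploy hook (not the original page's backupssl.sh).
# Install as /usr/local/sbin/backupssl.sh (assumed name) and set in /etc/sysconfig/certbot:
#   DEPLOY_HOOK="--deploy-hook /usr/local/sbin/backupssl.sh"
# certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/chinaz.org) and
# RENEWED_DOMAINS to deploy hooks; nothing else is assumed about the environment.
set -eu
umask 077   # the archive contains private keys: create it readable by the owner only

BACKUP_DIR="${BACKUP_DIR:-/home/china/doc/backup}"   # destination used on this page
SERVICES="${SERVICES:-httpd postfix dovecot}"        # services from this page (assumed unit names)

# Restart only services that are actually running, so a stopped or absent
# service does not abort the hook before the backup is taken.
restart_services() {
    for svc in $SERVICES; do
        if systemctl is-active --quiet "$svc"; then
            systemctl restart "$svc"
        fi
    done
}

# Archive the certbot config dir ($1, e.g. /etc/letsencrypt) into directory $2.
# Writes to a temporary name and renames, so a reader never sees a half-written
# tarball; prints the final archive path. Older archives are kept (timestamped names).
backup_letsencrypt() {
    cfg="$1"; dest="$2"
    mkdir -p "$dest"
    out="$dest/letsencrypt-$(date +%Y%m%d-%H%M%S).tar.gz"
    tar czf "$out.tmp" -C "$(dirname "$cfg")" "$(basename "$cfg")"
    mv "$out.tmp" "$out"
    echo "$out"
}

# Entry point: refuse to run outside a certbot deploy hook, then restart and back up.
deploy_hook() {
    if [ -z "${RENEWED_LINEAGE:-}" ]; then
        echo "RENEWED_LINEAGE is not set: not running from a certbot deploy hook" >&2
        return 1
    fi
    echo "certificate renewed for ${RENEWED_DOMAINS:-?} (${RENEWED_LINEAGE})"
    restart_services
    # RENEWED_LINEAGE is <configdir>/live/<name>: go up two levels for the config dir
    backup_letsencrypt "$(dirname "$(dirname "$RENEWED_LINEAGE")")" "$BACKUP_DIR"
}

# Run the hook only when executed under the installed name; sourcing the file
# just defines the functions.
case "$0" in
    */backupssl.sh|backupssl.sh) deploy_hook ;;
esac
```

Because the page's original tarball is written with the default umask, it would normally be created world-readable under /home; the umask at the top of the hook is what keeps the copied private keys as protected as the originals in /etc/letsencrypt.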
