certbot

Obtaining a Let's Encrypt certificate with the dns-01 challenge, using the site's own DNS server

Installation

# dnf install certbot python3-certbot-dns-rfc2136

Dynamic DNS (DDNS) setup

Generating the DDNS key

# ddns-confgen -k certbot-key -r /dev/urandom
-------------------------------------------------------------
# To activate this key, place the following in named.conf, and
# in a separate keyfile on the system or systems from which nsupdate
# will be run:
key "certbot-key" {
        algorithm hmac-sha256;
        secret "VryzjtrLza//MekqxhVS/AkjklujjwLcPSqn0000+O0=";
};

# Then, in the "zone" statement for each zone you wish to dynamically
# update, place an "update-policy" statement granting update permission
# to this key.  For example, the following statement grants this key
# permission to update any name within the zone:
update-policy {
        grant certbot-key zonesub ANY;
};

# After the keyfile has been placed, the following command will
# execute nsupdate using this key:
nsupdate -k <keyfile>
-------------------------------------------------------------

Creating the TSIG key file

# mkdir /var/named/keys
# vi /var/named/keys/certbot-key
--------------------------------------------------------------------
key "certbot-key" {
        algorithm hmac-sha256;
        secret "VryzjtrLza//MekqxhVS/AkjklujjwLcPSqn0000+O0=";
};
--------------------------------------------------------------------
# chown -R named:named /var/named/keys
# chmod 700 /var/named/keys
# chmod 400 /var/named/keys/certbot-key

The directory needs mode 700, not 600: named reads its configuration after switching to the named user, and a directory without the execute bit cannot be entered, so an include of a file inside it fails. The key file itself stays at 400; anyone who can read it can send signed updates for whatever the update-policy grants this key.

named.conf

・Add the TSIG key.
・The key file could not be included, so the key is written inline (T_T). A directory without the execute bit (mode 600) is not traversable by the named user that reads the configuration, which is enough to make the include fail.
・Add the zone that may be updated by DDNS, with an update-policy that grants certbot-key only the TXT record at _acme-challenge.chinaz.org. (the "zonesub ANY" grant in the ddns-confgen template would let the key change any record in the zone).
・Use in-view so the same zone data is served to the inward (local) and outward (world) views.

# vi /etc/named.conf
--------------------------------------------------------------
#include "/var/named/keys/certbot-key";
key "certbot-key" {
        algorithm hmac-sha256;
        secret "VryzjtrLza//MekqxhVS/AkjklujjwLcPSqn0000+O0=";
};

view "local" {
        // ... match-clients and the other zones of this view ...
        zone "_acme-challenge.chinaz.org" {
                type master;
                file "dynamic-dns/_acme-challenge.chinaz.org.zone";
                allow-transfer { localhost; localnets; };
                check-names ignore;
                allow-query { any; };           // added 2022.03.27
                update-policy {
                        grant certbot-key name _acme-challenge.chinaz.org. TXT;
                };
        };
};

view "world" {
        // ... match-clients and the other zones of this view ...
        zone "_acme-challenge.chinaz.org" {
                in-view local;
        };
};
--------------------------------------------------------------

Adding the zone file

Because _acme-challenge.chinaz.org is its own zone, the parent zone chinaz.org also needs an NS record delegating _acme-challenge.chinaz.org to ns.chinaz.org. (not shown here); without that delegation, resolvers outside the server answer NXDOMAIN for the challenge name.

# mkdir /var/named/dynamic-dns
# vi /var/named/dynamic-dns/_acme-challenge.chinaz.org.zone
--------------------------------------------------------------
$TTL    1D

@               IN      SOA ns.chinaz.org. root.ns.chinaz.org. (
                                6          ; serial
                                3600       ; refresh (1 hour)
                                600        ; retry (10 minutes)
                                1209600    ; expire (2 weeks)
                                60         ; minimum (1 minute)
                                )
;
                IN      NS      ns.chinaz.org.
--------------------------------------------------------------
# chown -R named:named /var/named/dynamic-dns
# chmod 770 /var/named/dynamic-dns/
# chmod 640 /var/named/dynamic-dns/_acme-challenge.chinaz.org.zone

Syntax check

# named-checkzone _acme-challenge.chinaz.org /var/named/dynamic-dns/_acme-challenge.chinaz.org.zone
# named-checkconf /etc/named.conf

Restarting the service

# systemctl restart named-chroot

Verification

Checking dynamic DNS

Registering a TXT record

# nsupdate -d -k /var/named/keys/certbot-key
> update add _acme-challenge.chinaz.org. 3600 in txt test
> send
> quit

Deleting the TXT record

# nsupdate -d -k /var/named/keys/certbot-key
> update delete _acme-challenge.chinaz.org. 3600 in txt test
> send
> quit

-d prints the signed request and the server's reply, so a TSIG problem (BADKEY, BADSIG) or a REFUSED from the update-policy shows up here, before certbot is involved.

Checking that the record was registered

# dig @127.0.0.1 TXT _acme-challenge.chinaz.org

127.0.0.1 is answered by the inward (local) view. To see what Let's Encrypt will see, query the server's public address from a host outside localnets, which is answered by the world view.

Certbot configuration

# vi /etc/letsencrypt/rfc2136.ini
--------------------------------------------------------------
# address of the master server for the _acme-challenge zone
dns_rfc2136_server = 210.136.17.172
# port to connect to
dns_rfc2136_port = 53
# name of the TSIG key
dns_rfc2136_name = certbot-key.
# value of the TSIG key
dns_rfc2136_secret = VryzjtrLza//MekqxhVS/AkjklujjwLcPSqn0000+O0=
# algorithm the key was generated for
dns_rfc2136_algorithm = HMAC-SHA256
--------------------------------------------------------------
# chmod 600 /etc/letsencrypt/rfc2136.ini

Creating the account (first certificate request)

# certbot certonly --dns-rfc2136 --dns-rfc2136-credentials /etc/letsencrypt/rfc2136.ini -d '*.chinaz.org'
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-rfc2136, Installer None
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): aki@chinaz.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-staging-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: a

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for chinaz.org
Unsafe permissions on credentials configuration file: /etc/letsencrypt/rfc2136.ini
Cleaning up challenges
Encountered exception during recovery: certbot.errors.PluginError: Encountered error deleting TXT record: The peer didn't know the key we used
Encountered error adding TXT record: The peer didn't know the key we used

IMPORTANT NOTES:
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.

Certificate setup

Checking the location

# cd /etc/letsencrypt/live/chinaz.org/
# ll
total 4
-rw-r--r-- 1 root root 692 Dec 31 18:32 README
lrwxrwxrwx 1 root root  34 Dec 31 18:32 cert.pem -> ../../archive/chinaz.org/cert1.pem
lrwxrwxrwx 1 root root  35 Dec 31 18:32 chain.pem -> ../../archive/chinaz.org/chain1.pem
lrwxrwxrwx 1 root root  39 Dec 31 18:32 fullchain.pem -> ../../archive/chinaz.org/fullchain1.pem
lrwxrwxrwx 1 root root  37 Dec 31 18:32 privkey.pem -> ../../archive/chinaz.org/privkey1.pem

The symlinks under live/ always point at the newest generation in archive/, so the services below reference the live/ paths and keep working across renewals (they still have to be reloaded to pick up the new files).

Apache configuration

# vi /etc/httpd/conf.d/ssl.conf
----------------------------------------------------------------------
SSLCertificateFile /etc/letsencrypt/live/chinaz.org/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/chinaz.org/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/chinaz.org/chain.pem
----------------------------------------------------------------------

On httpd 2.4.8 and later SSLCertificateChainFile is obsolete; pointing SSLCertificateFile at fullchain.pem (as the Postfix and Dovecot settings below do) serves the intermediate chain without it.

Postfix configuration

# vi /etc/postfix/main.cf
----------------------------------------------------------------------
smtpd_tls_cert_file = /etc/letsencrypt/live/chinaz.org/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/chinaz.org/privkey.pem
----------------------------------------------------------------------

Dovecot configuration

# vi /etc/dovecot/conf.d/10-ssl.conf
----------------------------------------------------------------------
ssl_cert = </etc/letsencrypt/live/chinaz.org/fullchain.pem
ssl_key = </etc/letsencrypt/live/chinaz.org/privkey.pem
----------------------------------------------------------------------

Renewal script

# vi /usr/local/sbin/certbot.sh
--------------------------------------------------------------
#!/bin/sh

/usr/bin/certbot renew -q --deploy-hook "systemctl restart httpd ; systemctl restart postfix ; systemctl restart dovecot" --dns-rfc2136-propagation-seconds 180
--------------------------------------------------------------
# ln -s /usr/local/sbin/certbot.sh /etc/cron.daily/certbot.sh

certbot renew only renews certificates that are within 30 days of expiry, so running this daily is fine; -q keeps it silent unless something fails, and the deploy hook runs only after a successful renewal.

Error from the scheduled task (cron), 2022/03/27

An error occurred in the script registered in cron.
The cause was that the DNS name "_acme-challenge.chinaz.org" could no longer be looked up.
Adding "allow-query { any; };" to the "_acme-challenge.chinaz.org" zone and restarting DNS recovered it.
With "systemctl reload named-chroot" the setting was not applied.
Reference: CentOS8で構築する自宅サーバ:dnsサーバの構築 その2 Let's Encryptで証明書を取得! | 気ままな旅日記 (Home server on CentOS 8: building a DNS server, part 2, getting a certificate with Let's Encrypt)

Encountered exception during recovery: certbot.errors.PluginError: Received response from server: REFUSED
Failed to renew certificate chinaz.org with error: Received response from server: REFUSED
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/chinaz.org/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
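The REFUSED above fits how the rfc2136 plugin locates the zone it should update: it sends SOA queries for _acme-challenge.chinaz.org, then chinaz.org, then org, and takes the first authoritative answer. If the challenge zone refuses the query, the walk lands on the parent zone chinaz.org, whose update-policy grants certbot-key nothing, so the signed update is REFUSED; "allow-query { any; }" on the challenge zone makes the walk stop at the right zone (and that zone has to be world-queryable anyway, since Let's Encrypt's resolvers must read the TXT). The script below is an added example, not certbot's code: it reproduces the walk with a constructed stand-in for named (StubNamed, assuming the same server is also authoritative for the parent zone chinaz.org) and includes soa_probe_live(), which runs the same walk against a real server using dnspython.

```python
"""acme_zone_probe.py: how the rfc2136 authenticator finds the zone to update,
and why an unqueryable _acme-challenge zone produces REFUSED.

Added example for this page, not certbot's code.  It mirrors the plugin's
behaviour: SOA queries for the record name and each parent name, the first
authoritative answer is the zone, and the TSIG-signed UPDATE goes there.
StubNamed is a constructed model of the page's named.conf."""
from typing import Callable, Dict, List, Optional, Set


def zone_guesses(record: str) -> List[str]:
    """'_acme-challenge.chinaz.org' -> [itself, 'chinaz.org', 'org']."""
    labels = record.rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def find_zone(record: str, soa_is_authoritative: Callable[[str], bool]) -> Optional[str]:
    """Most specific name for which the server returns an authoritative SOA, else None."""
    for guess in zone_guesses(record):
        if soa_is_authoritative(guess):
            return guess
    return None


def soa_probe_live(server: str, port: int = 53) -> Callable[[str], bool]:
    """Real probe against a nameserver via dnspython (the library the certbot plugin
    also uses).  Imported lazily so demo() runs without it installed."""
    import dns.flags, dns.message, dns.query, dns.rcode

    def probe(name: str) -> bool:
        q = dns.message.make_query(name, "SOA")
        q.flags &= ~dns.flags.RD                       # non-recursive: only the server's own data counts
        r = dns.query.tcp(q, server, port=port, timeout=5)
        return r.rcode() == dns.rcode.NOERROR and bool(r.flags & dns.flags.AA) and bool(r.answer)
    return probe


class StubNamed:
    """Constructed model of one view of the page's named.conf, as seen from the certbot host."""

    def __init__(self, queryable: Dict[str, bool], policy: Dict[str, Set[str]]) -> None:
        self.queryable = queryable   # zone -> whether allow-query lets this client see it
        self.policy = policy         # zone -> names whose TXT certbot-key may change

    def soa(self, name: str) -> bool:
        # REFUSED by allow-query, or not a zone on this server: no authoritative SOA either way.
        return self.queryable.get(name, False)

    def update(self, zone: str, name: str) -> str:
        if zone not in self.queryable:
            return "NOTAUTH"
        return "NOERROR" if name in self.policy.get(zone, set()) else "REFUSED"


def add_challenge_txt(server: StubNamed, record: str) -> str:
    """What the plugin does per challenge: find the zone, then send the update there."""
    zone = find_zone(record, server.soa)
    if zone is None:
        return "no zone found"
    return f"{zone}: {server.update(zone, record)}"


def demo() -> Dict[str, object]:
    record = "_acme-challenge.chinaz.org"
    policy = {record: {record}}          # grant certbot-key name _acme-challenge.chinaz.org. TXT;
    # Before 2022.03.27: the client may not query the challenge zone, so the walk lands
    # on the parent zone (assumed to live on the same server), which grants the key nothing.
    before = StubNamed({record: False, "chinaz.org": True}, policy)
    # After adding allow-query { any; } to the challenge zone.
    after = StubNamed({record: True, "chinaz.org": True}, policy)
    return {"guesses": zone_guesses(record),
            "before": add_challenge_txt(before, record),
            "after": add_challenge_txt(after, record)}
```

From the certbot host, find_zone("_acme-challenge.chinaz.org", soa_probe_live("210.136.17.172")) must return the challenge zone itself; if it returns chinaz.org, the challenge zone is not answering that client and the update will be refused exactly as in the log above.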

Error from the scheduled task (cron), 2021/09/19

An error occurred in the script registered in cron.
The log contained the message below with status "400", which looked like a timeout, so the option "--dns-rfc2136-propagation-seconds 180" was added to the command to extend the wait, after which a manual run was confirmed to work normally.
* When the option is not given the wait is 60 seconds, so 180 (double) was set provisionally.

Failed to renew certificate chinaz.org with error: Some challenges have failed.
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/chinaz.org/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
# vi letsencrypt.log
2021-09-19 15:12:20,233:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sun, 19 Sep 2021 06:12:20 GMT
Content-Type: application/json
Content-Length: 662
Connection: keep-alive
Boulder-Requester: xxxx
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0001xxxxxxxxxxxxx
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "chinaz.org"
  },
  "status": "invalid",
  "expires": "2021-09-26T06:11:18Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:dns",
        "detail": "DNS problem: NXDOMAIN looking up TXT for _acme-challenge.chinaz.org - check that a DNS record exists for this domain",
        "status": 400
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/32353274330/xxxx",
      "token": "xxxxxxxxxxxxx",
      "validated": "2021-09-19T06:12:18Z"
    }
  ],
  "wildcard": true
}
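NXDOMAIN in that response means the server Let's Encrypt's resolver reached had no such name at all. With the layout on this page the challenge name is the apex of its own zone, so a server that serves the zone but has not yet received the TXT answers NOERROR with an empty answer, while NXDOMAIN comes from a server answering out of the parent zone chinaz.org (no delegation for _acme-challenge, or the child zone not loaded in the view outside clients hit). Either way a fixed --dns-rfc2136-propagation-seconds is a guess at a delay; polling every authoritative server until each returns the challenge value turns the guess into a check with a deadline. The script below is an added example, not certbot's code: wait_for_txt() polls a list of per-server lookups, txt_lookup_live() is the real lookup (it needs dnspython, as the certbot plugin does), and FakeServer/FakeClock are constructed so demo() runs offline, with an assumed secondary server that lags 90 seconds.

```python
"""txt_wait.py: poll the authoritative servers for the challenge TXT instead of
sleeping a fixed --dns-rfc2136-propagation-seconds.

Added example for this page, not certbot's code.  FakeServer/FakeClock are
constructed so demo() runs offline; txt_lookup_live() is the real lookup."""
import time
from typing import Callable, Dict, List


def wait_for_txt(name: str, value: str, lookups: List[Callable[[str], List[str]]],
                 timeout: float = 180.0, interval: float = 5.0,
                 clock: Callable[[], float] = time.monotonic,
                 sleep: Callable[[float], None] = time.sleep) -> float:
    """Return seconds waited until every lookup (one per authoritative server) returns
    `value` for `name`; raise TimeoutError after `timeout` seconds.  Let's Encrypt may
    ask any of the servers, so all of them have to agree before the challenge is safe."""
    start = clock()
    while True:
        if all(value in lookup(name) for lookup in lookups):
            return clock() - start
        if clock() - start >= timeout:
            raise TimeoutError(f"TXT {name} = {value!r} not visible everywhere after {timeout:.0f}s")
        sleep(interval)


def txt_lookup_live(server_ip: str) -> Callable[[str], List[str]]:
    """Ask one nameserver directly for the TXT strings at a name; [] on NXDOMAIN or no answer."""
    import dns.exception, dns.resolver               # lazy import: demo() runs without dnspython
    res = dns.resolver.Resolver(configure=False)
    res.nameservers = [server_ip]
    resolve = getattr(res, "resolve", None) or res.query   # dnspython 2.x / 1.x

    def lookup(name: str) -> List[str]:
        try:
            answer = resolve(name, "TXT")
        except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer,
                dns.resolver.NoNameservers, dns.exception.Timeout):
            return []
        return [b"".join(rr.strings).decode() for rr in answer]
    return lookup


class FakeClock:
    """Deterministic clock so the demo shows timing without actually waiting."""
    def __init__(self) -> None:
        self.now = 0.0
    def __call__(self) -> float:
        return self.now
    def sleep(self, seconds: float) -> None:
        self.now += seconds


class FakeServer:
    """Constructed authoritative server that starts serving the TXT `visible_after`
    seconds after the update; until then it returns nothing (the NXDOMAIN/NODATA case)."""
    def __init__(self, clock: FakeClock, visible_after: float, value: str) -> None:
        self.clock, self.t0, self.visible_after, self.value = clock, clock(), visible_after, value
    def lookup(self, name: str) -> List[str]:
        return [self.value] if self.clock() - self.t0 >= self.visible_after else []


def demo() -> Dict[str, object]:
    name, token = "_acme-challenge.chinaz.org", "constructed-challenge-token"
    out: Dict[str, object] = {}
    # Primary answers at once; an assumed secondary lags 90 s, longer than the plugin's 60 s default.
    clock = FakeClock()
    lookups = [FakeServer(clock, 0, token).lookup, FakeServer(clock, 90, token).lookup]
    out["waited"] = wait_for_txt(name, token, lookups, timeout=180, interval=5,
                                 clock=clock, sleep=clock.sleep)
    # The same lag with a 60 s budget: what a fixed 60 s wait would have done.
    clock = FakeClock()
    lookups = [FakeServer(clock, 0, token).lookup, FakeServer(clock, 90, token).lookup]
    try:
        wait_for_txt(name, token, lookups, timeout=60, interval=5, clock=clock, sleep=clock.sleep)
        out["timed_out_at_60"] = False
    except TimeoutError:
        out["timed_out_at_60"] = True
    return out
```

On a real host, build the lookups from the NS records of the zone, for example [txt_lookup_live(ip) for ip in ("210.136.17.172", ...)], and run wait_for_txt() in a certbot --manual-auth-hook or as a pre-flight before certonly; it returns as soon as the record is visible everywhere instead of always sleeping the full propagation time.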
