Obtaining a Let's Encrypt certificate using the DNS server
Installation
# dnf install certbot python3-certbot-dns-rfc2136
DDNS support
Generating the DDNS key
# ddns-confgen -k certbot-key -r /dev/urandom
-------------------------------------------------------------
# To activate this key, place the following in named.conf, and
# in a separate keyfile on the system or systems from which nsupdate
# will be run:
key "certbot-key" {
algorithm hmac-sha256;
secret "VryzjtrLza//MekqxhVS/AkjklujjwLcPSqn0000+O0=";
};
# Then, in the "zone" statement for each zone you wish to dynamically
# update, place an "update-policy" statement granting update permission
# to this key. For example, the following statement grants this key
# permission to update any name within the zone:
update-policy {
grant certbot-key zonesub ANY;
};
# After the keyfile has been placed, the following command will
# execute nsupdate using this key:
nsupdate -k <keyfile>
-------------------------------------------------------------
Creating the TSIG key file
# mkdir /var/named/keys
# vi /var/named/keys/certbot-key
--------------------------------------------------------------------
key "certbot-key" {
algorithm hmac-sha256;
secret "VryzjtrLza//MekqxhVS/AkjklujjwLcPSqn0000+O0=";
};
--------------------------------------------------------------------
# chown -R named:named /var/named/keys
# chmod 600 /var/named/keys
# chmod 400 /var/named/keys/certbot-key
named.conf
・Add the TSIG key
・certbot-key could not be pulled in with include, so it is written directly (T_T)
・Add a zone statement for the zone that may be updated via DDNS
・Use in-view so that the inward (local) and outward (world) views share the same zone.
# vi /etc/named.conf
--------------------------------------------------------------
#include "/var/named/keys/certbot-key";
key "certbot-key" {
    algorithm hmac-sha256;
    secret "VryzjtrLza//MekqxhVS/AkjklujjwLcPSqn0000+O0=";
};
view "local" {
    zone "_acme-challenge.chinaz.org" {
        type master;
        file "dynamic-dns/_acme-challenge.chinaz.org.zone";
        allow-transfer { localhost; localnets; };
        check-names ignore;
        allow-query { any; };    // added 2022.03.27
        update-policy {
            grant certbot-key name _acme-challenge.chinaz.org. TXT;
        };
    };
};
view "world" {
    zone "_acme-challenge.chinaz.org" {
        in-view local;
    };
};
--------------------------------------------------------------
Adding the zone file
# mkdir /var/named/dynamic-dns
# vi /var/named/dynamic-dns/_acme-challenge.chinaz.org.zone
--------------------------------------------------------------
$TTL 1D
@ IN SOA ns.chinaz.org. root.ns.chinaz.org. (
6 ; serial
3600 ; refresh (1 hour)
600 ; retry (10 minutes)
1209600 ; expire (2 weeks)
60 ; minimum (1 minute)
)
;
IN NS ns.chinaz.org.
--------------------------------------------------------------
# chown -R named:named /var/named/dynamic-dns
# chmod 770 /var/named/dynamic-dns/
# chmod 640 /var/named/dynamic-dns/_acme-challenge.chinaz.org.zone
Syntax check
# named-checkzone _acme-challenge.chinaz.org /var/named/dynamic-dns/_acme-challenge.chinaz.org.zone
# named-checkconf /etc/named.conf
Restarting the service
# systemctl restart named-chroot
Verifying operation
Verifying Dynamic DNS
Registering a TXT record
# nsupdate -d -k /var/named/keys/certbot-key
> update add _acme-challenge.chinaz.org. 3600 in txt test
> send
> quit
Deleting the TXT record
# nsupdate -d -k /var/named/keys/certbot-key
> update delete _acme-challenge.chinaz.org. 3600 in txt test
> send
> quit
Checking whether the record was registered
# dig @127.0.0.1 TXT _acme-challenge.chinaz.org
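What nsupdate above, and certbot's dns-rfc2136 plugin later on, put on the wire is an RFC 2136 UPDATE message with a TSIG resource record (RFC 8945) appended, its MAC computed with the shared hmac-sha256 secret from named.conf. The Python below is an added example, not code from the page, from certbot or from BIND: it builds the "add TXT" and "delete TXT" updates for _acme-challenge.chinaz.org, signs them, and then plays the name-server side, recomputing the MAC and telling apart an unknown key name (which RFC 8945 requires the server to answer with TSIG error BADKEY; certbot's dnspython-based plugin reports that as "The peer didn't know the key we used", the message seen further down this page) from a wrong secret or tampered message (BADSIG) and a stale timestamp (BADTIME). The key name certbot-key. follows the page; the secret EXAMPLE_SECRET is a constructed value, not the page's key, and all helper names are this example's own.

```python
"""RFC 2136 UPDATE messages carrying an RFC 8945 TSIG (hmac-sha256), standard library only.
Added example: build_update/sign_update play the nsupdate/certbot side, verify_update the
name server side.  Key name follows the page; the secret and helper names are constructed."""
import base64
import hashlib
import hmac
import os
import struct
import time

TYPE_SOA, TYPE_TXT, TYPE_TSIG = 6, 16, 250
CLASS_IN, CLASS_NONE, CLASS_ANY = 1, 254, 255
OPCODE_UPDATE = 5
ALGORITHM = "hmac-sha256."                      # TSIG algorithm names are DNS names
EXAMPLE_SECRET = "AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8="   # constructed, not the page's key

def wire_name(name):
    """Canonical wire form (lowercase, uncompressed) of a DNS name."""
    labels = [lb for lb in name.lower().rstrip(".").split(".") if lb]
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"

def read_name(wire, pos):
    """Decode an uncompressed name; returns (name, position after it)."""
    labels = []
    while wire[pos]:
        n = wire[pos]
        labels.append(wire[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels).lower() + ".", pos + 1

def rr(name, rtype, rclass, ttl, rdata):
    return wire_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata

def build_update(zone, owner, ttl, text, delete=False, msg_id=None):
    """One-change UPDATE (opcode 5): add a TXT RR, or delete exactly that RR
    (RFC 2136 section 2.5.4: class NONE, TTL 0).  Counts: ZO=1 PR=0 UP=1 AD=0."""
    msg_id = os.urandom(2) if msg_id is None else msg_id
    header = msg_id + struct.pack("!HHHHH", OPCODE_UPDATE << 11, 1, 0, 1, 0)
    zone_section = wire_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    rdata = bytes([len(text)]) + text.encode("ascii")
    change = (rr(owner, TYPE_TXT, CLASS_NONE, 0, rdata) if delete
              else rr(owner, TYPE_TXT, CLASS_IN, ttl, rdata))
    return header + zone_section + change

def _time48(t):
    return struct.pack("!HI", t >> 32, t & 0xFFFFFFFF)

def tsig_variables(key_name, time_signed, fudge, error=0, other=b""):
    """TSIG fields covered by the MAC, in RFC 8945 section 4.3.3 order."""
    return (wire_name(key_name) + struct.pack("!HI", CLASS_ANY, 0) + wire_name(ALGORITHM)
            + _time48(time_signed) + struct.pack("!HHH", fudge, error, len(other)) + other)

def sign_update(message, key_name, secret_b64, time_signed=None, fudge=300):
    """Append the TSIG RR.  MAC = HMAC-SHA256(secret, message-without-TSIG || variables)."""
    time_signed = int(time.time()) if time_signed is None else time_signed
    key = base64.b64decode(secret_b64)
    mac = hmac.new(key, message + tsig_variables(key_name, time_signed, fudge), hashlib.sha256).digest()
    rdata = (wire_name(ALGORITHM) + _time48(time_signed) + struct.pack("!HH", fudge, len(mac))
             + mac + message[:2] + struct.pack("!HH", 0, 0))       # original ID, error, other len
    arcount = struct.unpack("!H", message[10:12])[0] + 1          # the TSIG RR counts in ARCOUNT
    return (message[:10] + struct.pack("!H", arcount) + message[12:]
            + rr(key_name, TYPE_TSIG, CLASS_ANY, 0, rdata))

def verify_update(signed, keyring, now=None):
    """Server side; keyring maps key name -> base64 secret (the named.conf key statements).
    Returns (accepted, TSIG status).  Unknown key -> BADKEY (RFC 8945 section 5.3),
    wrong secret or tampered message -> BADSIG, time outside the fudge window -> BADTIME."""
    now = int(time.time()) if now is None else now
    qd, an, ns, ar = struct.unpack("!HHHH", signed[4:12])
    if ar == 0:
        return False, "no TSIG RR"
    pos = 12
    for _ in range(qd):                           # zone section entry: name + type + class
        pos = read_name(signed, pos)[1] + 4
    for _ in range(an + ns + ar - 1):             # skip every RR but the last
        pos = read_name(signed, pos)[1]
        pos += 10 + struct.unpack("!H", signed[pos + 8:pos + 10])[0]
    tsig_start = pos
    key_name, p = read_name(signed, pos)
    if struct.unpack("!H", signed[p:p + 2])[0] != TYPE_TSIG:
        return False, "no TSIG RR"
    alg, p = read_name(signed, p + 10)
    hi, lo, fudge, mac_size = struct.unpack("!HIHH", signed[p:p + 10])
    mac = signed[p + 10:p + 10 + mac_size]
    p += 10 + mac_size
    error, other_len = struct.unpack("!HH", signed[p + 2:p + 6])   # p..p+2 is the original ID
    other = signed[p + 6:p + 6 + other_len]
    if key_name not in keyring or alg != ALGORITHM:
        return False, "BADKEY"
    time_signed = (hi << 32) | lo
    if abs(now - time_signed) > fudge:
        return False, "BADTIME"
    unsigned = signed[:10] + struct.pack("!H", ar - 1) + signed[12:tsig_start]
    expected = hmac.new(base64.b64decode(keyring[key_name]),
                        unsigned + tsig_variables(key_name, time_signed, fudge, error, other),
                        hashlib.sha256).digest()
    return (True, "NOERROR") if hmac.compare_digest(expected, mac) else (False, "BADSIG")
```

Usage: `sign_update(build_update("_acme-challenge.chinaz.org.", "_acme-challenge.chinaz.org.", 3600, "test"), "certbot-key.", EXAMPLE_SECRET)` yields the bytes nsupdate sends for the "update add" above; feeding them to `verify_update` with a keyring that lacks `certbot-key.` returns `(False, "BADKEY")`, which is the situation behind the "peer didn't know the key" error later on this page. The `update-policy` in named.conf further restricts what a verified key may change (here: TXT at one name), so the key can do no more than the challenge needs even if it leaks.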
Certbot configuration
# vi /etc/letsencrypt/rfc2136.ini
--------------------------------------------------------------
# Address of the master server for the _acme-challenge.example.org zone
dns_rfc2136_server = 210.136.17.172
# Port number to connect to
dns_rfc2136_port = 53
# Name of the authentication key
dns_rfc2136_name = certbot-key.
# Value of the authentication key
dns_rfc2136_secret = VryzjtrLza//MekqxhVS/AkjklujjwLcPSqn0000+O0=
# Algorithm used when generating the key
dns_rfc2136_algorithm = HMAC-SHA256
--------------------------------------------------------------
# chmod 600 /etc/letsencrypt/rfc2136.ini
Creating the account
# certbot certonly --dns-rfc2136 --dns-rfc2136-credentials /etc/letsencrypt/rfc2136.ini -d '*.chinaz.org'
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-rfc2136, Installer None
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): aki@chinaz.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-staging-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: a
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for chinaz.org
Unsafe permissions on credentials configuration file: /etc/letsencrypt/rfc2136.ini
Cleaning up challenges
Encountered exception during recovery: certbot.errors.PluginError: Encountered error deleting TXT record: The peer didn't know the key we used
Encountered error adding TXT record: The peer didn't know the key we used
IMPORTANT NOTES:
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
Certificate configuration
Checking the location
# cd /etc/letsencrypt/live/chinaz.org/
# ll
合計 4
-rw-r--r-- 1 root root 692 12月 31 18:32 README
lrwxrwxrwx 1 root root 34 12月 31 18:32 cert.pem -> ../../archive/chinaz.org/cert1.pem
lrwxrwxrwx 1 root root 35 12月 31 18:32 chain.pem -> ../../archive/chinaz.org/chain1.pem
lrwxrwxrwx 1 root root 39 12月 31 18:32 fullchain.pem -> ../../archive/chinaz.org/fullchain1.pem
lrwxrwxrwx 1 root root 37 12月 31 18:32 privkey.pem -> ../../archive/chinaz.org/privkey1.pem
Apache configuration
# vi /etc/httpd/conf.d/ssl.conf
----------------------------------------------------------------------
SSLCertificateFile /etc/letsencrypt/live/chinaz.org/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/chinaz.org/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/chinaz.org/chain.pem
----------------------------------------------------------------------
Postfix configuration
# vi /etc/postfix/main.cf
----------------------------------------------------------------------
smtpd_tls_cert_file = /etc/letsencrypt/live/chinaz.org/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/chinaz.org/privkey.pem
----------------------------------------------------------------------
Dovecot configuration
# vi /etc/dovecot/conf.d/10-ssl.conf
----------------------------------------------------------------------
ssl_cert = </etc/letsencrypt/live/chinaz.org/fullchain.pem
ssl_key = </etc/letsencrypt/live/chinaz.org/privkey.pem
----------------------------------------------------------------------
Renewal script
# vi /usr/local/sbin/certbot.sh
--------------------------------------------------------------
#!/bin/sh
# Renew quietly; the deploy hook runs only when a certificate was actually renewed.
# --dns-rfc2136-propagation-seconds 180 doubles certbot's default 60-second wait.
/usr/bin/certbot renew -q --deploy-hook "systemctl restart httpd ; systemctl restart postfix ; systemctl restart dovecot" --dns-rfc2136-propagation-seconds 180
--------------------------------------------------------------
# ln -s /usr/local/sbin/certbot.sh /etc/cron.daily/cretboy.sh
Error in the scheduled task (cron), 2022/03/27
An error occurred in the script registered in cron.
The cause was that the DNS record "_acme-challenge.chinaz.org" could no longer be retrieved.
It was resolved by adding "allow-query { any; };" to the "_acme-challenge.chinaz.org" zone and restarting DNS.
"systemctl reload named-chroot" did not apply the setting.
Home server built on CentOS 8: building the DNS server, part 2, obtaining a certificate with Let's Encrypt! | 気ままな旅日記
Encountered exception during recovery: certbot.errors.PluginError: Received response from server: REFUSED
Failed to renew certificate chinaz.org with error: Received response from server: REFUSED
All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/chinaz.org/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
Error in the scheduled task (cron), 2021/09/19
An error occurred in the script registered in cron.
The log contained the message below with status "400". Since it looked like a timeout, the option "--dns-rfc2136-propagation-seconds 180", which extends the wait time, was added to the command; after that, a manual run was confirmed to work normally.
* When the option is not specified the wait is 60 seconds, so twice that, 180, was specified as a provisional value.
Failed to renew certificate chinaz.org with error: Some challenges have failed.
All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/chinaz.org/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
# vi letsencrypt.log
2021-09-19 15:12:20,233:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sun, 19 Sep 2021 06:12:20 GMT
Content-Type: application/json
Content-Length: 662
Connection: keep-alive
Boulder-Requester: xxxx
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0001xxxxxxxxxxxxx
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
{
  "identifier": {
    "type": "dns",
    "value": "chinaz.org"
  },
  "status": "invalid",
  "expires": "2021-09-26T06:11:18Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:dns",
        "detail": "DNS problem: NXDOMAIN looking up TXT for _acme-challenge.chinaz.org - check that a DNS record exists for this domain",
        "status": 400
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/32353274330/xxxx",
      "token": "xxxxxxxxxxxxx",
      "validated": "2021-09-19T06:12:18Z"
    }
  ],
  "wildcard": true
}
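The propagation option is a fixed sleep: certbot's dns-rfc2136 plugin adds the TXT record, waits the configured number of seconds (60 by default, 180 in the script above) and then asks Let's Encrypt to validate, without checking that the record has actually become visible, which is why an NXDOMAIN like the one in this log only shows up after the wait. The Python below is an added example, not part of the page or of certbot: it polls one or more authoritative servers with dig until every one of them returns the expected TXT string or a deadline passes, which is a reusable pre-flight check before a renewal or a way to measure how long propagation really takes. It goes beyond the page's single name server by accepting a list of servers. The function names, the dig invocation (bind-utils must be installed for the real lookup) and the address 203.0.113.53 are this example's own; the FakeServers class is a constructed stand-in so the loop can run without a network.

```python
"""Poll the authoritative name servers until a TXT record is visible, instead of
relying on a fixed propagation sleep.  Added example (not certbot's own code):
certbot's dns-rfc2136 plugin only sleeps, so use this as a pre-flight check or to
diagnose a 'Some challenges have failed' / NXDOMAIN renewal.  The real lookup
needs dig (bind-utils); FakeServers lets the loop run offline."""
import subprocess
import time

def dig_txt(name, server):
    """Ask one server directly (no recursion) and return the TXT strings it
    answers with; an empty set covers NXDOMAIN, NODATA, REFUSED and timeout."""
    proc = subprocess.run(
        ["dig", "+short", "+norecurse", "+time=2", "+tries=1", "TXT", name, "@" + server],
        capture_output=True, text=True, check=False)
    return {line.strip().strip('"') for line in proc.stdout.splitlines() if line.strip()}

def wait_for_txt(name, expected, servers, timeout=180, interval=5,
                 lookup=dig_txt, clock=time.monotonic, sleep=time.sleep):
    """Return (all_servers_answered, servers_still_missing_the_record).
    lookup/clock/sleep are injectable so the loop can be exercised offline."""
    deadline = clock() + timeout
    pending = set(servers)
    while True:
        pending = {s for s in pending if expected not in lookup(name, s)}
        if not pending:
            return True, []
        if clock() >= deadline:
            return False, sorted(pending)
        sleep(interval)

class FakeServers:
    """Constructed stand-in: maps server -> seconds after which it starts answering."""
    def __init__(self, delays):
        self.delays, self.now = delays, 0
    def clock(self):
        return self.now
    def sleep(self, seconds):
        self.now += seconds
    def lookup(self, name, server):
        return {"test"} if self.now >= self.delays[server] else set()

if __name__ == "__main__":
    # ns.chinaz.org is the page's name server; 203.0.113.53 is a documentation address.
    fake = FakeServers({"ns.chinaz.org": 20, "203.0.113.53": 70})
    print(wait_for_txt("_acme-challenge.chinaz.org", "test", fake.delays, timeout=60,
                       lookup=fake.lookup, clock=fake.clock, sleep=fake.sleep))  # (False, ['203.0.113.53'])
```

With the default 60-second budget the slower fake server is still missing when the deadline passes, which is exactly the case the fixed sleep cannot detect; with `timeout=180` the same call returns `(True, [])`. Against real servers, call `wait_for_txt("_acme-challenge.chinaz.org", "<value>", ["ns.chinaz.org"])` right after an nsupdate to see how long the record takes to appear, and size the propagation option from that measurement rather than from a guess.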