
Obtaining a new wildcard certificate from Let's Encrypt

I end up looking this up every time, so I am writing the steps down here.

Prerequisites

  • certbot-auto is available
    • git clone https://github.com/certbot/certbot
  • You are able to change the DNS records for the domain

Steps

Replace kuratsuki.net with your own domain where appropriate.

$ sudo ./certbot-auto certonly \
    --manual -d '*.kuratsuki.net' \
    -m 'webmaster@kuratsuki.net' --agree-tos \
    --preferred-challenges dns-01 \
    --server https://acme-v02.api.letsencrypt.org/directory

./certbot-auto has insecure permissions!
To learn how to fix them, visit https://community.letsencrypt.org/t/certbot-auto-deployment-best-practices/91979/
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for kuratsuki.net

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.kuratsuki.net with the following value:

Ib4LVMChbn2wyQZgvfbFXOkIO5HuDi7OJ9Xxjhp9-C2

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

At this point, switch over to configuring DNS.

In my case the registrar is お名前.com (Onamae.com), so I navigate through the following settings.

  1. "Domain settings"
  2. "Name server settings"
  3. "DNS-related function settings"
  4. Select the domain and click "Next"
  5. "Use DNS record settings"
  6. Set "TYPE" to "TXT" and "Host name" to "_acme-challenge"
  7. Enter the value certbot-auto printed earlier in "VALUE" and click "Proceed to confirmation"
  8. "Apply"

Once the DNS record has been set, go back to certbot-auto and press Enter.

If the DNS record update has not propagated yet at this point, you will see output like the following.

Waiting for verification...
Challenge failed for domain kuratsuki.net
dns-01 challenge for kuratsuki.net
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: kuratsuki.net
   Type:   unauthorized
   Detail: Incorrect TXT record
   "KQ08Sk3s2KCzWwsGrzJMU4GJksYY-8aGoSPuY3k1f8J" found at
   _acme-challenge.kuratsuki.net

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

I got this message even after confirming that the record had been updated locally, so I opened a second terminal in another window and tried the following.

$ nslookup -q=txt _acme-challenge.kuratsuki.net
Server:         127.0.0.53
Address:        127.0.0.53#53

Non-authoritative answer:
_acme-challenge.kuratsuki.net   text = "KQ08Sk3s2KCzWwsGrzJMU4GJksYY-8aGoSPuY3k1f8J"

Authoritative answers can be found from:

Until the new value shows up in this result, continuing certbot-auto will only fail.
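The nslookup above asks the local stub resolver (127.0.0.53), which can keep serving a cached copy of the previous value after the zone itself has already been updated. Let's Encrypt's validation servers query the zone's authoritative nameservers, so those are what to check before pressing Enter. The script below is an added example, not code from the original post: it looks up the zone's NS records with dig, queries each authoritative server directly for the _acme-challenge TXT record, and reports success only once every server returns the value certbot-auto displayed (a stale record with the old value does not count). It assumes dig is installed; the domain and the two values are taken from the post, and the function names txt_has_value and wait_for_txt are my own.

```shell
#!/bin/sh
# Added example (not from the original post): wait until the ACME DNS-01
# TXT record is visible on every authoritative nameserver of the zone.
# Assumes `dig` (package dnsutils / bind-utils) is installed.
#
# Usage:  ./wait_acme_txt.sh kuratsuki.net Ib4LVMChbn2wyQZgvfbFXOkIO5HuDi7OJ9Xxjhp9-C2

# txt_has_value EXPECTED  (reads `dig +short TXT` output on stdin)
# Returns 0 if any line, with dig's surrounding quotes removed, equals
# EXPECTED; 1 otherwise. The ACME value is a single short string, so
# one quoted string per line is all that needs handling here.
txt_has_value() {
    expected="$1"
    while IFS= read -r line; do
        line=${line#\"}   # strip leading quote
        line=${line%\"}   # strip trailing quote
        [ "$line" = "$expected" ] && return 0
    done
    return 1
}

# wait_for_txt DOMAIN EXPECTED [ATTEMPTS] [DELAY_SECONDS]
# Queries each authoritative server directly (the @server argument bypasses
# the local stub resolver at 127.0.0.53 and its cache) and returns 0 once
# all of them serve EXPECTED, or 1 after ATTEMPTS rounds.
wait_for_txt() {
    domain="$1"; expected="$2"
    attempts="${3:-30}"; delay="${4:-10}"
    name="_acme-challenge.$domain"
    i=0
    while [ "$i" -lt "$attempts" ]; do
        servers=$(dig +short NS "$domain")
        all_ok=1
        [ -n "$servers" ] || { echo "no NS records found for $domain"; all_ok=0; }
        for ns in $servers; do
            if dig +short TXT "$name" "@$ns" | txt_has_value "$expected"; then
                echo "ok    $ns"
            else
                echo "stale $ns"
                all_ok=0
            fi
        done
        [ "$all_ok" -eq 1 ] && return 0
        i=$((i + 1))
        sleep "$delay"
    done
    return 1
}

# Only act when called with arguments, so the functions can also be sourced.
if [ "$#" -ge 2 ]; then
    if wait_for_txt "$1" "$2"; then
        echo "record visible on all authoritative servers; press Enter in certbot-auto"
    else
        echo "timed out; keep waiting before continuing certbot-auto" >&2
        exit 1
    fi
fi
```

Run it in the second terminal while certbot-auto is waiting for Enter. Because every query names an authoritative server with @, the result reflects what the zone actually serves rather than what the local resolver has cached; if one server still shows the old value, the registrar's secondaries have not caught up yet and the challenge would fail exactly as shown above.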

If everything is fine, you will see output like this.

Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/kuratsuki.net/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/kuratsuki.net/privkey.pem
   Your cert will expire on 2019-09-21. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

The certificate and its related files are now stored under /etc/letsencrypt/live/.