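Forgot the Let's Encrypt SSL certificate expiry date: issued a new certificate
July 14, 2023 – 9:24 am
Yesterday afternoon (7/13), the warning "Your connection is not private" was displayed and this site could no longer be accessed. It had been accessible without any problem during the morning, so the failure occurred suddenly.
Since this problem occurs when the SSL certificate is invalid, I checked the certificate's expiry date and confirmed that it had just expired. I issued a new certificate.
A log of the whole procedure is recorded below.
Checking the SSL certificate's expiry:
The expiry date can be checked by running the openssl command against the certificate file fullchain.pem, which is created when the certificate is issued.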
    openssl x509 -in fullchain.pem -noout -dates
    notBefore=Apr 14 04:26:02 2023 GMT
    notAfter=Jul 13 04:26:01 2023 GMT
As a result, I confirmed that the certificate expired at 4:26 a.m. (GMT) on 7/13.
Issuing a new certificate:
Checking certbot
    # certbot --version
    certbot 1.22.0
Stopping httpd
    # systemctl stop httpd
Creating the new certificate
    # certbot certonly --manual \
    > --preferred-challenges dns \
    > -d *.yamasnet.com
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Requesting a certificate for *.yamasnet.com

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Please deploy a DNS TXT record under the name:

    _acme-challenge.yamasnet.com.

    with the following value:

    *******************************************

    Before continuing, verify the TXT record has been deployed. Depending on the DNS
    provider, this may take some time, from a few seconds to multiple minutes. You can
    check if it has finished deploying with aid of online tools, such as the Google
    Admin Toolbox: https://toolbox.googleapps.com/apps/dig/#TXT/_acme-challenge.yamasnet.com.
    Look for one or more bolded line(s) below the line ';ANSWER'. It should show the
    value(s) you've just added.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Press Enter to Continue

    Successfully received certificate.
    Certificate is saved at: /etc/letsencrypt/live/yamasnet.com/fullchain.pem
    Key is saved at:         /etc/letsencrypt/live/yamasnet.com/privkey.pem
    This certificate expires on 2023-10-11.
    These files will be updated when the certificate renews.

    NEXT STEPS:
    - This certificate will not be renewed automatically. Autorenewal of --manual certificates requires the use of an authentication hook script (--manual-auth-hook) but one was not provided. To renew this certificate, repeat this same certbot command before the certificate's expiry date.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    If you like Certbot, please consider supporting our work by:
     * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
     * Donating to EFF:                    https://eff.org/donate-le
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Starting httpd:
    # systemctl start httpd
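
The certbot output above notes that a --manual certificate is not renewed automatically, so a scheduled expiry check is the practical guard against a repeat. The following Python script is an added example, not part of the original post: it parses the `openssl x509 -noout -dates` output recorded above, classifies the certificate as OK, RENEW or EXPIRED, and converts the expiry to local time. The function names, the 30-day warning window and the use of JST as the site's local time are assumptions.

```python
import subprocess
import sys
from datetime import datetime, timedelta, timezone

# Output of `openssl x509 -noout -dates` exactly as recorded in the post.
SAMPLE_DATES = """notBefore=Apr 14 04:26:02 2023 GMT
notAfter=Jul 13 04:26:01 2023 GMT"""
JST = timezone(timedelta(hours=9), "JST")  # assumption: the site's local time


def parse_dates(text):
    """Parse notBefore/notAfter lines into aware UTC datetimes (padded days are fine)."""
    out = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("notBefore", "notAfter"):
            dt = datetime.strptime(value, "%b %d %H:%M:%S %Y GMT")
            out[key] = dt.replace(tzinfo=timezone.utc)
    if "notAfter" not in out:
        raise ValueError("no notAfter line found")
    return out


def check(text, now, warn_days=30):
    """Classify a certificate as OK, RENEW (inside the warning window) or EXPIRED."""
    not_after = parse_dates(text)["notAfter"]
    remaining = not_after - now
    if remaining <= timedelta(0):
        status = "EXPIRED"
    elif remaining <= timedelta(days=warn_days):
        status = "RENEW"
    else:
        status = "OK"
    return status, remaining, not_after.astimezone(JST)


def read_cert_dates(path):
    """Run the same openssl command as the post against a certificate file."""
    return subprocess.run(
        ["openssl", "x509", "-in", path, "-noout", "-dates"],
        check=True, capture_output=True, text=True,
    ).stdout


if __name__ == "__main__":
    text = read_cert_dates(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_DATES
    status, remaining, local_expiry = check(text, datetime.now(timezone.utc))
    print(f"{status}: expires {local_expiry:%Y-%m-%d %H:%M %Z}, remaining {remaining}")
    sys.exit(0 if status == "OK" else 1)
```

Run from cron with the path to fullchain.pem as its argument, the non-zero exit status on RENEW or EXPIRED can trigger a mail or alert. For the dates in this post the expiry converts to 13:26 JST on 7/13, which matches the site working in the morning and failing in the afternoon.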