Archive for the ‘Serverの構築と運用覚書き’ Category
昨日(7/13)午後、「接続はプライベートではありません」との警告文が表示され、このサイトにアクセスすることができなくなってしまっていた。午前中は問題なくアクセスできていたのに突然の障害の発生。
この問題、SSL証明書が無効なときに発生することから証明書の有効期限を確認したところ、ちょうど期限切れであったことを確認。証明書を新規に発行しなおした。
一連の作業のログを、以下に、残しておいた。
SSL証明書の期限の確認:
証明書発行時に作成される証明書公開鍵 fullchain.pemに対し、opensslコマンドを用いて有効期限の確認できる。
openssl x509 -in fullchain.pem -noout -dates
notBefore=Apr 14 04:26:02 2023 GMT
notAfter=Jul 13 04:26:01 2023 GMT
結果、有効期限は7/13の午前4時26分(GMT)に切れていることを確認。
証明書の新規発行:
certbotの確認
# certbot --version
certbot 1.22.0
httpdの停止
証明書の新規作成
# certbot certonly --manual \
> --preferred-challenges dns \
> -d *.yamasnet.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for *.yamasnet.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name:
_acme-challenge.yamasnet.com.
with the following value:
*******************************************
Before continuing, verify the TXT record has been deployed. Depending on the DNS
provider, this may take some time, from a few seconds to multiple minutes. You can
check if it has finished deploying with aid of online tools, such as the Google
Admin Toolbox: https://toolbox.googleapps.com/apps/dig/#TXT/_acme-challenge.yamasnet.com.
Look for one or more bolded line(s) below the line ';ANSWER'. It should show the
value(s) you've just added.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/yamasnet.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/yamasnet.com/privkey.pem
This certificate expires on 2023-10-11.
These files will be updated when the certificate renews.
NEXT STEPS:
- This certificate will not be renewed automatically. Autorenewal of --manual certificates requires the use of an authentication hook script (--manual-auth-hook) but one was not provided. To renew this certificate, repeat this same certbot command before the certificate's expiry date.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
httpdの起動:
Posted in Serverの構築と運用覚書き | No Comments »
このブログ上に投稿したポスト記事は、その都度、Tweetしている。この仕組み、2015年に作成しており、4月1日の投稿記事まではうまく機能していた。ところが、4月11日に投稿した前回記事「LetsEncrypt SSL証明書の更新(2023/4/14付け)」はTweetされなくなっていた。
どうやらTweeterの運営が変わったことの影響を受けたようだ。
いろいろ試行錯誤しながら、なんとか復活。
この記事のタイトルと要約の一部がTweetされているはず。
Posted in Serverの構築と運用覚書き | No Comments »
LetsEncrypt SSL証明書を更新した。
更新時のログを以下に示す:
# certbot certonly --manual
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): *.yamasnet.com
Renewing an existing certificate for *.yamasnet.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name:
_acme-challenge.yamasnet.com.
with the following value:
************************************************
Before continuing, verify the TXT record has been deployed. Depending on the DNS
provider, this may take some time, from a few seconds to multiple minutes. You can
check if it has finished deploying with aid of online tools, such as the Google
Admin Toolbox: https://toolbox.googleapps.com/apps/dig/#TXT/_acme-challenge.yamasnet.com.
Look for one or more bolded line(s) below the line ';ANSWER'. It should show the
value(s) you've just added.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/yamasnet.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/yamasnet.com/privkey.pem
This certificate expires on 2023-07-13.
These files will be updated when the certificate renews.
NEXT STEPS:
- This certificate will not be renewed automatically. Autorenewal of --manual certificates requires the use of an authentication hook script (--manual-auth-hook) but one was not provided. To renew this certificate, repeat this same certbot command before the certificate's expiry date.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Posted in Serverの構築と運用覚書き | No Comments »
Monday, November 14th, 2022
LetsEncrypt SSL証明書を更新した。
更新時のログを以下に示す:
[root@server02 ~]# certbot certonly --manual
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): *.yamasnet.com
Renewing an existing certificate for *.yamasnet.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name:
_acme-challenge.yamasnet.com.
with the following value:
*******************************************
Before continuing, verify the TXT record has been deployed. Depending on the DNS
provider, this may take some time, from a few seconds to multiple minutes. You can
check if it has finished deploying with aid of online tools, such as the Google
Admin Toolbox: https://toolbox.googleapps.com/apps/dig/#TXT/_acme-challenge.yamasnet.com.
Look for one or more bolded line(s) below the line ';ANSWER'. It should show the
value(s) you've just added.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/yamasnet.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/yamasnet.com/privkey.pem
This certificate expires on 2023-02-11.
These files will be updated when the certificate renews.
NEXT STEPS:
- This certificate will not be renewed automatically. Autorenewal of --manual certificates requires the use of an authentication hook script (--manual-auth-hook) but one was not provided. To renew this certificate, repeat this same certbot command before the certificate's expiry date.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
httpd を再起動し証明書更新を反映
[root@server02 ~]# systemctl restart httpd
証明書の有効期間は以下:
有効期間:
発行日 2022年11月14日月曜日 8:47:24
有効期限 2023年2月12日日曜日 8:47:23
Posted in Serverの構築と運用覚書き | No Comments »
Thursday, November 3rd, 2022
自宅サーバーの自動バックアップについて10年以上前に「USBへのバックアップを自動化」を書いたことがある。
このときに紹介したバックアップ用のshellには古いバックアップデータを自動的に削除する仕組みになっていない。このためバックアップ用のデバイスが満杯になるとエラーになってしまい。正常にバックアップできないという事態が発生していた。
1週間以上前に作成したバックアップデータを自動的に削除し、デバイスの容量を確保するために、バックアップ用shellの最終行に以下の1行を付け加えた
find /mnt/ssd -maxdepth 1 -type f -name '*.tar.gz' -atime +5 -exec rm -f {} \;
(追記)上記、shellの一部を修正した(11/09)
Posted in Serverの構築と運用覚書き | No Comments »