Yama's Memorandum

証明書の期限が近付いたとのE-mailを受け取ったので更新作業を行った。手続きで間違いをしERRORがでたので新規に取り直した。

以下、証明書取得時のログを示す：

[root@Server02 ~]# certbot certonly --manual
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): *********@yamasnet.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Account registered.
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): *.yamasnet.com
Requesting a certificate for *.yamasnet.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name:

_acme-challenge.yamasnet.com.

with the following value:

*******************************************

Before continuing, verify the TXT record has been deployed. Depending on the DNS
provider, this may take some time, from a few seconds to multiple minutes. You can
check if it has finished deploying with aid of online tools, such as the Google
Admin Toolbox: https://toolbox.googleapps.com/apps/dig/#TXT/_acme-challenge.yamasnet.com.
Look for one or more bolded line(s) below the line ';ANSWER'. It should show the
value(s) you've just added.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/yamasnet.com/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/yamasnet.com/privkey.pem
This certificate expires on 2024-05-26.
These files will be updated when the certificate renews.

NEXT STEPS:
- This certificate will not be renewed automatically. Autorenewal of --manual certificates requires the use of an authentication hook script (--manual-auth-hook) but one was not provided. To renew this certificate, repeat this same certbot command before the certificate's expiry date.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

証明書の確認：

[root@Server02 ~]# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: yamasnet.com
    Serial Number: 3832a34231be263f78a606e8c13042ad4f5
    Key Type: ECDSA
    Domains: *.yamasnet.com
    Expiry Date: 2024-05-26 06:00:14+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/yamasnet.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/yamasnet.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

証明書を反映するため httpdを再起動

systemctl restart httpd

証明書の有効期限

発行日	　　　　2024年2月26日月曜日 15:00:15
有効期限	2024年5月26日日曜日 15:00:14

　　

Posted in Serverの構築と運用覚書き | No Comments »

昨日(7/13)午後、「接続はプライベートではありません」との警告文が表示され、このサイトにアクセスすることができなくなってしまっていた。午前中は問題なくアクセスできていたのに突然の障害の発生。

この問題、SSL証明書が無効なときに発生することから証明書の有効期限を確認したところ、ちょうど期限切れであったことを確認。証明書を新規に発行しなおした。

一連の作業のログを、以下に、残しておいた。

SSL証明書の期限の確認：
証明書発行時に作成される証明書公開鍵 fullchain.pemに対し、opensslコマンドを用いて有効期限の確認できる。

openssl x509 -in fullchain.pem -noout -dates
notBefore=Apr 14 04:26:02 2023 GMT
notAfter=Jul 13 04:26:01 2023 GMT

結果、有効期限は7/13の午前4時26分（GMT）に切れていることを確認。

証明書の新規発行：
certbotの確認

# certbot --version
certbot 1.22.0

httpdの停止

# systemctl stop httpd

証明書の新規作成

# certbot certonly --manual \
>  --preferred-challenges dns \
> -d *.yamasnet.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for *.yamasnet.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name:

_acme-challenge.yamasnet.com.

with the following value:

*******************************************

Before continuing, verify the TXT record has been deployed. Depending on the DNS
provider, this may take some time, from a few seconds to multiple minutes. You can
check if it has finished deploying with aid of online tools, such as the Google
Admin Toolbox: https://toolbox.googleapps.com/apps/dig/#TXT/_acme-challenge.yamasnet.com.
Look for one or more bolded line(s) below the line ';ANSWER'. It should show the
value(s) you've just added.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/yamasnet.com/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/yamasnet.com/privkey.pem
This certificate expires on 2023-10-11.
These files will be updated when the certificate renews.

NEXT STEPS:
- This certificate will not be renewed automatically. Autorenewal of --manual certificates requires the use of an authentication hook script (--manual-auth-hook) but one was not provided. To renew this certificate, repeat this same certbot command before the certificate's expiry date.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

httpdの起動：

# systemctl start httpd

　　

Posted in Serverの構築と運用覚書き | No Comments »

LetsEncrypt SSL証明書を更新した。

更新時のログを以下に示す：

# certbot certonly --manual
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): *.yamasnet.com
Renewing an existing certificate for *.yamasnet.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name:

_acme-challenge.yamasnet.com.

with the following value:

************************************************

Before continuing, verify the TXT record has been deployed. Depending on the DNS
provider, this may take some time, from a few seconds to multiple minutes. You can
check if it has finished deploying with aid of online tools, such as the Google
Admin Toolbox: https://toolbox.googleapps.com/apps/dig/#TXT/_acme-challenge.yamasnet.com.
Look for one or more bolded line(s) below the line ';ANSWER'. It should show the
value(s) you've just added.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/yamasnet.com/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/yamasnet.com/privkey.pem
This certificate expires on 2023-07-13.
These files will be updated when the certificate renews.

NEXT STEPS:
- This certificate will not be renewed automatically. Autorenewal of --manual certificates requires the use of an authentication hook script (--manual-auth-hook) but one was not provided. To renew this certificate, repeat this same certbot command before the certificate's expiry date.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

　　

Posted in Serverの構築と運用覚書き | No Comments »

LetsEncrypt SSL証明書を更新した。

更新時のログを以下に示す：

[root@server02 ~]# certbot certonly --manual
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): *.yamasnet.com
Renewing an existing certificate for *.yamasnet.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name:

_acme-challenge.yamasnet.com.

with the following value:

*******************************************

Before continuing, verify the TXT record has been deployed. Depending on the DNS
provider, this may take some time, from a few seconds to multiple minutes. You can
check if it has finished deploying with aid of online tools, such as the Google
Admin Toolbox: https://toolbox.googleapps.com/apps/dig/#TXT/_acme-challenge.yamasnet.com.
Look for one or more bolded line(s) below the line ';ANSWER'. It should show the
value(s) you've just added.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/yamasnet.com/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/yamasnet.com/privkey.pem
This certificate expires on 2023-02-11.
These files will be updated when the certificate renews.

NEXT STEPS:
- This certificate will not be renewed automatically. Autorenewal of --manual certificates requires the use of an authentication hook script (--manual-auth-hook) but one was not provided. To renew this certificate, repeat this same certbot command before the certificate's expiry date.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

httpd を再起動し証明書更新を反映

[root@server02 ~]# systemctl restart httpd

証明書の有効期間は以下：

有効期間:
    発行日	2022年11月14日月曜日 8:47:24
    有効期限	2023年2月12日日曜日 8:47:23

　　
　　

Posted in Serverの構築と運用覚書き | No Comments »

LetsEncrypt SSL証明書を更新した。

前回、前々回の更新と同様、ディレクトリ /etc/letsencryptを削除後、新たにletsencryptを作成する手順で更新。

新規作成後、httpd を再起動。その後、証明書の有効期間を確認。

更新後の証明書有効期間は：
　　　　　　　　　2022/08/31/ から　2022/11/29

Posted in Serverの構築と運用覚書き | No Comments »