I decided to set up an environment on FreeBSD 12 in which Let's Encrypt can be used.
I am also writing down the information from that setup as notes so that I do not forget it.

To create a wildcard certificate, register the custom domain (registered at Onamae.com) with the DDNS service (MyDNS.JP).

Also, change the name servers of the custom domain (Onamae.com) to the MyDNS.JP name servers.

Since Let's Encrypt issues wildcard certificates only through the DNS-01 challenge, set up the environment beforehand using the API provided by MyDNS.JP that supports the DNS-01 method.
The DNS-01 capable API is downloaded from GitHub.

Setup ①

Install certbot so that it can be used.

①. Install py37-certbot.

pkg install py37-certbot

②. Log output from the installation.

[root@FreeBSD /]# pkg install py37-certbot
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 25 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
        py37-acme: 1.3.0,1
        py37-asn1crypto: 1.3.0
        py37-certbot: 1.3.0,1
        py37-certifi: 2020.4.5.1
        py37-cffi: 1.14.0
        py37-chardet: 3.0.4_3
        py37-configargparse: 1.2
        py37-configobj: 5.0.6_1
        py37-cryptography: 2.6.1
        py37-distro: 1.4.0_1
        py37-idna: 2.8
        py37-josepy: 1.3.0
        py37-openssl: 19.0.0
        py37-parsedatetime: 2.5
        py37-pycparser: 2.19
        py37-pyrfc3339: 1.1
        py37-pysocks: 1.7.1
        py37-pytz: 2019.3,1
        py37-requests: 2.22.0
        py37-requests-toolbelt: 0.8.0_1
        py37-six: 1.14.0
        py37-urllib3: 1.25.7,1
        py37-zope.component: 4.2.2
        py37-zope.event: 4.1.0
        py37-zope.interface: 4.6.0

Number of packages to be installed: 25

The process will require 26 MiB more space.
7 MiB to be downloaded.

Proceed with this action? [y/N]: y
[1/25] Fetching py37-certbot-1.3.0,1.txz: 100%  282 KiB 289.0kB/s    00:01
[2/25] Fetching py37-distro-1.4.0_1.txz: 100%   23 KiB  23.1kB/s    00:01
[3/25] Fetching py37-openssl-19.0.0.txz: 100%   86 KiB  88.1kB/s    00:01
[4/25] Fetching py37-cryptography-2.6.1.txz: 100%  348 KiB 356.4kB/s    00:01
[5/25] Fetching py37-six-1.14.0.txz: 100%   19 KiB  19.5kB/s    00:01
[6/25] Fetching py37-cffi-1.14.0.txz: 100%  204 KiB 208.6kB/s    00:01
[7/25] Fetching py37-pycparser-2.19.txz: 100%  163 KiB 167.2kB/s    00:01
[8/25] Fetching py37-asn1crypto-1.3.0.txz: 100%  159 KiB 162.6kB/s    00:01
[9/25] Fetching py37-josepy-1.3.0.txz: 100%   74 KiB  75.6kB/s    00:01
[10/25] Fetching py37-acme-1.3.0,1.txz: 100%   58 KiB  59.6kB/s    00:01
[11/25] Fetching py37-requests-toolbelt-0.8.0_1.txz: 100%    4 MiB   4.7MB/s    00:01
[12/25] Fetching py37-requests-2.22.0.txz: 100%   82 KiB  84.3kB/s    00:01
[13/25] Fetching py37-chardet-3.0.4_3.txz: 100%  152 KiB 155.2kB/s    00:01
[14/25] Fetching py37-certifi-2020.4.5.1.txz: 100%  146 KiB 149.8kB/s    00:01
[15/25] Fetching py37-urllib3-1.25.7,1.txz: 100%  161 KiB 164.7kB/s    00:01
[16/25] Fetching py37-pysocks-1.7.1.txz: 100%   24 KiB  24.4kB/s    00:01
[17/25] Fetching py37-idna-2.8.txz: 100%   62 KiB  63.1kB/s    00:01
[18/25] Fetching py37-pytz-2019.3,1.txz: 100%  157 KiB 160.4kB/s    00:01
[19/25] Fetching py37-pyrfc3339-1.1.txz: 100%    8 KiB   8.1kB/s    00:01
[20/25] Fetching py37-zope.interface-4.6.0.txz: 100%  192 KiB 196.3kB/s    00:01
[21/25] Fetching py37-zope.component-4.2.2.txz: 100%   91 KiB  93.6kB/s    00:01
[22/25] Fetching py37-zope.event-4.1.0.txz: 100%    8 KiB   7.8kB/s    00:01
[23/25] Fetching py37-parsedatetime-2.5.txz: 100%   57 KiB  58.5kB/s    00:01
[24/25] Fetching py37-configobj-5.0.6_1.txz: 100%   51 KiB  52.2kB/s    00:01
[25/25] Fetching py37-configargparse-1.2.txz: 100%   26 KiB  26.9kB/s    00:01
Checking integrity... done (0 conflicting)
[1/25] Installing py37-pycparser-2.19...
[1/25] Extracting py37-pycparser-2.19: 100%
[2/25] Installing py37-six-1.14.0...
[2/25] Extracting py37-six-1.14.0: 100%
[3/25] Installing py37-cffi-1.14.0...
[3/25] Extracting py37-cffi-1.14.0: 100%
[4/25] Installing py37-asn1crypto-1.3.0...
[4/25] Extracting py37-asn1crypto-1.3.0: 100%
[5/25] Installing py37-cryptography-2.6.1...
[5/25] Extracting py37-cryptography-2.6.1: 100%
[6/25] Installing py37-openssl-19.0.0...
[6/25] Extracting py37-openssl-19.0.0: 100%
[7/25] Installing py37-certifi-2020.4.5.1...
[7/25] Extracting py37-certifi-2020.4.5.1: 100%
[8/25] Installing py37-pysocks-1.7.1...
[8/25] Extracting py37-pysocks-1.7.1: 100%
[9/25] Installing py37-idna-2.8...
[9/25] Extracting py37-idna-2.8: 100%
[10/25] Installing py37-chardet-3.0.4_3...
[10/25] Extracting py37-chardet-3.0.4_3: 100%
[11/25] Installing py37-urllib3-1.25.7,1...
[11/25] Extracting py37-urllib3-1.25.7,1: 100%
[12/25] Installing py37-requests-2.22.0...
[12/25] Extracting py37-requests-2.22.0: 100%
[13/25] Installing py37-pytz-2019.3,1...
[13/25] Extracting py37-pytz-2019.3,1: 100%
[14/25] Installing py37-josepy-1.3.0...
[14/25] Extracting py37-josepy-1.3.0: 100%
[15/25] Installing py37-requests-toolbelt-0.8.0_1...
[15/25] Extracting py37-requests-toolbelt-0.8.0_1: 100%
[16/25] Installing py37-pyrfc3339-1.1...
[16/25] Extracting py37-pyrfc3339-1.1: 100%
[17/25] Installing py37-zope.interface-4.6.0...
[17/25] Extracting py37-zope.interface-4.6.0: 100%
[18/25] Installing py37-zope.event-4.1.0...
[18/25] Extracting py37-zope.event-4.1.0: 100%
[19/25] Installing py37-distro-1.4.0_1...
[19/25] Extracting py37-distro-1.4.0_1: 100%
[20/25] Installing py37-acme-1.3.0,1...
[20/25] Extracting py37-acme-1.3.0,1: 100%
[21/25] Installing py37-zope.component-4.2.2...
[21/25] Extracting py37-zope.component-4.2.2: 100%
[22/25] Installing py37-parsedatetime-2.5...
[22/25] Extracting py37-parsedatetime-2.5: 100%
[23/25] Installing py37-configobj-5.0.6_1...
[23/25] Extracting py37-configobj-5.0.6_1: 100%
[24/25] Installing py37-configargparse-1.2...
[24/25] Extracting py37-configargparse-1.2: 100%
[25/25] Installing py37-certbot-1.3.0,1...
[25/25] Extracting py37-certbot-1.3.0,1: 100%
=====
Message from py37-urllib3-1.25.7,1:

--
Since version 1.25 HTTPS connections are now verified by default which is done
via "cert_reqs = 'CERT_REQUIRED'".  While certificate verification can be
disabled via "cert_reqs = 'CERT_NONE'", it's highly recommended to leave it on.

Various consumers of net/py-urllib3 already have implemented routines that
either explicitly enable or disable HTTPS certificate verification (e.g. via
configuration settings, CLI arguments, etc.).

Yet it may happen that there are still some consumers which don't explicitly
enable/disable certificate verification for HTTPS connections which could then
lead to errors (as is often the case with self-signed certificates).

In case of an error one should try first to temporarily disable certificate
verification of the problematic urllib3 consumer to see if that approach will
remedy the issue.
=====
Message from py37-certbot-1.3.0,1:

--
This port installs the "standalone" client only, which does not use and
is not the certbot-auto bootstrap/wrapper script.

The simplest form of usage to obtain certificates is:

 # sudo certbot certonly --standalone -d <domain>, [domain2, ... domainN]>

NOTE:

The client requires the ability to bind on TCP port 80 or 443 (depending
on the --preferred-challenges option used). If a server is running on that
port, it will need to be temporarily stopped so that the standalone server
can listen on that port to complete the challenge authentication process.

For more information on the 'standalone' mode, see:

  https://certbot.eff.org/docs/using.html#standalone

The certbot plugins to support apache and nginx certificate installation
will be made available in the following ports:

 * Apache plugin: security/py-certbot-apache
 * Nginx plugin: security/py-certbot-nginx

In order to automatically renew the certificates, add this line to
/etc/periodic.conf:

    weekly_certbot_enable="YES"
[root@FreeBSD /]#

③. Install php74, php74-mbstring and php74-openssl (the DirectEdit hook scripts used later are PHP).

pkg install php74 php74-mbstring php74-openssl

④. Log output from the installation.

[root@FreeBSD /]# pkg install php74 php74-mbstring php74-openssl
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 6 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
        libargon2: 20190702
        oniguruma: 6.9.4
        pcre2: 10.34
        php74: 7.4.4
        php74-mbstring: 7.4.4
        php74-openssl: 7.4.4

Number of packages to be installed: 6

The process will require 40 MiB more space.
6 MiB to be downloaded.

Proceed with this action? [y/N]: y
[1/6] Fetching php74-7.4.4.txz: 100%    4 MiB   4.2MB/s    00:01
[2/6] Fetching php74-mbstring-7.4.4.txz: 100%  746 KiB 764.3kB/s    00:01
[3/6] Fetching php74-openssl-7.4.4.txz: 100%   56 KiB  57.6kB/s    00:01
[4/6] Fetching libargon2-20190702.txz: 100%   64 KiB  65.5kB/s    00:01
[5/6] Fetching pcre2-10.34.txz: 100%    1 MiB   1.3MB/s    00:01
[6/6] Fetching oniguruma-6.9.4.txz: 100%  219 KiB 224.7kB/s    00:01
Checking integrity... done (0 conflicting)
[1/6] Installing libargon2-20190702...
[1/6] Extracting libargon2-20190702: 100%
[2/6] Installing pcre2-10.34...
[2/6] Extracting pcre2-10.34: 100%
[3/6] Installing php74-7.4.4...
[3/6] Extracting php74-7.4.4: 100%
[4/6] Installing oniguruma-6.9.4...
[4/6] Extracting oniguruma-6.9.4: 100%
[5/6] Installing php74-mbstring-7.4.4...
[5/6] Extracting php74-mbstring-7.4.4: 100%
[6/6] Installing php74-openssl-7.4.4...
[6/6] Extracting php74-openssl-7.4.4: 100%
=====
Message from php74-mbstring-7.4.4:

--
This file has been added to automatically load the installed extension:
/usr/local/etc/php/ext-20-mbstring.ini
=====
Message from php74-openssl-7.4.4:

--
This file has been added to automatically load the installed extension:
/usr/local/etc/php/ext-20-openssl.ini
[root@FreeBSD /]#

Setup ②

Create a wildcard certificate using certbot.

①. Run certbot register.

certbot register

②. Register an email address.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): enter your email address here.

③. Select (A)gree to accept the Terms of Service.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: select A.

④. Select N (whether to share your email address with the EFF).

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: select N.

⑤. Important notes are displayed.

IMPORTANT NOTES:
 - Your account credentials have been saved in your Certbot
   configuration directory at /usr/local/etc/letsencrypt. You should
   make a secure backup of this folder now. This configuration
   directory will also contain certificates and private keys obtained
   by Certbot so making regular backups of this folder is ideal.

⑥. Create the wildcard certificate. The wildcard name is quoted so the shell cannot glob-expand it before certbot sees it.

certbot certonly --manual \
--preferred-challenges=dns \
--manual-auth-hook /your/domain/directory/DirectEdit-master/txtregist.php \
--manual-cleanup-hook /your/domain/directory/DirectEdit-master/txtdelete.php \
-d '*.yourdomain' \
--server https://acme-v02.api.letsencrypt.org/directory \
--agree-tos -m yourmailaddr \
--manual-public-ip-logging-ok

⑦. Issuance is complete when output like the following is displayed.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /usr/local/etc/letsencrypt/live/yourdomain/fullchain.pem
   Your key file has been saved at:
   /usr/local/etc/letsencrypt/live/yourdomain/privkey.pem
   Your cert will expire on YYYY-MM-DD. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
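The two hooks in step ⑥ are where the DNS-01 challenge is actually answered: certbot runs the --manual-auth-hook with CERTBOT_DOMAIN and CERTBOT_VALIDATION in its environment, then asks Let's Encrypt to look up the TXT record _acme-challenge.<domain> for that value, and finally runs the --manual-cleanup-hook. If the hook returns before the record is visible on the authoritative name servers, validation fails with a "no TXT record found" style error. The wrapper below is an added example, not part of this page and not MyDNS.JP's DirectEdit code: it runs the page's txtregist.php and then polls DNS until the expected value is visible before handing control back to certbot. The DirectEdit path is the placeholder from the page; the use of drill(1) from the FreeBSD base system, the AUTH_NS placeholder, the timeout values, and the assumption that txtregist.php reads the CERTBOT_* variables itself (as it does when certbot calls it directly) are all assumptions.

```shell
#!/bin/sh
# manual-auth-hook.sh: hypothetical wrapper around MyDNS.JP's DirectEdit
# txtregist.php (added example; not from the page or from MyDNS.JP).
# certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION before running it.
set -eu

# Path from the page's certbot command; override via the environment.
DIRECTEDIT_DIR="${DIRECTEDIT_DIR:-/your/domain/directory/DirectEdit-master}"
# Authoritative server to query (placeholder, unset by default). Asking it
# directly avoids stale or negatively cached answers from a local resolver.
AUTH_NS="${AUTH_NS:-}"
PROPAGATION_TIMEOUT="${PROPAGATION_TIMEOUT:-120}"   # seconds (assumed value)
POLL_INTERVAL="${POLL_INTERVAL:-10}"                 # seconds (assumed value)

# Record certbot expects: _acme-challenge.<domain>. certbot already strips
# the leading "*." from CERTBOT_DOMAIN for wildcards; strip it again defensively.
acme_record_name() {
    printf '_acme-challenge.%s\n' "${1#\*.}"
}

# Default lookup: print each TXT value for $1 on its own line.
# Assumes drill(1) from the FreeBSD base system; -Q prints only the RDATA.
drill_txt() {
    drill -Q "$1" ${AUTH_NS:+"@$AUTH_NS"} TXT 2>/dev/null | tr -d '"'
}

# Returns 0 when the lookup for $1 contains exactly the value $2 (whole-line
# match, so a record that merely contains the token as a substring does not
# pass). LOOKUP_CMD lets a test substitute a fake resolver for drill_txt.
txt_value_present() {
    ${LOOKUP_CMD:-drill_txt} "$1" | grep -Fqx -- "$2"
}

# Poll until the value is visible, or return 1 once the timeout expires.
wait_for_txt() {
    deadline=$(( $(date +%s) + PROPAGATION_TIMEOUT ))
    until txt_value_present "$1" "$2"; do
        if [ "$(date +%s)" -ge "$deadline" ]; then
            echo "timed out waiting for TXT $1 = $2" >&2
            return 1
        fi
        sleep "$POLL_INTERVAL"
    done
}

# Only act when certbot invoked us; sourcing or testing the file does nothing.
if [ -n "${CERTBOT_DOMAIN:-}" ] && [ -n "${CERTBOT_VALIDATION:-}" ]; then
    record=$(acme_record_name "$CERTBOT_DOMAIN")
    # The page's hook, run with the same CERTBOT_* environment certbot gave us
    # (assumed: DirectEdit reads those variables itself, as when certbot runs it).
    "$DIRECTEDIT_DIR/txtregist.php"
    wait_for_txt "$record" "$CERTBOT_VALIDATION"
fi
```

Point --manual-auth-hook at this script instead of at txtregist.php directly and keep --manual-cleanup-hook as on the page. Because the lookup command is a variable, the propagation check can be exercised offline with a fake resolver before the script is trusted in a real issuance.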

Notes

  • certbot-auto is no longer supported and could not be used.
  • If you use the TXT record (_acme-challenge) directly, there is no need to register with the DDNS service (MyDNS.JP); you do, however, need to set up an environment that can handle the TXT record (_acme-challenge).