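As I also wrote in this article, this blog is served over SSL using Let's Encrypt.
Let's Encrypt issues SSL certificates for free, which is much appreciated, but the certificates are only valid for 3 months, so if you are not careful they expire before you know it.
To solve that problem, this post notes the settings for renewing the certificates automatically.
cron setup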
# echo '0 0 * * * /usr/bin/certbot renew --post-hook "/usr/bin/systemctl restart nginx.service" > /dev/null 2>&1'
The certbot command used at install time can also renew the certificates.
Command
/usr/bin/certbot renew --post-hook "/usr/bin/systemctl restart nginx.service"
Output of a successful run
/log/letsencrypt/letsencrypt.log
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/blog.setouchino.cloud.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for blog.setouchino.cloud
Waiting for verification...
Cleaning up challenges
-------------------------------------------------------------------------------
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/blog.setouchino.cloud/fullchain.pem
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/www.setouchino.cloud.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.setouchino.cloud
Waiting for verification...
Cleaning up challenges
-------------------------------------------------------------------------------
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/www.setouchino.cloud/fullchain.pem
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/setouchino.cloud.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for setouchino.cloud
Waiting for verification...
Cleaning up challenges
-------------------------------------------------------------------------------
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/setouchino.cloud/fullchain.pem
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/blog.setouchino.cloud/fullchain.pem (success)
/etc/letsencrypt/live/www.setouchino.cloud/fullchain.pem (success)
/etc/letsencrypt/live/setouchino.cloud/fullchain.pem (success)
-------------------------------------------------------------------------------
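Incidentally, when renewing with this certbot command, certificates that do not need renewal, for example because they still have validity left, are skipped.
Output when no renewal is needed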
# /usr/bin/certbot renew --post-hook "/usr/bin/systemctl restart nginx.service"
Saving debug log to /var/log/letsencrypt/letsencrypt.log
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/blog.setouchino.cloud.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/www.setouchino.cloud.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/setouchino.cloud.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal
-------------------------------------------------------------------------------
The following certs are not due for renewal yet:
/etc/letsencrypt/live/blog.setouchino.cloud/fullchain.pem (skipped)
/etc/letsencrypt/live/www.setouchino.cloud/fullchain.pem (skipped)
/etc/letsencrypt/live/setouchino.cloud/fullchain.pem (skipped)
No renewals were attempted.
No hooks were run.
-------------------------------------------------------------------------------
So if you put this command in cron, it will renew automatically only when necessary.
Add the following command to crontab.
0 0 * * * /usr/bin/certbot renew --post-hook "/usr/bin/systemctl restart nginx.service" > /dev/null 2>&1
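With this, a renewal is attempted every day at 0:00.
You can add the entry with
crontab -e
or by writing it to a file and running crontab "filename". Note that crontab "filename" installs the file as the entire crontab, so the file must also contain any existing entries.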
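The cron entry above sends all of certbot's output to /dev/null, so a failed renewal goes unnoticed until the certificate expires. As an added example (not part of the original post), this wrapper stays silent on clean runs and prints certbot's output otherwise so that cron can mail it. The script path in the comment is hypothetical, and it assumes cron mail delivery (MAILTO) is set up and that certbot exits non-zero when a renewal fails.

```shell
#!/bin/sh
# Added example, not from the original post. Hypothetical cron wrapper:
#   0 0 * * * /usr/local/sbin/renew-report.sh /usr/bin/certbot renew --post-hook "..."
# It prints nothing on a clean run, and prints certbot's full output when the
# run needs attention, so cron can mail it instead of losing it in /dev/null.

# Read "certbot renew" output on stdin and count the summary lines of the form
# "<path under /etc/letsencrypt/live/>.pem (status)" as shown in the post.
# Any status other than (success) or (skipped) is counted as "other".
summarize_renew() {
    awk '
        /\/etc\/letsencrypt\/live\/.*\.pem \(/ {
            if ($NF == "(success)") renewed++
            else if ($NF == "(skipped)") skipped++
            else other++
        }
        END { printf "renewed=%d skipped=%d other=%d\n", renewed, skipped, other }
    '
}

# Run the given command, capturing stdout and stderr.
# Returns 0 silently on a clean run; otherwise prints a report and returns non-zero.
run_renew() {
    out=$("$@" 2>&1) && status=0 || status=$?
    summary=$(printf '%s\n' "$out" | summarize_renew)
    case "$summary" in
        *" other=0") ;;   # only (success) or (skipped) entries were listed
        *) if [ "$status" -eq 0 ]; then status=1; fi ;;
    esac
    if [ "$status" -ne 0 ]; then
        printf 'certbot renew needs attention (exit %s, %s)\n' "$status" "$summary"
        printf '%s\n' "$out"
    fi
    return "$status"
}

# With arguments, act as the wrapper; with none, only define the functions.
if [ "$#" -gt 0 ]; then
    run_renew "$@"
fi
```

Drop the `> /dev/null 2>&1` redirection from the crontab line when using the wrapper, since its only output is the report for runs that need attention.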
That's all.