[CentOS7] Auto-renewing Let's Encrypt certificates | 瀬戸内の雲のように

[CentOS7] Auto-renewing Let's Encrypt certificates

Posted: 2018-03-26


Background

As I also wrote in this article, this blog uses Let's Encrypt for SSL.

Let's Encrypt is a great help because it issues SSL certificates for free, but they are only valid for 3 months, so if you let your guard down they expire before you know it.

To solve that problem, this post records the setup for renewing the certificates automatically.

Environment

  • CentOS Linux release 7.4.1708 (Core)
  • certbot 0.19.0

cron setting

# echo '0 0 * * * /usr/bin/certbot renew --post-hook "/usr/bin/systemctl restart nginx.service" > /dev/null 2>&1'

(Prerequisite) The steps for renewing manually the normal way

You can renew with the same certbot command that was used at install time.

Command

 /usr/bin/certbot renew --post-hook "/usr/bin/systemctl restart nginx.service"

Output on success

/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/blog.setouchino.cloud.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for blog.setouchino.cloud
Waiting for verification...
Cleaning up challenges

-------------------------------------------------------------------------------
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/blog.setouchino.cloud/fullchain.pem
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/www.setouchino.cloud.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.setouchino.cloud
Waiting for verification...
Cleaning up challenges

-------------------------------------------------------------------------------
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/www.setouchino.cloud/fullchain.pem
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/setouchino.cloud.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for setouchino.cloud
Waiting for verification...
Cleaning up challenges

-------------------------------------------------------------------------------
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/setouchino.cloud/fullchain.pem
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/blog.setouchino.cloud/fullchain.pem (success)
  /etc/letsencrypt/live/www.setouchino.cloud/fullchain.pem (success)
  /etc/letsencrypt/live/setouchino.cloud/fullchain.pem (success)
-------------------------------------------------------------------------------

Incidentally, when you renew with this certbot command, it skips any certificate that does not need renewing yet, for example because it still has plenty of validity left.

Output when no renewal is needed

# /usr/bin/certbot renew --post-hook "/usr/bin/systemctl restart nginx.service"
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/blog.setouchino.cloud.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/www.setouchino.cloud.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/setouchino.cloud.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal

-------------------------------------------------------------------------------

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/blog.setouchino.cloud/fullchain.pem (skipped)
  /etc/letsencrypt/live/www.setouchino.cloud/fullchain.pem (skipped)
  /etc/letsencrypt/live/setouchino.cloud/fullchain.pem (skipped)
No renewals were attempted.
No hooks were run.
-------------------------------------------------------------------------------

Because of this, if you put this command in cron, it renews automatically only when it actually needs to.

Auto-renewal setting

Add the following line to crontab.

0 0 * * * /usr/bin/certbot renew --post-hook "/usr/bin/systemctl restart nginx.service" > /dev/null 2>&1

With this, a renewal is attempted every day at 0:00.

You can add it with crontab -e, or by writing it out to a file and then running crontab "filename".
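Because the cron line sends certbot's output to /dev/null, a renewal that fails goes unnoticed until the certificate expires. The following added example (not code from the original post) parses the per-certificate result lines in the format shown above and returns a non-zero exit status on any failure; `failed.example` is a placeholder domain in a constructed sample, and the `(failure)` label follows certbot's own end-of-run reporting wording.

```python
"""Summarise `certbot renew` output so a cron job's failures are not silently discarded."""
import re
import sys

# Matches the per-certificate result lines certbot prints at the end of a run,
# e.g. "  /etc/letsencrypt/live/example.com/fullchain.pem (success)".
RESULT_RE = re.compile(
    r"^\s*(?P<path>/etc/letsencrypt/live/[^/\s]+/fullchain\.pem)"
    r"\s+\((?P<status>success|skipped|failure)\)\s*$"
)


def parse_renew_output(text: str) -> dict:
    """Group certificate paths by the status certbot reported for them."""
    summary = {"success": [], "skipped": [], "failure": []}
    for line in text.splitlines():
        m = RESULT_RE.match(line)
        if m:
            summary[m.group("status")].append(m.group("path"))
    return summary


def exit_code_for(summary: dict) -> int:
    """0 when every lineage renewed or was not yet due; 1 on any failure, or
    when no result lines were found at all (certbot aborted before reporting)."""
    if summary["failure"] or not (summary["success"] or summary["skipped"]):
        return 1
    return 0


# Constructed sample in the format shown on the page: two lineages renewed,
# one not yet due, and one (a placeholder name) that failed its challenge.
SAMPLE_OUTPUT = """\
The following certs were successfully renewed:
  /etc/letsencrypt/live/blog.setouchino.cloud/fullchain.pem (success)
  /etc/letsencrypt/live/www.setouchino.cloud/fullchain.pem (success)

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/setouchino.cloud/fullchain.pem (skipped)

The following certs could not be renewed:
  /etc/letsencrypt/live/failed.example/fullchain.pem (failure)
-------------------------------------------------------------------------------
"""

if __name__ == "__main__":
    # Reads certbot's output from stdin and exits non-zero when anything failed.
    result = parse_renew_output(sys.stdin.read())
    print(result)
    sys.exit(exit_code_for(result))
```

Pipe certbot's combined output into this script in place of `> /dev/null 2>&1`, and let cron mail (or your monitoring alert on) a non-zero exit.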

That's all.