Last modified 2023-11-01 (Wed) 08:55:04


Renew script

Reference URLs: https://freebsd.sing.ne.jp/daily/04/03/05.html

https://www.server-memo.net/tips/crontab.html

http://pb-times.jp/P_521ab8c540f59

Certbot_Renew.sh

#!/bin/sh
# https://freebsd.sing.ne.jp/daily/04/03/05.html
# --force-renewal issues a new certificate on every run, even when the current
# one is not yet due; the pre/post hooks stop Apache so the standalone
# authenticator can bind port 80, and start it again afterwards.
certbot \
	renew \
	--standalone \
	--force-renewal \
	--expand \
	--pre-hook "/usr/local/etc/rc.d/apache24 stop" \
	--post-hook "/usr/local/etc/rc.d/apache24 start"

/etc/crontab: run the script once every two months (00:05 on the 1st of every second month)

5	0	1	*/2	*	root	/root/bin/Certbot_Renew.sh

Renew

If the certificate is renewed with the default settings, the options can apparently be omitted.

certbot renew

To make it explicit, use this:

certbot renew --webroot -w /usr/local/www/apache24/data/ --renew-by-default

For a dry run, the options are as follows:

--renew-by-default --dry-run

SSL Let's Encrypt

https://letsencrypt.jp/

https://letsencrypt.org/

https://scratchpad.jp/https-with-lets-encrypt/

certbot install on FreeBSD 11.0-RELEASE-p12

Reference site: http://blog.goo.ne.jp/low-electric-mouse/e/912c459b71887d3ca025509f7ea9897b

  987  8:32    locate certbot
  988  8:35    portinstall security/py-certbot

Installing py27-certbot-0.18.1,1...
===========================================================================

This port installs the "standalone" Python client only, which does not use and
is not the certbot-auto bootstrap/wrapper script.

To obtain certificates, use the 'certonly' command as follows:

 # sudo certbot certonly --standalone -d [server FQDN]

Note: The client currently requires the ability to bind on TCP port 80. If
you have a server running on this port, it will need to be temporarily stopped
so that the standalone server can listen on that port to complete
authentication.

The certbot plugins to support apache and nginx certificate installation
will be made available soon in the following ports:

 * Apache plugin: security/py-certbot-apache
 * Nginx plugin: security/py-certbot-nginx

===========================================================================

# certbot certonly --standalone -d sun1.smb.net

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): webmaster@smb.net

-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf. You must agree
in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: A

-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: Y
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for sun1.smb.net
Cleaning up challenges
Problem binding to port 443: Could not bind to IPv4 or IPv6.

IMPORTANT NOTES:
 - Your account credentials have been saved in your Certbot
   configuration directory at /usr/local/etc/letsencrypt. You should
   make a secure backup of this folder now. This configuration
   directory will also contain certificates and private keys obtained
   by Certbot so making regular backups of this folder is ideal.

# apachectl stop

Stopping apache24.
Waiting for PIDS: 878.

# certbot certonly --standalone -d sun1.smb.net

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for sun1.smb.net
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /usr/local/etc/letsencrypt/live/sun1.smb.net/fullchain.pem
   Your key file has been saved at:
   /usr/local/etc/letsencrypt/live/sun1.smb.net/privkey.pem
   Your cert will expire on 2017-12-25. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by: 

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

root@sun1:~:17_09_26:10:54 #
root@sun1:/usr/local/etc/letsencrypt:17_09_26:10:57 # ll
total 24
drwx------  3 root  wheel  512 Sep 26 10:42 accounts/
drwx------  3 root  wheel  512 Sep 26 10:54 archive/
drwxr-xr-x  2 root  wheel  512 Sep 26 10:54 csr/
drwx------  2 root  wheel  512 Sep 26 10:54 keys/
drwx------  3 root  wheel  512 Sep 26 10:54 live/
drwxr-xr-x  2 root  wheel  512 Sep 26 10:54 renewal/

/usr/local/etc/apache24/extra/httpd-ssl.conf

Listen 443
SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES:!IDEA
SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES:!IDEA
SSLHonorCipherOrder on
# Note: "all -SSLv3 -SSLv2" still permits TLS 1.0 and TLS 1.1.
SSLProtocol all -SSLv3 -SSLv2
SSLProxyProtocol all -SSLv3 -SSLv2
SSLPassPhraseDialog  builtin
SSLSessionCache        "shmcb:/var/run/ssl_scache(512000)"
SSLSessionCacheTimeout  300
SSLUseStapling On
SSLStaplingCache "shmcb:/var/run/ssl_stapling(32768)"
SSLStaplingStandardCacheTimeout 3600
SSLStaplingErrorCacheTimeout 600

<VirtualHost _default_:443>
# Protocols h2 takes effect only once mod_http2 is loaded; to enable it, carry out
# the steps described later at https://piano2nd.smb.net/~kuji/pukiwiki-1.4.7/index.php?SSL#k1b68f44
# (Apache does not allow a comment after a directive on the same line.)
Protocols h2 http/1.1
DocumentRoot "/usr/local/www/apache24/data"
ServerName sun1.smb.net:443
ServerAdmin webmaster@smb.net
ErrorLog "/var/log/httpd-error.log"
TransferLog "/var/log/httpd-access.log"
SSLEngine on
SSLCertificateFile "/usr/local/etc/letsencrypt/live/sun1.smb.net/fullchain.pem"
SSLCertificateKeyFile "/usr/local/etc/letsencrypt/live/sun1.smb.net/privkey.pem"
<FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/usr/local/www/apache24/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-5]" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
CustomLog "/var/log/httpd-ssl_request.log" \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

# Add the following line at the end of the file (the Header directive needs mod_headers to be loaded).
Header set Strict-Transport-Security "max-age=315360000"

/usr/local/etc/apache24/httpd.conf

If the following lines are commented out, uncomment them:

LoadModule log_config_module libexec/apache24/mod_log_config.so
LoadModule setenvif_module libexec/apache24/mod_setenvif.so
LoadModule ssl_module libexec/apache24/mod_ssl.so
LoadModule socache_shmcb_module libexec/apache24/mod_socache_shmcb.so

Below the LoadModule lines, add the following setting (it reads in the SSL configuration):

Include etc/apache24/extra/httpd-ssl.conf

# certbot renew --webroot -w /usr/local/www/apache24/data/ --renew-by-default --dry-run

Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /usr/local/etc/letsencrypt/renewal/sun1.smb.net.conf
-------------------------------------------------------------------------------
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for sun1.smb.net
Using the webroot path /usr/local/www/apache24/data for all unmatched domains.
Waiting for verification...
Cleaning up challenges

-------------------------------------------------------------------------------
new certificate deployed without reload, fullchain is
/usr/local/etc/letsencrypt/live/sun1.smb.net/fullchain.pem
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /usr/local/etc/letsencrypt/live/sun1.smb.net/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
-------------------------------------------------------------------------------

IMPORTANT NOTES:
 - Your account credentials have been saved in your Certbot
   configuration directory at /usr/local/etc/letsencrypt. You should
   make a secure backup of this folder now. This configuration
   directory will also contain certificates and private keys obtained
   by Certbot so making regular backups of this folder is ideal.

# crontab -e

Add the following line:

0 2,5 * * * /usr/local/bin/certbot renew --agree-tos --webroot -w /usr/local/www/apache24/data/ --renew-by-default && /usr/local/etc/rc.d/apache24 reload
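An added example (not the page's own script and not part of certbot) that serves both the Certbot_Renew.sh/crontab section above and this crontab -e line: Certbot_Renew.sh stops Apache and passes --force-renewal, and the crontab -e line passes --renew-by-default (the same option) twice a day, so each run issues a brand-new certificate. This wrapper instead uses the webroot challenge so Apache stays up, lets certbot renew only when due, reloads Apache only if the certificate actually changed, and exits non-zero so cron reports a failure when the live certificate is still near expiry or the private key is readable by others. The paths are the ones the page uses; WARN_DAYS and the function names are assumptions.

```sh
#!/bin/sh
# Added example, not the page's script: a cron-friendly renewal wrapper.
# Webroot challenge (Apache stays up), certbot decides when renewal is due,
# Apache reloads only if the certificate changed, and the script exits
# non-zero (so cron mails root) when the live cert is still close to expiry
# or the private key is readable by others. WARN_DAYS is an assumption.
set -u

LIVE_DIR="/usr/local/etc/letsencrypt/live/sun1.smb.net"
WEBROOT="/usr/local/www/apache24/data"
APACHE_RC="/usr/local/etc/rc.d/apache24"
WARN_DAYS=20   # certbot renews below 30 days, so <20 left means it failed

# SHA-256 fingerprint of a PEM certificate, used to detect a replaced cert.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# Return 0 when the certificate in $1 expires within $2 days.
expires_within() {
    ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Return 0 when $1 is a regular file (symlinks followed) with no "other" read bit.
key_is_private() {
    [ -f "$1" ] && [ -z "$(find -L "$1" -perm -004)" ]
}

# Return 0 when the two fingerprints differ, i.e. Apache must reload.
reload_needed() {
    [ "$1" != "$2" ]
}

main() {
    before=$(cert_fingerprint "$LIVE_DIR/fullchain.pem")
    # No --force-renewal: certbot only renews when fewer than 30 days remain.
    certbot renew --webroot -w "$WEBROOT" --quiet || exit 1
    after=$(cert_fingerprint "$LIVE_DIR/fullchain.pem")
    if reload_needed "$before" "$after"; then
        "$APACHE_RC" reload      # graceful reload, not a stop/start
    fi
    if expires_within "$LIVE_DIR/fullchain.pem" "$WARN_DAYS"; then
        echo "WARNING: certificate expires within $WARN_DAYS days" >&2; exit 1
    fi
    key_is_private "$LIVE_DIR/privkey.pem" ||
        { echo "WARNING: privkey.pem is readable by others; chmod 600 it" >&2; exit 1; }
}
# Run main only when invoked with "run", so the functions can also be sourced.
if [ "${1:-}" = "run" ]; then main; fi
```

Invoke it from cron as `/root/bin/Certbot_Renew.sh run`; a daily schedule is fine because certbot itself skips certificates that are not yet due.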

# portinstall www/mod_http2-devel

Installing mod_http2-devel-1.10.11...
If you want to have the h2 module enabled in your apache installation,
you need to add

   LoadModule http2_module modules/mod_h2.so

somewhere in your config files and add a line like

   H2Engine on

whereever you want the module to be active (general server of specific
virtual hosts).

NB: The shared libraries were renamed from mod_http2 to mod_h2 to
    avoid conflicts with the (now bundled) mod_http2 in www/apache24

/usr/local/etc/apache24/httpd.conf

At the end of the LoadModule lines, add the module load for http2_module:

LoadModule http2_module libexec/apache24/mod_h2.so

/usr/local/etc/apache24/extra/httpd-ssl.conf

Below <VirtualHost _default_:443>, add the following directive:
Protocols h2 http/1.1
