ワイルドカード証明書を使おうと思ったが、定期的な更新を自動化させると、その際にDNSのTXTレコードを自動的に変更する仕組みを作る必要があると気がついた。
なので、予定変更。
両方に対応する証明書を作ることにした。
早速2つのホスト名を指定して証明書を発行するコマンドを実行。
が、すでにfukatani.orgで証明書を発行していたので、エラーが出た。
# certbot --debug certonly --webroot --webroot-path /data/www/localhost/htdocs --domain www.fukatani.org --domain fukatani.org --email support@fukatani.org --agree-tos -n
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Exiting abnormally:
Traceback (most recent call last):
File "/usr/lib/python-exec/python3.7/certbot", line 11, in <module>
load_entry_point('certbot==1.4.0', 'console_scripts', 'certbot')()
File "/usr/lib/python3.7/site-packages/certbot/main.py", line 15, in main
return internal_main.main(cli_args)
File "/usr/lib/python3.7/site-packages/certbot/_internal/main.py", line 1347, in main
return config.func(config, plugins)
File "/usr/lib/python3.7/site-packages/certbot/_internal/main.py", line 1226, in certonly
should_get_cert, lineage = _find_cert(config, domains, certname)
File "/usr/lib/python3.7/site-packages/certbot/_internal/main.py", line 286, in _find_cert
action, lineage = _find_lineage_for_domains_and_certname(config, domains, certname)
File "/usr/lib/python3.7/site-packages/certbot/_internal/main.py", line 313, in _find_lineage_for_domains_and_certname
return _find_lineage_for_domains(config, domains)
File "/usr/lib/python3.7/site-packages/certbot/_internal/main.py", line 265, in _find_lineage_for_domains
return _handle_subset_cert_request(config, domains, subset_names_cert)
File "/usr/lib/python3.7/site-packages/certbot/_internal/main.py", line 163, in _handle_subset_cert_request
force_interactive=True):
File "/usr/lib/python3.7/site-packages/certbot/display/util.py", line 532, in yesno
self._interaction_fail(message, cli_flag)
File "/usr/lib/python3.7/site-packages/certbot/display/util.py", line 462, in _interaction_fail
raise errors.MissingCommandlineFlag(msg)
certbot.errors.MissingCommandlineFlag: Missing command line flag or config entry for this setting:
You have an existing certificate that contains a portion of the domains you requested (ref: /etc/letsencrypt/renewal/fukatani.org.conf)
It contains these names: fukatani.org
You requested these names for the new certificate: www.fukatani.org, fukatani.org.
Do you want to expand and replace this existing certificate with the new certificate?
(You can set this with the --expand flag)
Please see the logfiles in /var/log/letsencrypt for more details.
指示に従って--expandフラグを立てた。
成功。
# certbot --debug certonly --webroot --webroot-path /data/www/localhost/htdocs --domain www.fukatani.org --domain fukatani.org --email support@fukatani.org --agree-tos -n --expand Saving debug log to /var/log/letsencrypt/letsencrypt.log Plugins selected: Authenticator webroot, Installer None Renewing an existing certificate Performing the following challenges: http-01 challenge for www.fukatani.org Using the webroot path /data/www/localhost/htdocs for all unmatched domains. Waiting for verification... Cleaning up challenges IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/fukatani.org/fullchain.pem Your key file has been saved at: /etc/letsencrypt/live/fukatani.org/privkey.pem Your cert will expire on 2020-09-15. To obtain a new or tweaked version of this certificate in the future, simply run certbot again. To non-interactively renew *all* of your certificates, run "certbot renew" - If you like Certbot, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le