Let's Encrypt wildcard certificates had become available, so I gave them a try with certbot.
First, the command switches I always use.
This is the certificate for fukatani.org itself (no wildcard). As expected, it succeeds.
# certbot --debug certonly --webroot --webroot-path /data/www/localhost/htdocs --domain fukatani.org --email support@fukatani.org --agree-tos -n
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for fukatani.org
Using the webroot path /data/www/localhost/htdocs for all unmatched domains.
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/fukatani.org/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/fukatani.org/privkey.pem
Your cert will expire on 2020-09-15. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Next I changed --domain in that same command to a wildcard.
No good: the CA only allows a wildcard name to be validated over DNS (dns-01), and the webroot authenticator can only answer http-01, so certbot has no usable challenge.
# certbot --debug certonly --webroot --webroot-path /data/www/localhost/htdocs --domain *.fukatani.org --email support@fukatani.org --agree-tos -n
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.
Exiting abnormally:
Traceback (most recent call last):
File "/usr/lib/python-exec/python3.7/certbot", line 11, in <module>
load_entry_point('certbot==1.4.0', 'console_scripts', 'certbot')()
File "/usr/lib/python3.7/site-packages/certbot/main.py", line 15, in main
return internal_main.main(cli_args)
File "/usr/lib/python3.7/site-packages/certbot/_internal/main.py", line 1347, in main
return config.func(config, plugins)
File "/usr/lib/python3.7/site-packages/certbot/_internal/main.py", line 1233, in certonly
lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
File "/usr/lib/python3.7/site-packages/certbot/_internal/main.py", line 121, in _get_and_save_cert
lineage = le_client.obtain_and_enroll_certificate(domains, certname)
File "/usr/lib/python3.7/site-packages/certbot/_internal/client.py", line 409, in obtain_and_enroll_certificate
cert, chain, key, _ = self.obtain_certificate(domains)
File "/usr/lib/python3.7/site-packages/certbot/_internal/client.py", line 343, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File "/usr/lib/python3.7/site-packages/certbot/_internal/client.py", line 390, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
File "/usr/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 62, in handle_authorizations
achalls = self._choose_challenges(authzrs)
File "/usr/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 207, in _choose_challenges
combinations)
File "/usr/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 319, in gen_challenge_path
return _find_smart_path(challbs, preferences, combinations)
File "/usr/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 355, in _find_smart_path
_report_no_chall_path(challbs)
File "/usr/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 394, in _report_no_chall_path
raise errors.AuthorizationError(msg)
certbot.errors.AuthorizationError: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.
Please see the logfiles in /var/log/letsencrypt for more details.
So I tried telling it to validate over DNS by adding --preferred-challenges dns-01.
Still no good: that switch only changes which challenge certbot prefers, and the webroot authenticator does not support dns-01 at all, so nothing is left that both the plugin and the CA accept.
root@edo ~ Wed Jun 17 23:01:32 2020 JST(+0900)
# certbot --debug certonly --webroot --domain *.fukatani.org --email support@fukatani.org --agree-tos --preferred-challenges dns-01
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
Exiting abnormally:
Traceback (most recent call last):
File "/usr/lib/python-exec/python3.7/certbot", line 11, in <module>
load_entry_point('certbot==1.4.0', 'console_scripts', 'certbot')()
File "/usr/lib/python3.7/site-packages/certbot/main.py", line 15, in main
return internal_main.main(cli_args)
File "/usr/lib/python3.7/site-packages/certbot/_internal/main.py", line 1347, in main
return config.func(config, plugins)
File "/usr/lib/python3.7/site-packages/certbot/_internal/main.py", line 1233, in certonly
lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
File "/usr/lib/python3.7/site-packages/certbot/_internal/main.py", line 121, in _get_and_save_cert
lineage = le_client.obtain_and_enroll_certificate(domains, certname)
File "/usr/lib/python3.7/site-packages/certbot/_internal/client.py", line 409, in obtain_and_enroll_certificate
cert, chain, key, _ = self.obtain_certificate(domains)
File "/usr/lib/python3.7/site-packages/certbot/_internal/client.py", line 343, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File "/usr/lib/python3.7/site-packages/certbot/_internal/client.py", line 390, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
File "/usr/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 62, in handle_authorizations
achalls = self._choose_challenges(authzrs)
File "/usr/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 206, in _choose_challenges
self._get_chall_pref(authzr.body.identifier.value),
File "/usr/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 230, in _get_chall_pref
"None of the preferred challenges "
certbot.errors.AuthorizationError: None of the preferred challenges are supported by the selected plugin
Please see the logfiles in /var/log/letsencrypt for more details.
Since --webroot cannot be used, switch to --manual.
Partway through it asks you to publish a DNS TXT record, so publish it.
But if you press Enter to continue too soon after publishing the record, the challenge fails. The error below shows why: the CA still saw the value left over from an earlier attempt (VYkZ...), not the one just requested (wMxH...), because the updated record had not propagated yet. Certbot's closing hint about A/AAAA records is generic advice and does not apply to a dns-01 failure; what matters is which TXT value the authoritative nameservers are serving.
# certbot --debug certonly --manual --domain *.fukatani.org --email support@fukatani.org --agree-tos --preferred-challenges dns-01 --manual-public-ip-logging-ok
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for fukatani.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.fukatani.org with the following value:
wMxH4rx8wGY9bivrEwGitRAjHemDTpG4pAGl-R-0Ydo
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Challenge failed for domain fukatani.org
dns-01 challenge for fukatani.org
Cleaning up challenges
Exiting abnormally:
Traceback (most recent call last):
File "/usr/lib/python-exec/python3.7/certbot", line 11, in <module>
load_entry_point('certbot==1.4.0', 'console_scripts', 'certbot')()
File "/usr/lib/python3.7/site-packages/certbot/main.py", line 15, in main
return internal_main.main(cli_args)
File "/usr/lib/python3.7/site-packages/certbot/_internal/main.py", line 1347, in main
return config.func(config, plugins)
File "/usr/lib/python3.7/site-packages/certbot/_internal/main.py", line 1233, in certonly
lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
File "/usr/lib/python3.7/site-packages/certbot/_internal/main.py", line 121, in _get_and_save_cert
lineage = le_client.obtain_and_enroll_certificate(domains, certname)
File "/usr/lib/python3.7/site-packages/certbot/_internal/client.py", line 409, in obtain_and_enroll_certificate
cert, chain, key, _ = self.obtain_certificate(domains)
File "/usr/lib/python3.7/site-packages/certbot/_internal/client.py", line 343, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File "/usr/lib/python3.7/site-packages/certbot/_internal/client.py", line 390, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
File "/usr/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 91, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File "/usr/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 180, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
Please see the logfiles in /var/log/letsencrypt for more details.
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: fukatani.org
Type: unauthorized
Detail: Incorrect TXT record
"VYkZeZhWgb6a5lnzyuAupaohODaH0XtsPcj8zjrbtRw" found at
_acme-challenge.fukatani.org
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
Publish the TXT record, wait long enough for the new value to actually be served, and it succeeds! Two things to note in the output below: the certificate lands in fukatani.org-0001 because the lineage name fukatani.org is already taken by the earlier certificate (use --cert-name, or request fukatani.org and *.fukatani.org together in one certificate, since the wildcard alone does not cover the apex name), and a certificate obtained with --manual and no --manual-auth-hook will not renew unattended with "certbot renew"; this interactive step has to be repeated each time.
# certbot --debug certonly --manual --domain *.fukatani.org --email support@fukatani.org --agree-tos --preferred-challenges dns-01 --manual-public-ip-logging-ok
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for fukatani.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.fukatani.org with the following value:
cKzuIZJxFgedH-U2lN-SANUU42kIPp-Y1RQYgqTohGY
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/fukatani.org-0001/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/fukatani.org-0001/privkey.pem
Your cert will expire on 2020-09-15. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
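The failed attempt above came down to pressing Enter before the authoritative nameservers were serving the new value. The script below is an added example, not code from the original post: it asks each authoritative nameserver for the zone directly (bypassing recursive-resolver caches) and only exits 0 once all of them return the expected value, so it can be run before pressing Enter in the interactive --manual flow, or called at the end of a --manual-auth-hook after the hook has published the record through your DNS provider's API (the publishing step is not shown; the provider is unknown). It assumes dig from bind-tools is installed; the file name wait-for-txt.sh is made up. CERTBOT_DOMAIN and CERTBOT_VALIDATION are the variables certbot really exports to manual hooks, and for *.fukatani.org CERTBOT_DOMAIN is fukatani.org, matching the "dns-01 challenge for fukatani.org" line in the output. The sample values in the comments and usage are the ones from the transcript above.

```shell
#!/bin/sh
# Added example, not from the original post: wait until every authoritative nameserver
# for <domain> serves the expected TXT value at _acme-challenge.<domain>.
# Stand-alone use, before pressing Enter in certbot's --manual prompt:
#     sh wait-for-txt.sh fukatani.org cKzuIZJxFgedH-U2lN-SANUU42kIPp-Y1RQYgqTohGY
# Hook use: call it from --manual-auth-hook after the record has been published
# (publishing is provider-specific and is assumed to happen elsewhere).
# Assumes `dig` (bind-tools) is installed.

# Turn dig's TXT answer lines ("abc" or "ab" "c") into bare strings, one per line.
# Pure text processing, so it can be tested without a network.
normalize_txt() {
    sed -e 's/" "//g' -e 's/^"//' -e 's/"$//'
}

# Succeed if the expected value ($2) is one of the answer lines ($1).
# Extra or stale TXT records at the same name are harmless: the CA needs only one match.
txt_present() {
    printf '%s\n' "$1" | grep -qxF -- "$2"
}

# Authoritative nameservers for the zone, so recursive-resolver caches are bypassed.
authoritative_ns() {
    dig +short NS "$1"
}

# TXT values for _acme-challenge.<domain> as served by one specific nameserver.
txt_at_ns() {
    dig +short TXT "_acme-challenge.$1" "@$2" | normalize_txt
}

# wait_for_txt <domain> <expected-value> [tries] [seconds-between-tries]
# Returns 0 once all authoritative servers serve the value, 1 on timeout, 2 if no NS found.
wait_for_txt() {
    domain=$1 expected=$2 tries=${3:-30} delay=${4:-10}
    nslist=$(authoritative_ns "$domain")
    if [ -z "$nslist" ]; then
        echo "no NS records found for $domain" >&2
        return 2
    fi
    i=0
    while [ "$i" -lt "$tries" ]; do
        missing=0
        for ns in $nslist; do
            answers=$(txt_at_ns "$domain" "$ns")
            if txt_present "$answers" "$expected"; then
                echo "$ns: serving expected value"
            else
                echo "$ns: not yet (currently serving: ${answers:-nothing})"
                missing=1
            fi
        done
        [ "$missing" -eq 0 ] && return 0
        i=$((i + 1))
        sleep "$delay"
    done
    echo "gave up after $tries tries" >&2
    return 1
}

# certbot exports CERTBOT_DOMAIN (fukatani.org for *.fukatani.org) and CERTBOT_VALIDATION
# to --manual-auth-hook scripts; explicit command-line arguments take precedence.
if [ "$#" -ge 2 ]; then
    wait_for_txt "$1" "$2"
elif [ -n "${CERTBOT_DOMAIN:-}" ] && [ -n "${CERTBOT_VALIDATION:-}" ]; then
    wait_for_txt "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION"
fi
```

Querying the authoritative servers rather than the local resolver is the point: a cached answer on the machine running certbot says nothing about what the CA's validator will see, and the transcript's "Incorrect TXT record ... found at" error is exactly the case where a server was still handing out the previous attempt's value. Matching "any record" rather than "the only record" mirrors the CA's own check, so leftover _acme-challenge records from earlier runs do not cause a false alarm.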