2020/06/23

Wildcard certificates with Let's Encrypt

I wanted a Let's Encrypt certificate that covers both www.example.com and example.com.
Wildcard certificates had become available, so I gave them a try.



First, try the command-line switches I always use.
This is the certificate for fukatani.org, so naturally it succeeds.

# certbot --debug certonly --webroot --webroot-path /data/www/localhost/htdocs --domain fukatani.org --email support@fukatani.org --agree-tos -n
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for fukatani.org
Using the webroot path /data/www/localhost/htdocs for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/fukatani.org/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/fukatani.org/privkey.pem
   Your cert will expire on 2020-09-15. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le




Next, I changed the domain in those switches to a wildcard and tried again.
No good: a wildcard name has to be validated over DNS.

# certbot --debug certonly --webroot --webroot-path /data/www/localhost/htdocs --domain *.fukatani.org --email support@fukatani.org --agree-tos -n
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.
Exiting abnormally:
Traceback (most recent call last):
  File "/usr/lib/python-exec/python3.7/certbot", line 11, in <module>
    load_entry_point('certbot==1.4.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python3.7/site-packages/certbot/main.py", line 15, in main
    return internal_main.main(cli_args)
  File "/usr/lib/python3.7/site-packages/certbot/_internal/main.py", line 1347, in main
    return config.func(config, plugins)
  File "/usr/lib/python3.7/site-packages/certbot/_internal/main.py", line 1233, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/usr/lib/python3.7/site-packages/certbot/_internal/main.py", line 121, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python3.7/site-packages/certbot/_internal/client.py", line 409, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python3.7/site-packages/certbot/_internal/client.py", line 343, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python3.7/site-packages/certbot/_internal/client.py", line 390, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 62, in handle_authorizations
    achalls = self._choose_challenges(authzrs)
  File "/usr/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 207, in _choose_challenges
    combinations)
  File "/usr/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 319, in gen_challenge_path
    return _find_smart_path(challbs, preferences, combinations)
  File "/usr/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 355, in _find_smart_path
    _report_no_chall_path(challbs)
  File "/usr/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 394, in _report_no_chall_path
    raise errors.AuthorizationError(msg)
certbot.errors.AuthorizationError: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.
Please see the logfiles in /var/log/letsencrypt for more details.



So I tried asking for DNS validation.
Still no good.

root@edo ~ Wed Jun 17 23:01:32 2020 JST(+0900)
# certbot --debug certonly --webroot --domain *.fukatani.org --email support@fukatani.org --agree-tos --preferred-challenges dns-01
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
Exiting abnormally:
Traceback (most recent call last):
  File "/usr/lib/python-exec/python3.7/certbot", line 11, in <module>
    load_entry_point('certbot==1.4.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python3.7/site-packages/certbot/main.py", line 15, in main
    return internal_main.main(cli_args)
  File "/usr/lib/python3.7/site-packages/certbot/_internal/main.py", line 1347, in main
    return config.func(config, plugins)
  File "/usr/lib/python3.7/site-packages/certbot/_internal/main.py", line 1233, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/usr/lib/python3.7/site-packages/certbot/_internal/main.py", line 121, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python3.7/site-packages/certbot/_internal/client.py", line 409, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python3.7/site-packages/certbot/_internal/client.py", line 343, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python3.7/site-packages/certbot/_internal/client.py", line 390, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 62, in handle_authorizations
    achalls = self._choose_challenges(authzrs)
  File "/usr/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 206, in _choose_challenges
    self._get_chall_pref(authzr.body.identifier.value),
  File "/usr/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 230, in _get_chall_pref
    "None of the preferred challenges "
certbot.errors.AuthorizationError: None of the preferred challenges are supported by the selected plugin
Please see the logfiles in /var/log/letsencrypt for more details.



--webroot cannot be used here, so switch to --manual.
Partway through, certbot asks you to create a DNS TXT record, so create it.
But if you press Enter to continue too soon after adding the TXT record, it fails: the server reports that the TXT value it found at _acme-challenge.fukatani.org is not the one it asked for.

# certbot --debug certonly --manual --domain *.fukatani.org --email support@fukatani.org --agree-tos --preferred-challenges dns-01 --manual-public-ip-logging-ok
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for fukatani.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.fukatani.org with the following value:

wMxH4rx8wGY9bivrEwGitRAjHemDTpG4pAGl-R-0Ydo

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Challenge failed for domain fukatani.org
dns-01 challenge for fukatani.org
Cleaning up challenges
Exiting abnormally:
Traceback (most recent call last):
  File "/usr/lib/python-exec/python3.7/certbot", line 11, in <module>
    load_entry_point('certbot==1.4.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python3.7/site-packages/certbot/main.py", line 15, in main
    return internal_main.main(cli_args)
  File "/usr/lib/python3.7/site-packages/certbot/_internal/main.py", line 1347, in main
    return config.func(config, plugins)
  File "/usr/lib/python3.7/site-packages/certbot/_internal/main.py", line 1233, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/usr/lib/python3.7/site-packages/certbot/_internal/main.py", line 121, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python3.7/site-packages/certbot/_internal/client.py", line 409, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python3.7/site-packages/certbot/_internal/client.py", line 343, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python3.7/site-packages/certbot/_internal/client.py", line 390, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 91, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/lib/python3.7/site-packages/certbot/_internal/auth_handler.py", line 180, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
Please see the logfiles in /var/log/letsencrypt for more details.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: fukatani.org
   Type:   unauthorized
   Detail: Incorrect TXT record
   "VYkZeZhWgb6a5lnzyuAupaohODaH0XtsPcj8zjrbtRw" found at
   _acme-challenge.fukatani.org

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

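The value certbot asks you to publish (and the different value the server reports it "found") is not the raw challenge token but a digest derived from it. The following shell snippet is an added example, not part of the original post, showing how that TXT value is computed per RFC 8555 section 8.4; the token and account-key thumbprint are the RFC's sample values, not anything from the post, and the function names are my own. It also shows the zone-file line for a wildcard order, since the record for *.fukatani.org goes under _acme-challenge.fukatani.org, exactly as certbot prints above.

```shell
#!/bin/sh
# Added example: how the dns-01 TXT value is derived (RFC 8555 section 8.4).
# Requires openssl. Function names are hypothetical, not certbot's.

# base64url (no padding) of the SHA-256 digest of the argument.
b64url_sha256() {
    printf '%s' "$1" \
        | openssl dgst -sha256 -binary \
        | openssl base64 -A | tr -d '\n' \
        | tr '+/' '-_' | tr -d '='
}

# dns-01 TXT value:
#   keyAuthorization = token "." base64url(JWK thumbprint of the ACME account key)
#   TXT value        = base64url(SHA-256(keyAuthorization))
# The 43-character strings certbot prints (e.g. cKzuIZJxFged...) have exactly this shape.
dns01_txt_value() {
    token=$1
    thumbprint=$2
    b64url_sha256 "$token.$thumbprint"
}

# Zone-file line to add. A leading "*." is dropped from the ordered name, because
# the challenge for *.example.org is published at _acme-challenge.example.org.
# Arguments: ordered domain, token, thumbprint. A short TTL keeps stale values
# from lingering in caches between attempts.
dns01_zone_line() {
    domain=${1#"*."}
    printf '_acme-challenge.%s. 120 IN TXT "%s"\n' \
        "$domain" "$(dns01_txt_value "$2" "$3")"
}

# Sample values from RFC 8555 / RFC 7638 (constructed demo input, not a real order).
if [ "${DNS01_DEMO:-}" = 1 ]; then
    dns01_zone_line '*.fukatani.org' \
        'evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA' \
        'NzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfHkxZsRGC9Xs'
fi
```

Run it with `DNS01_DEMO=1 sh dns01.sh` to print the sample zone line. Because the published value is a digest of the current token, a record left over from an earlier order never validates a new one; the "Incorrect TXT record ... found" message above is the server seeing such a different digest.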

Create the TXT record, wait properly this time, and it succeeds!

# certbot --debug certonly --manual --domain *.fukatani.org --email support@fukatani.org --agree-tos --preferred-challenges dns-01 --manual-public-ip-logging-ok
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for fukatani.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.fukatani.org with the following value:

cKzuIZJxFgedH-U2lN-SANUU42kIPp-Y1RQYgqTohGY

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/fukatani.org-0001/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/fukatani.org-0001/privkey.pem
   Your cert will expire on 2020-09-15. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
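Rather than guessing how long "waiting properly" is, it helps to confirm that the TXT record is actually being served before pressing Enter. The script below is an added example, not part of the post; it uses `dig` (bind-tools / dnsutils) to query each authoritative nameserver for the zone directly, so a stale answer cached by the local resolver cannot mask a record that has not propagated yet. Function names and the polling interval are my own choices; the record name and value in the comments are the ones certbot printed above.

```shell
#!/bin/sh
# Added example: pre-flight check for certbot --manual with dns-01.
# Run in a second terminal before pressing Enter at "Press Enter to Continue":
#   sh wait_txt.sh _acme-challenge.fukatani.org cKzuIZJxFgedH-U2lN-SANUU42kIPp-Y1RQYgqTohGY
# Requires dig. Function names are hypothetical.

# Read TXT values (one per line, quoted as dig prints them) from stdin and
# return 0 if EXPECTED is among them. Extra values are allowed: a wildcard
# plus base-domain order legitimately needs two TXT records at the same name.
txt_has_value() {
    expected=$1
    found=1
    while IFS= read -r line; do
        line=${line#\"}
        line=${line%\"}
        [ -z "$line" ] && continue
        if [ "$line" = "$expected" ]; then
            found=0
        else
            echo "note: another TXT value is also present: $line" >&2
        fi
    done
    return "$found"
}

# Return 0 only when every authoritative nameserver for ZONE answers NAME
# with EXPECTED. Querying the authoritative servers sidesteps the local
# resolver's cache, which is where an old value tends to linger.
txt_deployed_everywhere() {
    name=$1
    expected=$2
    zone=$3
    ok=0
    total=0
    for ns in $(dig +short NS "$zone"); do
        total=$((total + 1))
        if dig +short TXT "$name" "@$ns" | txt_has_value "$expected"; then
            ok=$((ok + 1))
        else
            echo "not yet served by $ns" >&2
        fi
    done
    [ "$total" -gt 0 ] && [ "$ok" -eq "$total" ]
}

# Poll until the record is deployed or TIMEOUT seconds have passed.
# ZONE defaults to NAME without its "_acme-challenge." prefix; pass it
# explicitly when the record lives in a delegated sub-zone.
wait_for_txt() {
    name=$1
    expected=$2
    zone=${3:-${1#_acme-challenge.}}
    timeout=${4:-600}
    waited=0
    until txt_deployed_everywhere "$name" "$expected" "$zone"; do
        if [ "$waited" -ge "$timeout" ]; then
            echo "timed out after ${timeout}s; do not press Enter yet" >&2
            return 1
        fi
        sleep 15
        waited=$((waited + 15))
    done
    echo "$name serves the expected value on all authoritative servers"
}

if [ "$#" -ge 2 ]; then
    wait_for_txt "$@"
fi
```

Once the script reports success on every authoritative server, press Enter in the certbot session. Note that Let's Encrypt validates from several vantage points, so a value that only one of your nameservers has picked up is not enough, which is why the check insists on all of them.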