Certbot with Atlas on AlmaLinux 9
I tried obtaining a certificate on AlmaLinux 9 using Certbot with Atlas. Having already gone through this on AlmaLinux 8, I feel I now understand the flow fairly well. ACME is short for Automated Certificate Management Environment (in Japanese, 「証明書管理の自動化環境」). It is the standard protocol that lets a server obtain and renew the SSL/TLS certificates a website needs for encryption automatically, without any manual work.
The GlobalSign Atlas Certificate Management API provides high volume certificate issuance and lifecycle management capabilities through state-of-the-art RESTful APIs. A downloadable copy of the API documentation can be found here: https://www.globalsign.com/en/repository/globalsign-atlas-certificate-management-api.pdf.
Configuration
Hostname: test.aquila.jp
Linux: AlmaLinux 9
Python: Python 3.9.25
Certbot: python3-certbot-apache
1. Basic AlmaLinux 9 setup: installing the httpd service
# sudo dnf install httpd mod_ssl
# sudo systemctl enable --now httpd
# sudo dnf install -y epel-release
# sudo dnf install -y certbot python3-certbot-apache
2. Initial access configuration on port 80
# vi /etc/httpd/conf.d/vhost-ssl.conf
<VirtualHost *:80>
DocumentRoot "/var/www/html/"
ServerName test.aquila.jp
RewriteEngine on
</VirtualHost>
# systemctl restart httpd
3. Domain registration in Atlas (HTTP validation)
# mkdir -p /var/www/html/.well-known/pki-validation/
# vi /var/www/html/.well-known/pki-validation/gsdv.txt
4. Certificate issuance
# sudo certbot register --server "https://emea.acme.atlas.globalsign.com/directory" \
--eab-kid "ID" \
--eab-hmac-key "KEY" \
-d "test.aquila.jp"
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): MAILADDRESS
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://www.globalsign.com/en/repository/GlobalSign_Subscriber_Agreement.pdf.
You must agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Account registered.
# sudo certbot --apache \
--server "https://emea.acme.atlas.globalsign.com/directory" \
-d "test.aquila.jp"
# systemctl restart httpd
5. Verification
# sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/test.aquila.jp.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Account registered.
Simulating renewal of an existing certificate for test.aquila.jp
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all simulated renewals succeeded:
/etc/letsencrypt/live/test.aquila.jp/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
Certificate Name: test.aquila.jp
Serial Number: 1b90d3785f37a44e71daf563d4a9a78
Key Type: ECDSA
Domains: test.aquila.jp
Expiry Date: 2026-10-27 00:16:00+00:00 (VALID: 198 days)
Certificate Path: /etc/letsencrypt/live/test.aquila.jp/fullchain.pem
Private Key Path: /etc/letsencrypt/live/test.aquila.jp/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6. Cron configuration
00 03 * * * certbot renew --quiet --post-hook "systemctl reload httpd"
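Because the cron job runs with --quiet, a renewal that keeps failing produces no output, so an independent expiry check is worth having. The following is an added example, not code from the original post or from Certbot: it parses the `certbot certificates` output format shown in step 5 and lists certificates expiring within a threshold. The second certificate in the sample (expiring.example) is constructed for illustration.

```python
import re
import subprocess
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample: the step-5 block plus a hypothetical cert only days from expiry.
SAMPLE_OUTPUT = """\
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: test.aquila.jp
    Serial Number: 1b90d3785f37a44e71daf563d4a9a78
    Key Type: ECDSA
    Domains: test.aquila.jp
    Expiry Date: 2026-10-27 00:16:00+00:00 (VALID: 198 days)
    Certificate Path: /etc/letsencrypt/live/test.aquila.jp/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/test.aquila.jp/privkey.pem
  Certificate Name: expiring.example
    Domains: expiring.example
    Expiry Date: 2026-04-20 00:00:00+00:00 (VALID: 8 days)
    Certificate Path: /etc/letsencrypt/live/expiring.example/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/expiring.example/privkey.pem
"""

FIELD_RE = re.compile(r"^\s*([A-Za-z ]+):\s*(.*)$")

def parse_certificates(text):
    """One dict per 'Certificate Name:' block, keyed by certbot's field labels."""
    certs = []
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m and m.group(1) == "Certificate Name":
            certs.append({"Certificate Name": m.group(2).strip()})
        elif m and certs:
            certs[-1][m.group(1)] = m.group(2).strip()
    return certs

def expiry_of(cert):
    """Use the absolute date, not '(VALID: N days)', which is relative to when certbot ran."""
    return datetime.fromisoformat(cert["Expiry Date"].split(" (")[0])

def expiring_soon(text, now_iso, threshold_days=30):
    """Names of certificates that expire within threshold_days of now_iso (ISO 8601 with offset)."""
    cutoff = datetime.fromisoformat(now_iso) + timedelta(days=threshold_days)
    return [c["Certificate Name"] for c in parse_certificates(text) if expiry_of(c) <= cutoff]

if __name__ == "__main__":  # on the server: read the live output and fail if anything is close
    out = subprocess.run(["certbot", "certificates"], capture_output=True, text=True).stdout
    late = expiring_soon(out, datetime.now(timezone.utc).isoformat())
    sys.exit(f"expiring within 30 days: {', '.join(late)}" if late else 0)
```

Run from a second cron entry (or a monitoring agent); a non-zero exit means the silent renewal has stopped working and needs attention before the certificate lapses.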