• /home/kobore/www/soft/wildcard_TLS.mm

1. 背景

• ■Let’s Encrypt でワイルドカード対応のSSL証明書を取得する必要が発生した

  • サーバのサブドメインで、位置情報を扱う必要があり、否応がなく対応しなければならなくなった

  ■*.sea-anemone.techに全部対応できるようにすること→ 例えば、loc.sea-anemone.tech. tech.sea-anemone.techとか

2.前提

• ■参考としたページ
  • ~ https://www.virment.com/how-to-get-wildcard-certificate-lets-encrypt/
• ■AWSを使っている場合は、あまり無理しなくても、AWSが無料で提供しているので、それを使うのが良いかもしれない

• ■"お名前.com"でRoute53に飛ばす

  • 
  • ~ https://kobore.net/DNS_memo.mm.html

3.準備

• ■2つのTeraTermを立ち上げて、EC2にログインしておく
• ■ターミナルAとターミナルBと呼ぶ

4.手続

• ■ターミナルA

  • ~ ubuntu$ sudo certbot certonly --manual --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory -d sea-anemone -d *.sea-anemone

    • /usr/lib/python3/dist-packages/requests/__init__.py:80: RequestsDependencyWarning: urllib3 (1.25.8) or chardet (3.0.4) doesn't match a supported version!  RequestsDependencyWarning)

      Saving debug log to /var/log/letsencrypt/letsencrypt.log

      Plugins selected: Authenticator manual, Installer None

      ~ Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): tomoichi.ebata@gmail.com

      - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

      ~ Please read the Terms of Service at https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must agree in order to register with the ACME server at https://acme-v02.api.letsencrypt.org/directory

      - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    (A)gree/(C)ancel:

    • A

      Would you be willing to share your email address with the Electronic Frontier Foundation, a founding partner of the Let's Encrypt project and the non-profit organization that develops Certbot? We'd like to send you email about our work encrypting the web, EFF news, campaigns, and ways to support digital freedom.

    (Y)es/(N)o:

    • Y

      Obtaining a new certificate

      Performing the following challenges:

      dns-01 challenge for sea-anemone

      dns-01 challenge for sea-anemone

      NOTE: The IP of this machine will be publicly logged as having requested this certificate. If you're running certbot in manual mode on a machine that is not your server, please ensure you're okay with that.

      Are you OK with your IP being logged?

    (Y)es/(N)o:

    • y
    • Please deploy a DNS TXT record under the name _acme-challenge.sea-anemone with the following value:
    • OXerteief0N8ss3XvEKLUDn_rg55fHh7gi59N8dd_hA
    • Before continuing, verify the record is deployed.
    • Press Enter to Continue

    ここで一時待機する

• ■ターミナルB
  • ubuntu$ dig -t txt @01.dnsv.jp _acme-challenge.sea-anemone +short
  • ubuntu$ dig -t txt @01.dnsv.jp _acme-challenge.sea-anemone +short
  • (5分後くらい)
  • ubuntu$ dig -t txt @01.dnsv.jp _acme-challenge.sea-anemone +short
    • S9nWlzBQlVGH9f3CPaNLwR70MbBbUpCsnsDm8Wnav54
• ■(再び)ターミナルA
  • リターンキーを押す
    • Please deploy a DNS TXT record under the name
    • _acme-challenge.ondemandbus.mobi with the following value:
  • S9nWlzBQlVGH9f3CPaNLwR70MbBbUpCsnsDm8Wnav54"
    • Before continuing, verify the record is deployed.
    • Press Enter to Continue
    • Please deploy a DNS TXT record under the name
    • _acme-challenge.example.com with the following value:
    • NMtK2LZOUluDwDcNriGfPF-x2J_5xk_0-y7S7JuLRvQ
    • Before continuing, verify the record is deployed.
    • (This must be set up in addition to the previous challenges; do not remove,
    • replace, or undo the previous challenge tasks yet. Note that you might be
    • asked to create multiple distinct TXT records with the same name. This is
    • permitted by DNS standards.)
• ■(再び)ターミナルB
  • ubuntu$ dig -t txt @01.dnsv.jp _acme-challenge.sea-anemone +short
    • "NMtK2LZOUluDwDcNriGfPF-x2J_5xk_0-y7S7JuLRvQ"
    • "S9nWlzBQlVGH9f3CPaNLwR70MbBbUpCsnsDm8Wnav54"
  • Press Enter to Continue
  • Waiting for verification...
  • Cleaning up challenges
  • IMPORTANT NOTES:
    • - Congratulations! Your certificate and chain have been saved at:
      • /etc/letsencrypt/live/sea-anemone/fullchain.pem
      • Your key file has been saved at:
      • /etc/letsencrypt/live/sea-anemone/privkey.pem
      • Your cert will expire on 2020-04-29. To obtain a new or tweaked
      • version of this certificate in the future, simply run certbot
      • again. To non-interactively renew *all* of your certificates, run
      • "certbot renew"
    • - If you like Certbot, please consider supporting our work by:
      • ~ Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
      • ~ Donating to EFF:                    https://eff.org/donate-le
• ■(再び)ターミナルA

  • $ sudo aws iam upload-server-certificate --server-certificate-name mory-mobi-certificate-20200130 --certificate-body file:///etc/letsencrypt/live/sea-anemone/cert.pem --private-key file:///etc/letsencrypt/live/sea-anemone/privkey.pem --certificate-chain file:///etc/letsencrypt/live/sea-anemone/chain.pem --path /sea-anemone/

5.Route53からレコードセットしなればいけない気がするが、今動いているので、手を付けていない