
Getting a wildcard certificate from Let's Encrypt

Let's Encrypt, which issues certificates free of charge, can now issue wildcard certificates.
That means you no longer have to fix the set of subdomains in advance.

This was my first time obtaining one, so here are my notes on the procedure.

First, make sure certbot is up to date.

$ brew upgrade certbot

Obtain the certificate. The key points are to request dns-01 explicitly with --preferred-challenges and to specify the endpoint explicitly with --server.

$ sudo certbot certonly --manual -d *.samuraism.com --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory -m yusuke@samuraism.com
Password:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
/usr/local/Cellar/certbot/0.22.2/libexec/lib/python3.6/site-packages/josepy/jwa.py:107: CryptographyDeprecationWarning: signer and verifier have been deprecated. Please use sign and verify instead.
  signer = key.signer(self.padding, self.hash)
Performing the following challenges:
dns-01 challenge for samuraism.com

-------------------------------------------------------------------------------
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
-------------------------------------------------------------------------------
(Y)es/(N)o: y

-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.samuraism.com with the following value:

7UKny6YdPQblW0zCYoI9TkAQ9EVA3CIfPny3QBRtvJ8

Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue   

Resist pressing Enter here. Instead, take the string shown above, 7UKny6YdPQblW0zCYoI9TkAQ9EVA3CIfPny3QBRtvJ8 (it differs every time), and publish it as a DNS TXT record so that it can be looked up under the _acme-challenge subdomain. I use value-domain, and concretely I wrote it like this:
txt _acme-challenge 7UKny6YdPQblW0zCYoI9TkAQ9EVA3CIfPny3QBRtvJ8

Wait a while, then confirm with the dig command that the record you set can be retrieved:

$ dig _acme-challenge.samuraism.com any @8.8.8.8

; <<>> DiG 9.9.7-P3 <<>> _acme-challenge.samuraism.com any @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59538
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;_acme-challenge.samuraism.com.	IN	ANY

;; ANSWER SECTION:
_acme-challenge.samuraism.com. 119 IN	TXT	"7UKny6YdPQblW0zCYoI9TkAQ9EVA3CIfPny3QBRtvJ8"

;; Query time: 349 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Mar 20 22:48:31 CET 2018
;; MSG SIZE  rcvd: 114

Once the specified value comes back, press Enter to finish.

Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/samuraism.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/samuraism.com/privkey.pem
   Your cert will expire on 2018-06-18. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

The certificate is now saved under /etc/letsencrypt/live/[domain name]. All that's left is to load it in Nginx, Apache, or whatever you use.
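As an added example (not from the original post), here is a small Python check for the "verify the record is deployed" step: it parses dig's answer section and confirms that the exact token certbot printed is present, so a stale value left over from an earlier run does not pass. The sample dig output is constructed from the answer shown above plus a second placeholder record, as you would see when the base domain and the wildcard are requested together (both challenges live under the same _acme-challenge name); the resolver 8.8.8.8 comes from the post's dig command, and the function names are mine.

```python
"""Check that the _acme-challenge TXT record certbot asked for is visible
before pressing Enter in the manual dns-01 flow (added example, not from
the original post)."""
from __future__ import annotations
import re
import subprocess

# Constructed sample: the ANSWER SECTION dig printed in the post, plus a
# second (placeholder) TXT record as it would look when the base domain and
# the wildcard are requested together, since both challenges share one name.
SAMPLE_DIG_OUTPUT = """\
;; ANSWER SECTION:
_acme-challenge.samuraism.com. 119 IN\tTXT\t"7UKny6YdPQblW0zCYoI9TkAQ9EVA3CIfPny3QBRtvJ8"
_acme-challenge.samuraism.com. 119 IN\tTXT\t"second-token-placeholder"
"""

# One TXT answer line: owner name, TTL, class, type, then one or more
# quoted strings (long values are split into several "..." chunks).
_TXT_LINE = re.compile(r'^(\S+)\.\s+\d+\s+IN\s+TXT\s+(.*)$')


def txt_values(dig_output: str, name: str) -> set[str]:
    """Return the TXT values dig reports for `name` (trailing dot ignored).
    Adjacent quoted chunks are joined, as a resolver would present them."""
    want = name.rstrip(".").lower()
    found = set()
    for line in dig_output.splitlines():
        m = _TXT_LINE.match(line.strip())
        if m and m.group(1).lower() == want:
            found.add("".join(re.findall(r'"((?:[^"\\]|\\.)*)"', m.group(2))))
    return found


def challenge_deployed(dig_output: str, name: str, expected: str) -> bool:
    """True when the exact token certbot printed is among the TXT answers.
    The comparison is exact: a stale value from an earlier run must not pass."""
    return expected in txt_values(dig_output, name)


def check_live(name: str, expected: str, resolver: str = "8.8.8.8") -> bool:
    """Query the public resolver used in the post and check the record.
    Needs network access; the offline sample above does not exercise it."""
    out = subprocess.run(["dig", "+noall", "+answer", name, "TXT", f"@{resolver}"],
                         capture_output=True, text=True, check=False).stdout
    return challenge_deployed(out, name, expected)
```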