Server

Let’s Encrypt: Adding subdomains with certbot-auto

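To add subdomains to a Let’s Encrypt certificate, just run the following command and list the required domains with the -d switch. (Include the domains already on the certificate as well.)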

$ ./certbot-auto certonly --webroot -w /opt/bitnami/nginx/html/ -d [domain1] -d [domain2] -d [domain3…]

Below is an example run from before the DNS record had been set up.

$ ./certbot-auto certonly --webroot -w /opt/bitnami/nginx/html/ -d [1111].samuraism.com -d [2222].samuraism.com -d [3333].samuraism.com
Requesting to rerun ./certbot-auto with root privileges…
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None

– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/teamcity.samuraism.com.conf)

It contains these names: youtrack.samuraism.com, confluence.samuraism.com,
hub.samuraism.com, jb.samuraism.com, metabase.samuraism.com,
teamcity.samuraism.com, upsource.samuraism.com, yabumi.samuraism.com

You requested these names for the new certificate: youtrack.samuraism.com,
hub.samuraism.com, confluence.samuraism.com, teamcity.samuraism.com,
upsource.samuraism.com, yabumi.samuraism.com, metabase.samuraism.com,
jb.samuraism.com, jfrog.samuraism.com.

Do you want to expand and replace this existing certificate with the new
certificate?
– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
(E)xpand/(C)ancel: e
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for [1111].samuraism.com
http-01 challenge for [2222].samuraism.com
http-01 challenge for [3333].samuraism.com
Using the webroot path /opt/bitnami/nginx/html for all unmatched domains.
Waiting for verification…
Challenge failed for domain [3333].samuraism.com
http-01 challenge for [3333].samuraism.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
– The following errors were reported by the server:

Domain: [3333].samuraism.com
Type: dns
Detail: DNS problem: NXDOMAIN looking up A for [3333].samuraism.com
– check that a DNS record exists for this domain

Once the DNS record is set up properly and the run succeeds, the output looks like this:

$ ./certbot-auto certonly --webroot -w /opt/bitnami/nginx/html/ -d [1111].samuraism.com -d [2222].samuraism.com -d [3333].samuraism.com

Requesting to rerun ./certbot-auto with root privileges…
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None

– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/teamcity.samuraism.com.conf)

It contains these names: youtrack.samuraism.com, confluence.samuraism.com,
hub.samuraism.com, jb.samuraism.com, metabase.samuraism.com,
teamcity.samuraism.com, upsource.samuraism.com, yabumi.samuraism.com

You requested these names for the new certificate: youtrack.samuraism.com,
hub.samuraism.com, confluence.samuraism.com, teamcity.samuraism.com,
upsource.samuraism.com, yabumi.samuraism.com, metabase.samuraism.com,
jb.samuraism.com, jfrog.samuraism.com.

Do you want to expand and replace this existing certificate with the new
certificate?
– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
(E)xpand/(C)ancel: e
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for jfrog.samuraism.com
Using the webroot path /opt/bitnami/nginx/html for all unmatched domains.
Waiting for verification…
Cleaning up challenges

IMPORTANT NOTES:
– Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/teamcity.samuraism.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/teamcity.samuraism.com/privkey.pem
Your cert will expire on 2020-05-31. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
“certbot-auto renew”
– If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

 

Don’t forget to restart the web server after the certificate has been updated.
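The NXDOMAIN failure shown above can be caught before certbot is called. The following is an added example, not part of the original post: it merges the names already on the certificate with the new ones, checks that each has a DNS record, and only then prints the full command. The function names, the `RESOLVE_CMD` override and the use of `getent hosts` as the resolver are assumptions of this sketch; `--expand` is certbot's flag for accepting the expand prompt non-interactively.

```shell
#!/bin/sh
# Added example: pre-flight check before expanding a certificate with -d.
# Usage: ./plan-expand.sh WEBROOT "existing names" "new names"

# True if the name has a DNS record. RESOLVE_CMD is a hypothetical override
# (used for testing); the default assumes getent is available.
resolves() {
    ${RESOLVE_CMD:-getent hosts} "$1" >/dev/null 2>&1
}

# Merge two comma- or space-separated lists into unique names, one per
# line, keeping the existing names first.
merge_names() {
    printf '%s\n%s\n' "$1" "$2" | tr ', ' '\n\n' | awk 'NF && !seen[$0]++'
}

# Read names on stdin and print the ones that do not resolve.
unresolved_names() {
    while IFS= read -r name; do
        resolves "$name" || printf '%s\n' "$name"
    done
}

# Print the certbot-auto command for the full name list, or fail with the
# list of names that would hit "DNS problem: NXDOMAIN" during http-01.
plan_expand() {
    webroot=$1
    names=$(merge_names "$2" "$3")
    missing=$(printf '%s\n' "$names" | unresolved_names)
    if [ -n "$missing" ]; then
        echo "no DNS record yet, not calling certbot for:" $missing >&2
        return 1
    fi
    cmd="./certbot-auto certonly --webroot -w $webroot --expand"
    for n in $names; do cmd="$cmd -d $n"; done
    printf '%s\n' "$cmd"
}

# Run only when called with the three arguments.
if [ "$#" -ge 3 ]; then
    plan_expand "$@"
fi
```

The existing names can be pasted straight from the "It contains these names:" line of the certbot output, since commas and spaces are both accepted as separators.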