1. Letsencrypt/certbot/manual_mode

../manual-auth-hook

https://certbot.eff.org/glossary#command-line

What checks Let's Encrypt actually performs becomes visible by running certbot in manual mode.

/dns-01 /renew /wild_card

/nerima.click

If you’d like to obtain a certificate running certbot on a machine other than your target webserver or perform the steps for domain validation yourself, you can use the manual plugin.

While hidden from the UI, you can use the plugin to obtain a certificate by specifying certonly and --manual on the command line.

This requires you to copy and paste commands into another terminal session, which may be on a different computer.

The manual plugin can use the http, dns, or tls-sni challenge.

You can use the --preferred-challenges option to choose the challenge of your preference.

2. http-01


Create a file containing just this data:

TyOlfVRpWcNzhUwubelrBUdRDGoPmmsddmkACD5t2i0.Uuosmu0iUAn9aKvlg_ETM_1l6E6L3DXvu-XQJtCA_Ko

And make it available on your web server at this URL:

http://xxx.brau.jp/.well-known/acme-challenge/TyOlfVRpWcNzhUwubelrBUdRDGoPmmsddmkACD5t2i0

Another example (the validation server could not reach the web server):

  Detail: Fetching
   http://sakura.qmail.jp/.well-known/acme-challenge/j2WpRRpQ2PSRXDuDuSMy-PB04NV89-irzMbrm1fYJNQ:
   Connection refused

3. dns-01

# certbot certonly --manual --preferred-challenges dns-01 -d xxx.brau.jp

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.xxx.brau.jp with the following value:

WXXzIsHV4ayCFUhlvh4T59udxW1th3A21zdrM0lpSPg

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
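What the CA checks in the two challenges above can be reproduced offline. The following is an added example, not code from the page or from certbot: it takes the key authorization and URL printed in the http-01 section, checks that the URL token is the part of the key authorization before the dot, checks that a served file body would satisfy the CA (RFC 8555 section 8.3 lets the server ignore trailing whitespace), derives the dns-01 TXT value that RFC 8555 section 8.4 defines as base64url(SHA-256(key authorization)), and parses a `dig -t txt` answer (copied from the success example further down this page) to confirm a record is deployed before pressing Enter. Function names are the example's own; the dns-01 value is derived from the http-01 key authorization only for illustration, since the page does not print the dns-01 key authorization.

```python
"""Offline checks mirroring what Let's Encrypt verifies in manual mode (added example)."""
import base64
import hashlib
import re

# Values printed by certbot in the http-01 section of the page.
KEY_AUTH = ("TyOlfVRpWcNzhUwubelrBUdRDGoPmmsddmkACD5t2i0."
            "Uuosmu0iUAn9aKvlg_ETM_1l6E6L3DXvu-XQJtCA_Ko")
CHALLENGE_URL = ("http://xxx.brau.jp/.well-known/acme-challenge/"
                 "TyOlfVRpWcNzhUwubelrBUdRDGoPmmsddmkACD5t2i0")

# dig output copied from the page's DNS success example.
DIG_OUTPUT = """\
; <<>> DiG 9.9.5 <<>> -t txt _acme-challenge.www.brau.jp
;; QUESTION SECTION:
;_acme-challenge.www.brau.jp.   IN      TXT

;; ANSWER SECTION:
_acme-challenge.www.brau.jp. 86400 IN   TXT     "IyOVJxgccU5aBSibNM5SAHQ-AvO0HXgZURdttK49D5o"
"""

BASE64URL_ALPHABET = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_")


def split_key_authorization(key_auth):
    """A key authorization is '<token>.<account key thumbprint>'; both halves
    are unpadded base64url (RFC 8555 section 8.1)."""
    token, sep, thumbprint = key_auth.partition(".")
    if not sep or not token or not thumbprint:
        raise ValueError("key authorization must look like token.thumbprint")
    for part in (token, thumbprint):
        if set(part) - BASE64URL_ALPHABET:
            raise ValueError("not base64url: %r" % part)
    return token, thumbprint


def http01_url_matches(key_auth, url, domain):
    """http-01: the CA fetches /.well-known/acme-challenge/<token> over plain
    HTTP on the identifier being validated; the token is the first half of
    the key authorization."""
    token, _ = split_key_authorization(key_auth)
    return url == "http://%s/.well-known/acme-challenge/%s" % (domain, token)


def http01_body_ok(body, key_auth):
    """The served body must be the full key authorization (token AND
    thumbprint); the CA may ignore whitespace after the body."""
    return body.rstrip() == key_auth


def dns01_txt_value(key_auth):
    """dns-01: the TXT record at _acme-challenge.<domain> must hold
    base64url(SHA-256(key authorization)) with the '=' padding removed."""
    digest = hashlib.sha256(key_auth.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def txt_values_from_dig(dig_output, name):
    """Return the quoted TXT strings for `name` from ANSWER SECTION lines of
    `dig -t txt` output (QUESTION lines start with ';' and are skipped)."""
    pattern = re.compile(r"^" + re.escape(name.rstrip(".")) +
                         r"\.\s+\d+\s+IN\s+TXT\s+\"([^\"]*)\"")
    values = []
    for line in dig_output.splitlines():
        match = pattern.match(line)
        if match:
            values.append(match.group(1))
    return values


def dns01_deployed(dig_output, domain, expected_value):
    """True when the resolver already answers with the value certbot asked for."""
    return expected_value in txt_values_from_dig(dig_output, "_acme-challenge." + domain)


if __name__ == "__main__":
    print("http-01 URL matches token:", http01_url_matches(KEY_AUTH, CHALLENGE_URL, "xxx.brau.jp"))
    print("dns-01 TXT value for this key authorization:", dns01_txt_value(KEY_AUTH))
    print("TXT records seen by dig:", txt_values_from_dig(DIG_OUTPUT, "_acme-challenge.www.brau.jp"))
```

Run it before pressing Enter in certbot: feed the real `dig` output to `dns01_deployed` (querying an external resolver rather than 127.0.0.1, since the CA resolves from outside) and, for http-01, compare the fetched body with `http01_body_ok`; the "Connection refused" failure shown above is exactly what such a pre-check catches.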

4. DNS success example

Register the TXT record, confirm it with dig, then continue. (This run was for www.brau.jp, so the value differs from the xxx.brau.jp example above.)

# dig -t txt _acme-challenge.www.brau.jp

; <<>> DiG 9.9.5 <<>> -t txt _acme-challenge.www.brau.jp
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51493
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;_acme-challenge.www.brau.jp.   IN      TXT

;; ANSWER SECTION:
_acme-challenge.www.brau.jp. 86400 IN   TXT     "IyOVJxgccU5aBSibNM5SAHQ-AvO0HXgZURdttK49D5o"

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jan 22 23:17:07 JST 2019
;; MSG SIZE  rcvd: 101

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
Resetting dropped connection: acme-v02.api.letsencrypt.org

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /usr/local/etc/letsencrypt/live/www.brau.jp/fullchain.pem
   Your key file has been saved at:
   /usr/local/etc/letsencrypt/live/www.brau.jp/privkey.pem
   Your cert will expire on 2019-04-22. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"

MoinQ: Letsencrypt/certbot/manual_mode (last edited 2023-07-22 00:38:01 by ToshinoriMaeno)