Certbot を使って無料でSSLを構築してみた。環境は Conoha+Kusanagi(nginx/centos7) 。


Certbot is packaged the in EPEL (Extra Packages for Enterprise Linux) repository. To enable EPEL on your system and install Certbot, run

$ sudo yum install epel-release
$ sudo yum install certbot

ドキュメントでは、nginx/centos7 の組み合わせだと自動的に「証明書の更新」が出来ないから、ここでは「証明書の取得」だけやってcron等で更新してね、ということらしい。実際はkusanagi側の機能により既にCertbotを使った自動更新機能が動いている。。いずれにせよ、最初の証明書取得は以下の通り。

Get Started
Certbot supports a number of different “plugins” that can be used to obtain and/or install certificates.

Since your server architecture doesn't yet support automatic installation you should probably use the certonly command to obtain your certificate.

$ sudo certbot certonly


Automating renewal
Let's Encrypt certificates last for 90 days, so it's highly advisable to renew them automatically! You can test automatic renewal for your certificates by running this command:

更新自体はcertbot renewコマンドで行う。--dry-runオプションで「実行したとしたら~」のテストができる。実際やってみたら以下のようになった。

$ sudo certbot renew --dry-run
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/ (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)


If that appears to be working correctly, you can arrange for automatic renewal by adding a cron or systemd job which runs the following: certbot renew -quiet


Note: if you're setting up a cron or systemd job, we recommend running it twice per day (it won't do anything until your certificates are due for renewal or revoked, but running it regularly would give your site a chance of staying online in case a Let's Encrypt-initiated revocation happened for some reason). Please select a random minute within the hour for your renewal tasks.


$ certbot renew -quiet


# crontab -l
07 03 06 */2 * /usr/bin/kusanagi update cert tech


  • Centos7+nginxにkusanagiが入った構成でCertbotを使ったSSL証明書の作成を行った
  • 証明書の作成はドキュメント通りに手順を実行すること。
  • 証明書の自動更新はkusanagi側の機能により提供されるので何もしなくて良い。

-, ,

Copyright© , 2018 AllRights Reserved Powered by AFFINGER4.