First, groundwork on the existing VirtualHost setup.
Try a layout where the VirtualHost definitions are split into one conf file per host and pulled in with Include.
On top of that, test whether py38-certbot-apache rewrites those *.conf files properly.
Installing py38-certbot-apache should pull in the main py38-certbot package as a dependency.
It did.
pkg install -y py38-certbot-apache
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 15 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
augeas: 1.12.0_1
py38-acme: 1.16.0,1
py38-certbot: 1.16.0,1
py38-certbot-apache: 1.16.0
py38-configargparse: 1.4.1
py38-configobj: 5.0.6_1
py38-distro: 1.5.0
py38-josepy: 1.8.0
py38-parsedatetime: 2.6
py38-pyrfc3339: 1.1
py38-python-augeas: 1.0.3
py38-requests-toolbelt: 0.9.1
py38-zope.component: 4.2.2
py38-zope.event: 4.1.0
py38-zope.interface: 5.3.0

Number of packages to be installed: 15
The process will require 20 MiB more space.
6 MiB to be downloaded.
[1/15] Fetching py38-certbot-apache-1.16.0.txz: 100% 115 KiB 118.3kB/s 00:01
[2/15] Fetching py38-python-augeas-1.0.3.txz: 100% 21 KiB 21.4kB/s 00:01
[3/15] Fetching augeas-1.12.0_1.txz: 100% 609 KiB 624.1kB/s 00:01
[4/15] Fetching py38-certbot-1.16.0,1.txz: 100% 381 KiB 390.5kB/s 00:01
[5/15] Fetching py38-distro-1.5.0.txz: 100% 23 KiB 23.3kB/s 00:01
[6/15] Fetching py38-josepy-1.8.0.txz: 100% 80 KiB 81.8kB/s 00:01
[7/15] Fetching py38-acme-1.16.0,1.txz: 100% 65 KiB 66.7kB/s 00:01
[8/15] Fetching py38-requests-toolbelt-0.9.1.txz: 100% 4 MiB 4.7MB/s 00:01
[9/15] Fetching py38-pyrfc3339-1.1.txz: 100% 8 KiB 8.1kB/s 00:01
[10/15] Fetching py38-zope.interface-5.3.0.txz: 100% 289 KiB 296.4kB/s 00:01
[11/15] Fetching py38-zope.component-4.2.2.txz: 100% 93 KiB 95.0kB/s 00:01
[12/15] Fetching py38-zope.event-4.1.0.txz: 100% 8 KiB 7.8kB/s 00:01
[13/15] Fetching py38-parsedatetime-2.6.txz: 100% 57 KiB 58.7kB/s 00:01
[14/15] Fetching py38-configobj-5.0.6_1.txz: 100% 51 KiB 52.3kB/s 00:01
[15/15] Fetching py38-configargparse-1.4.1.txz: 100% 27 KiB 27.7kB/s 00:01
Checking integrity... done (0 conflicting)
[1/15] Installing py38-josepy-1.8.0...
[1/15] Extracting py38-josepy-1.8.0: 100%
[2/15] Installing py38-requests-toolbelt-0.9.1...
[2/15] Extracting py38-requests-toolbelt-0.9.1: 100%
[3/15] Installing py38-pyrfc3339-1.1...
[3/15] Extracting py38-pyrfc3339-1.1: 100%
[4/15] Installing py38-zope.interface-5.3.0...
[4/15] Extracting py38-zope.interface-5.3.0: 100%
[5/15] Installing py38-zope.event-4.1.0...
[5/15] Extracting py38-zope.event-4.1.0: 100%
[6/15] Installing augeas-1.12.0_1...
[6/15] Extracting augeas-1.12.0_1: 100%
[7/15] Installing py38-distro-1.5.0...
[7/15] Extracting py38-distro-1.5.0: 100%
[8/15] Installing py38-acme-1.16.0,1...
[8/15] Extracting py38-acme-1.16.0,1: 100%
[9/15] Installing py38-zope.component-4.2.2...
[9/15] Extracting py38-zope.component-4.2.2: 100%
[10/15] Installing py38-parsedatetime-2.6...
[10/15] Extracting py38-parsedatetime-2.6: 100%
[11/15] Installing py38-configobj-5.0.6_1...
[11/15] Extracting py38-configobj-5.0.6_1: 100%
[12/15] Installing py38-configargparse-1.4.1...
[12/15] Extracting py38-configargparse-1.4.1: 100%
[13/15] Installing py38-python-augeas-1.0.3...
[13/15] Extracting py38-python-augeas-1.0.3: 100%
[14/15] Installing py38-certbot-1.16.0,1...
[14/15] Extracting py38-certbot-1.16.0,1: 100%
[15/15] Installing py38-certbot-apache-1.16.0...
[15/15] Extracting py38-certbot-apache-1.16.0: 100%
=====
Message from py38-certbot-1.16.0,1:

--
This port installs the "standalone" client only, which does not use and
is not the certbot-auto bootstrap/wrapper script.

The simplest form of usage to obtain certificates is:

# sudo certbot certonly --standalone -d <domain>, [domain2, ... domainN]>

NOTE:
The client requires the ability to bind on TCP port 80 or 443 (depending
on the --preferred-challenges option used). If a server is running on that
port, it will need to be temporarily stopped so that the standalone server
can listen on that port to complete the challenge authentication process.

For more information on the 'standalone' mode, see:
https://certbot.eff.org/docs/using.html#standalone

The certbot plugins to support apache and nginx certificate installation
will be made available in the following ports:

* Apache plugin: security/py-certbot-apache
* Nginx plugin: security/py-certbot-nginx

In order to automatically renew the certificates, add this line to
/etc/periodic.conf:

weekly_certbot_enable="YES"

More config details in the certbot periodic script:
/usr/local/etc/periodic/weekly/500.certbot-3.8
root@fbsd:~ #
From here on, problems kept cropping up.
2021-09-23 14:58:00,334:DEBUG:certbot._internal.error_handler:Calling registered functions
2021-09-23 14:58:00,334:INFO:certbot._internal.client:Rolling back to previous server configuration...
2021-09-23 14:58:01,515:DEBUG:certbot.display.util:Notifying user: We were unable to install your certificate, however, we successfully restored your server to its prior configuration.
2021-09-23 14:58:01,520:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
File "/usr/local/lib/python3.8/site-packages/certbot_apache/_internal/configurator.py", line 2468, in config_test
util.run_script(self.options.conftest_cmd)
File "/usr/local/lib/python3.8/site-packages/certbot/util.py", line 115, in run_script
raise errors.SubprocessError(msg)
certbot.errors.SubprocessError: Error while running apachectl configtest.
Performing sanity check on apache24 configuration:
AH00526: Syntax error on line 595 of /usr/local/etc/apache24/httpd.conf:
Cannot define multiple Listeners on the same IP:port

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/local/bin/certbot", line 33, in <module>
sys.exit(load_entry_point('certbot==1.16.0', 'console_scripts', 'certbot')())
File "/usr/local/lib/python3.8/site-packages/certbot/main.py", line 15, in main
return internal_main.main(cli_args)
File "/usr/local/lib/python3.8/site-packages/certbot/_internal/main.py", line 1552, in main
return config.func(config, plugins)
File "/usr/local/lib/python3.8/site-packages/certbot/_internal/main.py", line 960, in install
_install_cert(config, le_client, domains)
File "/usr/local/lib/python3.8/site-packages/certbot/_internal/main.py", line 909, in _install_cert
le_client.deploy_certificate(domains, path_provider.key_path, path_provider.cert_path,
File "/usr/local/lib/python3.8/site-packages/certbot/_internal/client.py", line 556, in deploy_certificate
self.installer.restart()
File "/usr/local/lib/python3.8/site-packages/certbot_apache/_internal/configurator.py", line 2432, in restart
self.config_test()
File "/usr/local/lib/python3.8/site-packages/certbot_apache/_internal/configurator.py", line 2470, in config_test
raise errors.MisconfigurationError(str(err))
certbot.errors.MisconfigurationError: Error while running apachectl configtest.
Performing sanity check on apache24 configuration:
AH00526: Syntax error on line 595 of /usr/local/etc/apache24/httpd.conf:
Cannot define multiple Listeners on the same IP:port
2021-09-23 14:58:01,529:ERROR:certbot._internal.log:Error while running apachectl configtest.
Performing sanity check on apache24 configuration:
AH00526: Syntax error on line 595 of /usr/local/etc/apache24/httpd.conf:
Cannot define multiple Listeners on the same IP:port
root@fbsd
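Before retrying certbot, the thing worth finding out is where the second Listen on 443 comes from: apachectl only reports the line that loses, not the one it collided with. The script below is an added example (mine, not the post's and not part of certbot): it follows Include/IncludeOptional the way httpd does, normalises every Listen to ip:port and lists each socket that is declared more than once, with file and line. The tree that demo() builds is constructed sample data mirroring the FreeBSD layout, with httpd.conf and an included httpd-ssl.conf both saying Listen 443; the directory names in it are assumptions.

```python
import glob
import os
import re
import tempfile

# Directives that matter for this check; httpd directive names are case-insensitive.
DIRECTIVE = re.compile(r'^\s*(ServerRoot|Include|IncludeOptional|Listen)\s+(.+?)\s*$', re.IGNORECASE)


def _unquote(value):
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in ('"', "'"):
        return value[1:-1]
    return value


def normalise_listen(arg):
    """Reduce a Listen argument ('[ip-address:]port [protocol]') to (ip, port).
    A bare port binds every address, shown here as '*'."""
    token = arg.split()[0]
    if ':' in token:                       # 0.0.0.0:443 or [::1]:443
        ip, _, port = token.rpartition(':')
    else:
        ip, port = '*', token
    return ip, int(port)


def collect_listens(conf_path, server_root=None, _seen=None):
    """Yield (ip, port, file, line) for every Listen reachable from conf_path, following
    Include/IncludeOptional (globs and directories, relative to ServerRoot) in the order
    httpd reads them. <IfModule>/<IfDefine> are not evaluated, so a Listen inside such a
    block is counted whether or not httpd would actually see it."""
    _seen = set() if _seen is None else _seen
    real = os.path.realpath(conf_path)
    if real in _seen:                      # guard against Include loops
        return
    _seen.add(real)
    if server_root is None:
        server_root = os.path.dirname(real)
    with open(conf_path, encoding='utf-8', errors='replace') as fh:
        for lineno, line in enumerate(fh, 1):
            m = DIRECTIVE.match(line)
            if not m:
                continue
            name, arg = m.group(1).lower(), m.group(2)
            if name == 'serverroot':
                server_root = _unquote(arg)
            elif name == 'listen':
                ip, port = normalise_listen(arg)
                yield ip, port, conf_path, lineno
            else:                          # Include / IncludeOptional
                pattern = os.path.join(server_root, _unquote(arg))   # absolute arg wins
                pending = sorted(glob.glob(pattern))   # wildcard matches are read alphabetically
                while pending:
                    target = pending.pop(0)
                    if os.path.isdir(target):          # "Include dir/" reads every file in it
                        pending[:0] = sorted(glob.glob(os.path.join(target, '*')))
                    else:
                        yield from collect_listens(target, server_root, _seen)


def find_duplicate_listeners(conf_path):
    """Return {'ip:port': [(file, line), ...]} for every socket declared more than once,
    which is the condition AH00526 'Cannot define multiple Listeners' complains about."""
    by_sock = {}
    for ip, port, path, lineno in collect_listens(conf_path):
        by_sock.setdefault(f'{ip}:{port}', []).append((path, lineno))
    return {sock: where for sock, where in by_sock.items() if len(where) > 1}


def demo():
    """Constructed sample tree (assumed names, not the author's real files): httpd.conf
    has its own Listen 443 and also Includes extra/httpd-ssl.conf, which repeats it."""
    with tempfile.TemporaryDirectory() as root:
        files = {
            'httpd.conf': (
                f'ServerRoot "{root}"\n'
                'Listen 80\n'
                'Listen 443\n'
                'Include etc/extra/httpd-ssl.conf\n'
                'IncludeOptional etc/vhosts/*.conf\n'
            ),
            'etc/extra/httpd-ssl.conf': 'Listen 443\n',
            'etc/vhosts/fbsd.conf': '<VirtualHost *:443>\n  ServerName fbsd.example.invalid\n</VirtualHost>\n',
        }
        for rel, text in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, 'w', encoding='utf-8') as fh:
                fh.write(text)
        dups = find_duplicate_listeners(os.path.join(root, 'httpd.conf'))
        # Report paths relative to the tree so the result does not depend on the temp dir.
        return {sock: [(os.path.relpath(path, root), line) for path, line in where]
                for sock, where in dups.items()}


if __name__ == '__main__':
    for sock, where in demo().items():
        print(sock, 'is defined more than once:', ', '.join(f'{p}:{l}' for p, l in where))
```

On a real host call find_duplicate_listeners('/usr/local/etc/apache24/httpd.conf'); an empty result means the duplicate-Listen check is not what will trip configtest. The quick manual equivalent is grep -rn '^Listen' /usr/local/etc/apache24, which misses nothing only if every included file lives under that directory.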
Huh? But it does work with <VirtualHost *:443>, though.
In the end, the brute-force approach.
<VirtualHost *:443>
    ServerName fbsd.sub.h-sol.jp
    ServerAdmin webmaster@sub.h-sol.jp
    DocumentRoot "/home/www/data/fbsd"
    # This grants the whole filesystem, not just DocumentRoot: anything an Alias,
    # ScriptAlias or symlink points at becomes servable. Granting only
    # "/home/www/data/fbsd" and leaving the stock "Require all denied" on / is safer.
    <Directory />
        # AllowOverride ALL
        # Order Deny,Allow
        AllowOverride None
        Options +FollowSymLinks +Multiviews +ExecCGI
        Require all granted
    </Directory>
    ScriptAlias /cgi-bin/ /home/www/data/fbsd/cgi-bin/
    <Directory "/home/www/data/fbsd/cgi-bin">
        AllowOverride None
        Options +ExecCGI +MultiViews +SymLinksIfOwnerMatch
        Require all granted
    </Directory>
    # <Directory> takes a filesystem path, so the original "/wp/wp-admin/" matched
    # nothing unless that directory exists at the root of the filesystem; the path
    # below assumes WordPress lives under DocumentRoot. "Order Deny,Allow" plus
    # "Allow from 192.168." is 2.2 syntax (kept alive by mod_access_compat) and,
    # with no Deny line, its default is allow, so it restricted nobody. The 2.4 form:
    <Directory "/home/www/data/fbsd/wp/wp-admin">
        AllowOverride All
        Require ip 192.168.0.0/16
    </Directory>
    ErrorLog "/var/log/fbsd-sub-443-error.log"
    CustomLog "/var/log/fbsd-sub-443-access.log" combined
    SSLEngine On
    SSLCertificateFile "/usr/local/etc/letsencrypt/live/fbsd.sub.h-sol.jp/fullchain.pem"
    SSLCertificateKeyFile "/usr/local/etc/letsencrypt/live/fbsd.sub.h-sol.jp/privkey.pem"
</VirtualHost>
It worked.
References: the Apache documentation, among others.
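The layout the post set out to build at the top, one conf file per host pulled in by Include, with the vhost above tightened so that the filesystem grant covers only DocumentRoot and the wp-admin restriction actually takes effect. This is an added example, not the author's running config and not anything certbot generates; the vhosts/ directory, the LoadModule paths, the WordPress path under DocumentRoot and the use of mod_rewrite for the HTTP-to-HTTPS redirect are assumptions.

```apache
# --- /usr/local/etc/apache24/httpd.conf, relevant lines only ---
# Listen 443 must appear exactly once across httpd.conf and everything it
# Includes; extra/httpd-ssl.conf ships with its own Listen 443, so do not keep a
# second one next to it. A duplicate is exactly what AH00526 reports.
Listen 80
Listen 443
LoadModule ssl_module libexec/apache24/mod_ssl.so          # assumed module paths
LoadModule rewrite_module libexec/apache24/mod_rewrite.so
# Keep the stock default-deny on the filesystem root; each host file grants only what it needs.
<Directory />
    AllowOverride None
    Require all denied
</Directory>
# One file per host; httpd reads wildcard matches in alphabetical order. (assumed directory)
IncludeOptional etc/apache24/vhosts/*.conf

# --- /usr/local/etc/apache24/vhosts/fbsd.sub.h-sol.jp.conf ---
# Filesystem access for this host, at main-server scope so both vhosts below inherit it.
<Directory "/home/www/data/fbsd">
    AllowOverride None
    Options FollowSymLinks
    Require all granted
</Directory>
<Directory "/home/www/data/fbsd/cgi-bin">
    AllowOverride None
    Options ExecCGI
    Require all granted
</Directory>
# Admin UI from the LAN only (assumed: WordPress lives under DocumentRoot/wp).
# A more specific <Directory> replaces the enclosing Require, so this really limits access.
<Directory "/home/www/data/fbsd/wp/wp-admin">
    AllowOverride All
    Require ip 192.168.0.0/16
</Directory>

<VirtualHost *:80>
    ServerName fbsd.sub.h-sol.jp
    DocumentRoot "/home/www/data/fbsd"
    # Leave HTTP-01 challenge files reachable over plain HTTP, send everything else to TLS.
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName fbsd.sub.h-sol.jp
    ServerAdmin webmaster@sub.h-sol.jp
    DocumentRoot "/home/www/data/fbsd"
    ScriptAlias /cgi-bin/ "/home/www/data/fbsd/cgi-bin/"
    SSLEngine on
    SSLCertificateFile "/usr/local/etc/letsencrypt/live/fbsd.sub.h-sol.jp/fullchain.pem"
    SSLCertificateKeyFile "/usr/local/etc/letsencrypt/live/fbsd.sub.h-sol.jp/privkey.pem"
    ErrorLog "/var/log/fbsd-sub-443-error.log"
    CustomLog "/var/log/fbsd-sub-443-access.log" combined
</VirtualHost>
```

Run apachectl configtest after dropping the file in; with the Listen lines in one place and the vhost file carrying none, the duplicate-Listener error cannot come back from this layout.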