\u9038\u822c\u306e\u8aa4\u5bb6\u5ead\u306e\u30e1\u30fc\u30eb\u30b5\u30fc\u30d0\u30fc\u306eSSL\/TLS\u8a8d\u8a3c\u306b\u5fc5\u8981\u306a\u30d5\u30ea\u30fc\u306e\u8a3c\u660e\u66f8\u3092\u767a\u884c\u3059\u308bLet’s Encrypt \u306eDNS\u30c1\u30e3\u30ec\u30f3\u30b8\u8a8d\u8a3c\u3092\u3081\u3082\u3002<\/p>\n\n\n\n\n\n\n\n
\u304d\u3063\u304b\u3051\u306f certbot \u30b3\u30de\u30f3\u30c9\u3067\u304a\u99b4\u67d3\u307f\u306estandalone \u30aa\u30d7\u30b7\u30e7\u30f3\u304c\u901a\u3089\u306a\u3044\uff1f\u3060\u3063\u305f\u3089DNS\u30c1\u30e3\u30ec\u30f3\u30b8\u8a8d\u8a3c\u3059\u308c\u3070\u3044\u3044\u3058\u3083\u306a\u3044\uff08\u30a2\u30f3\u30c8\u30ef\u30cd\u30c3\u30c8\u4e26\u307f\u611f\uff09\u3060\u3063\u305f\u3068\u601d\u3044\u307e\u3059\u3002\u3084\u308a\u65b9\u306f\u3044\u308d\u3044\u308d\u30cd\u30c3\u30c8\u306b\u51fa\u3066\u3044\u308b\u306e\u3067\u6b63\u89e3\u306f\u4e00\u3064\u3067\u306f\u306a\u3044\u3067\u3059\u304c\u30a8\u30f3\u30ab\u30ec\u30c3\u30b8\u3092\u53d7\u3051\u305f\u3082\u306e\u3067\u3059\u3002<\/p>\n\n\n\n
\u30c1\u30e3\u30ec\u30f3\u30b8\u306e\u30bf\u30a4\u30d7 – Let’s Encrypt – \u30d5\u30ea\u30fc\u306a SSL\/TLS \u8a3c\u660e\u66f8<\/a><\/p>\n\n\n\n \u307e\u305a\u3001certbot\u306e\u30b5\u30fc\u30d0\u30fc\u8a8d\u8a3c\u306b\u5fc5\u8981\u306ahttp, https \u30dd\u30fc\u30c8\u3092firewall-cmd \u3067\u958b\u653e\u3057\u307e\u3059\u3002<\/p>\n\n\n \u30e4\u30de\u30cf\u30eb\u30fc\u30bf\u30fc\u306e\u5834\u5408\u306e\u5f53\u62d9\u8a18\u4e8b\uff1aRTX830 IPoE PPPoE\u30de\u30eb\u30c1\u30bb\u30c3\u30b7\u30e7\u30f3 \u30d5\u30a3\u30eb\u30bf\u578b\u30eb\u30fc\u30c6\u30a3\u30f3\u30b0\u8a2d\u5b9a<\/a> \u304c\u5fc5\u8981\u3067\u3057\u305f\u3002\u30eb\u30fc\u30bf\u30fc\u306e80,443\u756a\u306e\u30dd\u30fc\u30c8\u30d5\u30a9\u30ef\u30fc\u30c7\u30a3\u30f3\u30b0\u3092\u884c\u3044\u3001\u30dd\u30fc\u30c8\u30c1\u30a7\u30c3\u30af\u3010\u5916\u90e8\u304b\u3089\u30dd\u30fc\u30c8\u958b\u653e\u78ba\u8a8d\u3011<\/a> \u3067\u30e1\u30fc\u30eb\u30b5\u30fc\u30d0\u30fc\u306e80,443 \u30dd\u30fc\u30c8\u958b\u653e\u3092\u78ba\u8a8d\u3057\u307e\u3059\u3002<\/p>\n\n\n\n \u6b21\u306b\u3001certbot\u672c\u4f53\u3092\u30e1\u30fc\u30eb\u30b5\u30fc\u30d0\u30fc\u306b\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3057\u307e\u3059\u3002\u3053\u308c\u306f\u7279\u306b\u554f\u984c\u306a\u3044\u3068\u601d\u3044\u307e\u3059\u3002<\/p>\n\n\n DNS02\u30c1\u30e3\u30ec\u30f3\u30b8\u3059\u308b\u307e\u3048\u306bDNS\u30b5\u30fc\u30d0\u30fc\u306b\u8a2d\u7f6e\u3059\u308b\u8a8d\u8a3c\u30c8\u30fc\u30af\u30f3\u3092\u30b2\u30c3\u30c8\u3057\u307e\u3059\u3002<\/p>\n\n\n \u76f4\u3050\u306b[Enter]\u30ad\u30fc\u3092\u62bc\u3057\u305f\u304f\u306a\u308b\u3068\u3053\u308d\u3067\u3059\u304c\u3053\u3053\u306f\u843d\u3061\u7740\u3044\u3066\u307e\u305a\u306f\u8868\u793a\u3055\u308c\u305f\u30c8\u30fc\u30af\u30f3\u3092\u30b3\u30d4\u30fc\u3057\u307e\u3059\u3002<\/p>\n\n\n\n \u4e0a\u8a18\u753b\u9762\u3067\u30a8\u30f3\u30bf\u30fc\u30ad\u30fc\u3092\u62bc\u3057\u3066\u3082DNS\u30b5\u30fc\u30d0\u30fc\u306ezone\u30d5\u30a1\u30a4\u30eb\u306b\u30c8\u30fc\u30af\u30f3\u3092\u767b\u9332\u3057\u3066\u3044\u306a\u3044\u5834\u5408\u306f\u8a8d\u8a3c\u306b\u5931\u6557\u3057\u307e\u3059\u3002\u3053\u3053\u3067\u306f\u3044\u3063\u305f\u3093\u4f5c\u696d\u3092\u4e2d\u65ad\u3057\u3066\u30c8\u30fc\u30af\u30f3\u3092\u30b3\u30d4\u30fc\u3057\u3066TXT\u60c5\u5831\u3068\u3057\u3066DNS\u30b5\u30fc\u30d0\u30fc\u306b\u8a2d\u7f6e\u3057\u307e\u3059\u3002\u300c\u3061\u3087\u3063\u3068\u3001\u30b7\u30ea\u30a2\u30eb\u5024\uff08\u610f\u5473\u6df1\uff09\u4e0a\u3052\u306a\u3044\u3068\u30de\u30ba\u3044\u3067\u3059\u3088\u3002\u300d<\/p>\n\n\n chroot\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u306bzone\u30d5\u30a1\u30a4\u30eb\u3092\u30b3\u30d4\u30fc\u3001BIND\u518d\u8d77\u52d5\u3057\u307e\u3059\u3002\u3053\u306e\u8fba\u306f\u81ea\u5df1\u6d41\u3067\u30c4\u30c3\u30b3\u30df\u51e6\u6e80\u8f09\u306a\u64cd\u4f5c\u306a\u306e\u3067\u3042\u307e\u308a\u53c2\u8003\u306b\u3057\u306a\u3044\u3067\u4e0b\u3055\u3044\u3002<\/p>\n\n\n \u5148\u307b\u3069\u306e\u30e1\u30fc\u30eb\u30b5\u30fc\u30d0\u30fc\u306e\u753b\u9762\u3067[Enter]\u30ad\u30fc\u3092\u62bc\u3057\u3066Congratulations! \u3068\u8868\u793a\u3055\u308c\u308c\u3070\u8a8d\u8a3c\u6210\u529f\u3067\u3059\u3002<\/p>\n\n\n\n \u30e1\u30fc\u30eb\u30b5\u30fc\u30d0\u30fc\u306ecrontab -e \u3092\u7de8\u96c6\u3057\u3066\u66f4\u65b0\u3092\u81ea\u52d5\u5b9f\u884c\u3059\u308b\u3088\u3046\u306b\u8a2d\u5b9a\u3057\u307e\u3059\u3002\u4ee5\u4e0b\u306f2\u304b\u6708\u306b1\u56de\u3001\u9694\u67081\u65e5\u306e\u5348\u524d4\u6642\u30686\u6642\u306b\u8a3c\u660e\u66f8\u306e\u66f4\u65b0\u3092\u3059\u308b\u4f8b\u3067\u3059\u3002\u5931\u6557\u3057\u305f\u5834\u5408\u306b\u5099\u3048\u3066\uff12\u56de\u5b9f\u884c\u3057\u3066\u3044\u307e\u3059\u304c\u3084\u308a\u904e\u304e\u308b\u3068\u30ec\u30fc\u30c8\u5236\u9650\u304c\u639b\u304b\u308b\u306e\u3067\u6ce8\u610f\u304c\u5fc5\u8981\u3067\u3059\u3002\uff08 –dry-run\u30aa\u30d7\u30b7\u30e7\u30f3\u3092\u4ed8\u3051\u3066\u52d5\u4f5c\u78ba\u8a8d\u3059\u308b\u3068\u826f\u3044\u3067\u3057\u3087\u3046\u3002\uff09<\/p>\n\n\n cron \u304c\u3061\u3083\u3093\u3068\u52d5\u3044\u3066\u3044\u308b\u304b\u30ed\u30b0\u3092\u78ba\u8a8d\u3001\u3057\u3088\u3046\uff01\uff08\u76f4\u7403\uff09<\/p>\n\n\n <\/p>\n\n\n\n \u53c2\u8003URL: \u30c1\u30e3\u30ec\u30f3\u30b8\u306e\u30bf\u30a4\u30d7 – Let’s Encrypt – \u30d5\u30ea\u30fc\u306a SSL\/TLS \u8a3c\u660e\u66f8<\/a><\/p>\n\n\n\n\u76ee\u6b21<\/h2>\n\n\n\n
http, https \u30dd\u30fc\u30c8\u306e\u958b\u653e<\/h3>\n\n\n\n
# firewall-cmd --add-service=http --zone=public --permanent
# firewall-cmd --add-service=https --zone=public --permanent\n\n# firewall-cmd --reload<\/span><\/pre>\n\n\ncertbot\u306e\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb<\/h3>\n\n\n\n
# yum -y install epel-release\n\n# yum -y install python2-certbot-apache<\/span><\/pre>\n\n\n\u8a8d\u8a3c\u30c8\u30fc\u30af\u30f3\u3092\u30b2\u30c3\u30c8<\/h3>\n\n\n\n
# certbot certonly --manual -d mail.stuffy.site --preferred-challenges dns
<\/span>\nSaving debug log to \/var\/log\/letsencrypt\/letsencrypt.log\nPlugins selected: Authenticator manual, Installer None\nStarting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org\nCert not due for renewal, but simulating renewal for dry run\nSimulating renewal of an existing certificate for mail.stuffy.site\nPerforming the following challenges:\ndns-01 challenge for mail.stuffy.site\n\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\nPlease deploy a DNS TXT record under the name\n_acme-challenge.mail.stuffy.site with the following value:\n\nnN7iALVuBdZPGlXVzoG-dpKElP1MmTKWvX9nZkm6dbQ\n\nBefore continuing, verify the record is deployed.\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\nPress Enter to Continue<\/pre>\n\n\nBIND\u306bTXT\u30ec\u30b3\u30fc\u30c9\u3092\u8ffd\u52a0<\/h3>\n\n\n\n
stuffy.site.zone<\/span>\n\n IN MX 10 mail.stuffy.site.\n;\nlocalhost IN A 127.0.0.1\nns1 IN A 116.58.163.5\nmail IN A 116.58.163.6\nwww IN A 116.58.163.4
;
\n#\u30b3\u2191\u30b3\u2193<\/span>\n_acme-challenge.mail IN TXT nN7iALVuBdZPGlXVzoG-dpKElP1MmTKWvX9nZkm6dbQ<\/pre>\n\n\n[NS Server] # pwd<\/span>
\/var\/named<\/span>
# \\cp stuffy.site.zone .\/chroot\/var\/named
# rm -f .\/chroot\/var\/named\/*.jnl
\n# systemctl restart named-chroot
\n# rndc flush<\/span><\/pre>\n\n\ncertbot DNS02 \u30c1\u30e3\u30ec\u30f3\u30b8\u8a8d\u8a3c<\/h3>\n\n\n\n
Cron\u3067\u81ea\u52d5\u66f4\u65b0<\/h3>\n\n\n\n
# crontab -e
<\/span>\n00 04 1 *\/2 * echo 2 | \/usr\/bin\/certbot certonly --manual -d mail.stuffy.site --preferred-challenges dns --post-hook 'systemctl reload postfix' --post-hook 'systemctl reload dovecot'\n00 06 1 *\/2 * echo 2 | \/usr\/bin\/certbot certonly --manual -d mail.stuffy.site --preferred-challenges dns --post-hook 'systemctl reload postfix' --post-hook 'systemctl reload dovecot'
\n# systemctl restart crond<\/span><\/pre>\n\n\n# cat \/var\/log\/cron | grep certbot<\/span><\/pre>\n\n\n