それマグで!

Knowledge is best taken slowly from a mug rather than a cup. takuya_1st's blog

Those who attend to their habits early probably reap the greater harvest in life.

Renewing certificates quickly with certbot

It works even while nginx or apache is running.

Even if httpd is already up, certbot handles it properly.

/usr/bin/certbot -q renew --pre-hook "service nginx stop" --post-hook "service nginx start"

Since you can wire the stop/restart into --pre-hook and --post-hook, there is no problem at all.

According to the man page:

          renew:
            The 'renew' subcommand will attempt to renew all certificates (or more
            precisely, certificate lineages) you have previously obtained if they are
            close to expiry, and print a summary of the results. By default, 'renew'
            will reuse the options used to create obtain or most recently successfully
            renew each certificate lineage. You can try it with `--dry-run` first. For
            more fine-grained control, you can renew individual lineages with the
            `certonly` subcommand. Hooks are available to run commands before and
            after renewal; see https://certbot.eff.org/docs/using.html#renewal for
            more information on these.

            --pre-hook PRE_HOOK   Command to be run in a shell before obtaining any
                                  certificates. Intended primarily for renewal, where it
                                  can be used to temporarily shut down a webserver that
                                  might conflict with the standalone plugin. This will
                                  only be called if a certificate is actually to be
                                  obtained/renewed. When renewing several certificates
                                  that have identical pre-hooks, only the first will be
                                  executed. (default: None)
            --post-hook POST_HOOK
                                  Command to be run in a shell after attempting to
                                  obtain/renew certificates. Can be used to deploy
                                  renewed certificates, or to restart any servers that
                                  were stopped by --pre-hook. This is only run if an
                                  attempt was made to obtain/renew a certificate. If
                                  multiple renewed certificates have identical post-
                                  hooks, only one will be run. (default: None)
            --renew-hook RENEW_HOOK
                                  Command to be run in a shell once for each
                                  successfully renewed certificate. For this command,
                                  the shell variable $RENEWED_LINEAGE will point to the
                                  config live subdirectory containing the new certs and
                                  keys; the shell variable $RENEWED_DOMAINS will contain
                                  a space-delimited list of renewed cert domains
                                  (default: None)
            --disable-hook-validation
                                  Ordinarily the commands specified for --pre-hook
                                  /--post-hook/--renew-hook will be checked for
                                  validity, to see if the programs being run are in the
                                  $PATH, so that mistakes can be caught early, even when
                                  the hooks aren't being run just yet. The validation is
                                  rather simplistic and fails if you use more advanced
                                  shell constructs, so you can use this switch to
                                  disable it. (default: False)

hook

Combining the hooks lets you run periodic certificate renewal with a single simple command, which is convenient.
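As an added example (not from the original post, and not certbot's own code), here is a --renew-hook script that pairs with the renew command above. The script path /usr/local/sbin/certbot-renew-hook.sh, the nginx reload and the "refuse to deploy if privkey.pem is world-readable" policy are assumptions of mine. It relies only on what the man page excerpt states: certbot exports RENEWED_LINEAGE and RENEWED_DOMAINS and runs the hook once per lineage that was actually renewed, so it never fires on the daily cron runs where nothing is close to expiry.

```shell
#!/bin/sh
# Added example: a certbot --renew-hook script. Wired in like this
# (assumed path; adjust to your host):
#   /usr/bin/certbot -q renew \
#       --pre-hook  "service nginx stop" \
#       --post-hook "service nginx start" \
#       --renew-hook /usr/local/sbin/certbot-renew-hook.sh
# certbot sets RENEWED_LINEAGE (the live/<name> directory) and RENEWED_DOMAINS
# only when a lineage was really renewed, so this runs only on real renewals.
set -u

# Log to stderr with a fixed prefix so the lines are easy to grep in the journal.
log() { printf 'certbot-renew-hook: %s\n' "$*" >&2; }

# verify_lineage DIR
#   0 -> fullchain.pem and privkey.pem exist and the key is not world-readable
#   1 -> a required file is missing (do not reload: nginx would fail on a bad path)
#   2 -> privkey.pem is readable by "other" (do not deploy a key that may have leaked)
verify_lineage() {
    dir=$1
    for f in fullchain.pem privkey.pem; do
        if [ ! -f "$dir/$f" ]; then
            log "missing $dir/$f"
            return 1
        fi
    done
    # -H follows the live/ symlink to the archive/ file; -perm -004 prints the
    # file only if the world-read bit is set (POSIX find, no GNU stat needed).
    if [ -n "$(find -H "$dir/privkey.pem" -perm -004)" ]; then
        log "$dir/privkey.pem is world-readable, refusing to deploy"
        return 2
    fi
    return 0
}

# reload_nginx: test the configuration first so a broken cert path cannot take
# the site down; a reload keeps existing connections open, unlike stop/start.
# No-op when nginx is not installed (e.g. on a host that only uses the certs for mail).
reload_nginx() {
    if ! command -v nginx >/dev/null 2>&1; then
        log "nginx not installed, skipping reload"
        return 0
    fi
    nginx -t || return $?
    service nginx reload
}

main() {
    lineage=${RENEWED_LINEAGE:?not set: run this via certbot --renew-hook}
    log "renewed ${RENEWED_DOMAINS:-?} (lineage $lineage)"
    verify_lineage "$lineage" || exit $?
    reload_nginx
}

# When certbot invokes the hook RENEWED_LINEAGE is set; run by hand without it,
# the functions are merely defined so they can be tested in isolation.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    main
fi
```

Newer certbot releases call the same hook --deploy-hook (--renew-hook still works as an alias), and once the webroot or nginx authenticator is used instead of standalone, the --pre-hook/--post-hook stop/start pair can be dropped entirely, leaving only this reload.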

I wonder how long certbot and Let's Encrypt will keep handing out SSL certificates for free...

I hope they don't start charging or make registration more cumbersome a few years from now. It worries me.