Updating the NGINX and Let's Encrypt Configuration After a Domain Change

Work done in 2023/06


I changed my domain, so I updated the NGINX and Let's Encrypt configuration.

Let's Encrypt


Delete the old domain's certificate


Check the current contents

# tree -D /etc/letsencrypt/
/etc/letsencrypt/
    [Mar 18  2022]  accounts
        [Mar 18  2022]  acme-staging-v02.api.letsencrypt.org
・・・・
    [Mar 21 11:55]  archive
        [May 20 12:18] old.domain.ga
・・・・
    [May 20 12:17]  csr
・・・・
        [May 20 12:17]  0009_csr-certbot.pem
    [May 20 12:17]  keys
・・・・
        [May 20 12:17]  0009_key-certbot.pem
    [Mar 21 11:55]  live
        [May 20 12:18] old.domain.ga
            [May 20 12:18]  cert.pem -> ../../archive/old.domain.ga/cert2.pem
            [May 20 12:18]  chain.pem -> ../../archive/old.domain.ga/chain2.pem
            [May 20 12:18]  fullchain.pem -> ../../archive/old.domain.ga/fullchain2.pem
            [May 20 12:18]  privkey.pem -> ../../archive/old.domain.ga/privkey2.pem
            [Mar 21 11:55]  README
        [Mar 18  2022]  README
    [Mar 18  2022]  options-ssl-nginx.conf
    [May 20 12:18]  renewal
        [May 20 12:18] old.domain.ga.conf
    [Mar 18  2022]  renewal-hooks
        [Mar 18  2022]  deploy
        [Mar 18  2022]  post
        [Mar 18  2022]  pre
    [Mar 18  2022]  ssl-dhparams.pem
20 directories, 73 files



Delete

# certbot revoke --cert-path /etc/letsencrypt/live/old.domain.ga/fullchain.pem
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you like to delete the certificate(s) you just revoked, along with all
earlier and later versions of the certificate?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es (recommended)/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certificate(s) are selected for deletion:

  * old.domain.ga

WARNING: Before continuing, ensure that the listed certificates are not being
used by any installed server software (e.g. Apache, nginx, mail servers).
Deleting a certificate that is still being used will cause the server software
to stop working. See https://certbot.org/deleting-certs for information on
deleting certificates safely.

Are you sure you want to delete the above certificate(s)?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Deleted all files relating to certificate old.domain.ga.
Congratulations! You have successfully revoked the certificate that was located at /etc/letsencrypt/live/old.domain.ga/fullchain.pem.



Check the contents after deletion

# tree -D /etc/letsencrypt/
/etc/letsencrypt/
    [Mar 18  2022]  accounts
        [Mar 18  2022]  acme-staging-v02.api.letsencrypt.org
・・・・
    [Jun  7 11:28]  archive
    [May 20 12:17]  csr
・・・・
        [May 20 12:17]  0009_csr-certbot.pem
    [May 20 12:17]  keys
・・・・
        [May 20 12:17]  0009_key-certbot.pem
    [Jun  7 11:28]  live
        [Mar 18  2022]  README
    [Mar 18  2022]  options-ssl-nginx.conf
    [May 20 12:18]  renewal
    [Mar 18  2022]  renewal-hooks
        [Mar 18  2022]  deploy
        [Mar 18  2022]  post
        [Mar 18  2022]  pre
    [Mar 18  2022]  ssl-dhparams.pem
18 directories, 59 files



Note: if the certificate cannot be removed (revoke) because of an error like the following,

# certbot revoke --cert-path /etc/letsencrypt/live/old.domain.ga/fullchain.pem
Saving debug log to /var/log/letsencrypt/letsencrypt.log
An unexpected error occurred:
The client lacks sufficient authorization :: Certificate is expired
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.


remove it with the command that deletes the files (delete)

# certbot delete --cert-name old.domain.ga
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certificate(s) are selected for deletion:

  * old.domain.ga

WARNING: Before continuing, ensure that the listed certificates are not being
used by any installed server software (e.g. Apache, nginx, mail servers).
Deleting a certificate that is still being used will cause the server software
to stop working. See https://certbot.org/deleting-certs for information on
deleting certificates safely.

Are you sure you want to delete the above certificate(s)?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
Deleted all files relating to certificate old.domain.ga.



NGINX


Change the configuration file


Change the domain and comment out the SSL settings (so that certbot sets them up. Would it sort things out even if they were left as they are?)

# sudo systemctl stop nginx.service
# sudo vi /etc/nginx/sites-available/worksite_nginx.conf
・・・・
:%s/old.domain.ga/new.domain.com/g

 #listen              443 ssl; # managed by Certbot
 #ssl_certificate /etc/letsencrypt/live/old.domain.ga/fullchain.pem; # managed by Certbot
 #ssl_certificate_key /etc/letsencrypt/live/old.domain.ga/privkey.pem; # managed by Certbot
 #include             /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
 #ssl_dhparam         /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

:wq
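
Added example (not from the original post): nginx will not start while an active ssl_certificate directive points at a file that certbot has deleted, so this helper lists such directives before the restart. The function names, the ROOT argument and the sample config files are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example: list active (uncommented) ssl_certificate / ssl_certificate_key
# directives under an nginx config directory whose target file is missing.
# Usage: missing_cert_refs CONF_DIR [ROOT]
# ROOT is a hypothetical path prefix, used only so the constructed sample
# below can run in a temp directory instead of the real /etc.
missing_cert_refs() {
    conf_dir=$1
    root=${2:-}
    find "$conf_dir" -type f | while IFS= read -r file; do
        grep -E '^[[:space:]]*ssl_certificate(_key)?[[:space:]]' "$file" |
        while read -r directive path _rest; do
            path=${path%;}   # drop the trailing semicolon
            [ -e "$root$path" ] || printf '%s: %s %s\n' "$file" "$directive" "$path"
        done
    done
}

# Constructed sample tree (not the author's real files): one site still points
# at the deleted old.domain.ga lineage, the other only references existing files.
make_sample() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/conf" "$tmp/etc/letsencrypt/live/new.domain.com"
    : > "$tmp/etc/letsencrypt/live/new.domain.com/fullchain.pem"
    : > "$tmp/etc/letsencrypt/live/new.domain.com/privkey.pem"
    cat > "$tmp/conf/stale.conf" <<'EOF'
server {
    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/old.domain.ga/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/old.domain.ga/privkey.pem; # managed by Certbot
}
EOF
    cat > "$tmp/conf/ok.conf" <<'EOF'
server {
    #ssl_certificate /etc/letsencrypt/live/old.domain.ga/fullchain.pem; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/new.domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/new.domain.com/privkey.pem;
}
EOF
    printf '%s\n' "$tmp"
}

sample=$(make_sample)
missing_cert_refs "$sample/conf" "$sample"
```

On the real host, call missing_cert_refs /etc/nginx/sites-available with no ROOT argument; empty output means every active certificate path exists, and nginx -t then validates the configuration as a whole.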


Obtain the certificate for the new domain with certbot

# sudo certbot --nginx


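After checking the certificate settings and so on, start NGINX if there are no problems in the conf file. If the configuration is correct, it will start.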

# sudo systemctl start nginx.service


If the application side or anything else has domain settings, fix those as well.


That's all.