[2017.Oct.20] mod_md is now available in the ApacheLounge 2.4.x builds, so I switched my certificate-renewal tool from dehydrated (formerly letsencrypt.sh) to mod_md. About this, see → “From dehydrate to mod_md, Let’s Encrypt Tool”.
========================================================
[Oct.26] Since I now use Elliptic-curve Diffie–Hellman (ECDH) for the key exchange (kx), I posted a new article. ☞“Letsencrypt.sh on Windows-#4”
========================================================
[Sep.19] As the first automatic renewal of my Let’s Encrypt certs succeeded, I posted a new article. ☞“Letsencrypt.sh on Windows-#3”
By the way, the project has been renamed from letsencrypt.sh to dehydrated, so you can now find it at https://github.com/lukas2511/dehydrated/releases. Therefore, read letsencrypt.sh as dehydrated in my article.
========================================================
As I wrote, the letsencrypt-win-simple script still does not support renewing certificates for the Windows build of Apache, and the official client, certbot, does not support Apache on Windows either. So I use another script, letsencrypt.sh, instead.
If the ‘Run native Bash on Ubuntu on Windows’ project were finished for ordinary users, you could run sh files on Windows 10 easily, but it is not finished yet. Besides, my server OS is not Windows 10 but Windows 7, so I installed Cygwin on my server PC for letsencrypt.sh. I ran setup-x86.exe and additionally installed wget and apt-cyg. For the HowTo, see ‘Building h2load on Cygwin’.
$ apt-cyg install git
$ cd /usr/local
$ git clone https://github.com/lukas2511/letsencrypt.sh
$ cd letsencrypt.sh
$ git pull https://github.com/lukas2511/letsencrypt.sh
$ apt-cyg install curl
The test configuration of letsencrypt.sh. First the domain list. Note that the config below points at ${SCRIPTDIR}/domains.txt, so the file must be named domains.txt:
$ cd /usr/local/letsencrypt.sh
$ vi domains.txt
Here is my domains.txt. Its format is one line per certificate: the main domain first, followed by its alternative names separated by spaces (the run below shows o6asan.com with the alternative names www.o6asan.com and test.o6asan.com).
$ cd /usr/local/letsencrypt.sh
$ cp docs/examples/config .
$ vi config
#CA="https://acme-v01.api.letsencrypt.org/directory"
↓
CA="https://acme-staging.api.letsencrypt.org/directory"
* While you are testing. The staging CA issues certificates that browsers do not trust, but its rate limits are far more lenient than production’s, so a mistake during setup does not lock you out.
#BASEDIR=$SCRIPTDIR
↓
BASEDIR="/cygdrive/c/Users/UserID/AppData/Roaming"
* You can set it anywhere you want, with security in mind: BASEDIR holds the account key and every private key the script generates, so keep it outside the DocumentRoot and readable only by the account that runs the script.
#DOMAINS_TXT="${BASEDIR}/domains.txt"
↓
DOMAINS_TXT="${SCRIPTDIR}/domains.txt"
#WELLKNOWN="${BASEDIR}/.acme-challenges"
↓
WELLKNOWN="/cygdrive/x/Apache24/htdocs/.well-known/acme-challenge"
* letsencrypt-win-simple already created ‘.well-known/acme-challenge’ under htdocs, so I point letsencrypt.sh at the same directory that Apache serves as /.well-known/acme-challenge/.
$ cd /usr/local/letsencrypt.sh
$ ./letsencrypt.sh -c
# INFO: Using main config file /usr/local/letsencrypt.sh/config
+ Generating account key...
+ Registering account key with letsencrypt...
Processing o6asan.com with alternative names: www.o6asan.com test.o6asan.com
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting challenge for o6asan.com...
 + Requesting challenge for www.o6asan.com...
 + Requesting challenge for test.o6asan.com...
 + Responding to challenge for o6asan.com...
 + Challenge is valid!
 + Responding to challenge for www.o6asan.com...
 + Challenge is valid!
 + Responding to challenge for test.o6asan.com...
 + Challenge is valid!
 + Requesting certificate...
 + Checking certificate...
 + Done!
 + Creating fullchain.pem...
 + Done!
You can find your test certificates in ${BASEDIR}/certs/YourDomain. That ends the test.
Now get the real certs. Revert the CA line in config to the commented-out default, which is the production endpoint:
CA="https://acme-staging.api.letsencrypt.org/directory"
↓
#CA="https://acme-v01.api.letsencrypt.org/directory"
$ ./letsencrypt.sh -c -x
(-x forces issuance even though the staging certificates in ${BASEDIR}/certs are nowhere near their renewal date; without it, -c sees a recent certificate and skips the domain.)
cert.csr cert.pem cert-xxxxxxxxxx.csr cert-xxxxxxxxxx.pem chain.pem chain-xxxxxxxxxx.pem fullchain.pem fullchain-xxxxxxxxxx.pem privkey.pem privkey-xxxxxxxxxx.pem
$ ./letsencrypt.sh -gc
If you use Apache 2.4.8 or later, you need fullchain.pem and privkey.pem (since 2.4.8, SSLCertificateFile accepts the full chain, so SSLCertificateChainFile is no longer needed). But at this point you run into trouble: letsencrypt.sh creates fullchain.pem and privkey.pem as Cygwin symbolic links to the timestamped files, and the native Windows build of Apache cannot open those links. The fix is to copy the link targets, fullchain-xxxxxxxxxx.pem and privkey-xxxxxxxxxx.pem, as server.crt and server.key into your server’s cert directory.
Run cmd.exe as Administrator (use the Windows form of BASEDIR, C:\Users\UserID\AppData\Roaming in my case):
>pushd ${BASEDIR}\certs\YourDomain
>copy /Y fullchain-xxxxxxxxxx.pem path\to\server.crt
>copy /Y privkey-xxxxxxxxxx.pem path\to\server.key
>x:\Apache24\bin\httpd -k stop
>x:\Apache24\bin\httpd -k start
server.key is the private key, so check that the copy in the cert directory is readable only by administrators and the account Apache runs as.
That’s it.
Adding one more thing: I will write about how to renew certs automatically in the next post.
About a week ago I found that the automatic renewal of my Let’s Encrypt certs no longer worked. So I tried it manually, and that also gave me a 403 error. When I looked into it, the error came from access being denied to the directory “.well-known/acme-challenge”. But why did it suddenly start happening? In the end I found it was because of BPS: its new version has stricter Site Security rules. My “.well-known/acme-challenge” was inside the Document Root, which is the WordPress base, and BPS denies access to it.
I moved “.well-known/acme-challenge” to another location outside the Document Root and wrote an Apache 2.4 conf file like the one below. The Alias target must be the same directory as WELLKNOWN in the letsencrypt.sh config, and because it is outside the WordPress tree, BPS’s rules no longer apply to it.
Alias /.well-known/acme-challenge "/pathto/.well-known/acme-challenge/"
<Directory "/pathto/.well-known/acme-challenge/">
<IfModule mod_authz_core.c>
Require all granted
</IfModule>
</Directory>
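A renewal only fails on a 403 like this one after the CA has already been asked for a challenge. As an added example (not from the original post), the preflight below proves that the server really serves files from the WELLKNOWN directory at /.well-known/acme-challenge/ before letsencrypt.sh -c is run: it drops a random token into the directory, fetches it over plain HTTP the way the CA would, and passes only if the body round-trips unchanged, so both a denial (403) and a rewrite to some other page (a login or error page answering with 200) are caught. curl is assumed to be installed; the FETCHER override exists so the logic can be exercised without a network, and the names acme_preflight, fetch_url and FETCHER are my own.

```shell
#!/bin/sh
# Added example, not part of the original post or of letsencrypt.sh:
# check the HTTP-01 challenge path before starting a renewal.

# fetch_url URL: print the body of URL; fail on any HTTP error (curl -f turns
# 403/404/5xx into a non-zero exit). FETCHER (hypothetical) overrides the fetcher.
fetch_url() {
    if [ -n "${FETCHER:-}" ]; then
        "$FETCHER" "$1"
    else
        curl -fsS --max-time 10 -- "$1"
    fi
}

# acme_preflight DOMAIN WELLKNOWN_DIR
# Writes a random token file into WELLKNOWN_DIR, fetches
# http://DOMAIN/.well-known/acme-challenge/<token>, and returns 0 only if the
# body comes back byte-for-byte. The token file is always removed afterwards.
acme_preflight() {
    domain="$1"; wellknown="$2"
    [ -d "$wellknown" ] || { echo "WELLKNOWN directory $wellknown does not exist" >&2; return 1; }

    # 32 hex characters from the kernel RNG: not guessable, no collision with real tokens.
    token=$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')
    expected="preflight-$token"
    printf '%s' "$expected" > "$wellknown/$token" || return 1

    if body=$(fetch_url "http://$domain/.well-known/acme-challenge/$token"); then
        rc=0
    else
        rc=$?
    fi
    rm -f -- "$wellknown/$token"

    if [ "$rc" -ne 0 ]; then
        echo "fetch failed (403? check the Alias/<Directory> block and any plugin rules)" >&2
        return 1
    fi
    if [ "$body" != "$expected" ]; then
        echo "body mismatch: a rewrite or error page answered instead of the token" >&2
        return 1
    fi
    echo "ok: $domain serves $wellknown at /.well-known/acme-challenge/"
}
```

Run it as `acme_preflight o6asan.com /cygdrive/x/Apache24/htdocs/.well-known/acme-challenge` (or whatever WELLKNOWN now points at) and only call `./letsencrypt.sh -c` when it prints ok; that keeps a misconfiguration from counting against the production rate limits.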
When I commented on “Certbot web server certificate renewal error and Apache failing to start” (「CertbotWebサーバー証明書更新エラー とApache起動不能」), I referred to “How to grant access when Let’s Encrypt web validation fails” (「Let’s encrypt のWeb認証に失敗する場合の許可の通し方」), by the way, the topic Kurikuri-san told me about. That case and mine are very similar. I only remembered this after it was all over. 😼