Generate SSL/TLS certificate with let's encrypt | iii threetreeslight

May 13, 2018

Generate SSL/TLS certificate with let's encrypt

GCP has no service equivalent to AWS ACM, so I have to create the certificate myself.

So I'll issue a certificate using Let's Encrypt.

What is Let's Encrypt

Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. It is a service provided by the Internet Security Research Group (ISRG).

To keep communication secure, all traffic needs to go over the SSL/TLS protocol. For that, a free and automated CA matters, and my understanding is that Let's Encrypt is what provides it.

There are two ways to get a certificate issued by Let's Encrypt, with shell access and without, and the advice seems to be to use the Certbot ACME client, which assumes shell access.

We recommend that most people with shell access use the Certbot ACME client. It can automate certificate issuance and installation with no downtime. It also has expert modes for people who don’t want autoconfiguration. It’s easy to use, works on many operating systems, and has great documentation. Visit the Certbot site to get customized instructions for your operating system and web server.



ACME stands for Automatic Certificate Management Environment and provides the following functions:

  • Account Creation
  • Ordering a Certificate
  • Identifier Authorization
  • Certificate Issuance
  • Certificate Revocation




Certbot is a client that supports the ACME protocol; it started out as Let's Encrypt's official client and was later generalized.

Certbot is an easy-to-use automatic client that fetches and deploys SSL/TLS certificates for your webserver.


certbot’s authenticator

Certbot takes an authenticator, which is used to verify that you control the domain and to issue a certificate for it. Authenticators are provided as plugins, and there are six kinds: apache, webroot, nginx, standalone, DNS plugins, and manual.


To get a wildcard certificate, it looks like you have to use a DNS plugin and validate via a TXT record, as described below.

This category of plugins automates obtaining a certificate by modifying DNS records to prove you have control over a domain. Doing domain validation in this way is the only way to obtain wildcard certificates from Let’s Encrypt.

Also, while reading about the DNS plugins I found out that Certbot can be used with Docker. It's presumably meant for standalone use, but being able to do this without polluting the local environment may be a big plus.


The currently selected ACME CA endpoint does not support issuing wildcard certificates


sudo certbot certonly --manual --preferred-challenges dns-01 \

Obtaining a new certificate
The currently selected ACME CA endpoint does not support issuing wildcard certificates.

I see. I thought wildcard certificates were supported, so I looked into it: support was added on March 14 of this year.

ACME v2 and Wildcard Certificate Support is Live

We’re pleased to announce that ACMEv2 and wildcard certificate support is live! With today’s new features we’re continuing to break down barriers for HTTPS adoption across the Web by making it even easier for every website to get and manage certificates. – Mar 14, 2:08 AM


How to issue ACMEv2 Wildcard with Certbot 0.22.0?


certbot certonly --standalone --agree-tos --server \
-d,* \
--config-dir ~/Downloads/letsencrypt --logs-dir ~/Downloads/letsencrypt --work-dir ~/Downloads/letsencrypt

Saving debug log to ***
Plugins selected: Authenticator manual, Installer None

NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
(Y)es/(N)o: Y

Please deploy a DNS TXT record under the name with the following value:


Before continuing, verify the record is deployed.
Press Enter to Continue

Please deploy a DNS TXT record under the name with the following value:


Before continuing, verify the record is deployed.
Press Enter to Continue
Waiting for verification...
Cleaning up challenges

 - Congratulations! Your certificate and chain have been saved at:
   Your cert will expire on 2018-08-11. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:
   Donating to EFF:          

The certificate was issued. So the validity period is three months. Renewal is just a matter of running renew, so it seems a lot easier.
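The manual flow above stops at "Before continuing, verify the record is deployed", and Let's Encrypt checks the TXT record itself at the zone's authoritative nameservers, so a value that is only saved in the DNS provider's UI or cached by a local resolver will fail validation. The following helper is an added example, not code from the original post or from certbot; it assumes dig is installed and that the record name and value are the ones certbot printed.

```shell
#!/bin/sh
# Added example (not from the original post or from certbot): confirm that the
# _acme-challenge TXT record is visible at the zone's authoritative nameservers
# before pressing Enter in certbot's manual dns-01 flow. Let's Encrypt resolves
# the record itself, so a value cached locally or only saved in the DNS
# provider's UI is not enough. Assumes `dig` (dnsutils/bind-utils) is installed.

# txt_has_value EXPECTED  <  output of `dig +short TXT ...`
# dig prints each TXT string in double quotes; strip them and compare exactly.
# Several values under one name (apex + wildcard) are fine if EXPECTED is one.
txt_has_value() {
    expected=$1
    while IFS= read -r line; do
        line=${line#\"}
        line=${line%\"}
        [ "$line" = "$expected" ] && return 0
    done
    return 1
}

# acme_record_name DOMAIN -> name the TXT record must be published under.
# A wildcard *.example.com is validated at _acme-challenge.example.com.
acme_record_name() {
    printf '_acme-challenge.%s\n' "${1#\*.}"
}

# wait_for_acme_txt DOMAIN EXPECTED [TIMEOUT_SECONDS]
# Polls until every authoritative nameserver returns EXPECTED; falls back to
# the system resolver when DOMAIN has no NS records of its own.
wait_for_acme_txt() {
    record=$(acme_record_name "$1") expected=$2 timeout=${3:-300}
    servers=$(dig +short NS "${1#\*.}")
    deadline=$(( $(date +%s) + timeout ))
    while [ "$(date +%s)" -lt "$deadline" ]; do
        ok=1
        for ns in ${servers:-.}; do   # "." stands for the system resolver
            if [ "$ns" = "." ]; then out=$(dig +short TXT "$record")
            else out=$(dig +short "@$ns" TXT "$record"); fi
            printf '%s\n' "$out" | txt_has_value "$expected" || ok=0
        done
        [ "$ok" = 1 ] && { echo "OK: $record carries $expected everywhere"; return 0; }
        sleep 10
    done
    echo "timeout: $record does not (yet) carry $expected" >&2
    return 1
}

# Usage: sh acme-txt-check.sh '*.example.com' '<value certbot printed>'
if [ $# -ge 2 ]; then wait_for_acme_txt "$@"; fi
```

Run it in a second terminal while certbot waits; once it prints OK for every nameserver, press Enter in the certbot prompt (and repeat for the second TXT value when requesting the apex name and the wildcard together).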


Why ninety-day lifetimes for certificates?

  1. They limit damage from key compromise and mis-issuance. Stolen keys and mis-issued certificates are valid for a shorter period of time.
  2. They encourage automation, which is absolutely essential for ease-of-use. If we’re going to move the entire Web to HTTPS, we can’t continue to expect system administrators to manually handle renewals. Once issuance and renewal are automated, shorter lifetimes won’t be any less convenient than longer ones.