DNS-01 Challenge (Certbot)
Note: since I decided to use Cloudflare's proxy and nameservers, I chose Certbot's Cloudflare DNS-01 challenge rather than Porkbun's.
In Certbot's TLS certificate procedure, if you already own the root domain, using the dns-01 challenge (DNS validation) instead of the http-01 challenge (HTTP validation) is more convenient, because it spares you from going through validation separately for every subdomain.
See below for a concrete example of DNS validation.
DNS validation can be done either with a plugin or with the manual option. With manual, the TXT record has to be updated by hand within 90 days, so the renew command cannot be used.
| Plugin | Auth | Inst | Notes | Challenge types (and port) |
|---|---|---|---|---|
| DNS plugins | Y | N | This category of plugins automates obtaining a certificate by modifying DNS records to prove you have control over a domain. Doing domain validation in this way is the only way to obtain wildcard certificates from Let's Encrypt. | dns-01 (53) |
| manual | Y | N | Obtain a certificate by manually following instructions to perform domain validation yourself. Certificates created this way do not support autorenewal. Autorenewal may be enabled by providing an authentication hook script to automate the domain validation steps. | http-01 (80) or dns-01 (53) |
Third-party plugins
Certbot plugins for third-party domain providers are supplied either officially or by volunteers.
There are also a number of third-party plugins for the client, provided by other developers. Many are beta/experimental, but some are already in widespread use:
| Plugin | Auth | Inst | Notes |
|---|---|---|---|
| haproxy | Y | Y | Integration with the HAProxy load balancer |
| s3front | Y | Y | Integration with Amazon CloudFront distribution of S3 buckets |
| gandi | Y | N | Obtain certificates via the Gandi LiveDNS API |
| varnish | Y | N | Obtain certificates via a Varnish server |
| external-auth | Y | Y | A plugin for convenient scripting |
| pritunl | N | Y | Install certificates in pritunl distributed OpenVPN servers |
| proxmox | N | Y | Install certificates in Proxmox Virtualization servers |
| dns-standalone | Y | N | Obtain certificates via an integrated DNS server |
| dns-ispconfig | Y | N | DNS Authentication using ISPConfig as DNS server |
| dns-clouddns | Y | N | DNS Authentication using CloudDNS API |
| dns-lightsail | Y | N | DNS Authentication using Amazon Lightsail DNS API |
| dns-inwx | Y | Y | DNS Authentication for INWX through the XML API |
| dns-azure | Y | N | DNS Authentication using Azure DNS |
| dns-godaddy | Y | N | DNS Authentication using Godaddy DNS |
| dns-yandexcloud | Y | N | DNS Authentication using Yandex Cloud DNS |
| dns-bunny | Y | N | DNS Authentication using BunnyDNS |
| njalla | Y | N | DNS Authentication for njalla |
| DuckDNS | Y | N | DNS Authentication for DuckDNS |
| Porkbun | Y | N | DNS Authentication for Porkbun |
| Infomaniak | Y | N | DNS Authentication using Infomaniak Domains API |
| dns-multi | Y | N | DNS authentication of 100+ providers using go-acme/lego |
| dns-dnsmanager | Y | N | DNS Authentication for dnsmanager.io |
| standalone-nfq | Y | N | HTTP Authentication that works with any webserver (Linux only) |
If you’re interested, you can also write your own plugin.
Porkbun Certbot DNS validation plugin
Obtain an API key from Porkbun and create the porkbun.ini file (file permissions 600).
porkbun.ini:
```ini
dns_porkbun_key=<your-porkbun-api-key>
dns_porkbun_secret=<your-porkbun-api-secret>
```
Running the Porkbun Certbot plugin with Docker
```console
$ docker run -it --rm --name certbot_porkbun -v "$PWD/letsencrypt:/etc/letsencrypt" -v "/var/log/letsencrypt:/var/log/letsencrypt" -v "$PWD/porkbun.ini:/conf/porkbun.ini" infinityofspace/certbot_dns_porkbun:latest \
certonly \
--non-interactive \
--agree-tos \
--email <your-email-address> \
--preferred-challenges dns \
--authenticator dns-porkbun \
--dns-porkbun-credentials /conf/porkbun.ini \
--dns-porkbun-propagation-seconds 60 \
-d "example.com" -d "*.example.com"
```
Checking the validated domains
```console
$ docker run -it --rm --name certbot_porkbun -v "$PWD/letsencrypt:/etc/letsencrypt" -v "/var/log/letsencrypt:/var/log/letsencrypt" -v "$PWD/porkbun.ini:/conf/porkbun.ini" infinityofspace/certbot_dns_porkbun:latest \
certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
Certificate Name: example.com
Serial Number: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Key Type: ECDSA
Domains: example.com *.example.com
Expiry Date: 2023-xx-xx 00:54:35+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/example.com/privkey.pem
```
Renewal (register as a cron job)
```console
$ docker run -it --rm --name certbot_porkbun -v "$PWD/letsencrypt:/etc/letsencrypt" -v "/var/log/letsencrypt:/var/log/letsencrypt" -v "$PWD/porkbun.ini:/conf/porkbun.ini" infinityofspace/certbot_dns_porkbun:latest \
renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/example.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate not yet due for renewal
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certificates are not due for renewal yet:
/etc/letsencrypt/live/example.com/fullchain.pem expires on 2023-xx-xx (skipped)
No renewals were attempted.
```
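As an added example (not part of the original page or the plugin project), a cron-ready wrapper around the renew command above: it refuses to run unless porkbun.ini is mode 0600, drops `-it` because cron has no TTY, mounts the credentials read-only, and reloads the web server only when the chain file actually changed. `RELOAD_CMD` and the script name `renew-porkbun.sh` are assumptions; the bind mounts and image are the ones used above.

```shell
#!/bin/sh
# Cron-friendly renewal wrapper for the Porkbun Certbot container (added example).
# Assumed: same bind mounts and image as the commands above; RELOAD_CMD is a
# hypothetical host-side command (e.g. "systemctl reload nginx") that you set
# to whatever serves the certificate.
set -eu

CONF_DIR="${CONF_DIR:-$PWD}"
IMAGE="infinityofspace/certbot_dns_porkbun:latest"
RELOAD_CMD="${RELOAD_CMD:-true}"   # placeholder: replace with your reload command
CERT="$CONF_DIR/letsencrypt/live/example.com/fullchain.pem"

# The API key can rewrite the zone's DNS records: refuse to run unless
# porkbun.ini is readable by its owner only. Returns 0 for mode 0600, 1 otherwise.
check_credentials_perms() {
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
  [ "$mode" = "600" ]
}

# Parse the remaining validity from `certbot certificates` output, e.g.
# "Expiry Date: 2023-xx-xx 00:54:35+00:00 (VALID: 89 days)" -> 89.
# Prints -1 when no VALID line is present (expired or missing certificate).
days_valid() {
  printf '%s\n' "$1" | sed -n 's/.*(VALID: \([0-9][0-9]*\) days).*/\1/p' |
    head -n 1 | grep . || echo -1
}

# Fingerprint of the deployed chain, used to detect whether renew replaced it.
cert_sum() { [ -f "$1" ] && cksum "$1" | cut -d' ' -f1 || echo none; }

renew() {
  check_credentials_perms "$CONF_DIR/porkbun.ini" || {
    echo "porkbun.ini must be mode 0600" >&2; return 1; }
  before=$(cert_sum "$CERT")
  # No -it: cron has no TTY. The credentials mount is read-only (:ro).
  docker run --rm --name certbot_porkbun \
    -v "$CONF_DIR/letsencrypt:/etc/letsencrypt" \
    -v "/var/log/letsencrypt:/var/log/letsencrypt" \
    -v "$CONF_DIR/porkbun.ini:/conf/porkbun.ini:ro" \
    "$IMAGE" renew --non-interactive
  # Reload the web server only when the chain actually changed.
  if [ "$(cert_sum "$CERT")" != "$before" ]; then
    sh -c "$RELOAD_CMD"
  fi
}

# Run only when invoked as a script (e.g. from cron), not when sourced.
if [ "${0##*/}" = "renew-porkbun.sh" ]; then renew; fi
```

Certbot itself decides whether the certificate is due, as the output above shows, so the script can safely run daily from cron.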