certbot on KAGOYA VPS

I tried bitnami's SSL tool bncert-tool (KAGOYA_VPS_での_bncert-tool) but could not get it to work, so SSL is set up with certbot instead.

References

Implementation record

certbot

[Reference] Docker containers on the VPS

# docker container ls
CONTAINER ID   IMAGE                    COMMAND                  CREATED        STATUS          PORTS                      NAMES
3144a13de656   bitnami/redmine:latest   "/opt/bitnami/script…"   4 months ago   Up 56 minutes   127.0.0.1:8080->3000/tcp   root-redmine-1
ddf0dafbc53a   bitnami/mariadb:latest   "/opt/bitnami/script…"   4 months ago   Up 56 minutes   3306/tcp                   root-mariadb-1
  1. SSH login to the VPS instance (root)
  2. Install snapd (following the steps on the reference page within the official certbot site)
    • First install EPEL (Extra Packages for Enterprise Linux)
      sudo dnf install epel-release
      sudo dnf upgrade
      
    • Install snapd
      dnf install snapd
      
    • Enable the snap socket with systemd
      # systemctl enable --now snapd.socket
      Created symlink /etc/systemd/system/sockets.target.wants/snapd.socket → /usr/lib/systemd/system/snapd.socket.
      
    • Create a symbolic link for compatibility with older snaps
      ln -s /var/lib/snapd/snap /snap
      
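    • Log in again or reboot to activate the snap path (for now, rebooted the VPS instance)
  3. Remove certbot-auto and any Certbot other than the snap package
    • The instructions said to remove any certbot installed via apt, dnf or yum
    • The VPS had no apt, so I ran the other two just in case, but certbot had not been installed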
      # dnf remove certbot
      No match for argument: certbot
      No packages marked for removal.
      Dependencies resolved.
      Nothing to do.
      Complete!
      # yum remove certbot
      No match for argument: certbot
      No packages marked for removal.
      Dependencies resolved.
      Nothing to do.
      Complete!
      
  4. Install certbot
    • It failed with an error
      # snap install --classic certbot
      error: too early for operation, device not yet seeded or device model not acknowledged
      
    • There were reports of the same error during snap install
    • It really did succeed after just waiting a little
      # snap install --classic certbot
      2025-10-03T18:50:06+09:00 INFO Waiting for automatic snapd restart...
      certbot 5.0.0 from Certbot Project (certbot-eff✓) installed
      
  5. Create a symbolic link for running certbot
    • ln -s /snap/bin/certbot /usr/bin/certbot
  6. Obtain and install the certificate
    • Contact e-mail:
    • Agree to the Terms of Service: Y
    • E-mails with news etc.: N
    • Domain selection: 1 (redmine.smismith.com)
      # certbot --nginx
      Saving debug log to /var/log/letsencrypt/letsencrypt.log
      Enter email address or hit Enter to skip.
       (Enter 'c' to cancel): greennail3804@gmail.com
      
      - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Please read the Terms of Service at:
      https://letsencrypt.org/documents/LE-SA-v1.5-February-24-2025.pdf
      You must agree in order to register with the ACME server. Do you agree?
      - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      (Y)es/(N)o: Y
      
      - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Would you be willing, once your first certificate is successfully issued, to
      share your email address with the Electronic Frontier Foundation, a founding
      partner of the Let's Encrypt project and the non-profit organization that
      develops Certbot? We'd like to send you email about our work encrypting the web,
      EFF news, campaigns, and ways to support digital freedom.
      - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      (Y)es/(N)o: N
      Account registered.
      
      Which names would you like to activate HTTPS for?
      We recommend selecting either all domains, or all domains in a VirtualHost/server block.
      - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      1: redmine.smismith.com
      - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Select the appropriate numbers separated by commas and/or spaces, or leave input
      blank to select all options shown (Enter 'c' to cancel): 1
      Requesting a certificate for redmine.smismith.com
      
      Successfully received certificate.
      Certificate is saved at: /etc/letsencrypt/live/redmine.smismith.com/fullchain.pem
      Key is saved at:         /etc/letsencrypt/live/redmine.smismith.com/privkey.pem
      This certificate expires on 2026-01-01.
      These files will be updated when the certificate renews.
      Certbot has set up a scheduled task to automatically renew this certificate in the background.
      
      Deploying certificate
      Successfully deployed certificate for redmine.smismith.com to /etc/nginx/conf.d/tls.conf
      Congratulations! You have successfully enabled HTTPS on https://redmine.smismith.com
      
      - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      If you like Certbot, please consider supporting our work by:
       * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
       * Donating to EFF:                    https://eff.org/donate-le
      - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      
  7. Test with a manual renewal
    • Checked with --dry-run; no problems apparent
      # certbot renew --dry-run
      Saving debug log to /var/log/letsencrypt/letsencrypt.log
      
      - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Processing /etc/letsencrypt/renewal/redmine.smismith.com.conf
      - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Account registered.
      Simulating renewal of an existing certificate for redmine.smismith.com
      
      - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Congratulations, all simulated renewals succeeded:
        /etc/letsencrypt/live/redmine.smismith.com/fullchain.pem (success)
      - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
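
Steps 4 to 7 above as one unattended script, as an added example that is not part of the original record: it retries `snap install` only while snapd reports the "too early for operation" seeding error from step 4, then runs certbot with flags that give the same answers as the interactive session in step 6. The helper names, the retry count and the delay are assumptions.

```shell
#!/bin/sh
# Added example: steps 4-7 of this record as one unattended script.
# Helper names, retry count and delay are assumptions, not from the page.

SEED_ERR='too early for operation'   # error text seen in step 4

# Install a classic snap, retrying only while snapd is still seeding.
# Any other failure returns at once so a real error is not masked.
# $1 = snap name, $2 = max attempts (default 10), $3 = delay in seconds (default 15)
snap_install_when_seeded() {
    name=$1 max=${2:-10} delay=${3:-15} try=1
    while :; do
        if out=$(snap install --classic "$name" 2>&1); then
            printf '%s\n' "$out"
            return 0
        fi
        case $out in
            *"$SEED_ERR"*) ;;                          # not seeded yet: retry
            *) printf '%s\n' "$out" >&2; return 1 ;;   # different error: stop
        esac
        if [ "$try" -ge "$max" ]; then
            echo "snapd still not seeded after $max attempts" >&2
            return 2
        fi
        try=$((try + 1))
        sleep "$delay"
    done
}

# $1 = domain, $2 = contact e-mail; answers match step 6 (ToS: Y, EFF mail: N).
setup_tls() {
    snap_install_when_seeded certbot || return
    [ -e /usr/bin/certbot ] || ln -s /snap/bin/certbot /usr/bin/certbot
    certbot --nginx --non-interactive --agree-tos --no-eff-email \
        -m "$2" -d "$1" || return
    certbot renew --dry-run      # step 7: confirm renewal works
}

# Run as root: sh setup_tls.sh <domain> <email>
if [ "$#" -eq 2 ]; then
    setup_tls "$1" "$2"
fi
```

Return code 1 means `snap install` failed for a reason other than seeding, and 2 means snapd was still not seeded after the last attempt.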
    

Updated by Tatsuya ISHIGAKI 2 months ago · 1 revision