From: 011netservice@gmail.com
Date: 2024-05-13
Subject: readme-LetsEncrypt.txt
path: CodeHelper\Certificate\LetsEncrypt\readme-LetsEncrypt.txt

You are welcome to write to exchange ideas or to order software.

□ Let's Encrypt is a certificate authority
  Let's Encrypt is a certificate authority, website: https://letsencrypt.org/zh-tw/
  Free certificates are valid for only 90 days.
  One account can request a certificate for the same domain only 3 times, so after 9 months of use
  the original account can no longer request a free certificate for the same domain.
  The solution: use the Certbot method and keep using free certificates indefinitely.
  certbot is an ACME client; it can automate certificate issuance and installation, without even
  stopping your server.
  certbot: https://certbot.eff.org/
  Online tool sites (ZeroSSL, SSL For Free, Certbot) can also complete the certificate request; the
  certificate is then installed on the website.

#### 2024-03-03 Case: certbot renewing certificates.
Renewing the wildcard certificate "*.011.idv.tw" (using the DNS validation method via _acme-challenge.011.idv.tw)

□ This case uses the *.011.idv.tw certificate as its example and requests the certificate anew.
○ 19 days before the expiry date, a mail notification arrives:
  Your certificate (or certificates) for the names listed below will expire in 19 days (on 20 Jan 23 12:44 +0000)...
  Your certificate (or certificates) for the names listed below will expire in 19 days (on 08 Nov 22 12:35 +0000)...
○ The renew method does not apply here; use the steps that follow instead.
  PS C:\Certbot\live\main.011.idv.tw> certbot renew
  The renew error is:
  Saving debug log to C:\Certbot\log\letsencrypt.log
  - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  Processing C:\Certbot\renewal\011.idv.tw.conf
  - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  Failed to renew certificate 011.idv.tw with error: The manual plugin is not working; there may be problems with your existing configuration.
  The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.')
  - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  All renewals failed. The following certificates could not be renewed:
    C:\Certbot\live\011.idv.tw\fullchain.pem (failure)
  - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  1 renew failure(s), 0 parse failure(s)
  Ask for help or search for solutions at https://community.letsencrypt.org.
  See the logfile C:\Certbot\log\letsencrypt.log or re-run Certbot with -v for more details.
○ The manual renewal method is equivalent to a fresh request!
  ◇ Open PowerShell as administrator.
  ◇ Switch from PowerShell to cmd (command console); certbot commands are easier to run there.
  ◇ cd C:\Certbot\live\011.idv.tw
  ◇ Step 1: run the manual request command (ApplyChallenges.cmd):
    certbot certonly -v --preferred-challenges dns-01 --manual -d *.011.idv.tw
    For example:
    Saving debug log to C:\Certbot\log\letsencrypt.log
    Plugins selected: Authenticator manual, Installer None
    Certificate is due for renewal, auto-renewing...
    Renewing an existing certificate for *.011.idv.tw
    Performing the following challenges:
    dns-01 challenge for 011.idv.tw
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Please deploy a DNS TXT record under the name:
    _acme-challenge.011.idv.tw.
    with the following value:
    DhvEy_m4C5eMA0grqbQObbwzZVlNJvoj6P5_u1XNv6Q
    Before continuing, verify the TXT record has been deployed. Depending on the DNS provider, this may take some time, from a few seconds to multiple minutes. You can check if it has finished deploying with aid of online tools, such as the Google Admin Toolbox:
    https://toolbox.googleapps.com/apps/dig/#TXT/_acme-challenge.011.idv.tw.   <--- URL for checking whether the _acme-challenge DNS TXT record has taken effect.
    Look for one or more bolded line(s) below the line ';ANSWER'. It should show the value(s) you've just added.
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Press Enter to Continue
    At this point execution pauses. Register the DNS TXT record _acme-challenge.011.idv.tw. shown above in your domain's DNS management, and continue only after it has taken effect.
  ◇ Step 2: set the DNS TXT record (_acme-challenge.011.idv.tw) in the domain's DNS management.
    Expired, no longer valid DNS TXT records must be deleted, otherwise the check easily fails!
  ◇ Step 3: check whether the DNS TXT record (_acme-challenge.011.idv.tw) has taken effect.
    Use the URL above (for checking whether the _acme-challenge DNS TXT record has taken effect) to check the record:
    open a browser and view the content of https://toolbox.googleapps.com/apps/dig/#TXT/_acme-challenge.011.idv.tw
    Once it has taken effect, the TXT string set in DNS management should appear. The process can take several hours
    (actual waiting times recorded below):
    For example: date set, DNS TXT record _acme-challenge.011.idv.tw, time until it took effect
    20220612, xxx, "MBZWMdo992QsLYAbaiakEPylOc60ZEbq-sdaYxQ5G0c", update completed in about 4 hours; TTL estimated at 6 hours.
    20220810, xxx, "iApbD3iz-80aYt_KO8EJC-3OnzJyW3mYPPMvm4OSMUo", update completed in about 1 hour
    20221022, "WZSarJiAnf5NitJSQz66t8eSsLbtQ5aE_XBc-JwsAS0", update completed in about 1 hour; certificate expires 20230120.
    20230101, xxx, "DhvEy_m4C5eMA0grqbQObbwzZVlNJvoj6P5_u1XNv6Q", DNS TXT record visible after about 1.5 hours, but validation did not pass.
    20230101, xxx, "NopZHViCHieahL9032CKhS_f1xUUGAkST7sh2ZO1Nx8", tried again; DNS TXT record visible after about 1.5 hours, but validation did not pass.
    20230101, "Y4eXrMwZ6-AaoUpYiyJZBOuiIAmm7-uhVzDyRan2cuo", third attempt! DNS TXT record visible after 1.5 hours; waited until 2.7 hours in total and it finally passed. Certificate expiry date 2023-04-01
    20230312, xxx, "1WVt82bay7EJEOUIqxv5s-obDWaXJWN05gO5TlYhCNk", started 18:14; DNS TXT record visible after about 1.5 hours, but validation did not pass.
    20230312, "l_Ncilsr_hEb5pf1XNougNa3MtgeV6fYMp7-PKtvlQ8", started 21:33
    20230522, "Iyhipw0Z8MMBkIjw1Tq_3_zZTYgjbrsiksYvvaz2wBk", started 08:25, did not pass, requested again.
              "ekxvqZfmjNLM4GWGjftRfI2aeGrF6aBdW6ZQcBq3W4s", started 09:36, passed at 12:21
    20230804, "8RHrWNbZn1tSLV8fPfWO2ZviJ8jUEdi0OYoglaPUSoA", started 09:25, passed at 11:20.
    20231013, "Ou1k0C2p2kASoff3Y5q25sL-ZdNbsqeoPLPKPv2AdV8", started 15:20, visible at 16:25, deliberately waited one more hour until 17:24
    20231223, "YONCHFnm2bhHmUte0-nS2hM8Ct40U8IgJkc5Pk61v8c", recorded afterwards
    20240303, "yH2DSqGucVQRI2ePZvK_mvpeFpdxOGr6DtPPrWacbvQ", started 09:07, passed at 16:00 of course
    20240303, "nEf1KLky-ugPOTGXXCTUGV7IPiGZgAjbU_g8pImR8gY", started 08:50, failed at 09:20; too fast: even though the record was already visible, you still have to wait a while longer.
    20240303, "9yYGIhLPy-MZHM-3nbulIY46QsXoWU9wXBZKMqAMf6c", started 09:30,
    20240723, "AW3ljX2lmq0la40DwRpH_wVUpto7ALrZg3OjG5gEeIM", started 13:38,
    20241001, "sSisafvQ1cw8bdYfAKoYbPonPFBKpbc6hGpI2sa0bnc", started 17:32, visible at 18:15, deliberately waited until 19:00, passed.
  ◇ Once the DNS TXT record (_acme-challenge.011.idv.tw) has taken effect, continue the previously paused step (the manual request command).
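Step 3 above checks the record by hand in a browser. As an added example (not from the original readme), the following script uses only the Python standard library to query a name server directly for the _acme-challenge TXT record and classify what the CA will find: the token missing, present, or present next to stale values from earlier attempts. The name and token are the ones printed in the readme; the transaction-id handling, the constructed sample response and the placeholder server address are mine.

```python
import random
import socket
import struct

TYPE_TXT = 16
CLASS_IN = 1

def encode_name(name):
    """Encode a dotted name as DNS labels: <len><label>...<0>."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(x)]) + x.encode("ascii") for x in labels) + b"\x00"

def build_txt_query(name, txid):
    """Standard recursion-desired query for TXT <name> with transaction id txid."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_TXT, CLASS_IN)

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name at msg[off]."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def parse_txt_answers(msg, txid):
    """Return every TXT string in the answer section; reject a mismatched id."""
    rid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("DNS response id does not match the query")
    off = 12
    for _ in range(qd):                  # skip the echoed question(s)
        off = _skip_name(msg, off) + 4
    values = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype != TYPE_TXT:
            continue
        i = 0                            # TXT RDATA is a run of <len><chars> strings
        while i < len(rdata):
            n = rdata[i]
            values.append(rdata[i + 1:i + 1 + n].decode("ascii", "replace"))
            i += 1 + n
    return values

def query_txt(name, server, timeout=5.0):
    """UDP query to <server>:53. Ask the domain's authoritative name server, not a
    caching resolver, whose stale answer can differ from what the CA sees."""
    txid = random.randint(0, 0xFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_txt_query(name, txid), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_txt_answers(data, txid)

def check_challenge(values, expected):
    """'missing': do not press Enter yet. 'ok-with-stale': old tokens still published."""
    if expected not in values:
        return "missing"
    return "ok" if len(values) == 1 else "ok-with-stale"

def build_txt_response(name, txid, values, ttl=300):
    """Constructed reply for offline testing; answers point (0xC00C) at the question name."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(values), 0, 0)
    question = encode_name(name) + struct.pack("!HH", TYPE_TXT, CLASS_IN)
    answers = b""
    for v in values:
        rdata = bytes([len(v)]) + v.encode("ascii")
        answers += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, CLASS_IN, ttl, len(rdata)) + rdata
    return header + question + answers

# Constructed sample: the token certbot printed above plus two stale values from earlier attempts.
NAME = "_acme-challenge.011.idv.tw"
TOKEN = "DhvEy_m4C5eMA0grqbQObbwzZVlNJvoj6P5_u1XNv6Q"
SAMPLE = build_txt_response(NAME, 0x1234, ["MBZWMdo992QsLYAbaiakEPylOc60ZEbq-sdaYxQ5G0c",
                                            TOKEN, "iApbD3iz-80aYt_KO8EJC-3OnzJyW3mYPPMvm4OSMUo"])

if __name__ == "__main__":   # live use: query_txt(NAME, "<authoritative-ns-ip>") instead of SAMPLE
    found = parse_txt_answers(SAMPLE, 0x1234)
    print(found, check_challenge(found, TOKEN))   # -> 'ok-with-stale'
```

Run it repeatedly while certbot is paused at "Press Enter to Continue"; only proceed once it reports ok, and delete the stale records the readme warns about when it reports ok-with-stale.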
  After a successful run, 4 files are produced; the main two are:
    Certificate is saved at: C:\Certbot\live\011.idv.tw\fullchain.pem
    Key is saved at:         C:\Certbot\live\011.idv.tw\privkey.pem
    This certificate expires on 2023-01-20.
  plus these two files: cert.pem, chain.pem
  For example:
    Waiting for verification...
    Cleaning up challenges
    Successfully received certificate.
    Certificate is saved at: C:\Certbot\live\011.idv.tw\fullchain.pem
    Key is saved at:         C:\Certbot\live\011.idv.tw\privkey.pem
    This certificate expires on 2023-04-01.   <--- certificate expiry date
    These files will be updated when the certificate renews.
    ...
  If the _acme-challenge DNS TXT record has not fully taken effect, the machine running the manual request command treats it as invalid, and the only option is to repeat steps 1, 2 and 3 and submit the request again.
  It is therefore suggested to open the browser on the same machine used in step 1 and view the content of https://toolbox.googleapps.com/apps/dig/#TXT/_acme-challenge.011.idv.tw there, which is more accurate.
  20230101: this trick does not work! You still have to wait longer. The TTL is estimated at 6 hours; waiting 24 hours is guaranteed to work. See the actual waiting times recorded above.
  For example:
    Waiting for verification...
    Challenge failed for domain 011.idv.tw
    dns-01 challenge for 011.idv.tw
    Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
      Domain: 011.idv.tw
      Type:   unauthorized
      Detail: Incorrect TXT record "MBZWMdo992QsLYAbaiakEPylOc60ZEbq-sdaYxQ5G0c" (and 2 more) found at _acme-challenge.011.idv.tw
    Hint: The Certificate Authority failed to verify the manually created DNS TXT records. Ensure that you created these in the correct location, or try waiting longer for DNS propagation on the next attempt.
    Cleaning up challenges
    Some challenges have failed.
    Ask for help or search for solutions at https://community.letsencrypt.org.
    See the logfile C:\Certbot\log\letsencrypt.log or re-run Certbot with -v for more details.
  ◇ Create the .pfx file. See CodeHelper\Certificate\OpenSSL\readme-OpenSSL.txt
  ◇ Import and bind the certificate in the Windows IIS site. See CodeHelper\Windows\IIS\readme-iis.txt

#### 2022-08-10 View the certificate request history.
See readme-Certificate.txt, section "View the certificate request history".

#### certbot renewing certificates.
Renewing the server certificate "www.011.idv.tw", using the port 80 renewal method
Steps:
1. 17 or 19 days before the expiry date, a mail notification arrives.
2. On the server, stop whatever occupies port 80 (IIS).
3. Start PowerShell as administrator, switch to the cmd console, and change the working directory to C:\Certbot\live\www.011.idv.tw
   cd C:\Certbot\live\www.011.idv.tw
4. Run:
   PS C:\Certbot\live\www.011.idv.tw> certbot renew
   Saving debug log to C:\Certbot\log\letsencrypt.log
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   Processing C:\Certbot\renewal\www.011.idv.tw.conf
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   Renewing an existing certificate for www.011.idv.tw
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   Congratulations, all renewals succeeded:
     C:\Certbot\live\www.011.idv.tw\fullchain.pem (success)
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   Done!

   PS C:\Certbot\live\main.011.idv.tw> certbot renew
   Saving debug log to C:\Certbot\log\letsencrypt.log
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   Processing C:\Certbot\renewal\main.011.idv.tw.conf
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   Renewal configuration file C:\Certbot\renewal\main.011.idv.tw.conf is broken.
   The error was: Expected C:\Certbot\live\main.011.idv.tw\cert.pem to be a symlink
   Skipping.
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   No renewals were attempted.
   Additionally, the following renewal configurations were invalid:
     C:\Certbot\renewal\main.011.idv.tw.conf (parsefail)
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   0 renew failure(s), 1 parse failure(s)
   Ask for help or search for solutions at https://community.letsencrypt.org.
   See the logfile C:\Certbot\log\letsencrypt.log or re-run Certbot with -v for more details.
   PS C:\Certbot\live\main.011.idv.tw>

#### 2022-06-12 Case: requesting a certificate with certbot, running the request steps on the server.
This case validates via an HTTP connection to the website, i.e. on the server, with port 80 confirmed open to the outside.
Advantage of this validation method: success or failure is confirmed immediately.
Disadvantages: you must have control of the server, the request must be run on the server, the server must stay online, and port 80 must be confirmed open to the outside.
On the server
□ Download and run certbot
  On the server, go to the certbot website: https://certbot.eff.org/, choose "My HTTP website is running (Web Hosting Product) on (Windows)", and the download certbot-beta-installer-win32.exe, version=Certbot(beta) 1.24.0, appears below.
  After installation, run PowerShell or cmd.exe as administrator and the certbot command is available.
  For example, check the certbot version:
    PS C:\Certbot> certbot --version
    certbot 1.24.0
□ Create the C:\Certbot directory for the certificates and logs; you must have permissions on it.
□ Request the certificate
  ○ On the server, confirm port 80 is open to the outside and not in use by IIS (stop IIS first). Then run PowerShell as administrator.
  ○ Run the command:
    certbot certonly --standalone
    If the following error appears, certbot could not bind port 80:
    Problem binding to port 80: [WinError 10013] 嘗試存取通訊端被拒絕,因為存取權限不足。
    The execution log is given later (Certbot execution log).
  After a successful run, 4 files are available under C:\Certbot\; for example, requesting "main.011.idv.tw" gives:
  1. C:\Certbot\live\main.011.idv.tw\fullchain.pem
     Certificate file containing the full certificate path. All certificates, including server certificate (aka leaf certificate or end-entity certificate). The server certificate is the first one in this file, followed by any intermediates.
  2. C:\Certbot\live\main.011.idv.tw\privkey.pem
     Private key for the certificate
  3. C:\Certbot\live\main.011.idv.tw\cert.pem
     contains the server certificate by itself
  4. C:\Certbot\live\main.011.idv.tw\chain.pem
     contains the additional intermediate certificate or certificates that web browsers will need in order to validate the server certificate. If you provide one of these files to your web server, you must provide both of them, or some browsers will show "This Connection is Untrusted" errors for your site, some of the time.
  For details on these files, see https://eff-certbot.readthedocs.io/en/stable/using.html#where-are-my-certificates
  All files are PEM-encoded. If you need other format, such as DER or PFX, then you could convert using openssl. You can automate that with --deploy-hook if you're using automatic renewal.
  All files are PEM-encoded; to convert to another format, use the openssl tool.
  ○ Convert to a .pfx file
    If the website runs on IIS, the certificate must be converted to .pfx before it can be imported.
    First change to the working directory:
      cd "C:\Certbot\live\main.011.idv.tw"
    Convert to .pfx with openssl:
      \"Program Files"\OpenSSL-Win64\bin\openssl pkcs12 -export -out main011idvtw20220515.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem
    During execution you are asked to set the password for the .pfx file.
    On success the file C:\Certbot\live\main.011.idv.tw\main011idvtw20220515.pfx is produced.
    The command above can be made into a batch file (BuildPfx.cmd) with the following content:
      rem put this file to C:\Certbot\live\[YourDomain]\, e.g. C:\Certbot\live\011.idv.tw\
      rem the interactive command above uses -certfile chain.pem (intermediates only); fullchain.pem also contains cert.pem
      SET PASSWORD=[YourPassword]
      "C:\Program Files\OpenSSL-Win64\bin\openssl.exe" pkcs12 -export -out "wild011idvtw20220612.pfx" -inkey "privkey.pem" -in "cert.pem" -certfile "fullchain.pem" -password "pass:%PASSWORD%"
□ Certbot execution log
  PS C:\Certbot> certbot certonly --standalone
  Please enter the domain name(s) you would like on your certificate (comma and/or space separated) (Enter 'c' to cancel): www.011.idv.tw
  Requesting a certificate for www.011.idv.tw
  Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): 011netservice@gmail.com   <---- use your own email.
  - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  Please read the Terms of Service at https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must agree in order to register with the ACME server. Do you agree?
  - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  (Y)es/(N)o: Y   <---- agree to the terms of service.
  - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  Would you be willing, once your first certificate is successfully issued, to share your email address with the Electronic Frontier Foundation, a founding partner of the Let's Encrypt project and the non-profit organization that develops Certbot? We'd like to send you email about our work encrypting the web, EFF news, campaigns, and ways to support digital freedom.
  - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  (Y)es/(N)o: Y   <---- agree to share your email with the Electronic Frontier Foundation.
  Account registered.
  Please enter the domain name(s) you would like on your certificate (comma and/or space separated) (Enter 'c' to cancel): main.011.idv.tw
  Requesting a certificate for main.011.idv.tw   <---- use your own site.
  The certificate and private key were created successfully, valid until the date below, and a scheduled task was created to renew the certificate automatically.
  Successfully received certificate.
  Certificate is saved at: C:\Certbot\live\main.011.idv.tw\fullchain.pem
  Key is saved at:         C:\Certbot\live\main.011.idv.tw\privkey.pem
  This certificate expires on 2022-08-12.
  These files will be updated when the certificate renews.
  Certbot has set up a scheduled task to automatically renew this certificate in the background.
  - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  If you like Certbot, please consider supporting our work by:
   * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   * Donating to EFF:                    https://eff.org/donate-le
  - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  www.011.idv.tw: the certificate and private key were created successfully, valid until the date below, and a scheduled task was created to renew the certificate automatically.
  Successfully received certificate.
  Certificate is saved at: C:\Certbot\live\www.011.idv.tw\fullchain.pem
  Key is saved at:         C:\Certbot\live\www.011.idv.tw\privkey.pem
  This certificate expires on 2022-09-10.
  These files will be updated when the certificate renews.
  Certbot has set up a scheduled task to automatically renew this certificate in the background.
  We were unable to subscribe you the EFF mailing list because your e-mail address appears to be invalid. You can try again later by visiting https://act.eff.org.
  - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  If you like Certbot, please consider supporting our work by:
   * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   * Donating to EFF:                    https://eff.org/donate-le
  - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

#### 2022-05-15 Original text of the certbot installation steps
Windows installation procedure
Certbot is now officially available for Windows.
If you find that Certbot is not the most suitable Let's Encrypt client application for your use case, there are many other clients written by other organizations and developers that you may be able to use to obtain a certificate from Let's Encrypt.
1. Important notes
   The installation procedure follows the current certbot version.
   It only covers the steps for obtaining the certificate, not installing it into the website.
   This procedure follows the current Certbot implementation for Windows, in particular the fact that it installs as a system component, and requires administrative privileges. These instructions will be updated when a future version of Certbot switches to a different installation method.
   No installers for HTTP servers are supported for now (Certbot for Windows can currently obtain your certificate from Let's Encrypt, but not install it into your web server application).
2. Specific Windows system requirements and user knowledge requirements
   2.1 The user needs to be familiar with the command-line interface (CLI), because Certbot is a pure CLI program.
   2.2 The user must use an account with administrative privileges to install and run Certbot.
   2.3 PowerShell and CMD.EXE are supported; both need to be started with elevated privileges before invoking Certbot.
   2.4 Path C:\Certbot must be writable by the current user.
   The user must use PowerShell or CMD.exe with administrator privileges, and have read/write permission on the directory C:\Certbot.
3. Installation instructions
   1. Connect to the server.
   2. Connect locally or remotely (using Remote Desktop) to the server using an account that has administrative privileges for this machine.
   3. Install Certbot.
   4. Download the latest version of the Certbot installer for Windows at https://dl.eff.org/certbot-beta-installer-win32.exe.
   5. Run the installer and follow the wizard. The installer will propose a default installation directory, C:\Program Files(x86), that can be customized.
   6. To start a shell for Certbot, select the Start menu, enter cmd (to run CMD.EXE) or powershell (to run PowerShell), and click on "Run as administrator" in the contextual menu that shows up above.
   7. Run Certbot as a shell command.
      To run a command on Certbot, enter the name certbot in the shell, followed by the command and its parameters. For instance, to display the inline help, run:
      C:\WINDOWS\system32> certbot --help
4. Obtain the certificate.
   Choose how you'd like to run Certbot
   Are you ok with temporarily stopping your website?
   Yes, my web server is not currently running on this machine.
   Stop your webserver, then run this command to get a certificate. Certbot will temporarily spin up a webserver on your machine.
   a. If the website is not running, use this command to obtain the certificate:
      C:\WINDOWS\system32> certbot certonly --standalone
   No, I need to keep my web server running.
   If you have a webserver that's already using port 80 and don't want to stop it while Certbot runs, run this command and follow the instructions in the terminal.
   b. If the website must keep running and cannot be stopped, use this command:
      C:\WINDOWS\system32> certbot certonly --webroot
   Method a is recommended: just obtain the certificate. Not tying this to installing the certificate into the website keeps things simpler.
   Important Note: To use the webroot plugin, your server must be configured to serve files from hidden directories. If /.well-known is treated specially by your webserver configuration, you might need to modify the configuration to ensure that files inside /.well-known/acme-challenge are served by the webserver.
   To use the webroot plugin, the website must be able to serve the hidden directory /.well-known/acme-challenge.
5. Test automatic renewal
   The Certbot installation on your system comes with a pre-installed Scheduled Task that will renew your certificates automatically before they expire. You will not need to run Certbot again, unless you change your configuration. You can test automatic renewal for your certificates by running the command
   The Certbot installation creates a scheduled task that renews certificates automatically, so Certbot does not need to be run again.
   To test whether the scheduled task renews certificates correctly, run:
   C:\WINDOWS\system32> certbot renew --dry-run
   If you needed to stop your webserver to run Certbot (for example, if you used the standalone authenticator on a machine where port 80 is normally in use), you'll want to edit the built-in command to add the --pre-hook and --post-hook flags to stop and start your webserver automatically. For example, if your webserver is Apache 2.4, add the following to the certbot renew command:
   In Task Scheduler (local), the entry is "Certbot Renew Task", run daily; action = start a program:
     Powershell.exe -NoProfile -WindowStyle Hidden -Command "certbot renew"
   Arguments to add:
     --pre-hook "net stop Apache2.4" --post-hook "net start Apache2.4"
   With these arguments added as in the example, the Apache2.4 website is stopped and restarted automatically before and after the certificate renewal.
   Execution log:
   PS C:\Certbot> certbot renew --dry-run
   Saving debug log to C:\Certbot\log\letsencrypt.log
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   Processing C:\Certbot\renewal\main.011.idv.tw.conf
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   Account registered.
   Simulating renewal of an existing certificate for main.011.idv.tw
   Failed to renew certificate main.011.idv.tw with error: Problem binding to port 80: [WinError 10013] 嘗試存取通訊端被拒絕,因為存取權限不足。
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   All simulated renewals failed. The following certificates could not be renewed:
     C:\Certbot\live\main.011.idv.tw\fullchain.pem (failure)
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   1 renew failure(s), 0 parse failure(s)
   Ask for help or search for solutions at https://community.letsencrypt.org.
   See the logfile C:\Certbot\log\letsencrypt.log or re-run Certbot with -v for more details.
   PS C:\Certbot>
6. Confirm that Certbot worked
   To confirm that your site is set up properly, visit https://yourwebsite.com/ in your browser and look for the lock icon in the URL bar.
   Open https://main.011.idv.tw/ in a browser and confirm it works (the site icon shows a lock).
7. Note for Windows Apache or Nginx users
   As described in section 5 above, Certbot for Windows currently cannot install the certificate in Apache or Nginx for you. As of the most recent release, you will have to edit your web server application's configuration to install the certificate yourself after Certbot has obtained it. If this limitation is acceptable to you, please start from the beginning of this document to learn more about installing and using Certbot on Windows.
   Certbot for Windows currently does not support installing the certificate into Apache or Nginx, so it must be installed into the website manually.

#### 2022-05-29, Case: requesting a wildcard certificate with certbot, using DNS validation.
A wildcard certificate can only be requested with DNS validation; the http-01 challenge cannot be used.
A TXT record (_acme-challenge.011.idv.tw) must therefore be set successfully in the domain's DNS management before validation can pass.
Advantage of this validation method: no server is needed, and the request does not have to be run on the server.
Disadvantage: you must wait until the TXT record (_acme-challenge.011.idv.tw) set in DNS management has taken effect before validation can pass.
The site https://toolbox.googleapps.com/apps/dig/ can be used to check the DNS settings.
ref:
  https://blog.miniasp.com/post/2021/02/11/Create-SSL-TLS-certificates-from-LetsEncrypt-using-Certbot
  http://tech.smallya.net/2021/11/28/certbot-lets-encrypt-ssl%E6%86%91%E8%AD%89-iis-%E5%A4%9A%E5%9F%9F%E5%90%8D/

On the server
□ Download and run certbot: same as in the 2022-06-12 case above (certbot-beta-installer-win32.exe, version=Certbot(beta) 1.24.0; run PowerShell or cmd.exe as administrator, then check with certbot --version).
□ Create the C:\Certbot directory for the certificates and logs; you must have permissions on it.
□ Request the certificate
  ○ On the server, run PowerShell as administrator.
  ○ Run the command (replace with your own email and domain):
    certbot certonly --manual -m 011netservice@gmail.com -d *.011.idv.tw
    certbot certonly --manual --preferred-challenges dns -m 011netservice@gmail.com -d *.011.idv.tw
    The execution log is given later (Certbot execution log).
  After a successful run, the same 4 files as in the 2022-06-12 case above are available under C:\Certbot\ (the example there is "main.011.idv.tw"):
  1. fullchain.pem   certificate file with the full certificate path: the server certificate first, followed by any intermediates
  2. privkey.pem     private key for the certificate
  3. cert.pem        server certificate: contains the server certificate by itself
  4. chain.pem       intermediate certificates: the additional intermediate certificate or certificates that web browsers need in order to validate the server certificate
  For details on these files, see https://eff-certbot.readthedocs.io/en/stable/using.html#where-are-my-certificates
  All files are PEM-encoded; to convert to another format such as DER or PFX, use the openssl tool (this can be automated with --deploy-hook under automatic renewal).
  ○ Convert to a .pfx file so it can be imported into the IIS site
    With administrator privileges, change to the working directory:
      cd "C:\Certbot\live\011.idv.tw"
    Convert to .pfx with openssl:
      \"Program Files"\OpenSSL-Win64\bin\openssl pkcs12 -export -out wild011idvtw20220612.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem
    During execution you are asked to set the password for the .pfx file.
    On success the file C:\Certbot\live\011.idv.tw\wild011idvtw20220612.pfx is produced.
    The command above can be made into a batch file (BuildPfx.cmd) with the following content:
      rem put this file to C:\Certbot\live\[YourDomain]\, e.g. C:\Certbot\live\011.idv.tw\
      rem the interactive command above uses -certfile chain.pem (intermediates only); fullchain.pem also contains cert.pem
      SET PASSWORD=[YourPassword]
      "C:\Program Files\OpenSSL-Win64\bin\openssl.exe" pkcs12 -export -out "wild011idvtw20220612.pfx" -inkey "privkey.pem" -in "cert.pem" -certfile "fullchain.pem" -password "pass:%PASSWORD%"
  ○ Bind the wild011idvtw20220612 wildcard certificate in IIS: see readme-Certificate.txt for the steps.
□ Certbot execution log: (requesting a wildcard certificate, using DNS validation)
  PS C:\Certbot> certbot certonly --manual -m 011netservice@gmail.com -d *.011.idv.tw
  Saving debug log to C:\Certbot\log\letsencrypt.log
  - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  Please read the Terms of Service at https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must agree in order to register with the ACME server. Do you agree?
  - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  (Y)es/(N)o: y   <---- agree to the terms of service.
  - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  Would you be willing, once your first certificate is successfully issued, to share your email address with the Electronic Frontier Foundation, a founding partner of the Let's Encrypt project and the non-profit organization that develops Certbot? We'd like to send you email about our work encrypting the web, EFF news, campaigns, and ways to support digital freedom.
  - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  (Y)es/(N)o: y   <---- agree to provide your e-mail to the Electronic Frontier Foundation (EFF) for registration.
  Account registered.
  Requesting a certificate for *.011.idv.tw
  - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  Please deploy a DNS TXT record under the name:   <---- the DNS TXT record name is:
  _acme-challenge.011.idv.tw.
  with the following value:   <---- the value of the DNS TXT record named "_acme-challenge.011.idv.tw" (this value differs on every request; no need to remember it):
  MBZWMdo992QsLYAbaiakEPylOc60ZEbq-sdaYxQ5G0c
  Before continuing, verify the TXT record has been deployed. Depending on the DNS provider, this may take some time, from a few seconds to multiple minutes.
  You can check if it has finished deploying with aid of online tools, such as the Google Admin Toolbox:
  https://toolbox.googleapps.com/apps/dig/#TXT/_acme-challenge.011.idv.tw.
  Look for one or more bolded line(s) below the line ';ANSWER'. It should show the value(s) you've just added.
  - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  Press Enter to Continue   <---- wait here until the domain's DNS is correct before pressing Enter to continue
  In this case we waited about 6 hours here, confirmed the domain's DNS was correct, and only then pressed Enter to continue.
  How to confirm: browse the URL certbot gives above, e.g. https://toolbox.googleapps.com/apps/dig/#TXT/_acme-challenge.011.idv.tw, and see whether the value of the DNS TXT record named "_acme-challenge.011.idv.tw" can be found.
  DNS updates take time (typically the TTL is 3600 seconds (1 hour); for Hinet it is 6 hours), so you must wait until your domain's DNS is correct before continuing!
  The site https://toolbox.googleapps.com/apps/dig/ can be used to check the DNS settings.
  The domain's DNS can be modified where the domain is registered; in this case, hinet.
  Successfully received certificate.
  Certificate is saved at: C:\Certbot\live\011.idv.tw\fullchain.pem
  Key is saved at:         C:\Certbot\live\011.idv.tw\privkey.pem
  This certificate expires on 2022-08-27.
  These files will be updated when the certificate renews.
  NEXT STEPS:
  - This certificate will not be renewed automatically. Autorenewal of --manual certificates requires the use of an authentication hook script (--manual-auth-hook) but one was not provided. To renew this certificate, repeat this same certbot command before the certificate's expiry date.
  We were unable to subscribe you the EFF mailing list because your e-mail address appears to be invalid. You can try again later by visiting https://act.eff.org.
  - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  If you like Certbot, please consider supporting our work by:
   * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   * Donating to EFF:                    https://eff.org/donate-le
  - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -