Let’s Encrypt証明書の生成と手動更新(Windows)

WindowsのVPS（Virtual Private Server：仮想専用サーバー）でPython＋Flaskを動作させています。
あえて、ApacheやIISなどのWebサーバの配下でPython+Flaskを呼び出す形ではなく、Flaskで用意されているWebサーバ機能をHTTPSで稼働させています。鍵ペアとサーバ公開鍵証明書は、Let’s Encryptで生成しています、

Let’s Encrypt のサーバ公開鍵証明書の期限は、3か月ですので、その間に更新処理を実施する必要があります。
ApacheやIISなどのWebサーバ からLet’s Encrypt の 鍵ペアとサーバ公開鍵証明書を使う場合は、自動更新の設定が可能です。しかし、それらのWebサーバを使わない場合には、手動で更新する必要があります。

WindowsでのLet’s Encrypt の鍵ペアとサーバ公開鍵証明書を生成する方法と手動更新の方法を解説します。

■　準備

サーバ公開鍵証明書を作成するドメイン名を取得しておく必要があります。

■　WACS.EXEのダウンロード

Windowsにおいて鍵ペアと公開鍵証明書を生成・更新するためのツール（wacs.exe） をダウンロードします。
win-acmeからダウンロードできます。

■　鍵ペアと公開鍵証明書を生成

まず、 コマンドプロンプトからwacs.exeを実行します。

以下の手順で鍵ペアと公開鍵証明書を生成します。

① 次の表示で、Enterを入力

Create certificate failed: Authorization failed

N: Create new certificate (simple for IIS)
M: Create new certificate (full options)
R: Run scheduled renewals (0 currently due)
A: Manage renewals (0 total)
O: More options…
Q: Quit

Please choose from the menu:　

② 次の表示で、Enterを入力

Running in mode: Interactive, Advanced

Please specify how the list of domain names that will be included in the
certificate should be determined. If you choose for one of the “all bindings”
options, the list will automatically be updated for future renewals to
reflect the bindings at that time.

1: Manual input
2: CSR created by another program
C: Abort

How shall we determine the domain(s) to include in the certificate?:

③ 次の表示で、 ドメイン名（ 例：*.XXX.com ）を入力

Enter comma-separated list of host names, starting with the common name: *.XXX.com

Target generated using plugin Manual: *.XXX.com

④ 次の表示で、 １（手動更新）を入力　

Suggested friendly name ‘[Manual] *.XXX.com’, press to accept or type an alternative:

The ACME server will need to verify that you are the owner of the domain
names that you are requesting the certificate for. This happens both during
initial setup and for every future renewal. There are two main methods of
doing so: answering specific http requests (http-01) or create specific dns
records (dns-01). For wildcard domains the latter is the only option. Various
additional plugins are available from https://github.com/PKISharp/win-acme/.

1: [dns-01] Create verification records manually (auto-renew not possible)
2: [dns-01] Create verification records with acme-dns (https://github.com/joohoi/acme-dns)
3: [dns-01] Create verification records with your own script
: Abort

How would you like prove ownership for the domain(s) in the certificate?: 1

⑤ 次の表示で、 Enterを入力（デフォルト：２を選択）

After ownership of the domain(s) has been proven, we will create a
Certificate Signing Request (CSR) to obtain the actual certificate. The CSR
determines properties of the certificate like which (type of) key to use. If
you are not sure what to pick here, RSA is the safe default.

What kind of private key should be used for the certificate?:

1: Elliptic Curve key
2: RSA key

⑥ 次の表示で、 ２を入力

When we have the certificate, you can store in one or more ways to make it
accessible to your applications. The Windows Certificate Store is the default
location for IIS (unless you are managing a cluster of them).

1: IIS Central Certificate Store (.pfx per domain)
2: PEM encoded files (Apache, nginx, etc.)
3: Windows Certificate Store
4: No (additional) store steps
C: Abort

How would you like to store the certificate?: 2

⑦　 次の表示で、 生成する鍵ペアと公開鍵証明書を保存するパスを入力

Path to folder where .pem files are stored: C:\Users\Administrator\Desktop\install

⑧　 次の表示で、 Enterを入力

1: IIS Central Certificate Store (.pfx per domain)
2: Windows Certificate Store
3: No (additional) store steps
C: Abort

Would you like to store it in another way too?:

⑨　 次の表示で、 Enterを入力

With the certificate saved to the store(s) of your choice, you may choose one
or more steps to update your applications, e.g. to configure the new
thumbprint, or to update bindings.

1: Create or update https bindings in IIS
2: Create or update ftps bindings in IIS
3: Start external script or program
4: No (additional) installation steps

Which installation step should run first?:

⑩　 次の表示で、 指定されたドメイン認証用のTXTレコードをドメイン名を取得したドメインサーバに設定

First chance error calling into ACME server, retrying with new nonce…
Authorize identifier: XXX.com
Authorizing m-iruka.com using dns-01 validation (Manual)

Domain: m-iruka.com
Record: _acme-challenge.XXX.com
Type: TXT
Content: “jigZ0FkNguqajwZPJrjrCJg4XFm3WmNv5lvtGAKmX40”
Note: Some DNS managers add quotes automatically. A single set
is needed.

※DNSサーバにTXTレコードを追加（追加後、ドメインサーバで”更新”すること）

⑪　ドメインサーバに設定したら、次の表示で、Enterを入力（ドメイン認証成功が表示される）

Please press after you’ve created and verified the record

Preliminary validation succeeded
Answer should now be available at _acme-challenge.XXX.com
Preliminary validation succeeded

Domain: m-iruka.com
Record: _acme-challenge.XXX.com
Type: TXT
Content: “jigZ0FkNguqajwZPJrjrCJg4XFm3WmNv5lvtGAKmX40”

⑫　TXTレコードをドメインサーバから削除した後、 次の表示で、Enterを入力

Please press after you’ve deleted the record

Authorization result: valid
Requesting certificate [Manual] *.XXX.com
Store with PemFiles…
Exporting .pem files to C:\Users\Administrator\Desktop\install
Installing with None…
Adding Task Scheduler entry with the following settings

• Name win-acme renew (acme-v02.api.letsencrypt.org)
• Path C:\Users\Administrator\Desktop\install\win-acme.v2.1.4.710.x64.pluggable
• Command wacs.exe –renew –baseuri “https://acme-v02.api.letsencrypt.org/”
• Start at 09:00:00
• Time limit 02:00:00
  

⑫　次の表示で、 Enterを入力（次回更新日が表示される）

Do you want to specify the user the task will run as? (y/n*) –

Adding renewal for [Manual] *.XXX.com
Next renewal scheduled at 2020/4/11 13:00:32

⑬　 次の表示で、 oを入力

N: Create new certificate (simple for IIS)
M: Create new certificate (full options)
R: Run scheduled renewals (0 currently due)
A: Manage renewals (1 total)
O: More options…
Q: Quit

Please choose from the menu: o

⑭　次の表示で、aを入力

T: (Re)create scheduled task
E: Test email notification
A: ACME account details
I: Import scheduled renewals from WACS/LEWS 1.9.x
M: Encrypt/decrypt configuration
Q: Back

Please choose from the menu: a

⑮　次の表示で、メールアドレスを入力（手動更新期限前に通知メールを受け取るため）

Account ID: –
Created: 2020-02-16T03:18:54.75392419Z
Initial IP: 153.127.15.17
Status: valid
Contact(s):

Modify contacts? (y/n*) – yes

Enter email(s) for notifications about problems and abuse (comma seperated):　aaaa@bbb.ccc.jp

⑯　次の表示で、aを入力

N: Create new certificate (simple for IIS)
M: Create new certificate (full options)
R: Run scheduled renewals (0 currently due)
A: Manage renewals (1 total)
O: More options…
Q: Quit

Please choose from the menu: a

⑰　次の表示で、dを入力

Welcome to the renewal manager. Actions selected in the menu below will be
applied to the following list of renewals. You may filter the list to target
your action at a more specific set of renewals, or sort it to make it easier
to find what you’re looking for.

1: [Manual] *.XXX.com – renewed 1 time, due after 2020/4/11 13:00:32

Currently selected 1 of 1 renewal

F: Apply filter
S: Sort renewals
X: Reset sorting and filtering
D: Show details for all renewals
R: Run all renewals
C: Cancel all renewals
V: Revoke all renewals
Q: Back

Please choose from the menu: d

⑱　次の表示（生成された鍵ペア、公開鍵証明書情報の表示）で、Enterを入力

Details for renewal 1/1

Id: wevEXTJP-E6zIjF846FZ3g
File: wevEXTJP-E6zIjF846FZ3g.renewal.json
FriendlyName: [Auto] [Manual] *.XXX.com
.pfx password: UiequCLty8X199Ac5qi+/iTTOLOul5T/8XWFToKPhWg=
Renewal due: 2020/04/11 13:00:32
Renewed: 1 times
Target —————————————————————–

• Plugin: Manual – (Manual input)
• CommonName: *.XXX.com
• AlternativeNames *.XXX.com
  Validation —————————————————————–
• Plugin: Manual – (Create verification records manually
  (auto-renew not possible))
  CSR —————————————————————–
• Plugin: RSA – (RSA key)
  Store —————————————————————–
• Plugin: PemFiles – (PEM encoded files (Apache, nginx, etc.))
• Path: C:\Users\Administrator\Desktop\install
  Installation —————————————————————–
• Plugin: None – (No (additional) installation steps)
  History —————————————————————– 1: 2020/02/16 4:00:32 – Success – Thumbprint DEB36EB38B5A6C162F05E666D9E2934B55D353CE Press to continue

Press to continue


⑲　次の表示で、qを入力し、終了

Welcome to the renewal manager. Actions selected in the menu below will be
applied to the following list of renewals. You may filter the list to target
your action at a more specific set of renewals, or sort it to make it easier
to find what you’re looking for.

1: [Manual] *.m-iruka.com – renewed 1 time, due after 2020/4/11 13:00:32

Currently selected 1 of 1 renewal

F: Apply filter
S: Sort renewals
X: Reset sorting and filtering
D: Show details for all renewals
R: Run all renewals
C: Cancel all renewals
V: Revoke all renewals
Q: Back

Please choose from the menu: q

指定したパス配下に次のファイルが生成されます。

　_.XXX.com-chain.pem　　→　公開鍵証明書のルート証明書チェーン
　_.XXX.com-crt.pem　　　→　鍵ペア
　_.XXX.com-key.pem　　 →　公開鍵証明書

■　Flaskでの設定例

Flaskで用意されているWebサーバ機能をHTTPSで稼働させるには、__main__で動作させるWSGIServerの引数に、ルート証明書チェーンファイル（ _.XXX.com-chain.pem ）と鍵ペアファイル（ _.XXX.com-key.pem ）を指定します。

# -*- coding: utf-8 -*-
from flask import render_template  # 追加
from flask import jsonify
from flask import request
from flask import Flask
from flask import abort
from flask import make_response
from flask_cors import CORS, cross_origin

・・・

if __name__ == '__main__':
    app.debug = True

    #host='192.168.100.101'
    #port = 5000
    host=G_CONST_REA_FEP_DOMAIN
    port = G_CONST_REA_FEP_PORT

    host_port = (host, port)
    server = WSGIServer(
       host_port,
       app,
       certfile='C:\\Users\\Administrator\\Desktop\\install\\_.XXX.com-chain.pem',
       keyfile='C:\\Users\\Administrator\\Desktop\\install\\_.XXX.com-key.pem')

    server.serve_forever()

■　定期更新の通知メール

3か月毎に、Let’s Encryptから以下のような通知メールが期限切れ11日前に送付されます。
これを見て、公開鍵証明書の定期更新を実施します。

Let's Encrypt certificate expiration notice for domain "*.XXX.com"
Let's Encrypt Expiry Bot <expiry@letsencrypt.org> 
	
Hello,

Your certificate (or certificates) for the names listed below will expire in 11 days (on 24 Mar 22 09:24 +0000). 
Please make sure to renew your certificate before then, or visitors to your web site will encounter errors.

We recommend renewing certificates automatically when they have a third of their total lifetime left. 
For Let's Encrypt's current 90-day certificates, that means renewing 30 days before expiration. See https://letsencrypt.org/docs/integration-guide/ for details.

*.XXX.com

For any questions or support, please visit: https://community.letsencrypt.org/ Unfortunately, we can't provide support by email.

For details about when we send these emails, please visit: https://letsencrypt.org/docs/expiration-emails/ 
In particular, note that this reminder email is still sent if you've obtained a slightly different certificate by adding or removing names.
If you've replaced this certificate with a newer one that covers more or fewer names than the list above, you may be able to ignore this message.

If you are receiving this email in error, unsubscribe at:
  http://delivery.letsencrypt.org/track/unsub.php?u=30850198&id=dcf4e185dd314471bee3765deaa125af.UOACelRhpkgrul%2BGMeVg63wwTcQ%3D&r=https%3A%2F%2Fmandrillapp.com%2Funsub%3Fmd_email%3Ds%252A%252A%252A%252A%2540g%252A%252A%252A%252A.%252A%252A%252A
Please note that this would also unsubscribe you from other Let's Encrypt service notices, including expiration reminders for any other certificates.

Regards,
The Let's Encrypt Team

■　公開鍵証明書の定期更新（手動）

コマンドプロンプトからwacs.exeを実行します。

① 次の表示で、r を入力

Create certificate failed: Authorization failed

N: Create new certificate (simple for IIS)
M: Create new certificate (full options)
R: Run scheduled renewals (0 currently due)
A: Manage renewals (0 total)
O: More options…
Q: Quit

Please choose from the menu: r

②　次の表示で、 指定されたドメイン認証用のTXTレコードをドメイン名を取得したドメインサーバに設定

Renewing certificate for [Manual] *.m-iruka.com
Authorize identifier: m-iruka.com
Authorizing m-iruka.com using dns-01 validation (Manual)

Domain: m-iruka.com
Record: _acme-challenge.XXX.com
Type: TXT
Content: “i-pP6ZIorJkXl_dKpVxOv8yjliqBNuWdNw-goPtVoco”
Note: Some DNS managers add quotes automatically. A single set
is needed.


③　ドメインサーバに設定したら、次の表示で、Enterを入力（ドメイン認証成功が表示される）

Please press after you’ve created and verified the record

Preliminary validation succeeded
Answer should now be available at _acme-challenge.XXX.com
Preliminary validation succeeded
First chance error calling into ACME server, retrying with new nonce…

Domain: m-iruka.com
Record: _acme-challenge.XXX.com
Type: TXT
Content: “i-pP6ZIorJkXl_dKpVxOv8yjliqBNuWdNw-goPtVoco”

④　TXTレコードをドメインサーバから削除した後、 次の表示で、Enterを入力（公開鍵証明書などが更新される）

Please press after you’ve deleted the record

Authorization result: valid
First chance error calling into ACME server, retrying with new nonce…
Requesting certificate [Manual] *.XXX.com
Store with PemFiles…
Exporting .pem files to C:\Users\Administrator\Desktop\install
Installing with None…
Next renewal scheduled at 2022/5/11 21:32:37
Renewal for [Manual] *.m-iruka.com succeeded

⑤　次の表示で、qを入力し、終了

N: Create new certificate (simple for IIS)
M: Create new certificate (full options)
R: Run scheduled renewals (0 currently due)
A: Manage renewals (1 total)
O: More options…
Q: Quit

Please choose from the menu:

指定したパス配下の 公開鍵証明書などファイル一式が更新されます。

　_.XXX.com-chain.pem　　→　公開鍵証明書のルート証明書チェーン
　_.XXX.com-crt.pem　　　→　鍵ペア
　_.XXX.com-key.pem　　 →　公開鍵証明書

■　まとめ

以下のようなCA局（認証局）から正式に公開鍵証明書を取得するには費用がかかります。

・セコムのSSLサーバー証明

・SSL・電子証明書のGMOグローバルサイン

フリーで本格的な公開鍵証明書を使えることに感謝しなければなりません。
クラウドサーバで小規模なサービスを立ち上げる場合など、低コストで迅速に稼働させる際にとても役立ちます。