# Document

These are notes for my own reference.

Using an SSL certificate issued by Let's Encrypt in ACM


Steps

  1. Obtain the Let's Encrypt SSL certificate with docker
  2. Import the SSL certificate into ACM

The Let's Encrypt certificate issuance via the docker command was run locally.

Issuing the SSL certificate

Site validation (http-01, certbot's default challenge)

docker run -it --rm \
-v $(pwd)/etc:/etc/letsencrypt \
-v $(pwd)/var/lib:/var/lib/letsencrypt \
certbot/certbot certonly --manual

DNS validation (dns-01)

While the command runs, certbot asks you to create a DNS TXT record.
Following the prompt, set the displayed string as a TXT record on _acme-challenge.example.com.

docker run -it --rm \
-v $(pwd)/etc:/etc/letsencrypt \
-v $(pwd)/var/lib:/var/lib/letsencrypt \
certbot/certbot certonly \
--manual \
-d example.com \
-m info@info-town.jp \
--agree-tos \
--manual-public-ip-logging-ok \
--preferred-challenges dns-01 \
--server https://acme-v02.api.letsencrypt.org/directory
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for example.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name:

_acme-challenge.example.com.

with the following value:

xxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Before continuing, verify the TXT record has been deployed. Depending on the DNS
provider, this may take some time, from a few seconds to multiple minutes. You can
check if it has finished deploying with aid of online tools, such as the Google
Admin Toolbox: https://toolbox.googleapps.com/apps/dig/#TXT/_acme-challenge.example.com.
Look for one or more bolded line(s) below the line ';ANSWER'. It should show the
value(s) you've just added.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/example.com/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/example.com/privkey.pem
This certificate expires on 2022-06-03.
These files will be updated when the certificate renews.

NEXT STEPS:
- This certificate will not be renewed automatically. Autorenewal of --manual certificates requires the use of an authentication hook script (--manual-auth-hook) but one was not provided. To renew this certificate, repeat this same certbot command before the certificate's expiry date.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Checking the TXT record with dig.

dig _acme-challenge.example.com TXT

; <<>> DiG 9.10.6 <<>> _acme-challenge.example.com TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16812
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_acme-challenge.example.com.	IN	TXT

;; ANSWER SECTION:
_acme-challenge.example.com. 60	IN	TXT	"xxxxxxxxxxxxxxxxxxxxxxxxxxxxx"

;; Query time: 210 msec
;; SERVER: 2402:6b00:330b:8500:fab7:97ff:fea5:f2a4#53(2402:6b00:330b:8500:fab7:97ff:fea5:f2a4)
;; WHEN: Sat Mar 05 15:43:57 JST 2022
;; MSG SIZE  rcvd: 112
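The dig query above goes to the local resolver, which can serve a cached (or cached-negative) answer; Let's Encrypt's validation servers query the zone's authoritative nameservers instead. The script below is an added example, not part of the original memo: it checks every authoritative nameserver directly and polls until all of them return the expected token, so you can run it in a second terminal before pressing Enter in the certbot prompt. The host name and token are placeholders taken from the certbot output above.

```sh
#!/bin/sh
# Added example (not from the original memo). Before pressing Enter in the
# certbot prompt above, confirm the TXT record on the zone's *authoritative*
# nameservers. Let's Encrypt validates against those, so a hit from the local
# resolver (as in the dig output above) does not prove the record is live, and
# a cached negative answer can hide a record that was just added.
# Host name and token are placeholders taken from the certbot output above.
set -eu

# txt_record_matches RAW EXPECTED
# RAW is the text of `dig +short TXT <name>`: one quoted string per line,
# possibly several if the name carries more than one TXT record (for example
# a challenge left over from an earlier run). Succeeds if any line equals
# EXPECTED once the surrounding quotes are stripped; an empty RAW fails.
txt_record_matches() {
    expected=$2
    saved_ifs=$IFS
    IFS='
'
    set -f                      # no globbing while splitting on newlines
    set -- $1
    set +f
    IFS=$saved_ifs
    for line in "$@"; do
        line=${line#\"}
        line=${line%\"}
        [ "$line" = "$expected" ] && return 0
    done
    return 1
}

# authoritative_txt_ok NAME EXPECTED
# Asks every authoritative nameserver of NAME's zone directly (@server) and
# succeeds only when all of them return EXPECTED. The zone is taken to be
# NAME without the _acme-challenge label; adjust if the challenge name is
# delegated to a separate zone.
authoritative_txt_ok() {
    name=$1
    expected=$2
    zone=${name#_acme-challenge.}
    ns_list=$(dig +short NS "$zone")
    if [ -z "$ns_list" ]; then
        echo "no NS records found for $zone" >&2
        return 1
    fi
    for ns in $ns_list; do
        answer=$(dig +short TXT "$name" "@$ns" || true)
        if txt_record_matches "$answer" "$expected"; then
            echo "ok   $ns"
        else
            echo "MISS $ns (got: ${answer:-<no answer>})"
            return 1
        fi
    done
}

# wait_for_txt NAME EXPECTED [ATTEMPTS] [DELAY_SECONDS]
# Polls until every authoritative server answers correctly, then returns 0.
wait_for_txt() {
    attempts=${3:-30}
    delay=${4:-10}
    n=0
    while [ "$n" -lt "$attempts" ]; do
        if authoritative_txt_ok "$1" "$2"; then
            return 0
        fi
        n=$((n + 1))
        sleep "$delay"
    done
    echo "TXT record for $1 is still not visible on all authoritative servers" >&2
    return 1
}

# Usage, in a second terminal while certbot sits at "Press Enter to Continue":
#   wait_for_txt _acme-challenge.example.com xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
```

Only press Enter once `wait_for_txt` reports `ok` for every nameserver; a single lagging secondary is enough for the ACME validation to fail, and the 60-second TTL shown in the dig output above means a negative answer cached earlier can persist for that long.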

Checking the issued SSL certificate

After the docker command finishes, the certificate files are written under etc.

ls -al etc
total 0
drwxr-xr-x  9 shiroshi  staff  288  3  5 15:44 .
drwxr-xr-x  5 shiroshi  staff  160  3  5 13:58 ..
drwx------  3 shiroshi  staff   96  3  5 14:00 accounts
drwx------  3 shiroshi  staff   96  3  5 15:44 archive
drwxr-xr-x  9 shiroshi  staff  288  3  5 15:38 csr
drwx------  9 shiroshi  staff  288  3  5 15:38 keys
drwx------  4 shiroshi  staff  128  3  5 15:44 live
drwxr-xr-x  3 shiroshi  staff   96  3  5 15:44 renewal
drwxr-xr-x  5 shiroshi  staff  160  3  5 14:00 renewal-hooks

The files under live are symbolic links to the current versions in archive.

ls -al etc/live/example.com
total 8
drwxr-xr-x  7 shiroshi  staff  224  3  5 15:44 .
drwx------  4 shiroshi  staff  128  3  5 15:44 ..
-rw-r--r--  1 shiroshi  staff  692  3  5 15:44 README
lrwxr-xr-x  1 shiroshi  staff   35  3  5 15:44 cert.pem -> ../../archive/example.com/cert1.pem
lrwxr-xr-x  1 shiroshi  staff   36  3  5 15:44 chain.pem -> ../../archive/example.com/chain1.pem
lrwxr-xr-x  1 shiroshi  staff   40  3  5 15:44 fullchain.pem -> ../../archive/example.com/fullchain1.pem <--------- not used for the ACM import (cert.pem, chain.pem and privkey.pem are)
lrwxr-xr-x  1 shiroshi  staff   38  3  5 15:44 privkey.pem -> ../../archive/example.com/privkey1.pem

Importing the SSL certificate into ACM

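The import can also be done from the command line. The script below is an added example and not the author's own command: it assumes the `$(pwd)/etc` volume layout from the docker runs above, `openssl` on the local machine, and an AWS CLI that is already authenticated. ACM takes the leaf certificate (cert.pem), the chain (chain.pem) and the unencrypted private key (privkey.pem) as three separate inputs, which is why fullchain.pem is not used; the script checks that the key and chain actually belong to the certificate before calling `aws acm import-certificate`.

```sh
#!/bin/sh
# Added example (not the author's command). Checks the certbot output and
# imports it into ACM with the AWS CLI. Assumes the $(pwd)/etc volume layout
# from the docker runs above, openssl locally, and an AWS CLI that is already
# authenticated. ACM wants three separate PEM inputs:
#   --certificate        the leaf only          live/<domain>/cert.pem
#   --certificate-chain  the intermediate(s)    live/<domain>/chain.pem
#   --private-key        the unencrypted key    live/<domain>/privkey.pem
# fullchain.pem is leaf + chain in one file, so it is not what --certificate takes.
set -eu

# key_matches_cert CERT_PEM KEY_PEM
# ACM rejects an import whose key does not belong to the certificate. Compare
# the SubjectPublicKeyInfo derived from each side (works for RSA and EC keys).
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# chain_verifies CERT_PEM CHAIN_PEM [TRUST_ANCHOR_PEM]
# The leaf must chain to a trusted root through CHAIN_PEM; ACM checks this on
# import too. Without a third argument the system trust store is used, which
# must contain ISRG Root X1 for a Let's Encrypt chain.
chain_verifies() {
    if [ $# -ge 3 ]; then
        openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null
    else
        openssl verify -untrusted "$2" "$1" >/dev/null
    fi
}

# cert_valid_for_days CERT_PEM DAYS
# Succeeds if the certificate is still valid DAYS from now. Let's Encrypt
# certificates live 90 days and the --manual ones above do not auto-renew,
# so do not import something that is already close to expiry.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# acm_import LIVE_DIR [REGION]
# LIVE_DIR is e.g. ./etc/live/example.com. Certificates for CloudFront must
# be imported in us-east-1; for an ALB/NLB use the load balancer's region.
# If ACM_CERT_ARN is set, the existing certificate is replaced in place, which
# keeps its associations with load balancers or distributions across renewals.
acm_import() {
    live=$1
    region=${2:-us-east-1}
    key_matches_cert "$live/cert.pem" "$live/privkey.pem" \
        || { echo "privkey.pem does not match cert.pem" >&2; return 1; }
    chain_verifies "$live/cert.pem" "$live/chain.pem" \
        || { echo "chain.pem does not verify cert.pem (is ISRG Root X1 trusted locally?)" >&2; return 1; }
    cert_valid_for_days "$live/cert.pem" 30 \
        || { echo "cert.pem expires within 30 days; reissue before importing" >&2; return 1; }

    # fileb:// makes the CLI send the file bytes as-is; cert.pem is the body.
    set -- --region "$region" \
        --certificate "fileb://$live/cert.pem" \
        --certificate-chain "fileb://$live/chain.pem" \
        --private-key "fileb://$live/privkey.pem"
    if [ -n "${ACM_CERT_ARN:-}" ]; then
        set -- "$@" --certificate-arn "$ACM_CERT_ARN"
    fi
    aws acm import-certificate "$@" --query CertificateArn --output text
}

# Usage:
#   acm_import ./etc/live/example.com ap-northeast-1
```

Keep the ARN that the first import prints: when the certificate is reissued with the same certbot command 90 days later, run the import again with `ACM_CERT_ARN` set so ACM replaces the certificate under the existing ARN instead of creating a second one that nothing references.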