Getting an IIS certificate from Let's Encrypt with a DNS-01 challenge on AWS Route 53

らら

Introduction

When I tried to install a package on a non-public Windows server, it told me to install IIS and SSL...

Actually, the package had been installed for a while, and I had just left it sitting there with some features not working... (sweat)

The thing is, I nearly broke a server with this before, see below...

The time I got stuck with Let's Encrypt on Exchange 2019

Article
https://www.omakase.net/blog/2021/05/exchange-2019lets-encrypt.html

Well, let's give it a try..

The local domain looks like this...

www.wins.xxx.xxx.xxx

Download win-acme and the Route 53 plugin from here..

https://github.com/win-acme/win-acme/releases/

win-acme.v2.2.8.1635.x86.pluggable.zip

plugin.validation.dns.route53.v2.2.8.1635.zip

Oh, and one precondition: our company's domain is hosted on Route 53.

Extract both; for the plugin, just drop the extracted files into the win-acme folder...

It ends up looking like this..


│  AWSSDK.Core.dll
│  AWSSDK.Route53.dll
│  PKISharp.WACS.Plugins.ValidationPlugins.Route53.dll
│  public_suffix_list.dat
│  settings_default.json
│  version.txt
│  wacs.exe
│  Web_Config.xml
│  
└─Scripts
        EasyDNS.ps1
        ImportADFS.ps1
        ImportAzureADApplicationProxy.ps1
        ImportAzureApplicationGateway.ps1
        ImportExchange.ps1
        ImportExchange.v2.ps1
        ImportExchangeHybrid.ps1
        ImportJKS.ps1
        ImportKemp.ps1
        ImportRDGateway.ps1
        ImportRDListener.ps1
        ImportRDS.ps1
        ImportRDSFull.ps1
        ImportSQL.ps1
        ImportSSTP.ps1
        ImportVRBCloudGateway.ps1
        ImportWindowsAdminCenter.ps1
        ImportWinRM.ps1
        ImportWinRM.v2.ps1
        microsoft-dns.ps1
        PSRDSCerts.bat
        PSScript.bat

Open a command prompt as administrator..

The log from the session looks like this..

Since it's going into IIS, you'd be tempted to pick the IIS option from the menu, but...

The following is what worked for me.

You need to issue an AWS access key ID and AWS secret access key on the AWS side beforehand.
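The access key that wacs asks for ends up stored on the web server in win-acme's vault, so it is worth issuing it to a dedicated IAM user that can do nothing except write the _acme-challenge TXT record in one hosted zone. The following PowerShell script is an added example, not part of the original post or of win-acme; it assumes the AWS CLI is installed and configured with an administrative profile, and the hosted zone ID, user name and policy name are placeholders. The set of Route 53 actions is the typical one for ACME DNS-01 clients and is an assumption; check it against the plugin's own documentation.

```powershell
# Added example (not from the original post): create a least-privilege IAM user
# whose access key win-acme will use for Route 53 DNS-01 validation.
$HostedZoneId = "ZXXXXXXXXXXXXX"          # placeholder: hosted zone of wins.xxx.xxx.xxx
$UserName     = "win-acme-dns01"           # placeholder user name
$PolicyName   = "win-acme-route53-dns01"   # placeholder policy name

# Actions assumed to be needed (typical for ACME Route 53 clients):
# - find the zone and poll the change status (account-wide, read-only)
# - read/write record sets, but only in the one hosted zone, and only TXT records
#   whose name starts with _acme-challenge (Route 53 condition keys).
$PolicyDocument = @"
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "FindZoneAndPollChange",
      "Effect": "Allow",
      "Action": [
        "route53:ListHostedZones",
        "route53:ListHostedZonesByName",
        "route53:GetChange"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ReadRecordsInOneZone",
      "Effect": "Allow",
      "Action": "route53:ListResourceRecordSets",
      "Resource": "arn:aws:route53:::hostedzone/$HostedZoneId"
    },
    {
      "Sid": "WriteOnlyAcmeChallengeTxt",
      "Effect": "Allow",
      "Action": "route53:ChangeResourceRecordSets",
      "Resource": "arn:aws:route53:::hostedzone/$HostedZoneId",
      "Condition": {
        "ForAllValues:StringEquals": {
          "route53:ChangeResourceRecordSetsRecordTypes": ["TXT"]
        },
        "ForAllValues:StringLike": {
          "route53:ChangeResourceRecordSetsNormalizedRecordNames": ["_acme-challenge.*"]
        }
      }
    }
  ]
}
"@

$PolicyPath = Join-Path $env:TEMP "win-acme-route53-policy.json"
Set-Content -Path $PolicyPath -Value $PolicyDocument -Encoding ascii

# Create the user, the policy, and attach the policy to the user.
aws iam create-user --user-name $UserName
$PolicyArn = aws iam create-policy --policy-name $PolicyName `
    --policy-document "file://$PolicyPath" --query Policy.Arn --output text
aws iam attach-user-policy --user-name $UserName --policy-arn $PolicyArn

# The AccessKeyId / SecretAccessKey printed here are what wacs prompts for.
# Paste them once and let win-acme keep them in its vault (as in the log below).
aws iam create-access-key --user-name $UserName
```

With this policy a leaked key cannot touch A or MX records, only TXT records named _acme-challenge.* in that single zone, which is all the DNS-01 flow in the log needs. If the server is an EC2 instance, the "IAM role name" prompt in the log is the better choice, since then no long-lived key is stored at all.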


Microsoft Windows [Version 10.0.17763.5696]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\>cd "Program Files\letsencrypt"
C:\Program Files\letsencrypt>wacs
 A simple Windows ACMEv2 client (WACS)
 Software version 2.2.8.1635 (release, pluggable, standalone, 64-bit)
 Connecting to https://acme-v02.api.letsencrypt.org/...
 Connection OK!
 Scheduled task not configured yet
 Please report issues at https://github.com/win-acme/win-acme
 N: Create certificate (default settings)
 M: Create certificate (full options)
 R: Run renewals (0 currently due)
 A: Manage renewals (0 total)
 O: More options...
 Q: Quit
 Please choose from the menu: M
 Running in mode: Interactive, Advanced
 Please specify how the list of domain names that will be included in the
 certificate should be determined. If you choose for one of the "all bindings"
 options, the list will automatically be updated for future renewals to
 reflect the bindings at that time.
 1: Read bindings from IIS
 2: Manual input
 3: CSR created by another program
 C: Abort
 How shall we determine the domain(s) to include in the certificate?: 2
Description:         A host name to get a certificate for. This may be a
                     comma-separated list.
 Host: www.wins.xxx.xxx.xxx
 Source generated using plugin Manual: www.wins.xxx.xxx.xxx
 Friendly name '[Manual] www.wins.xxx.xxx.xxx'.  to accept or type desired name: 
 By default your source identifiers are covered by a single certificate. But
 if you want to avoid the 100 domain limit, want to prevent information
 disclosure via the SAN list, and/or reduce the operational impact of a single
 validation failure, you may choose to convert one source into multiple
 certificates, using different strategies.
 1: Separate certificate for each domain (e.g. *.example.com)
 2: Separate certificate for each host (e.g. sub.example.com)
 3: Separate certificate for each IIS site
 4: Single certificate
 C: Abort
 Would you like to split this source into multiple certificates?: 4
 The ACME server will need to verify that you are the owner of the domain
 names that you are requesting the certificate for. This happens both during
 initial setup *and* for every future renewal. There are two main methods of
 doing so: answering specific http requests (http-01) or create specific dns
 records (dns-01). For wildcard identifiers the latter is the only option.
 Various additional plugins are available from
 https://github.com/win-acme/win-acme/.
 1: [http] Save verification files on (network) path
 2: [http] Serve verification files from memory
 3: [http] Upload verification files via FTP(S)
 4: [http] Upload verification files via SSH-FTP
 5: [http] Upload verification files via WebDav
 6: [dns] Create verification records in AWS Route 53
 7: [dns] Create verification records manually (auto-renew not possible)
 8: [dns] Create verification records with acme-dns (https://github.com/joohoi/acme-dns)
 9: [dns] Create verification records with your own script
 10: [tls-alpn] Answer TLS verification request from win-acme
 C: Abort
 How would you like prove ownership for the domain(s)?: 6
Description:         AWS IAM role for the current EC2 instance to login into
                     Amazon Route 53. Note that you should provide the IAM
                     name instead of the ARN.
 IAM role name (leave blank to use access key): 
Description:         Access key ID to login into Amazon Route 53.
 Access key ID: xxxxxxxxxxxxxxxxxxxxxxxx
Description:         Secret access key to login into Amazon Route 53.
 1: Type/paste in console
 2: Search in vault
 Choose from the menu: 1
 Secret access key: ****************************************
 Save to vault for future reuse? (y/n*) - yes
 Please provide a unique name to reference this secret: route53
 Key route53 already exists in vault, overwrite? (y*/n) - yes
 After ownership of the domain(s) has been proven, we will create a
 Certificate Signing Request (CSR) to obtain the actual certificate. The CSR
 determines properties of the certificate like which (type of) key to use. If
 you are not sure what to pick here, RSA is the safe default.
 1: Elliptic Curve key
 2: RSA key
 C: Abort
 What kind of private key should be used for the certificate?: 2
 When we have the certificate, you can store in one or more ways to make it
 accessible to your applications. The Windows Certificate Store is the default
 location for IIS (unless you are managing a cluster of them).
 1: IIS Central Certificate Store (.pfx per host)
 2: PEM encoded files (Apache, nginx, etc.)
 3: PFX archive
 4: Windows Certificate Store (Local Computer)
 5: No (additional) store steps
 How would you like to store the certificate?: 4
 1: [WebHosting] - Dedicated store for IIS
 2: [My] - General computer store (for Exchange/RDS)
 3: [Default] - Use global default, currently WebHosting
 Choose store to use, or type the name of another unlisted store: 3
 1: IIS Central Certificate Store (.pfx per host)
 2: PEM encoded files (Apache, nginx, etc.)
 3: PFX archive
 4: Windows Certificate Store (Local Computer)
 5: No (additional) store steps
 Would you like to store it in another way too?: 5
 With the certificate saved to the store(s) of your choice, you may choose one
 or more steps to update your applications, e.g. to configure the new
 thumbprint, or to update bindings.
 1: Create or update bindings in IIS
 2: Start external script or program
 3: No (additional) installation steps
 Which installation step should run first?: 1
 This plugin will update *all* binding using the previous certificate in both
 Web and FTP sites, regardless of whether those bindings were created manually
 or by the program itself. Therefor you'll never need to run this installation
 step twice.
 During initial setup, it will try to make as few changes as possible to IIS
 to cover the source identifiers. If new bindings are needed, by default it
 will create those at the same site where the HTTP binding for that host was
 found.
 1: Default Web Site
 Choose site to create new bindings: 1
 1: Create or update bindings in IIS
 2: Start external script or program
 3: No (additional) installation steps
 Add another installation step?: 3
 Plugin Manual generated source www.wins.xxx.xxx.xxx with 1 identifiers
 Plugin Single created 1 order
 Cached order has status invalid, discarding
 [www.wins.xxx.xxx.xxx] Authorizing...
 [www.wins.xxx.xxx.xxx] Authorizing using dns-01 validation (Route53)
 Creating TXT record _acme-challenge.www.wins.xxx.xxx.xxx with value xxxxxxxxxxx
 [www.wins.xxx.xxx.xxx] Record xxxxxxxxxx successfully created
 Waiting for DNS changes propagation
 [www.wins.xxx.xxx.xxx] Preliminary validation succeeded
 [www.wins.xxx.xxx.xxx] Authorization result: valid
 [www.wins.xxx.xxx.xxx] Record xxxxxxxxxxxxxx deleted
 Downloading certificate [Manual] www.wins.xxx.xxx.xxx
 Store with CertificateStore...
 Installing certificate in the certificate store
 Adding certificate [Manual] www.wins.xxx.xxx.xxx @ 2022/4/17 to store WebHosting
 Installing with IIS...
 Adding new https binding *:443:
 Committing 1 https binding changes to IIS while updating site 1
 Adding Task Scheduler entry with the following settings
 - Name win-acme renew (acme-v02.api.letsencrypt.org)
 - Path C:\Program Files\letsencrypt
 - Command wacs.exe --renew --baseuri "https://acme-v02.api.letsencrypt.org/"
 - Start at 09:00:00
 - Random delay 04:00:00
 - Time limit 02:00:00
 Do you want to specify the user the task will run as? (y/n*) - yes
 Enter the username (Domain\username): userxxxxxxxx
 Enter the user's password: ********
 Adding renewal for [Manual] www.wins.xxx.xxx.xxx
 Next renewal due after 2024/6/11
 Certificate [Manual] www.wins.xxx.xxx.xxx created
 N: Create certificate (default settings)
 M: Create certificate (full options)
 R: Run renewals (0 currently due)
 A: Manage renewals (1 total)
 O: More options...
 Q: Quit
 Please choose from the menu: Q
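After the run it is worth confirming that everything the log claims actually happened: the certificate is in the WebHosting store, the IIS https binding uses it, the renewal task is scheduled, and the _acme-challenge TXT record was cleaned up. The following PowerShell check is an added example, not part of the original post or of win-acme; it assumes it runs elevated on the IIS server itself, and $HostName is the placeholder host from this post.

```powershell
# Added example (not from the original post): verify the outcome of the wacs run.
$HostName = "www.wins.xxx.xxx.xxx"   # placeholder host from the post

# 1. The certificate landed in the WebHosting store chosen in the log.
$cert = Get-ChildItem Cert:\LocalMachine\WebHosting |
    Where-Object { $_.Subject -like "*CN=$HostName*" } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "no certificate for $HostName in the WebHosting store" }
"Issuer: $($cert.Issuer)  NotAfter: $($cert.NotAfter)  Thumbprint: $($cert.Thumbprint)"

# 2. An IIS https binding references that thumbprint (the "Adding new https
#    binding *:443:" line in the log).
Import-Module WebAdministration
$binding = Get-WebBinding -Protocol https |
    Where-Object { $_.certificateHash -eq $cert.Thumbprint }
if (-not $binding) { throw "no https binding uses thumbprint $($cert.Thumbprint)" }
"Binding: $($binding.bindingInformation)  store: $($binding.certificateStoreName)"

# 3. The renewal task exists and is not disabled.
$task = Get-ScheduledTask -TaskName "win-acme renew*" -ErrorAction SilentlyContinue
if (-not $task -or $task.State -eq 'Disabled') { throw "renewal task missing or disabled" }
"Task: $($task.TaskName)  state: $($task.State)"

# 4. The challenge TXT record was removed (the log says "Record ... deleted").
#    A leftover record is harmless but means the cleanup step failed.
$txt = Resolve-DnsName -Name "_acme-challenge.$HostName" -Type TXT -ErrorAction SilentlyContinue
if ($txt) {
    Write-Warning "leftover TXT record: $($txt.Strings -join ',')"
} else {
    "TXT record _acme-challenge.$HostName cleaned up"
}
```

Step 4 asks the server's own resolver, so a cached answer can lag the actual zone for the record's TTL; querying the zone's authoritative name servers directly gives the definitive answer.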

Closing

Actually... I thought I'd come in early and get this done before everyone else arrived...

Half asleep... I started working on the server I'd nearly broken before... and half broke it... but keep that between us...

The new one went fine, though.

Leaving this here as a note..
