Setting up DNS validation with Let's Encrypt on macOS Server
Overview
Revision history
- 2025/02/18 Initial version
- 2025/02/19 Added "Renewing the SSL certificate the second and subsequent times".
Table of contents
Introduction
This document records the trouble I went through when, belatedly, setting up an SSL certificate for a mail server running on macOS High Sierra. Unfortunately, not all of the work could be completed inside High Sierra itself. Of the validation methods Let's Encrypt offers, I used DNS validation this time.
The overall flow: run certbot; on the first run, obtain the information to register as a DNS record and register it with the name server. After that, upload the issued certificate to the server and register it there.
Building the environment, and failing
Trying to install certbot with Homebrew
- Check whether the Let's Encrypt command-line tool is available in Homebrew.
$ brew search cerbot🆑
==> Formulae
certbot
==> Casks
cernbox
$
- It exists, so check the details.
$ brew info certbot🆑
==> certbot: stable 3.1.0, HEAD
Tool to obtain certs from Let's Encrypt and autoenable HTTPS
https://certbot.eff.org/
Not installed
From: https://github.com/Homebrew/homebrew-core/blob/HEAD/Formula/c/certbot.rb
License: Apache-2.0
==> Dependencies
Required: augeas ✘, certifi ✘, cryptography ✘, dialog ✘, python@3.13 ✘🈁
==> Options
--HEAD
Install HEAD version
==> Analytics
install: 5,858 (30 days), 15,387 (90 days), 61,474 (365 days)
install-on-request: 5,857 (30 days), 15,378 (90 days), 61,385 (365 days)
build-error: 3 (30 days)
[deimons:server 01:10:53 ~ ]
$
- It looks like a lot of additional packages are required.
- Run the install.
$ brew install certbot🆑
==> Downloading https://formulae.brew.sh/api/formula.jws.json
==> Downloading https://formulae.brew.sh/api/cask.jws.json
Warning: You are using macOS 10.13.🈁
We (and Apple) do not provide support for this old version.
It is expected behaviour that some formulae will fail to build in this old version.
It is expected behaviour that Homebrew will be buggy and slow.
Do not create any issues about this on Homebrew's GitHub repositories.
Do not create any issues even if you think this message is unrelated.
Any opened issues will be immediately closed without response.
Do not ask for help from Homebrew or its maintainers on social media.
You may ask for help in Homebrew's discussions but are unlikely to receive a response.
Try to figure out the problem yourself and submit a fix as a pull request.
We will review it but may or may not accept it.
==> Fetching dependencies for certbot: readline, pkgconf, augeas, ca-certificates, certifi,
pycparser, mpdecimal, openssl@3, sqlite, xz, libffi, python@3.12, lzip, expat, python@3.13,
cffi, libssh2, cmake, libgit2@1.8, z3, lz4, zstd, ninja, pcre2, swig, llvm, rust, maturin,
python-setuptools, cryptography and dialog
==> Fetching readline
(omitted)
- A warning says macOS 10.13 is old and not supported.
🍺 /usr/local/Cellar/cmake/3.31.5: 3,767 files, 64.6MB, built in 42 minutes 53 seconds
==> Installing certbot dependency: libgit2@1.8
==> cmake -S . -B build -DBUILD_SHARED_LIBS=ON -DBUILD_EXAMPLES=OFF -DBUILD_TESTS=
OFF -DUSE_SSH=ON -DUSE_BUNDLED_ZLIB=OFF
==> cmake --build build
==> cmake --install build
==> cmake -S . -B build-static -DBUILD_SHARED_LIBS=OFF -DBUILD_EXAMPLES=OFF
-DBUILD_TESTS=OFF -DUSE_SSH=ON -DUSE_BUNDLED_ZLIB=OFF
==> cmake --build build-static
🍺 /usr/local/Cellar/libgit2@1.8/1.8.4: 106 files, 4.6MB, built in 2 minutes 37 seconds
==> Installing certbot dependency: z3
Error: An exception occurred within a child process:
CompilerSelectionError: z3 cannot be built with any available compilers.
Install GNU's GCC:
brew install gcc
$
- z3 can't be compiled and built because GCC is missing.
Install gcc.
$ brew install gcc🆑
==> Downloading https://formulae.brew.sh/api/cask.jws.json
Warning: You are using macOS 10.13.
We (and Apple) do not provide support for this old version.
It is expected behaviour that some formulae will fail to build in this old version.
It is expected behaviour that Homebrew will be buggy and slow.
Do not create any issues about this on Homebrew's GitHub repositories.
Do not create any issues even if you think this message is unrelated.
Any opened issues will be immediately closed without response.
Do not ask for help from Homebrew or its maintainers on social media.
You may ask for help in Homebrew's discussions but are unlikely to receive a response.
Try to figure out the problem yourself and submit a fix as a pull request.
We will review it but may or may not accept it.
==> Fetching dependencies for gcc: autoconf, automake, libtool, gmp, isl, mpfr, libmpc,
lz4, zstd and make
==> Fetching autoconf
(omitted)
clang: note: diagnostic msg:
********************
gmake[3]: *** [Makefile:1287: sha1.o] Error 70
gmake[3]: *** Waiting for unfinished jobs....
gmake[3]: Leaving directory '/private/tmp/gcc-20250212-50730-4ptfqp/gcc-14.2.0/build/
build-x86_64-apple-darwin17/libiberty'
gmake[2]: *** [Makefile:3029: all-build-libiberty] Error 2
gmake[2]: Leaving directory '/private/tmp/gcc-20250212-50730-4ptfqp/gcc-14.2.0/build'
gmake[1]: *** [Makefile:24530: stage1-bubble] Error 2
gmake[1]: Leaving directory '/private/tmp/gcc-20250212-50730-4ptfqp/gcc-14.2.0/build'
gmake: *** [Makefile:1099: all] Error 2
Do not report this issue to Homebrew/brew or Homebrew/homebrew-core!
Error: You are using macOS 10.13.
We (and Apple) do not provide support for this old version.
It is expected behaviour that some formulae will fail to build in this old version.
It is expected behaviour that Homebrew will be buggy and slow.
Do not create any issues about this on Homebrew's GitHub repositories.
Do not create any issues even if you think this message is unrelated.
Any opened issues will be immediately closed without response.
Do not ask for help from Homebrew or its maintainers on social media.
You may ask for help in Homebrew's discussions but are unlikely to receive a response.
Try to figure out the problem yourself and submit a fix as a pull request.
We will review it but may or may not accept it.
Do not report this issue: you are running in an unsupported configuration.
$
- The gcc build failed.
- It says: "Do not report this issue to Homebrew/brew or Homebrew/homebrew-core!"
- Asking Google Gemini about this error, the answer was that gcc@11 is recommended on High Sierra.
$ brew install gcc@11🆑
==> Downloading https://formulae.brew.sh/api/formula.jws.json
==> Downloading https://formulae.brew.sh/api/cask.jws.json
Warning: You are using macOS 10.13.
We (and Apple) do not provide support for this old version.
It is expected behaviour that some formulae will fail to build in this old version.
It is expected behaviour that Homebrew will be buggy and slow.
Do not create any issues about this on Homebrew's GitHub repositories.
Do not create any issues even if you think this message is unrelated.
Any opened issues will be immediately closed without response.
Do not ask for help from Homebrew or its maintainers on social media.
You may ask for help in Homebrew's discussions but are unlikely to receive a response.
Try to figure out the problem yourself and submit a fix as a pull request.
We will review it but may or may not accept it.
==> Fetching gcc@11
==> Downloading https://raw.githubusercontent.com/Homebrew/homebrew-core/
892b4fc6ab123998851490fdfcf8710793876d2e/Formula/g/gcc@11.rb
#####################################################################
#####################################################################
######### 100.0%
==> Downloading https://raw.githubusercontent.com/Homebrew/formula-patches/
5c9419923ddb3e5302ddd277bc524f4d4b0f8722/gcc/gcc-11.5.0.diff
######################################################################
######################################################################
####### 100.0%
==> Downloading https://ftp.gnu.org/gnu/gcc/gcc-11.5.0/gcc-11.5.0.tar.xz
#####################################################################
#####################################################################
######### 100.0%
==> Downloading https://formulae.brew.sh/api/formula.jws.json
==> Patching
==> Applying gcc-11.5.0.diff
==> ../configure --prefix=/usr/local/opt/gcc@11 --libdir=/usr/local/opt/gcc@11/lib/gcc/11
--disable-nls --enable-checking=release --with-gcc-major-version
==> make
==> make install DESTDIR=/private/tmp/gccA11-20250212-68754-mibho9/gcc-11.5.0/
build/../instdir
==> Downloading https://formulae.brew.sh/api/formula_tap_migrations.jws.json
==> Downloading https://formulae.brew.sh/api/cask_tap_migrations.jws.json
==> Downloading https://formulae.brew.sh/api/formula.jws.json
🍺 /usr/local/Cellar/gcc@11/11.5.0: 2,255 files, 550.6MB, built in 465 minutes 8 seconds
==> Running `brew cleanup gcc@11`...
Disable this behaviour by setting HOMEBREW_NO_INSTALL_CLEANUP.
Hide these hints with HOMEBREW_NO_ENV_HINTS (see `man brew`).
Removing: /Users/deimos/Library/Caches/Homebrew/gcc@11--patch--213b332bd09452e0c
f081f874f32d028911fa871875f85b200b55c5b588ce193.diff... (1.7MB)
$
- The build took about 8 hours, but it finished.
- Next, install Z3.
$ brew install z3🆑
==> Auto-updating Homebrew...
Adjust how often this is run with HOMEBREW_AUTO_UPDATE_SECS or disable with
HOMEBREW_NO_AUTO_UPDATE. Hide these hints with HOMEBREW_NO_ENV_HINTS
(see `man brew`).
Installing from the API is now the default behaviour!
You can save space and time by running:
brew untap homebrew/core
brew untap homebrew/cask
==> Auto-updated Homebrew!
Updated 1 tap (homebrew/cask).
==> New Casks
autogram
pinwheel
You have 78 outdated formulae installed.
Warning: You are using macOS 10.13.
We (and Apple) do not provide support for this old version.
It is expected behaviour that some formulae will fail to build in this old version.
It is expected behaviour that Homebrew will be buggy and slow.
Do not create any issues about this on Homebrew's GitHub repositories.
Do not create any issues even if you think this message is unrelated.
Any opened issues will be immediately closed without response.
Do not ask for help from Homebrew or its maintainers on social media.
You may ask for help in Homebrew's discussions but are unlikely to receive a response.
Try to figure out the problem yourself and submit a fix as a pull request.
We will review it but may or may not accept it.
==> Fetching z3
==> Downloading https://raw.githubusercontent.com/Homebrew/homebrew-core/
ebde2c37af04d1db816ee0da2782a1f1a98d45ab/Formula/z/z3.rb
#####################################################################
#####################################################################
######### 100.0%
==> Downloading https://github.com/Z3Prover/z3/archive/refs/tags/z3-4.13.4.tar.gz
Already downloaded: /Users/deimos/Library/Caches/Homebrew/downloads/ed62fa
13423df3de358d11432294ff054e9467ef36d4fd15633fc1c0c1659c8e--z3-z3-4.13.4.tar.gz
==> cmake -S . -B build -DZ3_LINK_TIME_OPTIMIZATION=ON -DZ3_INCLUDE_GIT_
DESCRIBE=OFF -DZ3_INCLUDE_GIT_HASH=OFF -DZ3_INSTALL_PYTHON_BINDINGS=ON
-DZ3_BUILD_
==> cmake --build build
==> cmake --install build
==> make -C contrib/qprofdiff
🍺 /usr/local/Cellar/z3/4.13.4: 120 files, 47.9MB, built in 85 minutes 48 seconds
==> Running `brew cleanup z3`...
Disable this behaviour by setting HOMEBREW_NO_INSTALL_CLEANUP.
Hide these hints with HOMEBREW_NO_ENV_HINTS (see `man brew`).
$
Finished without errors.
Install certbot again.
$ brew install certbot🆑
==> Downloading https://formulae.brew.sh/api/formula.jws.json
==> Downloading https://formulae.brew.sh/api/cask.jws.json
(omitted)
/Library/Developer/CommandLineTools/usr/include/c++/v1/__tuple:57:34: note: did you mean struct here?
template <size_t _Ip, class _Tp> class _LIBCPP_TEMPLATE_VIS tuple_element;
^
5 warnings generated.
ninja: build stopped: subcommand failed.
The build failed in ninja. The cause seems to be that llvm, the compiler infrastructure, doesn't support this platform; I tried a number of things, but no quick fix solved it. This problem reportedly occurs often with 19.1.7 (according to ChatGPT),
but even swapping in an older llvm didn't resolve the incompatibility. Or so it seems.
- In the end, certbot was installed not on High Sierra (10.13) but in a Monterey (12.7.6) environment, where it went through without a hitch....
Creating a certificate with DNS validation
- This time, I'll create an SSL certificate for the mail server deimos.example.jp.
$ sudo certbot certonly --manual --preferred-challenges dns \🆑
-d deimos.example.jp \🆑
--agree-tos --email postmaster@deimos.example.jp🆑
Password:🔑🔑🔑🔑🆑
Saving debug log to /var/log/letsencrypt/letsencrypt.log🈁
Requesting a certificate for deimos.example.jp
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name:
_acme-challenge.deimos.example.jp.🈁
with the following value:
1Yyr9-uxQjbNwpNPWG_BcLgTw4kjbxObTepekdAsnss🈁
Before continuing, verify the TXT record has been deployed. Depending on the DNS
provider, this may take some time, from a few seconds to multiple minutes. You can
check if it has finished deploying with aid of online tools, such as the Google
Admin Toolbox: https://toolbox.googleapps.com/apps/dig/#TXT/_acme-challenge.deimos.example.jp.
Look for one or more bolded line(s) below the line ';ANSWER'. It should show the
value(s) you've just added.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue🈁
- Explanation of the command.
- --preferred-challenges dns declares that this certificate is validated via DNS.
- -d sets the FQDN the certificate is issued for.
- --email gives a contact address for the certificate's administrator. Since this is a mail server, postmaster was used.
- Running it prompts for the password to become the sudo user.
- If it goes well, the name of the TXT record to add to DNS (_acme-challenge.deimos.example.jp.) and its value (1Yyr9-uxQjbNwpNPWG_BcLgTw4kjbxObTepekdAsnss) are displayed. The value is generated anew on every run, so if certbot is re-run the TXT record has to be updated with the new value.
- It waits for input at "Press Enter to Continue"; register the DNS record while it waits.
- After registering it, wait a while.
- Open another terminal and check whether the DNS change has propagated; if it succeeded, the record appears like this.
$ dig txt _acme-challenge.deimos.example.jp.🆑
; <<>> DiG 9.10.6 <<>> txt _acme-challenge.deimos.example.jp.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29400
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;_acme-challenge.deimos.example.jp. IN TXT
;; ANSWER SECTION:
_acme-challenge.deimos.example.jp. 3600 IN TXT "1Yyr9-uxQjbNwpNPWG_BcLgTw4kjbxObTepekdAsnss"🈁
;; Query time: 13 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Feb 18 13:01:28 JST 2025
;; MSG SIZE rcvd: 114
$
The DNS record is confirmed. (This queried Google's public resolver, 8.8.8.8, which may hand back a cached answer; Let's Encrypt's validators resolve the name themselves starting from the zone's authoritative servers, so if certbot still fails after this check, query those servers directly.)
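Checking the challenge record at the authoritative name servers, as an added example that is not part of the original post: the dig above asked a public resolver, which can serve a cached answer, whereas Let's Encrypt starts from the zone's authoritative servers. The script below finds those servers, asks each of them directly for the TXT record, and reports which ones still lack the expected value. The domain and the constructed SAMPLE output used for the offline check are placeholders, not real data; dig (BIND tools) is assumed to be installed.

```shell
#!/bin/sh
# Added example, not from the original post: confirm the ACME challenge TXT
# record is served by every authoritative name server before pressing Enter.
# Requires dig (BIND tools); domain and sample data below are placeholders.

# Read `dig +short TXT` output on stdin and print the bare record values:
# dig quotes each value and splits long ones into "chunk" "chunk".
normalize_txt() {
    sed -e 's/" "//g' -e 's/^"//' -e 's/"$//'
}

# txt_present EXPECTED OUTPUT -> 0 if one record in OUTPUT equals EXPECTED
txt_present() {
    printf '%s\n' "$2" | normalize_txt | grep -Fqx -e "$1"
}

# zone_of NAME -> the closest enclosing zone that has NS records
# (for deimos.example.jp this walks up to example.jp)
zone_of() {
    z=$1
    while [ -n "$z" ]; do
        if [ -n "$(dig +short NS "$z")" ]; then
            printf '%s\n' "$z"
            return 0
        fi
        case $z in *.*) z=${z#*.} ;; *) z= ;; esac
    done
    return 1
}

# check_challenge DOMAIN EXPECTED: query each authoritative server directly,
# bypassing any resolver cache. Returns 0 only when all of them serve the value.
check_challenge() {
    domain=$1; expected=$2
    name="_acme-challenge.${domain}."
    zone=$(zone_of "$domain") || { echo "no NS records found above $domain" >&2; return 2; }
    status=0
    for ns in $(dig +short NS "$zone"); do
        answer=$(dig +short TXT "$name" "@$ns")
        if txt_present "$expected" "$answer"; then
            echo "OK    $ns"
        else
            echo "MISS  $ns"
            status=1
        fi
    done
    return $status
}

# Constructed sample of `dig +short TXT` output (not real data): one unrelated
# record plus the challenge value from the post, split into two quoted chunks.
SAMPLE='"v=spf1 -all"
"1Yyr9-uxQjbNwpNPWG_BcLg" "Tw4kjbxObTepekdAsnss"'

# Usage: sh check_txt.sh deimos.example.jp 1Yyr9-uxQjbNwpNPWG_BcLgTw4kjbxObTepekdAsnss
if [ $# -eq 2 ]; then
    check_challenge "$1" "$2"
fi
```

Run it in the second terminal instead of (or in addition to) the dig against 8.8.8.8; press Enter in certbot only once every server prints OK. A MISS on one server usually means the zone has not finished transferring to a secondary yet.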
It was paused at "Press Enter to Continue", so press Enter.
The following is displayed.
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/deimos.example.jp/fullchain.pem🈁
Key is saved at: /etc/letsencrypt/live/deimos.example.jp/privkey.pem🈁
This certificate expires on 2025-05-14.🈁
These files will be updated when the certificate renews.
NEXT STEPS:
- This certificate will not be renewed automatically. Autorenewal of --manual certificates requires
the use of an authentication hook script (--manual-auth-hook) but one was not provided.
To renew this certificate, repeat this same certbot command before the certificate's expiry date.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
$
- Check the generated certificate files.
$ sudo ls -la /etc/letsencrypt/live/deimos.example.jp/fullchain.pem🆑
Password:🔑🔑🔑🔑🆑
lrwxr-xr-x 1 root wheel 42 2 14 00:54
/etc/letsencrypt/live/deimos.example.jp/fullchain.pem ->
../../archive/deimos.example.jp/fullchain1.pem
$ sudo ls -la /etc/letsencrypt/live/deimos.example.jp/privkey.pem🆑
lrwxr-xr-x 1 root wheel 40 2 14 00:54
/etc/letsencrypt/live/deimos.example.jp/privkey.pem ->
../../archive/deimos.example.jp/privkey1.pem
$ sudo cat /etc/letsencrypt/live/deimos.example.jp/fullchain.pem🆑
-----BEGIN CERTIFICATE-----
(server certificate, omitted)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(intermediate certificate, omitted)
-----END CERTIFICATE-----
$ sudo cat /etc/letsencrypt/live/deimos.example.jp/privkey.pem🆑
-----BEGIN EC PRIVATE KEY-----
(private key, omitted)
-----END EC PRIVATE KEY-----
- Register the fullchain.pem and privkey.pem prepared here on the mail server. privkey.pem is the server's private key: anyone holding it can impersonate the server, so never paste its contents into notes, tickets or chat; only its location and permissions matter.
Extracting the certificate to upload to the server
- The certificate is at the location certbot printed, so check it.
$ sudo ls -la /etc/letsencrypt/live/deimos.example.jp/🆑
total 4
drwxr-xr-x 7 root wheel 224 2 18 13:52 .
drwx------ 6 root wheel 192 2 18 13:52 ..
-rw-r--r-- 1 root wheel 692 2 18 13:52 README
lrwxr-xr-x 1 root wheel 39 2 18 13:52 cert.pem -> ../../archive/deimos.example.jp/cert1.pem
lrwxr-xr-x 1 root wheel 40 2 18 13:52 chain.pem -> ../../archive/deimos.example.jp/chain1.pem
lrwxr-xr-x 1 root wheel 44 2 18 13:52 fullchain.pem -> ../../archive/deimos.example.jp/fullchain1.pem
lrwxr-xr-x 1 root wheel 42 2 18 13:52 privkey.pem -> ../../archive/deimos.example.jp/privkey1.pem
$
- They are symbolic links, so look at the actual files.
$ sudo ls -la /etc/letsencrypt/archive/deimos.example.jp🆑
total 16
drwxr-xr-x 6 root wheel 192 2 18 13:52 .
drwx------ 5 root wheel 160 2 18 13:52 ..
-rw-r--r-- 1 root wheel 1273 2 18 13:52 cert1.pem
-rw-r--r-- 1 root wheel 1566 2 18 13:52 chain1.pem
-rw-r--r-- 1 root wheel 2839 2 18 13:52 fullchain1.pem
-rw------- 1 root wheel 227 2 18 13:52 privkey1.pem
$
- Because of the permissions on these files, they sometimes can't be uploaded to the mail server as they are, so write them out. Note that `sudo cat ... > 2.pem` creates the copy with the current user's umask (0644 in the listing below), which makes the private key readable by every account on the machine; restrict it with chmod 600 and delete the copy once it has been uploaded.
$ sudo cat /etc/letsencrypt/live/deimos.example.jp/fullchain.pem > 1.pem🆑
$ sudo cat /etc/letsencrypt/live/deimos.example.jp/privkey.pem > 2.pem🆑
$ ls -la🆑
total 12
drwxr-xr-x 5 ujpadmin staff 160 2 18 13:54 .
drwxr-xr-x 63 ujpadmin staff 2016 2 18 13:26 ..
-rw-r--r-- 1 ujpadmin staff 2839 2 18 13:54 1.pem
-rw-r--r-- 1 ujpadmin staff 227 2 18 13:54 2.pem
$
- Upload these files to the server.
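A safer version of the export step above, as an added example that is not part of the original post: it copies the pair out of /etc/letsencrypt with mode 0600 instead of 0644, checks that the private key really belongs to the certificate before anything is uploaded, and wipes the copy afterwards. openssl is assumed to be installed; the staging directory, file names and the stage_cert.sh script name are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: export the live certificate and
# key for upload without leaving a world-readable private key behind, verify
# that the key really belongs to the certificate, and wipe the copies after
# use. Requires openssl. Directory and file names are placeholders.

# export_pair LIVE_DIR OUT_DIR: write fullchain.pem and privkey.pem into
# OUT_DIR. The umask in the subshell makes every new file mode 0600, unlike
# `sudo cat ... > 2.pem` in a normal shell, which produced 0644. When run via
# sudo, the copies are handed back to the invoking user so they can upload them.
export_pair() {
    live=$1; out=$2
    (
        umask 077
        mkdir -p "$out" || exit 1
        cat "$live/fullchain.pem" > "$out/fullchain.pem" || exit 1
        cat "$live/privkey.pem"   > "$out/privkey.pem"   || exit 1
        if [ -n "${SUDO_USER-}" ]; then
            chown "$SUDO_USER" "$out/fullchain.pem" "$out/privkey.pem" || exit 1
        fi
    )
}

# key_matches_cert CERT KEY -> 0 when the certificate's public key is the one
# derived from KEY (RSA or EC alike). Returns 2 if either file cannot be parsed.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# cert_info CERT: subject and expiry, so the right file gets uploaded
cert_info() {
    openssl x509 -in "$1" -noout -subject -enddate
}

# wipe FILE: overwrite and delete where the platform supports it (GNU shred,
# BSD/macOS rm -P); on SSDs and APFS the overwrite is best-effort only.
wipe() {
    if command -v shred >/dev/null 2>&1; then
        shred -u "$1"
    elif rm -P "$1" 2>/dev/null; then
        :
    else
        rm -f "$1"
    fi
}

# stage DOMAIN OUT_DIR: export, verify, and show what was staged
stage() {
    live="/etc/letsencrypt/live/$1"
    export_pair "$live" "$2" || return 1
    if ! key_matches_cert "$2/fullchain.pem" "$2/privkey.pem"; then
        echo "key does not match certificate, refusing to stage" >&2
        wipe "$2/privkey.pem"
        return 1
    fi
    cert_info "$2/fullchain.pem"
    ls -l "$2"
}

# Usage (as root, since /etc/letsencrypt/live is mode 0700):
#   sudo sh stage_cert.sh deimos.example.jp "$HOME/staged"   # then upload
#   wipe "$HOME/staged/privkey.pem"                          # after upload
if [ $# -eq 2 ]; then
    stage "$1" "$2"
fi
```

The key/certificate comparison is worth keeping even for a one-off upload: after a couple of renewals /etc/letsencrypt/archive holds privkey1.pem, privkey2.pem and so on, and pairing a new fullchain with an old key is an easy mistake that only shows up as a TLS handshake failure on the mail server.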
Registering the certificate
- The certificate files uploaded to the server look like this.
- Launch the Server app and add the certificate.
- This part can't be done from the command line....
- Click "Certificates" in the left pane, click "+" at the bottom of the window, and choose "Import a Certificate Identity".
- A screen like the following appears.
- Drag the certificate files in to register them.
- From the "Secure services using" pull-down menu, choose "Custom".
- You can then set which certificate each service on this server uses, as shown below.
- If several certificates were imported, choose which one each service uses from the list on the right.
- One service on one server can't be given more than one certificate.
- If you want a different certificate per FQDN, it seems you can edit main.cf by hand. This is where the GUI's lack of flexibility shows.
Renewing the SSL certificate the second and subsequent times
- Let's Encrypt certificates expire after 3 months (90 days), so they need to be renewed periodically.
- To renew, run certbot just as for the initial creation.
- It then asks the following:
What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Keep the existing certificate for now
2: Renew & replace the certificate (may be subject to CA rate limits)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):
- Select 2 here to renew and replace the certificate.
- Renewing too often produced the following error, so take care.
An unexpected error occurred:
too many certificates (5) already issued for this exact set of domains in the last 168h0m0s,
retry after 2025-02-20 02:55:54 UTC:
see https://letsencrypt.org/docs/rate-limits/#new-certificates-per-exact-set-of-hostnames
Ask for help or search for solutions at https://community.letsencrypt.org.
See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
- The page linked in the message says "You can create a maximum of 5 certificates per exact set of hostnames every 7 days", so issuing repeatedly ran into that limit. Runs made only to test the procedure count too; use --dry-run or --staging for those, since they go to Let's Encrypt's staging CA and don't count against the production limits.
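A wrapper that avoids both the "Keep / Renew & replace" prompt and the rate limit, as an added example that is not part of the original post: it only runs certbot when the certificate is actually close to expiry, passes --keep-until-expiring so an accidental re-run keeps the existing certificate, and can switch to the staging CA for experiments. openssl and certbot are assumed to be installed; the certificate path under /etc/letsencrypt/live, the 30-day threshold and the script name are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: only run certbot when the
# certificate is actually close to expiry, so repeated manual runs don't hit
# the "5 certificates per exact set of hostnames per 7 days" limit. Requires
# openssl and certbot; paths and the 30-day threshold are assumptions.

# renew_due CERT DAYS -> 0 when CERT expires within DAYS days.
# `openssl x509 -checkend N` exits 0 while the certificate stays valid for
# another N seconds, so the sense is inverted here.
renew_due() {
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# certbot_cmd DOMAIN EMAIL [yes] -> the certbot command line.
#  --keep-until-expiring answers the "Keep / Renew & replace" prompt with
#    "keep" unless the certificate is near expiry, so re-running the command
#    by mistake cannot burn another issuance.
#  --staging (third argument "yes") issues from Let's Encrypt's staging CA:
#    not trusted by clients, but with far looser rate limits, which is what
#    you want while practising the DNS step.
certbot_cmd() {
    domain=$1; email=$2; staging=${3:-no}
    extra=""
    if [ "$staging" = "yes" ]; then
        extra=" --staging"
    fi
    printf 'certbot certonly --manual --preferred-challenges dns -d %s --agree-tos --email %s --keep-until-expiring%s\n' \
        "$domain" "$email" "$extra"
}

# renew_if_due DOMAIN EMAIL [DAYS]: run by hand (the --manual DNS step still
# needs someone to add the TXT record, so this is not cron material).
renew_if_due() {
    domain=$1; email=$2; days=${3:-30}
    cert="/etc/letsencrypt/live/$domain/cert.pem"
    if [ -f "$cert" ] && ! renew_due "$cert" "$days"; then
        echo "$domain: more than $days days of validity left, nothing to do"
        return 0
    fi
    # The generated command contains no spaces inside its arguments, so plain
    # word splitting is safe here.
    sudo $(certbot_cmd "$domain" "$email")
}

# Usage: sh renew_if_due.sh deimos.example.jp postmaster@deimos.example.jp
if [ $# -ge 2 ]; then
    renew_if_due "$@"
fi
```

The 30-day threshold matches certbot's own default for deciding that a certificate is "due for renewal", so the openssl pre-check and the --keep-until-expiring behaviour agree with each other; with the check done locally, a run that is not due never contacts the CA at all.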