{ "version": "https://jsonfeed.org/version/1.1", "user_comment": "This feed allows you to read the posts from this site in any feed reader that supports the JSON Feed format. To add this feed to your reader, copy the following URL -- https://matoken.org/blog/tag/letsencrypt/feed/json/ -- and add it to your reader.", "home_page_url": "https://matoken.org/blog/tag/letsencrypt/", "feed_url": "https://matoken.org/blog/tag/letsencrypt/feed/json/", "language": "ja", "title": "LetsEncrypt – matoken's blog", "description": "Is there no plan B?", "icon": "https://matoken.org/blog/wp-content/uploads/2025/03/cropped-1865f695c4eecc844385acef2f078255036adccd42c254580ea3844543ab56d9.jpeg", "items": [ { "id": "https://matoken.org/blog/?p=5150", "url": "https://matoken.org/blog/2026/01/19/lets-encrypts-short-term-certificates-and-ip-address-certificates/", "title": "Trying out Let\u2019s Encrypt short-lived certificates and IP address certificates", "content_html": "
Let's Encrypt, which issues certificates free of charge, has started general availability of short-lived certificates and IP address certificates.
\n\nShort-lived and IP address certificates are now generally available from Let\u2019s Encrypt. These certificates are valid for 160 hours, just over six days. In order to get a short-lived certificate subscribers simply need to select the \u2018shortlived\u2019 certificate profile in their ACME client.
\n
I was curious, so I tried it out a little.
\n\n
I wanted to try it with the certbot command, but the Debian-packaged certbot is still 4.0.0 even in unstable and does not support it.
\n$ certbot --ip-address\nusage:\n certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...\n\nCertbot can obtain and install HTTPS/TLS/SSL certificates. By default,\nit will attempt to use a webserver both for obtaining and installing the\ncertificate.\ncertbot: error: unrecognized arguments: --ip-address\n$ certbot --version\ncertbot 4.0.0\n$ rmadison certbot\ncertbot | 1.12.0-2 | oldoldstable | all\ncertbot | 2.1.0-4 | oldstable | all\ncertbot | 4.0.0-2 | stable | all\ncertbot | 4.0.0-2 | testing | all\ncertbot | 4.0.0-2 | unstable | all\n
Support seems to have been committed two days ago in 58724f6.
\nSo, following the Developer Guide, I installed certbot from source and tried it.
\n$ sudo apt install python3-dev python3-venv libaugeas-dev gcc (1)\n$ git clone https://github.com/certbot/certbot (2)\n$ cd certbot\n$ git log --pretty=oneline -1\n58724f68ec46c57dd3c3c8ed4ae686c2d7ad893b (HEAD -> 58724f6) Add CLI flag --ip-address (#10495)\n$ python3 tools/venv.py (3)\n$ source venv/bin/activate (4)\n$ which certbot\n/home/matoken/src/certbot/venv/bin/certbot\n$ certbot --version\ncertbot 5.3.0.dev0\n
(1) Install the dependency packages
\n(2) Get the source
\n(3) Build
\n(4) Enter the certbot virtualenv
\n$ certbot help all | grep -A2 -- --ip-address\n --ip-address IP_ADDRESSES\n IP addresses to include. For multiple IP addresses you\n can use multiple --ip-address flags. All IP addresses\n will be included as Subject Alternative Names on the\n certificate. (default: [])\n$ certbot help all | grep -A8 -- --preferred-profile\n --preferred-profile PREFERRED_PROFILE\n Request the given profile name from the ACME server,\n or fallback to default. If the given profile name\n exists in the ACME directory, use it to request a a\n certificate. Otherwise, fall back to requesting a\n certificate without a profile (which means the CA will\n use its default profile). This allows renewals to\n succeed even if the CA deprecates and removes a given\n profile. (default: None)\n
$ sudo bash -c \"source venv/bin/activate && certbot certonly --ip-address 84.247.152.162 --preferred-profile shortlived\"\n
$ sudo cat /etc/letsencrypt/live/84.247.152.162/cert.pem | openssl x509 -noout -issuer -subject -dates\nissuer=C=US, O=Let's Encrypt, CN=YE2\nsubject=\nnotBefore=Jan 18 23:06:01 2026 GMT\nnotAfter=Jan 25 15:06:00 2026 GMT\n$ sudo cat /etc/letsencrypt/live/84.247.152.162/cert.pem | openssl x509 -noout -text\nCertificate:\n Data:\n Version: 3 (0x2)\n Serial Number:\n 06:e7:4e:65:fe:41:f7:9b:9e:38:12:12:64:13:85:b4:f3:dd\n Signature Algorithm: ecdsa-with-SHA384\n Issuer: C=US, O=Let's Encrypt, CN=YE2\n Validity\n Not Before: Jan 18 23:06:01 2026 GMT\n Not After : Jan 25 15:06:00 2026 GMT\n Subject:\n Subject Public Key Info:\n Public Key Algorithm: id-ecPublicKey\n Public-Key: (256 bit)\n pub:\n 04:d9:d9:68:d2:fe:7b:09:0d:c4:97:1e:fc:e4:1e:\n 65:50:90:cc:63:ec:6a:98:a3:5c:77:b6:d0:33:f5:\n 4d:8f:ec:38:d5:e8:1d:01:75:fb:d6:93:15:b9:f3:\n f8:7e:a4:a9:7b:bf:d7:4d:a3:5e:d0:ca:8f:74:e5:\n 7a:98:bc:8e:9e\n ASN1 OID: prime256v1\n NIST CURVE: P-256\n X509v3 extensions:\n X509v3 Key Usage: critical\n Digital Signature\n X509v3 Extended Key Usage:\n TLS Web Server Authentication\n X509v3 Basic Constraints: critical\n CA:FALSE\n X509v3 Authority Key Identifier:\n B9:59:F2:8E:CF:22:F0:86:D3:37:48:FF:76:14:18:BA:82:D8:55:87\n Authority Information Access:\n CA Issuers - URI:http://ye2.i.lencr.org/\n X509v3 Subject Alternative Name: critical\n IP Address:84.247.152.162\n X509v3 Certificate Policies:\n Policy: 2.23.140.1.2.1\n X509v3 CRL Distribution Points:\n Full Name:\n URI:http://ye2.c.lencr.org/94.crl\n\n CT Precertificate SCTs:\n Signed Certificate Timestamp:\n Version : v1 (0x0)\n Log ID : 0E:57:94:BC:F3:AE:A9:3E:33:1B:2C:99:07:B3:F7:90:\n DF:9B:C2:3D:71:32:25:DD:21:A9:25:AC:61:C5:4E:21\n Timestamp : Jan 19 00:04:31.276 2026 GMT\n Extensions: none\n Signature : ecdsa-with-SHA256\n 30:45:02:20:19:47:12:58:F2:D7:9C:08:A5:0D:C0:5B:\n F0:E7:DF:73:0F:64:77:B2:39:39:A4:3C:A1:D3:F0:39:\n 4E:7B:0D:91:02:21:00:87:BA:CE:E6:6E:F6:D3:52:D2:\n 
BC:C4:ED:BE:26:6F:DE:BC:B7:17:5F:B6:47:4A:82:75:\n A9:95:56:A0:68:FD:1F\n Signed Certificate Timestamp:\n Version : v1 (0x0)\n Log ID : E3:23:8D:F2:8D:A2:88:E0:AA:E0:AC:F0:FA:90:C9:85:\n F0:B6:BF:F5:D2:A5:27:B0:01:FC:1C:44:58:C4:B6:E8\n Timestamp : Jan 19 00:04:31.523 2026 GMT\n Extensions: 00:00:05:00:2F:CD:F8:E5\n Signature : ecdsa-with-SHA256\n 30:46:02:21:00:CD:4B:99:89:27:23:A9:B5:4E:68:D9:\n A0:59:63:45:F5:8F:6A:5C:1F:C2:39:24:AF:60:E4:25:\n FF:E6:53:08:4E:02:21:00:DE:9F:73:AB:35:BC:7D:5D:\n E7:7A:CB:DE:A7:25:FE:2E:09:A3:2A:33:6E:3B:E4:4E:\n D7:AD:67:B9:02:E5:36:B8\n Signature Algorithm: ecdsa-with-SHA384\n Signature Value:\n 30:64:02:30:09:90:c5:7b:2d:7c:21:7e:7a:21:77:3a:2d:8e:\n cd:a1:4d:d1:5e:08:2f:8c:e7:b9:ad:19:39:33:d7:67:41:76:\n 68:39:26:f5:cf:8e:4d:42:5e:cf:45:69:e2:8a:18:ef:02:30:\n 2b:7f:6c:90:27:d1:e5:b1:dd:a2:2a:cb:20:d4:8c:27:0c:7c:\n 6d:9b:06:c8:52:bd:23:d6:aa:83:61:f5:13:fd:77:55:e9:ab:\n 29:e2:bd:82:84:4d:4f:81:4b:3b:76:8a\n
$ echo $(( $( date +%s --date 'Jan 25 15:06:00 2026 GMT' ) - $( date +%s --date='Jan 18 23:06:01 2026 GMT' ) )) (1)\n575999\n$ echo $((160*60*60)) (2)\n576000\n
(1) Check the number of seconds between notBefore and notAfter
\n(2) Convert 160 hours to seconds (the one-second gap comes from notBefore ending in :01 while notAfter ends in :00)
\n$ git log --pretty=oneline -1\n58724f68ec46c57dd3c3c8ed4ae686c2d7ad893b (HEAD -> 58724f6) Add CLI flag --ip-address (#10495)\n$ dpkg-query -W python3-dev python3-venv libaugeas-dev gcc\ngcc 4:14.2.0-1\nlibaugeas-dev:amd64 1.14.1-1+b3\npython3-dev 3.13.5-1\npython3-venv 3.13.5-1\n$ lsb_release -dr\nDescription: Debian GNU/Linux 13 (trixie)\nRelease: 13\n$ arch\nx86_64\n
Lately I have been renewing my Let's Encrypt certificates like this, but this time it failed.
\n(This assumes DocumentRoot is set to the FQDN.)
$ sudo /bin/sh -c "/usr/bin/find /etc/letsencrypt/renewal/*.conf -type f | /usr/bin/xargs /usr/bin/basename -s .conf | xargs -n1 -I{} /usr/bin/letsencrypt renew --webroot -w /var/www/{}/ -d {}"\r\n\nIt complains like this.
\n(Did the specification change?)
Saving debug log to /var/log/letsencrypt/letsencrypt.log\r\nCurrently, the renew verb is capable of either renewing all installed certificates that are due to be renewed or renewing a single certificate specified by its name. If you would like to renew specific certificates by their domains, use the certonly command. The renew verb may provide other options for selecting certificates to renew in the future.\r\n\n
For now, changing letsencrypt renew to letsencrypt certonly made it go through.
$ sudo /bin/sh -c "/usr/bin/find /etc/letsencrypt/renewal/*.conf -type f | /usr/bin/xargs /usr/bin/basename -s .conf | xargs -n1 -I{} /usr/bin/letsencrypt certonly --webroot -w /var/www/{}/ -d {}"\r\n\nI thought that had renewed everything, but it failed for one domain.
\nSaving debug log to /var/log/letsencrypt/letsencrypt.log\r\nCert is due for renewal, auto-renewing...\r\nRenewing an existing certificate\r\nPerforming the following challenges:\r\nhttp-01 challenge for files.matoken.org\r\nUsing the webroot path /var/www/files.matoken.org for all unmatched domains.\r\nWaiting for verification...\r\nCleaning up challenges\r\nFailed authorization procedure. files.matoken.org (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://files.matoken.org/.well-known/acme-challenge/Be7Aiai4UH9CDqacTaEZOMH4SxSQbtFqxFcPXcCtJEs: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\r\n<html><head>\r\n<title>404 Not Found</title> \r\n</head><body>\r\n<h1>Not Found</h1>\r\n<p"\r\n\r\nIMPORTANT NOTES:\r\n - The following errors were reported by the server:\r\n\r\n Domain: files.matoken.org \r\n Type: unauthorized\r\n Detail: Invalid response from\r\n http://files.matoken.org/.well-known/acme-challenge/Be7Aiai4UH9CDqacTaEZOMH4SxSQbtFqxFcPXcCtJEs:\r\n "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\r\n <html><head>\r\n <title>404 Not Found</title>\r\n </head><body>\r\n <h1>Not Found</h1>\r\n <p"\r\n\r\n To fix these errors, please make sure that your domain name was\r\n entered correctly and the DNS A record(s) for that domain\r\n contain(s) the right IP address.\r\n\n
The challenge file is placed under the DocumentRoot and Let's Encrypt fetches it, but here it failed because the file could not be found there. This domain did not have http configured.
\nSo, after adding a Rewrite configuration in apache,
RewriteEngine On\r\nRewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]\r\n\nit went through: the http-01 validator follows the redirect to the HTTPS virtual host, where the challenge file is served.
\n$ sudo /usr/bin/letsencrypt certonly --webroot -w /var/www/files.matoken.org/ -d files.matoken.org\r\nSaving debug log to /var/log/letsencrypt/letsencrypt.log\r\nCert is due for renewal, auto-renewing...\r\nRenewing an existing certificate\r\nPerforming the following challenges:\r\nhttp-01 challenge for files.matoken.org\r\nUsing the webroot path /var/www/files.matoken.org for all unmatched domains.\r\nWaiting for verification...\r\nCleaning up challenges\r\nGenerating key (2048 bits): /etc/letsencrypt/keys/0003_key-certbot.pem\r\nCreating CSR: /etc/letsencrypt/csr/0003_csr-certbot.pem\r\n\r\nIMPORTANT NOTES:\r\n - Congratulations! Your certificate and chain have been saved at\r\n /etc/letsencrypt/live/files.matoken.org/fullchain.pem. Your cert\r\n will expire on 2018-05-31. To obtain a new or tweaked version of\r\n this certificate in the future, simply run certbot again. To\r\n non-interactively renew *all* of your certificates, run "certbot\r\n renew"\r\n - If you like Certbot, please consider supporting our work by:\r\n\r\n Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate\r\n Donating to EFF: https://eff.org/donate-le\r\n\n
The certbot version is quite old, though......
\n$ dpkg -l|grep -i certbot\r\nii certbot 0.10.2-1 all automatically configure HTTPS using Let's Encrypt\r\nii python-certbot 0.10.2-1 all main library for certbot\r\n\n
\u3066\u3053\u3068\u3067backport\u306e\u3082\u306e\u306b\u5165\u308c\u66ff\u3048\uff0e
\n$ sudo apt remove certbot\r\n$ sudo apt install python-certbot-apache -t stretch-backports\r\n$ apt show certbot\r\nPackage: certbot\r\nVersion: 0.21.1-1~bpo9+1\r\nPriority: optional\r\nSection: web\r\nSource: python-certbot\r\nMaintainer: Debian Let's Encrypt <letsencrypt-devel@lists.alioth.debian.org>\r\nInstalled-Size: 53.2 kB\r\nProvides: letsencrypt\r\nDepends: python3-certbot (= 0.21.1-1~bpo9+1), python3:any\r\nSuggests: python3-certbot-apache, python3-certbot-nginx, python-certbot-doc\r\nBreaks: letsencrypt (<= 0.6.0)\r\nReplaces: letsencrypt\r\nHomepage: https://certbot.eff.org/\r\nDownload-Size: 20.4 kB\r\nAPT-Manual-Installed: no\r\nAPT-Sources: http://ftp.jp.debian.org/debian stretch-backports/main amd64 Packages\r\nDescription: automatically configure HTTPS using Let's Encrypt\r\n The objective of Certbot, Let's Encrypt, and the ACME (Automated\r\n Certificate Management Environment) protocol is to make it possible\r\n to set up an HTTPS server and have it automatically obtain a\r\n browser-trusted certificate, without any human intervention. This is\r\n accomplished by running a certificate management agent on the web\r\n server.\r\n .\r\n This agent is used to:\r\n .\r\n - Automatically prove to the Let's Encrypt CA that you control the website\r\n - Obtain a browser-trusted certificate and set it up on your web server\r\n - Keep track of when your certificate is going to expire, and renew it\r\n - Help you revoke the certificate if that ever becomes necessary.\r\n .\r\n This package contains the main application, including the standalone\r\n and the manual authenticators.\r\n\r\nN: There is 1 additional record. Please use the '-a' switch to see it\r\n\n
So in the end the client was just old, and this memo is probably not very useful as a reference.
\n\n\n
\n$ sudo letsencrypt renew\nRunning this,
\n2017-10-19 06:59:12,982:WARNING:letsencrypt.cli:Attempting to renew cert from /etc/letsencrypt/renewal/example.com.conf produced an unexpected error: 'server'. Skipping.\nthe certificate could not be renewed because of an error like this. The config file is noticeably smaller than the other config files.
\n$ ls -lA /etc/letsencrypt/renewal/\r\n\u5408\u8a08 20\r\n-rw-r--r-- 1 root root 1873 10\u6708 17 13:44 example2.com.conf\r\n-rw-r--r-- 1 root root 483 7\u6708 19 03:10 example.com.conf\nAppending the following to the config file
\nserver = https://acme-v01.api.letsencrypt.org/directory\r\nconfig_file = None\nat the end of the file and running renew again made it go through.
\n