Getting a Let's Encrypt certificate with certbot on openSUSE in Azure: notes, part 2

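The last time I wrote about creating a Let's Encrypt certificate with certbot was 2020/9/15.

Certificates are normally issued for 90 days, so I recently received the "Let's Encrypt certificate expiration notice for domain" notification e-mail.

Today's note is about how to obtain the certificate manually.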

OS: openSUSE Leap 15.2 in Azure

DNS provider: gandi.net

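First, the official Let's Encrypt site has changed how the package is delivered: it is now wrapped in a snap.

==== Verifying that the existing certbot method can still obtain a certificate ====

Before using the snap method, first verify whether the old certbot command can still obtain a Let's Encrypt certificate.

See the previous article for reference.

Install with the zypper command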

# zypper  install  python3-certbot

# certbot certonly --manual --preferred-challenges=dns -d ines.tw

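Verified: the certificate can still be obtained this way.

==== Installing via snap and verifying whether a certificate can be obtained ====

Interim conclusion: snapd currently has an AppArmor problem, so for now I am still using python3-certbot.

Add the repo with the zypper command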

# zypper addrepo --refresh https://download.opensuse.org/repositories/system:/snappy/openSUSE_Leap_15.2 snappy

Adding repository ‘snappy’ …………………………………………………………………………………[done]

Repository ‘snappy’ successfully added

URI         : https://download.opensuse.org/repositories/system:/snappy/openSUSE_Leap_15.2

Enabled     : Yes

GPG Check   : Yes

Autorefresh : Yes

Priority    : 99 (default priority)

Repository priorities are without effect. All enabled repositories share the same priority.

Import the GPG key

# zypper --gpg-auto-import-keys refresh

Retrieving repository ‘Debug Repository’ metadata …………………………………………………………….[done]

Building repository ‘Debug Repository’ cache …………………………………………………………………[done]

Retrieving repository ‘Update Repository (Debug)’ metadata …………………………………………………….[done]

Building repository ‘Update Repository (Debug)’ cache …………………………………………………………[done]

Retrieving repository ‘Non-OSS Repository’ metadata …………………………………………………………..[done]

Building repository ‘Non-OSS Repository’ cache ……………………………………………………………….[done]

Retrieving repository ‘Main Repository’ metadata ……………………………………………………………..[done]

Building repository ‘Main Repository’ cache ………………………………………………………………….[done]

Retrieving repository ‘Source Repository’ metadata ……………………………………………………………[done]

Building repository ‘Source Repository’ cache ………………………………………………………………..[done]

Retrieving repository ‘Main Update Repository’ metadata ……………………………………………………….[done]

Building repository ‘Main Update Repository’ cache ……………………………………………………………[done]

Retrieving repository ‘Update Repository (Non-Oss)’ metadata …………………………………………………..[done]

Building repository ‘Update Repository (Non-Oss)’ cache ……………………………………………………….[done]

Retrieving repository ‘snappy’ metadata ———————————————————————————–[-]

Automatically importing the following key:

  Repository:       snappy

  Key Name:         system:snappy OBS Project

  Key Fingerprint:  4F2FA05B 2C6589C3 FD12055E F7C6E425 ED340235

  Key Created:      Sat Oct 31 16:59:39 2020

  Key Expires:      Mon Jan  9 16:59:39 2023

  Rpm Name:         gpg-pubkey-ed340235-5f9d97fb

Retrieving repository ‘snappy’ metadata ……………………………………………………………………..[done]

Building repository ‘snappy’ cache ………………………………………………………………………….[done]

All repositories have been refreshed.
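
Because --gpg-auto-import-keys trusts whatever signing key the repository presents, the key block zypper prints can be compared against a pinned fingerprint before the key is accepted. This is an added example, not part of the original post: the function names and the sample input are constructed, and the pinned value is the fingerprint shown in the transcript above, assumed to have been confirmed through an independent channel.

```shell
# Added example: compare the key zypper offers for a repo against a pinned
# fingerprint instead of accepting it blindly via --gpg-auto-import-keys.

# Fingerprint as printed in the transcript above (assumption: you have
# confirmed it through a channel other than the repository itself).
PINNED_FPR="4F2FA05B 2C6589C3 FD12055E F7C6E425 ED340235"

# Strip spaces/colons and upper-case so differently formatted values compare.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' :\t\r\n' | tr 'abcdef' 'ABCDEF'
}

# stdin: zypper output; $1: repo alias. Prints the offered fingerprint.
extract_fpr() {
    awk -v repo="$1" '
        $1 == "Repository:" { cur = $2 }
        $1 == "Key" && $2 == "Fingerprint:" && cur == repo {
            out = ""
            for (i = 3; i <= NF; i++) out = out $i
            print out
            exit
        }'
}

# stdin: zypper output; $1: repo alias; $2: pinned fingerprint.
# Returns 0 on match, 1 on mismatch, 2 if no key block was found.
check_repo_key() {
    offered=$(extract_fpr "$1")
    if [ -z "$offered" ]; then
        echo "no key offered for repo $1" >&2
        return 2
    fi
    if [ "$(normalize_fpr "$offered")" = "$(normalize_fpr "$2")" ]; then
        echo "OK: $1 key matches pinned fingerprint"
    else
        echo "MISMATCH: $1 offered $offered" >&2
        return 1
    fi
}

# Constructed sample input, shaped like the key block in the transcript.
sample_zypper_output() {
    cat <<'EOF'
Automatically importing the following key:
  Repository:       snappy
  Key Fingerprint:  4F2FA05B 2C6589C3 FD12055E F7C6E425 ED340235
EOF
}
sample_zypper_output | check_repo_key snappy "$PINNED_FPR"
```
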

Upgrade package cache

# zypper dup --from snappy

Loading repository data…

Reading installed packages…

Computing distribution upgrade…

Nothing to do.

Install snapd

# zypper  install  snapd

Loading repository data…

Reading installed packages…

Resolving package dependencies…

The following 3 NEW packages are going to be installed:

  snapd squashfs system-user-daemon

3 new packages to install.

Overall download size: 15.0 MiB. Already cached: 0 B. After the operation, additional 68.0 MiB will be used.

Continue? [y/n/v/…? shows all options] (y):  Y

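After installation, the official documentation says "You then need to either reboot, logout/login or source /etc/profile to have /snap/bin added to PATH."

However, in my testing, # source /etc/profile does not always add /snap/bin to $PATH; logging out and back in is the safer option.

# systemctl enable --now snapd

  • This trick is nice: it starts snapd and enables it at boot in one step. I used to run these as two separate commands.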

# snap  install  core

error: cannot perform the following tasks:

– Setup snap “core” (10444) security profiles (cannot setup profiles for snap “core”: cannot create host snap-confine apparmor configuration: cannot reload snap-confine apparmor profile: cannot load apparmor profiles: exit status 1

apparmor_parser output:

AppArmor parser error for /var/lib/snapd/apparmor/profiles/snap-confine.core.10444 in /var/lib/snapd/apparmor/profiles/snap-confine.core.10444 at line 2: Could not open ‘tunables/global’

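  • Installation failed; there is a problem with AppArmor.

The official documentation mentions that Tumbleweed needs snapd.apparmor to be set up additionally.

  • On openSUSE Leap 15.2 that command cannot find the service, and snapd is not openSUSE's primary approach anyway, so I am giving up on it for now.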

===================

For the time being I will keep using the python3-certbot approach, and will only reconsider if someday the certificate can be obtained only through snapd 🙂

~ enjoy it
