After switching DNS over to the new server, run certbot with hooks and create the renewal configuration.
1. Create the TSIG key.
~]# tsig-keygen -a hmac-sha256 certbot-key > /var/named/certbot.key
~]# chown root:named /var/named/certbot.key
~]# chmod 640 /var/named/certbot.key
2. Register the TSIG key in named.conf.
~]# vi /etc/named.conf
Append the following.
include "/var/named/certbot.key";

zone "wave440.com" {
    type master;
    file "wave440.com.db.wan";
    update-policy {
        grant certbot-key name _acme-challenge.wave440.com. txt;
    };
    allow-query { any; };
    allow-transfer { 216.218.133.2; 2001:470:600::2; };
    notify yes;
};
Apply the configuration.
~]# rndc reconfig
3. Create the certbot hook scripts.
manual-auth-hook (adds the TXT record)
~]# vi /usr/local/bin/certbot-auth.sh
#!/bin/bash
# Add the validation TXT record through a TSIG-signed dynamic update
# to the local master; certbot supplies the value in CERTBOT_VALIDATION.
nsupdate -k /var/named/certbot.key << EOF
server 127.0.0.1
zone wave440.com.
update add _acme-challenge.wave440.com. 60 IN TXT "$CERTBOT_VALIDATION"
send
EOF
manual-cleanup-hook (removes the TXT record)
~]# vi /usr/local/bin/certbot-cleanup.sh
#!/bin/bash
# Remove every TXT record at the challenge name once validation is done.
nsupdate -k /var/named/certbot.key << EOF
server 127.0.0.1
zone wave440.com.
update delete _acme-challenge.wave440.com. TXT
send
EOF
deploy-hook (reloads httpd / Postfix / Dovecot after renewal)
~]# vi /usr/local/bin/certbot-deploy.sh
#!/bin/bash
systemctl reload httpd
systemctl reload postfix
systemctl reload dovecot
Permissions.
chmod 700 /usr/local/bin/certbot-*.sh
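The auth hook above hard-codes the challenge name and passes CERTBOT_VALIDATION straight into the nsupdate batch. The following is an added example (not the author's script) of a generalised auth hook for the same BIND/nsupdate setup: it derives the owner name from CERTBOT_DOMAIN (certbot passes the wildcard as the bare domain, so `*.wave440.com` and `wave440.com` both land on `_acme-challenge.wave440.com.`), refuses a value that is not the 43-character base64url token the ACME DNS-01 challenge produces, and only talks to nsupdate when certbot has actually set the variables. The key file, zone and loopback server are the ones on this page; KEYFILE and ZONE can be overridden from the environment, and the `wait_for_txt` helper and its use of dig are my addition.

```shell
#!/bin/bash
# Added example: generalised manual-auth-hook for the certbot + nsupdate setup.
# Assumes the TSIG key at /var/named/certbot.key and the zone wave440.com from
# the page, and that certbot exports CERTBOT_DOMAIN / CERTBOT_VALIDATION.
KEYFILE=${KEYFILE:-/var/named/certbot.key}
ZONE=${ZONE:-wave440.com}
TTL=60

# DNS-01 validation value: base64url(SHA-256(key authorization)), 43 chars.
# Anything else is rejected before it can reach the nsupdate batch.
valid_token() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_-]{43}$'
}

# certbot strips "*." before calling the hook, so a wildcard and the apex
# share one owner name; strip it here too in case the hook is run by hand.
challenge_name() {
    printf '_acme-challenge.%s.\n' "${1#\*.}"
}

# Emit the nsupdate batch for one TXT add. Note that BIND's update-policy on
# the page only grants this name, so any other domain is refused server-side.
build_update() {
    domain=$1
    token=$2
    valid_token "$token" || { echo "bad CERTBOT_VALIDATION" >&2; return 1; }
    name=$(challenge_name "$domain")
    printf 'server 127.0.0.1\nzone %s.\nupdate add %s %s IN TXT "%s"\nsend\n' \
        "$ZONE" "$name" "$TTL" "$token"
}

# Poll the local master until the record is visible (up to ~30 s), so certbot
# does not tell the CA to look before BIND has committed the update.
wait_for_txt() {
    name=$1
    token=$2
    i=0
    while [ "$i" -lt 30 ]; do
        if dig @127.0.0.1 +short TXT "$name" 2>/dev/null | grep -Fq "\"$token\""; then
            return 0
        fi
        i=$((i + 1))
        sleep 1
    done
    echo "TXT for $name not visible on 127.0.0.1" >&2
    return 1
}

# Only act when invoked by certbot; sourcing the file leaves DNS untouched.
if [ -n "${CERTBOT_DOMAIN:-}" ] && [ -n "${CERTBOT_VALIDATION:-}" ]; then
    build_update "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" | nsupdate -k "$KEYFILE" || exit 1
    wait_for_txt "$(challenge_name "$CERTBOT_DOMAIN")" "$CERTBOT_VALIDATION"
fi
```

Install it in place of certbot-auth.sh with the same `chmod 700`; the matching cleanup hook stays as on the page. Polling 127.0.0.1 only confirms the master has the record; with secondaries such as the two listed under allow-transfer, the CA may still query one that has not received the NOTIFY yet, so a short additional delay or a check against those servers is the usual next refinement.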
4. Obtain the certificate against the new server's DNS (DNS-01, manual)
Input
~]# certbot certonly \
      --manual \
      --preferred-challenges dns \
      --manual-auth-hook /usr/local/bin/certbot-auth.sh \
      --manual-cleanup-hook /usr/local/bin/certbot-cleanup.sh \
      --deploy-hook /usr/local/bin/certbot-deploy.sh \
      -d '*.wave440.com' -d wave440.com \
      --agree-tos \
      --email xxxxx@wave440.com
・・・
・・・
What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Keep the existing certificate for now
2: Renew & replace the certificate (may be subject to CA rate limits)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate for *.wave440.com and wave440.com
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/wave440.com/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/wave440.com/privkey.pem
・・・
・・・
Check the systemd timer.
~]# systemctl list-timers
Check the renewal configuration.
~]# cat /etc/letsencrypt/renewal/wave440.com.conf
Even when certbot is run with --deploy-hook, the hook appears to be saved in the renewal configuration as renew_hook.
Since renew_hook is apparently the old name kept for compatibility, I edited it by hand to deploy_hook.