20250919 letsencrypt certbot ssl

#certbot -d cycht.org.tw -d www.cycht.org.tw -d main.cycht.org.tw


Saving debug log to /var/log/letsencrypt/letsencrypt.log
Certbot has detected that apache version < 2.4.11 or compiled against openssl < 1.0.2l. Since these are deprecated, the configuration file being installed at /etc/letsencrypt/options-ssl-apache.conf will not receive future updates. To get the latest configuration version, update apache.
Requesting a certificate for cycht.org.tw and 2 more domains

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/cycht.org.tw/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/cycht.org.tw/privkey.pem
This certificate expires on 2025-12-18.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

Deploying certificate
Some rewrite rules copied from /etc/httpd/sites-enabled/www.cycht.org.tw.conf were disabled in the vhost for your HTTPS site located at /etc/httpd/sites-available/www.cycht.org.tw-le-ssl.conf because they have the potential to create redirection loops.
Successfully deployed certificate for cycht.org.tw to /etc/httpd/sites-available/www.cycht.org.tw-le-ssl.conf
Successfully deployed certificate for www.cycht.org.tw to /etc/httpd/sites-available/www.cycht.org.tw-le-ssl.conf
Some rewrite rules copied from /etc/httpd/sites-enabled/main.cycht.org.tw.conf were disabled in the vhost for your HTTPS site located at /etc/httpd/sites-available/main.cycht.org.tw-le-ssl.conf because they have the potential to create redirection loops.
Successfully deployed certificate for main.cycht.org.tw to /etc/httpd/sites-available/main.cycht.org.tw-le-ssl.conf
Congratulations! You have successfully enabled HTTPS on https://cycht.org.tw, https://www.cycht.org.tw, and https://main.cycht.org.tw

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
 

Test SSL

https://www.ssllabs.com/ssltest/analyze.html?d=greencom.tw&latest

DNS CAA: No

5. Publish Your CAA Policy

Add the following CAA records to your domain's DNS. Your DNS must be hosted with a service that supports CAA.

Generic

For Google Cloud DNS, Route 53, DNSimple, and other hosted DNS services

Name Type Value
greencom.tw. CAA 0 issue ";"

Standard Zone File

For BIND ≥9.9.6, PowerDNS ≥4.0.0, NSD ≥4.0.1, Knot DNS ≥2.2.0

greencom.tw.	IN	CAA	0 issue ";"

Legacy Zone File (RFC 3597 Syntax)

For BIND <9.9.6, NSD <4.0.1, Windows Server 2016

greencom.tw.	IN	TYPE257	\# 8 000569737375653B

tinydns

:greencom.tw:257:\000\005\151\163\163\165\145\073

dnsmasq

--dns-rr=greencom.tw,257,000569737375653B
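
Added example (not part of the original notes or of any tool quoted above): a small Python encoder/decoder for the CAA RDATA shown in the legacy, tinydns and dnsmasq forms, so the hex and octal strings can be checked against the readable record before publishing. Note that an issue value of ";" has an empty issuer domain and authorizes no CA at all; the function names and the "letsencrypt.org" value used in the check are assumptions of this example, not values from the notes.

```python
# Added example, not from the original notes: CAA RDATA per RFC 8659.
# Layout: 1 byte flags, 1 byte tag length, tag, then the value.

def caa_rdata(flags: int, tag: str, value: str) -> bytes:
    tag_b = tag.encode("ascii")
    if not 0 <= flags <= 255:
        raise ValueError("flags must fit in one byte")
    if not tag.isalnum() or len(tag_b) > 255:
        raise ValueError("tag must be 1..255 ASCII letters or digits")
    return bytes([flags, len(tag_b)]) + tag_b + value.encode("ascii")

def parse_caa_rdata(rdata: bytes):
    """Return (flags, tag, value); reject truncated or empty-tag input."""
    if len(rdata) < 2 or rdata[1] == 0 or 2 + rdata[1] > len(rdata):
        raise ValueError("truncated or malformed CAA RDATA")
    end = 2 + rdata[1]
    return rdata[0], rdata[2:end].decode("ascii"), rdata[end:].decode("ascii")

def authorized_ca(issue_value: str):
    """Issuer domain of an issue value, or None when it is empty (';')."""
    return issue_value.split(";", 1)[0].strip() or None

def rfc3597_line(name: str, rdata: bytes) -> str:
    # Legacy zone file syntax: TYPE257 \# <length> <hex>
    return f"{name}\tIN\tTYPE257\t\\# {len(rdata)} {rdata.hex().upper()}"

def tinydns_line(name: str, rdata: bytes) -> str:
    # Generic tinydns record with every byte octal-escaped
    return f":{name.rstrip('.')}:257:" + "".join(f"\\{b:03o}" for b in rdata)

def dnsmasq_opt(name: str, rdata: bytes) -> str:
    return f"--dns-rr={name.rstrip('.')},257,{rdata.hex().upper()}"

def tinydns_unescape(field: str) -> bytes:
    """Decode a fully octal-escaped tinydns data field back to bytes."""
    return bytes(int(o, 8) for o in field.split("\\")[1:])

if __name__ == "__main__":
    rdata = caa_rdata(0, "issue", ";")  # the record from the notes above
    print(rfc3597_line("greencom.tw.", rdata))
    print(tinydns_line("greencom.tw.", rdata))
    print(dnsmasq_opt("greencom.tw.", rdata))
    flags, tag, value = parse_caa_rdata(rdata)
    print(flags, tag, repr(value), "authorized CA:", authorized_ca(value))
```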