Recently I have been renewing my Let's Encrypt certificates like this, but this time it failed.
(This assumes the DocumentRoot is named after the FQDN.)
$ sudo /bin/sh -c "/usr/bin/find /etc/letsencrypt/renewal/*.conf -type f | /usr/bin/xargs /usr/bin/basename -s .conf | xargs -n1 -I{} /usr/bin/letsencrypt renew --webroot -w /var/www/{}/ -d {}"
It complained like this.
(Did the behaviour change?)
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Currently, the renew verb is capable of either renewing all installed certificates that are due to be renewed or renewing a single certificate specified by its name. If you would like to renew specific certificates by their domains, use the certonly command. The renew verb may provide other options for selecting certificates to renew in the future.
For now, changing letsencrypt renew to letsencrypt certonly made it go through.
$ sudo /bin/sh -c "/usr/bin/find /etc/letsencrypt/renewal/*.conf -type f | /usr/bin/xargs /usr/bin/basename -s .conf | xargs -n1 -I{} /usr/bin/letsencrypt certonly --webroot -w /var/www/{}/ -d {}"
I thought that had renewed everything, but one domain failed.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for files.matoken.org
Using the webroot path /var/www/files.matoken.org for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. files.matoken.org (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://files.matoken.org/.well-known/acme-challenge/Be7Aiai4UH9CDqacTaEZOMH4SxSQbtFqxFcPXcCtJEs: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: files.matoken.org
   Type:   unauthorized
   Detail: Invalid response from http://files.matoken.org/.well-known/acme-challenge/Be7Aiai4UH9CDqacTaEZOMH4SxSQbtFqxFcPXcCtJEs: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p"

   To fix these errors, please make sure that your domain name was entered correctly and the DNS A record(s) for that domain contain(s) the right IP address.
The challenge file is placed under the DocumentRoot and Let's Encrypt fetches it from there, but here it failed because that file could not be found. I had not configured plain HTTP for this domain.
So I added a Rewrite rule in Apache:
RewriteEngine On
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
and it went through.
$ sudo /usr/bin/letsencrypt certonly --webroot -w /var/www/files.matoken.org/ -d files.matoken.org
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for files.matoken.org
Using the webroot path /var/www/files.matoken.org for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0003_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0003_csr-certbot.pem

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/files.matoken.org/fullchain.pem. Your cert will
   expire on 2018-05-31. To obtain a new or tweaked version of this
   certificate in the future, simply run certbot again. To
   non-interactively renew *all* of your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
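As an added example (my own script, not code from the original post), here is the per-domain renewal loop from above with a pre-flight check that the http-01 path really is reachable over plain HTTP before certbot is called, so the 404 above is caught locally. It assumes the post's layout (/etc/letsencrypt/renewal/<FQDN>.conf and DocumentRoot /var/www/<FQDN>/), that curl is installed, and that it runs with write access to the webroot; the function names and the --run flag are mine.

```shell
#!/bin/sh
# Added example, not code from the original post: the per-domain renewal loop
# from the post as a script, with a pre-flight check that the http-01 path is
# reachable over plain HTTP before certbot runs. Assumes the post's layout
# (/etc/letsencrypt/renewal/<FQDN>.conf, DocumentRoot /var/www/<FQDN>/) and curl.

RENEWAL_DIR=${RENEWAL_DIR:-/etc/letsencrypt/renewal}
WEBROOT_BASE=${WEBROOT_BASE:-/var/www}
CERTBOT=${CERTBOT:-/usr/bin/letsencrypt}
# HTTP GET that follows redirects, as the ACME validator does, so an
# http->https redirect like the one in the post still passes. Overridable.
FETCH=${FETCH:-"curl -fsSL --max-time 10"}

# One certificate name per line, taken from the renewal config file names.
list_renewal_names() {
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        basename "$f" .conf
    done
}

# Write a throwaway token under .well-known/acme-challenge and check the same
# bytes come back over HTTP. Catches the 404 from the post (no port-80 vhost,
# wrong DocumentRoot, blocked path) locally, before the CA reports it.
preflight_http01() {
    domain=$1
    dir="$WEBROOT_BASE/$domain/.well-known/acme-challenge"
    token="preflight-$$-$(date +%s)"
    mkdir -p "$dir" || return 1
    printf '%s' "$token" > "$dir/$token"
    body=$($FETCH "http://$domain/.well-known/acme-challenge/$token" 2>/dev/null) || body=
    rm -f "$dir/$token"
    [ "$body" = "$token" ]
}

# Renew only domains that pass the check; exit non-zero if anything was
# skipped or certbot failed, so a cron job reports the problem.
renew_all() {
    rc=0
    for name in $(list_renewal_names "$RENEWAL_DIR"); do
        if preflight_http01 "$name"; then
            "$CERTBOT" certonly --webroot -w "$WEBROOT_BASE/$name/" -d "$name" || rc=1
        else
            echo "skip $name: challenge path not reachable over HTTP" >&2
            rc=1
        fi
    done
    return $rc
}
[ "${1:-}" = "--run" ] && renew_all
```

Because the validator follows the redirect, the HTTPS vhost must serve the same DocumentRoot as the webroot given with -w, otherwise the check (and the real challenge) still ends in a 404.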
The certbot version is rather old...
$ dpkg -l|grep -i certbot
ii  certbot          0.10.2-1    all   automatically configure HTTPS using Let's Encrypt
ii  python-certbot   0.10.2-1    all   main library for certbot
So I replaced it with the package from backports.
$ sudo apt remove certbot
$ sudo apt install python-certbot-apache -t stretch-backports
$ apt show certbot
Package: certbot
Version: 0.21.1-1~bpo9+1
Priority: optional
Section: web
Source: python-certbot
Maintainer: Debian Let's Encrypt <letsencrypt-devel@lists.alioth.debian.org>
Installed-Size: 53.2 kB
Provides: letsencrypt
Depends: python3-certbot (= 0.21.1-1~bpo9+1), python3:any
Suggests: python3-certbot-apache, python3-certbot-nginx, python-certbot-doc
Breaks: letsencrypt (<= 0.6.0)
Replaces: letsencrypt
Homepage: https://certbot.eff.org/
Download-Size: 20.4 kB
APT-Manual-Installed: no
APT-Sources: http://ftp.jp.debian.org/debian stretch-backports/main amd64 Packages
Description: automatically configure HTTPS using Let's Encrypt
 The objective of Certbot, Let's Encrypt, and the ACME (Automated Certificate Management Environment) protocol is to make it possible to set up an HTTPS server and have it automatically obtain a browser-trusted certificate, without any human intervention. This is accomplished by running a certificate management agent on the web server.
 .
 This agent is used to:
 .
  - Automatically prove to the Let's Encrypt CA that you control the website
  - Obtain a browser-trusted certificate and set it up on your web server
  - Keep track of when your certificate is going to expire, and renew it
  - Help you revoke the certificate if that ever becomes necessary.
 .
 This package contains the main application, including the standalone and the manual authenticators.

N: There is 1 additional record. Please use the '-a' switch to see it
So the real problem was just an old client, and this note is probably not much use to anyone.