Free SSL from Let's Encrypt sure is convenient. Renewal kept failing, though, so I edited the config file.
Let's Encrypt renewal kept failing, so I changed the config
I use Let's Encrypt for free SSL, but certbot renew seemed to be failing on this one site's certificate every time, and Let's Encrypt itself had emailed me several times to say the renewal had not gone through, so I took a look.
Renewal is supposed to be automatic: certbot renew is in cron. But one certificate fails on every run.
# certbot renew
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/*****.net.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/freesim.tokyo.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for freesim.tokyo
Cleaning up challenges
Attempting to renew cert (freesim.tokyo) from /etc/letsencrypt/renewal/freesim.tokyo.conf produced an unexpected error: Problem binding to port 80: Could not bind to IPv4 or IPv6.. Skipping.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/tomereru.net.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certs are not due for renewal yet:
  /etc/letsencrypt/live/****.net/fullchain.pem expires on 2019-10-29 (skipped)
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/freesim.tokyo/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
Hmm, what is going on? Searching around turns up posts saying you have to open port 80 so the validation can reach the server, but rewriting the 80-to-443 redirect I deliberately set up, just to renew the SSL certificate, seems backwards. And the other domains renew fine, so why only this one? Digging further, I noticed that certbot has two ways of answering the http-01 challenge: webroot and standalone. standalone starts its own temporary web server on port 80 to answer the challenge, which cannot work while the real web server is already listening there; that is exactly the "Problem binding to port 80" error above. webroot instead writes the challenge file under the site's document root and lets the already-running web server serve it.
# grep authenticator /etc/letsencrypt/renewal/*.conf
****.net.conf:authenticator = webroot
freesim.tokyo.conf:authenticator = standalone
Right, so I just need to fix that difference.
To switch a /etc/letsencrypt/renewal/*.conf file from standalone to webroot, change the line
authenticator = standalone
in {domain}.conf to
authenticator = webroot
and add the path to the document root at the end of the file, like this:
[[webroot_map]]
*****.net = /www/****.net/httpdocs
That is all. Two things to check: the left-hand side must be the exact domain name in the certificate, and the directory must be the document root that answers http://{domain}/ on port 80, because the challenge file is written to /.well-known/acme-challenge/ under it and Let's Encrypt fetches it from there. A redirect from 80 to 443 is fine as long as the HTTPS vhost serves the same directory; the validator follows the redirect.
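The same edit as a script, as an added example rather than anything from the post: a small POSIX shell function that converts one renewal conf from standalone to webroot with a backup and an idempotency guard, plus two pre-flight checks (is the challenge directory writable, and is something already bound to port 80, which is why standalone failed). The domain example.test and the temp document root are placeholders; on a real host the conf lives in /etc/letsencrypt/renewal/<domain>.conf and the docroot is the vhost's.

```shell
#!/bin/sh
# Added example, not code from the post. Switches a certbot renewal conf
# from the standalone authenticator to webroot the way the post describes,
# with a backup, an idempotency guard and two pre-flight checks.
# The domain example.test and the temp docroot below are placeholders;
# on a real host the conf lives in /etc/letsencrypt/renewal/<domain>.conf.
set -eu

# switch_to_webroot CONF DOMAIN DOCROOT
# Rewrites "authenticator = standalone" to "authenticator = webroot" and
# appends a [[webroot_map]] section mapping DOMAIN to DOCROOT.
# Returns 1 and leaves CONF untouched when CONF is not standalone, already
# has a webroot_map, or DOCROOT does not exist, so a second run is harmless.
switch_to_webroot() {
    conf=$1 domain=$2 docroot=$3
    grep -q '^authenticator = standalone$' "$conf" || return 1
    if grep -q '^\[\[webroot_map\]\]' "$conf"; then return 1; fi
    [ -d "$docroot" ] || return 1
    cp -p "$conf" "$conf.bak"            # certbot keeps no history of this file
    # edit into a temp file and rename, so a crash never leaves a half-edited conf
    sed 's/^authenticator = standalone$/authenticator = webroot/' "$conf" > "$conf.tmp"
    printf '[[webroot_map]]\n%s = %s\n' "$domain" "$docroot" >> "$conf.tmp"
    mv "$conf.tmp" "$conf"
}

# challenge_dir_ok DOCROOT
# The webroot plugin writes the token under DOCROOT/.well-known/acme-challenge/
# and Let's Encrypt fetches it over port 80; make sure certbot (running as
# root from cron) can create and write that directory before trusting the
# next renewal run.
challenge_dir_ok() {
    dir="$1/.well-known/acme-challenge"
    mkdir -p "$dir" && : > "$dir/.probe" && rm -f "$dir/.probe"
}

# port80_in_use
# True when some process already listens on TCP port 80 (Linux, iproute2 ss).
# That is exactly the condition under which standalone fails with
# "Problem binding to port 80", and the reason to use webroot instead.
port80_in_use() {
    ss -ltn 2>/dev/null | awk '$4 ~ /:80$/ { found = 1 } END { exit !found }'
}

# demo
# Builds a constructed renewal conf (sample data, not the author's file) in a
# temp dir, converts it, checks the challenge dir, and prints the temp dir.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/htdocs"
    cat > "$tmp/example.test.conf" <<'EOF'
# renew_before_expiry = 30 days
version = 0.36.0
archive_dir = /etc/letsencrypt/archive/example.test
cert = /etc/letsencrypt/live/example.test/cert.pem
privkey = /etc/letsencrypt/live/example.test/privkey.pem
chain = /etc/letsencrypt/live/example.test/chain.pem
fullchain = /etc/letsencrypt/live/example.test/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = standalone
server = https://acme-v02.api.letsencrypt.org/directory
EOF
    switch_to_webroot "$tmp/example.test.conf" example.test "$tmp/htdocs"
    challenge_dir_ok "$tmp/htdocs"
    printf '%s\n' "$tmp"
}

# Stand-alone run: show the converted conf, then clean up.
# On a real host, follow up with:  certbot renew --cert-name example.test --dry-run
dir=$(demo)
cat "$dir/example.test.conf"
rm -rf "$dir"
```

After converting a real conf, run certbot renew --cert-name <domain> --dry-run before waiting for cron: it exercises the webroot challenge against the staging environment without touching the live certificate, so a wrong docroot shows up immediately instead of in the next expiry warning email.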
And then...
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/freesim.tokyo.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for freesim.tokyo
Waiting for verification...
Cleaning up challenges
# renew_before_expiry = 30 days
version = 0.36.0
archive_dir = /etc/letsencrypt/archive/freesim.tokyo
cert = /etc/letsencrypt/live/freesim.tokyo/cert.pem
privkey = /etc/letsencrypt/live/freesim.tokyo/privkey.pem
chain = /etc/letsencrypt/live/freesim.tokyo/chain.pem
fullchain = /etc/letsencrypt/live/freesim.tokyo/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is /etc/letsencrypt/live/freesim.tokyo/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Oh, looks like it worked.
The following certs are not due for renewal yet:
  /etc/letsencrypt/live/****.net/fullchain.pem expires on 2019-09-12 (skipped)
Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/freesim.tokyo/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
... and with that, success! One thing worth noting in the output above: "new certificate deployed without reload". With Installer None, certbot only writes the new files; the web server keeps serving the old certificate until it is reloaded, so the cron job should either reload the web server after certbot renew or pass certbot a --deploy-hook that does it.