Let's Encrypt Trial-and-Error Log, April 2019


 Status: -  Views: 788  Posted: 2019-02-01  Updated: 2019-04-18

Currently configured https hosts

 Views: 127  Posted: 2018-08-31  Updated: 2019-05-21 

Currently configured https hosts


a.example.com
e.example.org
g.example.net
p.example.com
example.com


2019/4/12: received the "Let's Encrypt certificate expiration notice for domain" email / Checking the certbot version / SSL certificate acquisition failed

 Views: 159  Posted: 2019-01-31  Updated: 2019-05-21 

Contents of the received emails


First email
・English body
Hello,

Your certificate (or certificates) for the names listed below will expire in 20 days (on 01 May 19 22:55 +0000). Please make sure to renew your certificate before then, or visitors to your website will encounter errors.

We recommend renewing certificates automatically when they have a third of their
total lifetime left. For Let's Encrypt's current 90-day certificates, that means
renewing 30 days before expiration. See
https://letsencrypt.org/docs/integration-guide/ for details.

*.example.com
*.example.net
*.example.com
example.com
example.net
example.com

For any questions or support, please visit https://community.letsencrypt.org/. Unfortunately, we can't provide support by email.

If you are receiving this email in error, unsubscribe at http://mandrillapp.com/track/unsub.php?u=xxxx

You may need to update your client to the latest version in case it is still using the deprecated TLS-SNI-01 validation method. https://community.letsencrypt.org/t/february-13-2019-end-of-life-for-all-tls-sni-01-validation-support/74209

Step-by-step instructions for updating Certbot are here: https://community.letsencrypt.org/t/how-to-stop-using-tls-sni-01-with-certbot/83210

Regards,
The Let's Encrypt Team



Second email
・English body
Hello,

Your certificate (or certificates) for the names listed below will expire in 20 days (on 02 May 19 00:27 +0000).
// (middle omitted)

g.example.net



Checking the certbot version


$ certbot --version || /path/to/certbot-auto --version
certbot 0.29.1


SSL certificate acquisition failed


Certbot automatically edits the Nginx configuration file

$ sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/a.example.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for a.example.com
http-01 challenge for b.example.com
http-01 challenge for c.example.org
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (a.example.com) from /etc/letsencrypt/renewal/a.example.com.conf produced an unexpected error: Failed authorization procedure. c.example.org (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: dns :: DNS problem: NXDOMAIN looking up A for c.example.org. Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/example.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Attempting to parse the version 0.30.2 renewal configuration file found at /etc/letsencrypt/renewal/example.com.conf with version 0.29.1 of Certbot. This might not work.
Cert is due for renewal, auto-renewing...
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',)
Attempting to renew cert (example.com) from /etc/letsencrypt/renewal/example.com.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/g.example.net.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for g.example.net
Waiting for verification...
Cleaning up challenges
Resetting dropped connection: acme-staging-v02.api.letsencrypt.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/g.example.net/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/p.example.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for p.example.com
Waiting for verification...
Cleaning up challenges
Resetting dropped connection: acme-staging-v02.api.letsencrypt.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/p.example.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/e.example.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for e.example.com
Waiting for verification...
Cleaning up challenges
Resetting dropped connection: acme-staging-v02.api.letsencrypt.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/e.example.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certs could not be renewed:
 /etc/letsencrypt/live/a.example.com/fullchain.pem (failure)
 /etc/letsencrypt/live/example.com/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

The following certs were successfully renewed:
 /etc/letsencrypt/live/g.example.net/fullchain.pem (success)
 /etc/letsencrypt/live/p.example.com/fullchain.pem (success)
 /etc/letsencrypt/live/e.example.com/fullchain.pem (success)

The following certs could not be renewed:
 /etc/letsencrypt/live/a.example.com/fullchain.pem (failure)
 /etc/letsencrypt/live/example.com/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
- The following errors were reported by the server:

  Domain: c.example.org
  Type:   connection
  Detail: dns :: DNS problem: NXDOMAIN looking up A for c.example.org

  To fix these errors, please make sure that your domain name was
  entered correctly and the DNS A/AAAA record(s) for that domain
  contain(s) the right IP address. Additionally, please check that
  your computer has a publicly routable IP address and that no
  firewalls are preventing the server from communicating with the
  client. If you're using the webroot plugin, you should also verify
  that you are serving files from the webroot path you provided.


Check / Delete the Nginx configuration file / Restart Nginx

 Views: 133  Posted: 2019-01-31  Updated: 2019-05-21 

Check


Check the symbolic links to the certificates
$ sudo ls -la /etc/letsencrypt/live/
合計 8
drwx------ 7 root root  141  2月  8 13:21 .
drwxr-xr-x 9 root root 4096  4月 12 22:56 ..
-rw-r--r-- 1 root root  740  2月  1 08:55 README
drwxr-xr-x 2 root root   88  2月 17 05:05 a.example.com
drwxr-xr-x 2 root root   88  4月 10 02:16 e.example.com
drwxr-xr-x 2 root root   88  2月  1 10:27 g.example.net
drwxr-xr-x 2 root root   88  4月  3 05:40 p.example.com
drwxr-xr-x 2 root root   88  2月  1 08:55 example.com


Check the Nginx configuration file
$ less /etc/nginx/conf.d/c.conf
server {
   server_name  c.example.co.jp;
   root   /var/www/html/example.co.jp/c.example.co.jp;
   index  index.php index.html index.htm;
   #charset koi8-r;
   #access_log  /var/log/nginx/host.access.log  main;

   location / {
       #root   /usr/share/nginx/html;
       #index  index.html index.htm;
       try_files $uri $uri/ /index.php?$query_string;
   }

   #error_page  404              /404.html;

   # redirect server error pages to the static page /50x.html
   #
   error_page   500 502 503 504  /50x.html;
   location = /50x.html {
       root   /usr/share/nginx/html;
   }

   # proxy the PHP scripts to Apache listening on 127.0.0.1:80
   #
   #location ~ \.php$ {
   #    proxy_pass   http://127.0.0.1;
   #}

   # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
   #
   #location ~ \.php$ {
   #    root           html;
   #    fastcgi_pass   127.0.0.1:9000;
   #    fastcgi_index  index.php;
   #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
   #    include        fastcgi_params;
   #}

   # deny access to .htaccess files, if Apache's document root
   # concurs with nginx's one
   #
   #location ~ /\.ht {
   #    deny  all;
   #}

   location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        include fastcgi_params;
   }


   listen 443 ssl; # managed by Certbot
   ssl_certificate /etc/letsencrypt/live/a.example.com/fullchain.pem; # managed by Certbot
   ssl_certificate_key /etc/letsencrypt/live/a.example.com/privkey.pem; # managed by Certbot
   include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
   ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot


}
server {
   if ($host = c.example.co.jp) {
       return 301 https://$host$request_uri;
   } # managed by Certbot


   listen       80;
   server_name  c.example.co.jp;
   return 404; # managed by Certbot


}


Delete the Nginx configuration file


Run the deletion of the Nginx configuration file
$ sudo rm  /etc/nginx/conf.d/c.conf

Confirm that the Nginx configuration file was deleted
$ less /etc/nginx/conf.d/c.conf
/etc/nginx/conf.d/c.conf: そのようなファイルやディレクトリはありません


Restart Nginx


$ sudo systemctl restart nginx.service
$ sudo systemctl stop nginx.service
$ sudo systemctl start nginx.service


Create a web page / Delete the web page / Error message caused by the Certbot version

 Views: 123  Posted: 2019-04-12  Updated: 2019-05-21 

Create a web page


$ less /var/www/html/example.org/c.example.org/index.php
<?php echo 'c'; ?>


Delete the web page


$ sudo rm -rf /var/www/html/example.org/c.example.org/

Error message caused by the Certbot version


Attempting to parse the version 0.30.2 renewal configuration file found at /etc/letsencrypt/renewal/example.com.conf with version 0.29.1 of Certbot. This might not work.


Update acme / Update Certbot / Check the Certbot version

 Views: 157  Posted: 2019-04-13  Updated: 2019-05-21 

Update acme


$ sudo yum --enablerepo=epel update python2-acme
読み込んだプラグイン:fastestmirror, langpacks
Repodata is over 2 weeks old. Install yum-cron? Or run: yum makecache fast
base                                                                                        | 3.6 kB  00:00:00    
epel/x86_64/metalink                                                                        | 5.3 kB  00:00:00    
epel                                                                                        | 4.7 kB  00:00:00    
extras                                                                                      | 3.4 kB  00:00:00    
ius                                                                                         | 2.3 kB  00:00:00    
mysql-connectors-community                                                                  | 2.5 kB  00:00:00    
mysql-tools-community                                                                       | 2.5 kB  00:00:00    
mysql57-community                                                                           | 2.5 kB  00:00:00    
nginx                                                                                       | 2.9 kB  00:00:00    
remi-safe                                                                                   | 3.0 kB  00:00:00    
updates                                                                                     | 3.4 kB  00:00:00    
(1/8): epel/x86_64/updateinfo                                                               | 986 kB  00:00:00    
(2/8): mysql-connectors-community/x86_64/primary_db                                         |  37 kB  00:00:00    
(3/8): extras/7/x86_64/primary_db                                                           | 187 kB  00:00:00    
(4/8): mysql-tools-community/x86_64/primary_db                                              |  54 kB  00:00:00    
(5/8): updates/7/x86_64/primary_db                                                          | 3.4 MB  00:00:01    
(6/8): epel/x86_64/primary_db                                                               | 6.7 MB  00:00:01    
(7/8): ius/x86_64/primary_db                                                                | 297 kB  00:00:02    
(8/8): remi-safe/primary_db                                                                 | 1.4 MB  00:00:02    
Determining fastest mirrors
* base: ftp.iij.ad.jp
* epel: ftp.iij.ad.jp
* extras: ftp.iij.ad.jp
* ius: mirrors.tuna.tsinghua.edu.cn
* remi-safe: ftp.riken.jp
* updates: ftp.iij.ad.jp
依存性の解決をしています
--> トランザクションの確認を実行しています。
---> パッケージ python2-acme.noarch 0:0.29.1-1.el7 を 更新
---> パッケージ python2-acme.noarch 0:0.31.0-1.el7 を アップデート
--> 依存性解決を終了しました。

依存性を解決しました

===================================================================================================================
Package                       アーキテクチャー        バージョン                      リポジトリー           容量
===================================================================================================================
更新します:
python2-acme                  noarch                  0.31.0-1.el7                    epel                  148 k

トランザクションの要約
===================================================================================================================
更新  1 パッケージ

総ダウンロード容量: 148 k
Is this ok [y/d/N]:

y
Downloading packages:
Delta RPMs disabled because /usr/bin/applydeltarpm not installed.
python2-acme-0.31.0-1.el7.noarch.rpm                                                        | 148 kB  00:00:00    
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
 更新します              : python2-acme-0.31.0-1.el7.noarch                                                   1/2
 整理中                  : python2-acme-0.29.1-1.el7.noarch                                                   2/2
 検証中                  : python2-acme-0.31.0-1.el7.noarch                                                   1/2
 検証中                  : python2-acme-0.29.1-1.el7.noarch                                                   2/2

更新:
 python2-acme.noarch 0:0.31.0-1.el7                                                                              

完了しました!


Update Certbot


$ sudo yum --enablerepo=epel update certbot
読み込んだプラグイン:fastestmirror, langpacks
Loading mirror speeds from cached hostfile
* base: ftp.iij.ad.jp
* epel: ftp.iij.ad.jp
* extras: ftp.iij.ad.jp
* ius: mirrors.tuna.tsinghua.edu.cn
* remi-safe: ftp.riken.jp
* updates: ftp.iij.ad.jp
依存性の解決をしています
--> トランザクションの確認を実行しています。
---> パッケージ certbot.noarch 0:0.29.1-1.el7 を 更新
---> パッケージ certbot.noarch 0:0.31.0-2.el7 を アップデート
--> 依存性の処理をしています: python2-certbot = 0.31.0-2.el7 のパッケージ: certbot-0.31.0-2.el7.noarch
--> トランザクションの確認を実行しています。
---> パッケージ python2-certbot.noarch 0:0.29.1-1.el7 を 更新
---> パッケージ python2-certbot.noarch 0:0.31.0-2.el7 を アップデート
--> 依存性解決を終了しました。

依存性を解決しました

===================================================================================================================
Package                         アーキテクチャー       バージョン                      リポジトリー          容量
===================================================================================================================
更新します:
certbot                         noarch                 0.31.0-2.el7                    epel                  37 k
依存性関連での更新をします:
python2-certbot                 noarch                 0.31.0-2.el7                    epel                 547 k

トランザクションの要約
===================================================================================================================
更新  1 パッケージ (+1 個の依存関係のパッケージ)

総ダウンロード容量: 584 k
Is this ok [y/d/N]:

y
Downloading packages:
Delta RPMs disabled because /usr/bin/applydeltarpm not installed.
(1/2): certbot-0.31.0-2.el7.noarch.rpm                                                      |  37 kB  00:00:01    
(2/2): python2-certbot-0.31.0-2.el7.noarch.rpm                                              | 547 kB  00:00:00    
-------------------------------------------------------------------------------------------------------------------
合計                                                                               201 kB/s | 584 kB  00:00:02    
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
 更新します              : python2-certbot-0.31.0-2.el7.noarch                                                1/4
 更新します              : certbot-0.31.0-2.el7.noarch                                                        2/4
SELinux:  Could not downgrade policy file /etc/selinux/targeted/policy/policy.31, searching for an older version.
SELinux:  Could not downgrade policy file /etc/selinux/targeted/policy/policy.30, searching for an older version.
SELinux:  Could not open policy file <= /etc/selinux/targeted/policy/policy.31:  No such file or directory
/sbin/load_policy:  Can't load policy:  No such file or directory
libsemanage.semanage_reload_policy: load_policy returned error code 2. (No such file or directory).
SELinux:  Could not downgrade policy file /etc/selinux/targeted/policy/policy.31, searching for an older version.
SELinux:  Could not downgrade policy file /etc/selinux/targeted/policy/policy.30, searching for an older version.
SELinux:  Could not open policy file <= /etc/selinux/targeted/policy/policy.31:  No such file or directory
/sbin/load_policy:  Can't load policy:  No such file or directory
libsemanage.semanage_reload_policy: load_policy returned error code 2. (No such file or directory).
OSError: No such file or directory
 整理中                  : certbot-0.29.1-1.el7.noarch                                                        3/4
 整理中                  : python2-certbot-0.29.1-1.el7.noarch                                                4/4
 検証中                  : certbot-0.31.0-2.el7.noarch                                                        1/4
 検証中                  : python2-certbot-0.31.0-2.el7.noarch                                                2/4
 検証中                  : certbot-0.29.1-1.el7.noarch                                                        3/4
 検証中                  : python2-certbot-0.29.1-1.el7.noarch                                                4/4

更新:
 certbot.noarch 0:0.31.0-2.el7                                                                                    

依存性を更新しました:
 python2-certbot.noarch 0:0.31.0-2.el7                                                                            

完了しました!


Check the Certbot version


$ certbot --version || /path/to/certbot-auto --version
certbot 0.31.0




Check which hosts have an "SSL certificate" / Suspected cause of the error / Delete just one host from an "SSL certificate" obtained for multiple hosts

 Views: 145  Posted: 2019-04-13  Updated: 2019-05-21 

Check which hosts have an "SSL certificate"


Show information on the certificates managed by certbot
$ sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
 Certificate Name: a.example.com
   Domains: c.example.org a.example.com b.example.com
   Expiry Date: 2019-05-17 19:05:46+00:00 (VALID: 35 days)
   Certificate Path: /etc/letsencrypt/live/a.example.com/fullchain.pem
   Private Key Path: /etc/letsencrypt/live/a.example.com/privkey.pem
 Certificate Name: entrepreneur.example.com
   Domains: entrepreneur.example.com
   Expiry Date: 2019-07-08 16:16:24+00:00 (VALID: 87 days)
   Certificate Path: /etc/letsencrypt/live/entrepreneur.example.com/fullchain.pem
   Private Key Path: /etc/letsencrypt/live/entrepreneur.example.com/privkey.pem
 Certificate Name: g.example.net
   Domains: g.example.net
   Expiry Date: 2019-05-02 00:27:49+00:00 (VALID: 19 days)
   Certificate Path: /etc/letsencrypt/live/g.example.net/fullchain.pem
   Private Key Path: /etc/letsencrypt/live/g.example.net/privkey.pem
 Certificate Name: p.example.com
   Domains: p.example.com
   Expiry Date: 2019-07-01 19:40:02+00:00 (VALID: 80 days)
   Certificate Path: /etc/letsencrypt/live/p.example.com/fullchain.pem
   Private Key Path: /etc/letsencrypt/live/p.example.com/privkey.pem
 Certificate Name: example.com
   Domains: *.example.com *.example.com *.example.net example.com example.net example.com
   Expiry Date: 2019-05-01 22:55:56+00:00 (VALID: 19 days)
   Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
   Private Key Path: /etc/letsencrypt/live/example.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -


Suspected cause of the error


Multiple hosts were put on one certificate, and one of those hosts can no longer be reached
・To get rid of the "c.example.org" domain, it seems this whole certificate has to be deleted
  Certificate Name: a.example.com
   Domains: c.example.org a.example.com b.example.com
   Expiry Date: 2019-05-17 19:05:46+00:00 (VALID: 35 days)
   Certificate Path: /etc/letsencrypt/live/a.example.com/fullchain.pem
   Private Key Path: /etc/letsencrypt/live/a.example.com/privkey.pem
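The two failures in the dry run above come from the contents of the lineages rather than from certbot itself: a.example.com carries a SAN (c.example.org) that no longer resolves, and g.example.net and example.com are inside the 30-day window the expiration notice recommends. The script below is an added example, not code from this page or from certbot: it parses the text that `sudo certbot certificates` prints (the sample embedded here is constructed to mirror the listing above), flags lineages within 30 days of expiry, and lists non-wildcard SANs that do not resolve, so a broken SAN is found before `certbot renew` trips over it. Name resolution is injected as a function so the example runs offline; `real_resolver` is an assumed helper built on `socket.getaddrinfo` for a real run. Wildcard SANs are skipped because they are validated with dns-01, not by an A lookup.

```python
"""Pre-renewal check for certbot lineages (added example, not page or certbot code)."""
from datetime import datetime, timedelta, timezone
import socket

# Constructed sample, shaped like the `sudo certbot certificates` output on this page.
SAMPLE_OUTPUT = """\
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: a.example.com
    Domains: c.example.org a.example.com b.example.com
    Expiry Date: 2019-05-17 19:05:46+00:00 (VALID: 35 days)
    Certificate Path: /etc/letsencrypt/live/a.example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/a.example.com/privkey.pem
  Certificate Name: g.example.net
    Domains: g.example.net
    Expiry Date: 2019-05-02 00:27:49+00:00 (VALID: 19 days)
    Certificate Path: /etc/letsencrypt/live/g.example.net/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/g.example.net/privkey.pem
  Certificate Name: example.com
    Domains: *.example.com *.example.net example.com example.net
    Expiry Date: 2019-05-01 22:55:56+00:00 (VALID: 19 days)
    Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/example.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
"""

# Let's Encrypt's advice in the expiration notice: renew with a third of the
# 90-day lifetime left, i.e. 30 days before expiry.
RENEW_WINDOW = timedelta(days=30)

# Constructed stand-in for DNS: c.example.org is deliberately absent, matching
# the NXDOMAIN the dry run reported for it.
KNOWN_HOSTS = {"a.example.com", "b.example.com", "g.example.net",
               "example.com", "example.net"}


def parse_certificates(text):
    """Turn `certbot certificates` output into {lineage: {"domains", "expiry"}}."""
    lineages, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Certificate Name:"):
            current = line.split(":", 1)[1].strip()
            lineages[current] = {"domains": [], "expiry": None}
        elif current and line.startswith("Domains:"):
            lineages[current]["domains"] = line.split(":", 1)[1].split()
        elif current and line.startswith("Expiry Date:"):
            # "2019-05-17 19:05:46+00:00 (VALID: 35 days)" -> keep the timestamp only
            stamp = line.split(":", 1)[1].strip().split(" (")[0]
            lineages[current]["expiry"] = datetime.fromisoformat(stamp)
    return lineages


def fake_resolver(name):
    """Offline resolver used by the example."""
    return name in KNOWN_HOSTS


def real_resolver(name):
    """Assumed helper for a real run: True if an A/AAAA lookup succeeds."""
    try:
        socket.getaddrinfo(name, 443)
        return True
    except socket.gaierror:
        return False


def check_lineages(lineages, now, resolves):
    """Per lineage: is it due for renewal, and which http-01 SANs cannot resolve.

    Wildcard SANs are skipped: they are validated with dns-01, not by an A lookup.
    """
    report = {}
    for name, info in lineages.items():
        due = info["expiry"] - now <= RENEW_WINDOW
        bad = [d for d in info["domains"]
               if not d.startswith("*.") and not resolves(d)]
        report[name] = {"due": due, "unresolvable": bad}
    return report


def run(text=SAMPLE_OUTPUT,
        now=datetime(2019, 4, 12, 23, 0, tzinfo=timezone.utc),
        resolves=fake_resolver):
    """Entry point; `now` defaults to the day the notices on this page arrived."""
    return check_lineages(parse_certificates(text), now, resolves)


if __name__ == "__main__":
    for name, r in run().items():
        print(f"{name}: {'DUE' if r['due'] else 'not due'}; "
              f"unresolvable SANs: {r['unresolvable'] or 'none'}")
```

On a real host, feed it `subprocess.run(["certbot", "certificates"], capture_output=True, text=True).stdout` as `text`, `datetime.now(timezone.utc)` as `now`, and `real_resolver` as `resolves`; a lineage that shows up with an unresolvable SAN is the one to re-issue (or delete) before the renewal cron runs.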


Delete just one host from an "SSL certificate" obtained for multiple hosts


$ sudo certbot delete --cert-name c.example.org
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Deleted all files relating to certificate a.example.com.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -


I thought that had done it
・No way! It is worse than before
$ sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/entrepreneur.example.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Error while running nginx -c /etc/nginx/nginx.conf -t.

nginx: [emerg] BIO_new_file("/etc/letsencrypt/live/a.example.com/fullchain.pem") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/a.example.com/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
nginx: configuration file /etc/nginx/nginx.conf test failed

Could not choose appropriate plugin: The nginx plugin is not working; there may be problems with your existing configuration.
The error was: MisconfigurationError('Error while running nginx -c /etc/nginx/nginx.conf -t.\n\nnginx: [emerg] BIO_new_file("/etc/letsencrypt/live/a.example.com/fullchain.pem") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen(\'/etc/letsencrypt/live/a.example.com/fullchain.pem\',\'r\') error:2006D080:BIO routines:BIO_new_file:no such file)\nnginx: configuration file /etc/nginx/nginx.conf test failed\n',)
Attempting to renew cert (entrepreneur.example.com) from /etc/letsencrypt/renewal/entrepreneur.example.com.conf produced an unexpected error: The nginx plugin is not working; there may be problems with your existing configuration.
The error was: MisconfigurationError('Error while running nginx -c /etc/nginx/nginx.conf -t.\n\nnginx: [emerg] BIO_new_file("/etc/letsencrypt/live/a.example.com/fullchain.pem") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen(\'/etc/letsencrypt/live/a.example.com/fullchain.pem\',\'r\') error:2006D080:BIO routines:BIO_new_file:no such file)\nnginx: configuration file /etc/nginx/nginx.conf test failed\n',). Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/g.example.net.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Error while running nginx -c /etc/nginx/nginx.conf -t.

nginx: [emerg] BIO_new_file("/etc/letsencrypt/live/a.example.com/fullchain.pem") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/a.example.com/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
nginx: configuration file /etc/nginx/nginx.conf test failed

Could not choose appropriate plugin: The nginx plugin is not working; there may be problems with your existing configuration.
The error was: MisconfigurationError('Error while running nginx -c /etc/nginx/nginx.conf -t.\n\nnginx: [emerg] BIO_new_file("/etc/letsencrypt/live/a.example.com/fullchain.pem") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen(\'/etc/letsencrypt/live/a.example.com/fullchain.pem\',\'r\') error:2006D080:BIO routines:BIO_new_file:no such file)\nnginx: configuration file /etc/nginx/nginx.conf test failed\n',)
Attempting to renew cert (g.example.net) from /etc/letsencrypt/renewal/g.example.net.conf produced an unexpected error: The nginx plugin is not working; there may be problems with your existing configuration.
The error was: MisconfigurationError('Error while running nginx -c /etc/nginx/nginx.conf -t.\n\nnginx: [emerg] BIO_new_file("/etc/letsencrypt/live/a.example.com/fullchain.pem") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen(\'/etc/letsencrypt/live/a.example.com/fullchain.pem\',\'r\') error:2006D080:BIO routines:BIO_new_file:no such file)\nnginx: configuration file /etc/nginx/nginx.conf test failed\n',). Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/p.example.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Error while running nginx -c /etc/nginx/nginx.conf -t.

nginx: [emerg] BIO_new_file("/etc/letsencrypt/live/a.example.com/fullchain.pem") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/a.example.com/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
nginx: configuration file /etc/nginx/nginx.conf test failed

Could not choose appropriate plugin: The nginx plugin is not working; there may be problems with your existing configuration.
The error was: MisconfigurationError('Error while running nginx -c /etc/nginx/nginx.conf -t.\n\nnginx: [emerg] BIO_new_file("/etc/letsencrypt/live/a.example.com/fullchain.pem") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen(\'/etc/letsencrypt/live/a.example.com/fullchain.pem\',\'r\') error:2006D080:BIO routines:BIO_new_file:no such file)\nnginx: configuration file /etc/nginx/nginx.conf test failed\n',)
Attempting to renew cert (p.example.com) from /etc/letsencrypt/renewal/p.example.com.conf produced an unexpected error: The nginx plugin is not working; there may be problems with your existing configuration.
The error was: MisconfigurationError('Error while running nginx -c /etc/nginx/nginx.conf -t.\n\nnginx: [emerg] BIO_new_file("/etc/letsencrypt/live/a.example.com/fullchain.pem") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen(\'/etc/letsencrypt/live/a.example.com/fullchain.pem\',\'r\') error:2006D080:BIO routines:BIO_new_file:no such file)\nnginx: configuration file /etc/nginx/nginx.conf test failed\n',). Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/example.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',)
Attempting to renew cert (example.com) from /etc/letsencrypt/renewal/example.com.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping.
All renewal attempts failed. The following certs could not be renewed:
 /etc/letsencrypt/live/entrepreneur.example.com/fullchain.pem (failure)
 /etc/letsencrypt/live/g.example.net/fullchain.pem (failure)
 /etc/letsencrypt/live/p.example.com/fullchain.pem (failure)
 /etc/letsencrypt/live/example.com/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
 /etc/letsencrypt/live/entrepreneur.example.com/fullchain.pem (failure)
 /etc/letsencrypt/live/g.example.net/fullchain.pem (failure)
 /etc/letsencrypt/live/p.example.com/fullchain.pem (failure)
 /etc/letsencrypt/live/example.com/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4 renew failure(s), 0 parse failure(s)


$ nginx -t
nginx: [alert] could not open error log file: open() "/var/log/nginx/error.log" failed (13: Permission denied)
2019/04/13 00:53:05 [warn] 10026#10026: the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:1
2019/04/13 00:53:05 [emerg] 10026#10026: BIO_new_file("/etc/letsencrypt/live/a.example.com/fullchain.pem") failed (SSL: error:0200100D:system library:fopen:Permission denied:fopen('/etc/letsencrypt/live/a.example.com/fullchain.pem','r') error:2006D002:BIO routines:BIO_new_file:system lib)
nginx: configuration file /etc/nginx/nginx.conf test failed


Major trouble / How "SSL certificate" issuance and deletion relate to the "Nginx config file" / The danger of "restarting Nginx" after deleting an "SSL certificate"

 Views: 127 Posted: 2019-04-13 Updated: 2019-05-21 

Major trouble


Nginx no longer starts
・Escalated into a serious situation where none of the sites was displayed any more
I ran "certbot delete --cert-name". Failed to restart Nginx

How "SSL certificate" issuance and deletion relate to the "Nginx config file"


Issuing an "SSL certificate"
・Certbot edits the Nginx config file automatically
$ sudo certbot --nginx

Deleting an "SSL certificate"
・Certbot does not remove the lines it added to the Nginx config file when the "SSL certificate" was issued
$ sudo certbot revoke --cert-path=/etc/letsencrypt/live/xxxx.example.com/cert.pem

As a result
・The Nginx config file no longer matches what is actually on disk
・Nginx fails to restart (unless the lines Certbot added to the Nginx config file automatically at issuance are removed by hand)
→ None of the sites is displayed any more

The danger of "restarting Nginx" after deleting an "SSL certificate"


If the command below reports an error, do not stop or restart Nginx while the error is still unresolved
→ because Nginx will not start again
$ nginx -t

Checking the config file and then starting Nginx on CentOS 7

Questions / Points that probably need fixing / Trying to delete the "SSL certificate"

 Views: 131 Posted: 2019-04-13 Updated: 2019-05-21 

Questions


# ls /etc/nginx/conf.d/
・There is no "a.example.com.conf"
・"a.conf" was commented out, which had no effect, so in the end it was deleted
・So why is it still being referenced?
server {
   server_name  a.example.com;
   root   /var/www/html/example.com/a.example.com;
   index  index.php index.html index.htm;
   #charset koi8-r;
   #access_log  /var/log/nginx/host.access.log  main;

   location / {
       #root   /usr/share/nginx/html;
       #index  index.html index.htm;
       try_files $uri $uri/ /index.php?$query_string;
   }

   #error_page  404              /404.html;

   # redirect server error pages to the static page /50x.html
   #
   error_page   500 502 503 504  /50x.html;
   location = /50x.html {
       root   /usr/share/nginx/html;
   }

   # proxy the PHP scripts to Apache listening on 127.0.0.1:80
   #
   #location ~ \.php$ {
   #    proxy_pass   http://127.0.0.1;
   #}

   # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
   #
   #location ~ \.php$ {
   #    root           html;
   #    fastcgi_pass   127.0.0.1:9000;
   #    fastcgi_index  index.php;
   #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
   #    include        fastcgi_params;
   #}

   # deny access to .htaccess files, if Apache's document root
   # concurs with nginx's one
   #
   #location ~ /\.ht {
   #    deny  all;
   #}

   location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        include fastcgi_params;
   }


#    listen 443 ssl; # managed by Certbot
#    ssl_certificate /etc/letsencrypt/live/a.example.com/fullchain.pem; # managed by Certbot
#    ssl_certificate_key /etc/letsencrypt/live/a.example.com/privkey.pem; # managed by Certbot
#    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
#    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot


}
#server {
#    if ($host = a.example.com) {
#        return 301 https://$host$request_uri;
#    } # managed by Certbot


#    listen       80;
#    server_name  a.example.com;
#    return 404; # managed by Certbot


#}


Points that probably need fixing


Stop Nginx from reading the directory under /etc/letsencrypt/live/
・Remove the relevant entry (the one that references the certificate) from the configuration (presumably inside /etc/nginx/nginx.conf)

The "a.example.com certificate" covers 3 hosts
・Of these only "c.example.org" is unused, so I tried to delete just that one, but it seems I went about it the wrong way
Certificate Name: a.example.com
  Domains: c.example.org a.example.com b.example.com

It would probably have been clearer to delete everything once and then issue a new SSL certificate for only the hosts actually in use

Trying to delete the "SSL certificate"


# ./certbot-auto delete -d a.example.com
Upgrading certbot-auto 0.30.2 to 0.33.1...
Replacing certbot-auto...
Creating virtual environment...
Installing Python packages...
Installation succeeded.
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which certificate(s) would you like to delete?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: e.example.com
2: g.example.net
3: p.example.com
4: example.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):


Cancelled
c
User ended interaction.




Probable cause of the error / Handling the error / "Wrong thinking" or "processing that turned out to be irrelevant"

 Views: 114 Posted: 2019-04-13 Updated: 2019-05-21 

Probable cause of the error


The command below is presumably meant to remove whatever relates to a.example.com.conf
・However, since the file was created early on, its name was a.conf, so the association probably could not be made and the relevant section could not be removed
$ sudo certbot delete --cert-name a.example.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Deleted all files relating to certificate a.example.com.


→ When an "SSL certificate" is deleted with Certbot, Nginx fails to restart (unless the lines Certbot added to the Nginx config file automatically at issuance are removed by hand)

Handling the error


# ls /etc/nginx/conf.d/
# less /etc/nginx/conf.d/b.conf
# vi /etc/nginx/conf.d/b.conf



# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

# systemctl start nginx.service


"Wrong thinking" or "processing that turned out to be irrelevant"


Deleting the a.example.com.conf file
・Has to be put back later
・https://a.example.com/

Creating the directory and the file
・If the cause is that '/etc/letsencrypt/live/a.example.com/fullchain.pem' cannot be accessed, then creating it should be enough
・Turned out that merely creating it is not enough; apparently it has to be something Nginx can actually load
# mkdir -m 777 /etc/letsencrypt/live/a.example.com/
# ls /etc/letsencrypt/live/
README  a.example.com  e.example.com  g.example.net  p.example.com  example.com
# nginx -t
nginx: [emerg] BIO_new_file("/etc/letsencrypt/live/a.example.com/fullchain.pem") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/a.example.com/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
nginx: configuration file /etc/nginx/nginx.conf test failed

# touch /etc/letsencrypt/live/a.example.com/fullchain.pem
# nginx -t
nginx: [emerg] PEM_read_bio_X509_AUX("/etc/letsencrypt/live/a.example.com/fullchain.pem") failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: TRUSTED CERTIFICATE)
nginx: configuration file /etc/nginx/nginx.conf test failed




2019/4/13. Error: /.well-known/acme-challenge/ cannot be accessed

 Views: 150 Posted: 2019-04-14 Updated: 2019-05-21 

SSL certificate issuance failed


Certbot edits the Nginx config file automatically
$ sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/e.example.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for e.example.com
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (e.example.com) from /etc/letsencrypt/renewal/e.example.com.conf produced an unexpected error: Failed authorization procedure. e.example.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://e.example.com/.well-known/acme-challenge/fhhSxxxx [IPアドレス]: "<!doctype html>\r\n<html lang=\"ja\">\r\n<head>\r\n\t<meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\" />\r\n\t<meta http-e". Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/g.example.net.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for g.example.net
Waiting for verification...
Cleaning up challenges
Resetting dropped connection: acme-staging-v02.api.letsencrypt.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/g.example.net/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/php-demo.example.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for php-demo.example.com
Waiting for verification...
Cleaning up challenges
Resetting dropped connection: acme-staging-v02.api.letsencrypt.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/php-demo.example.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/example.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',)
Attempting to renew cert (example.com) from /etc/letsencrypt/renewal/example.com.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping.
The following certs could not be renewed:
 /etc/letsencrypt/live/e.example.com/fullchain.pem (failure)
 /etc/letsencrypt/live/example.com/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

The following certs were successfully renewed:
 /etc/letsencrypt/live/g.example.net/fullchain.pem (success)
 /etc/letsencrypt/live/php-demo.example.com/fullchain.pem (success)

The following certs could not be renewed:
 /etc/letsencrypt/live/e.example.com/fullchain.pem (failure)
 /etc/letsencrypt/live/example.com/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
- The following errors were reported by the server:

  Domain: e.example.com
  Type:   unauthorized
  Detail: Invalid response from
  https://e.example.com/.well-known/acme-challenge/fhhSxxxx
  [IPアドレス]: "<!doctype html>\r\n<html
  lang=\"ja\">\r\n<head>\r\n\t<meta http-equiv=\"Content-Type\"
  content=\"text/html; charset=UTF-8\" />\r\n\t<meta http-e"

  To fix these errors, please make sure that your domain name was
  entered correctly and the DNS A/AAAA record(s) for that domain
  contain(s) the right IP address.


/.well-known/acme-challenge


An error occurs if it cannot be accessed
・To verify the domain, certbot places a file signed with a temporary public key in the directory /.well-known/acme-challenge, and the ACME challenge is made against it
・If that directory cannot be accessed properly, an error occurs

Set up a separate webroot for Let's Encrypt
・The webroot can be anywhere
・Make sure it does not produce a 403 error
# mkdir -p /var/www/acme-challenge
# chown -R ★★:★★ /var/www/acme-challenge
Let's Encrypt renewal failed


$ ls -la /var/www/acme-challenge
合計 0
drwxr-xr-x 2 ★★ ★★  6  6月 22  2018 .
drwxr-xr-x 5 root       root       52 11月  5 10:47 ..

$ sudo chown -R ★★:★★ /var/www/acme-challenge
$ ls -la /var/www/acme-challenge
合計 0
drwxr-xr-x 2 ★★ ★★  6  6月 22  2018 .
drwxr-xr-x 5 root       root       52 11月  5 10:47 ..


SSL certificate issuance failed


Certbot edits the Nginx config file automatically
$ sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/e.example.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for e.example.com
Waiting for verification...
Cleaning up challenges
Resetting dropped connection: acme-staging-v02.api.letsencrypt.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/e.example.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/g.example.net.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for g.example.net
Waiting for verification...
Cleaning up challenges
Resetting dropped connection: acme-staging-v02.api.letsencrypt.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/g.example.net/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/php-demo.example.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for php-demo.example.com
Waiting for verification...
Cleaning up challenges
Resetting dropped connection: acme-staging-v02.api.letsencrypt.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/php-demo.example.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/example.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',)
Attempting to renew cert (example.com) from /etc/letsencrypt/renewal/example.com.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping.
The following certs could not be renewed:
 /etc/letsencrypt/live/example.com/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

The following certs were successfully renewed:
 /etc/letsencrypt/live/e.example.com/fullchain.pem (success)
 /etc/letsencrypt/live/g.example.net/fullchain.pem (success)
 /etc/letsencrypt/live/php-demo.example.com/fullchain.pem (success)

The following certs could not be renewed:
 /etc/letsencrypt/live/example.com/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)


(Http-01): urn: ietf: params: acme: error: unauthorized error when I execute "$ sudo certbot renew --dry-run" command

2019/4/14. authenticator = manual / Why I cannot understand "Let's Encrypt"

 Views: 165 Posted: 2019-04-14 Updated: 2019-05-22 

2019/4/14. authenticator = manual


$ sudo ls /etc/letsencrypt/live/
README  a.example.com  e.example.com  g.example.net  p.example.com  example.com

"/a.example.com" is an empty directory
$ sudo ls /etc/letsencrypt/live/a.example.com
$ sudo ls -la  /etc/letsencrypt/live/a.example.com
合計 0
drwxrwxrwx 2 root root   6  4月 13 01:56 .
drwx------ 7 root root 141  4月 13 01:52 ..

$ sudo ls /etc/letsencrypt/renewal/
e.example.com  g.example.net.conf  p.example.com.conf  example.com.conf

$ sudo less /etc/letsencrypt/renewal/example.com.conf
# renew_before_expiry = 30 days
version = 0.30.2
archive_dir = /etc/letsencrypt/archive/example.com
cert = /etc/letsencrypt/live/example.com/cert.pem
privkey = /etc/letsencrypt/live/example.com/privkey.pem
chain = /etc/letsencrypt/live/example.com/chain.pem
fullchain = /etc/letsencrypt/live/example.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = manual
account = a611xxxx
pref_challs = dns-01,
manual_public_ip_logging_ok = True
server = https://acme-v02.api.letsencrypt.org/directory
/etc/letsencrypt/renewal/example.com.conf (END)


Why I cannot understand "Let's Encrypt"


I finally understand why I cannot understand "Let's Encrypt" (not that I now understand letsencrypt itself)
・It is because I have no idea at all what "Let's Encrypt" is actually doing
・I do not grasp which files get created, and for what purpose, when I run a command

2019/4/16. authenticator / The result of "$ sudo certbot renew --dry-run" is not consistent

 Views: 134 Posted: 2019-04-16 Updated: 2019-05-21 

2019/4/16. authenticator


authenticator = nginx
$ less /etc/letsencrypt/renewal/p.example.com.conf
# renew_before_expiry = 30 days
version = 0.29.1
archive_dir = /etc/letsencrypt/archive/p.example.com
cert = /etc/letsencrypt/live/p.example.com/cert.pem
privkey = /etc/letsencrypt/live/p.example.com/privkey.pem
chain = /etc/letsencrypt/live/p.example.com/chain.pem
fullchain = /etc/letsencrypt/live/p.example.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = nginx
installer = nginx
account = a611xxxx
server = https://acme-v02.api.letsencrypt.org/directory
/etc/letsencrypt/renewal/p.example.com.conf (END)


authenticator = nginx
$ less /etc/letsencrypt/renewal/e.example.com.conf
# renew_before_expiry = 30 days
version = 0.29.1
archive_dir = /etc/letsencrypt/archive/e.example.com
cert = /etc/letsencrypt/live/e.example.com/cert.pem
privkey = /etc/letsencrypt/live/e.example.com/privkey.pem
chain = /etc/letsencrypt/live/e.example.com/chain.pem
fullchain = /etc/letsencrypt/live/e.example.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = nginx
installer = nginx
account = a611xxxx
server = https://acme-v02.api.letsencrypt.org/directory
/etc/letsencrypt/renewal/e.example.com.conf (END)


authenticator = manual
$ less /etc/letsencrypt/renewal/example.com.conf
# renew_before_expiry = 30 days
version = 0.30.2
archive_dir = /etc/letsencrypt/archive/example.com
cert = /etc/letsencrypt/live/example.com/cert.pem
privkey = /etc/letsencrypt/live/example.com/privkey.pem
chain = /etc/letsencrypt/live/example.com/chain.pem
fullchain = /etc/letsencrypt/live/example.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = manual
account = a611xxxx
pref_challs = dns-01,
manual_public_ip_logging_ok = True
server = https://acme-v02.api.letsencrypt.org/directory
/etc/letsencrypt/renewal/example.com.conf (END)
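The three renewal files above differ only in `[renewalparams]`, and that section alone already predicts the `PluginError` seen in the `certbot renew` runs on this page. The lint below is an added example, not code from the post or from certbot: it reads `authenticator`, `manual_auth_hook` and `pref_challs` from a renewal conf and flags `authenticator = manual` without a hook (fails non-interactively) and an HTTP-based authenticator combined with `pref_challs = dns-01`. `conf_value`, `lint_renewal_conf` and the temp-dir sample confs are my own; the sample contents reproduce the page's files, including its `xxxx` placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): a lint for
# /etc/letsencrypt/renewal/*.conf that predicts, from [renewalparams] alone,
# whether unattended "certbot renew" can work. It flags the two combinations
# the post ran into: authenticator = manual with no manual_auth_hook (the
# PluginError), and an HTTP-based authenticator asked for dns-01.
# Function names and the sample conf files are constructed for this example.

# conf_value <conf file> <key>: value of "key = value" inside [renewalparams];
# '#' comment lines and keys outside that section are ignored.
conf_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        /^\[/            { section = $0; next }
        section == "[renewalparams]" && $1 == key && $2 == "=" {
            sub(/^[^=]*=[[:space:]]*/, ""); print; exit
        }' "$1"
}

# lint_renewal_conf <conf file>: prints findings, returns 1 if any were found.
lint_renewal_conf() {
    auth=$(conf_value "$1" authenticator)
    hook=$(conf_value "$1" manual_auth_hook)
    challs=$(conf_value "$1" pref_challs)
    rc=0
    case $auth in
        manual)
            if [ -z "$hook" ]; then
                echo "$1: authenticator = manual without manual_auth_hook;" \
                     "non-interactive 'certbot renew' will fail with PluginError"
                rc=1
            fi ;;
        nginx|apache|webroot|standalone)
            case $challs in
                *dns-01*)
                    echo "$1: pref_challs = $challs but authenticator = $auth" \
                         "cannot answer dns-01 (needed for wildcard names)"
                    rc=1 ;;
            esac ;;
        '')
            echo "$1: no authenticator in [renewalparams]"
            rc=1 ;;
    esac
    return $rc
}

# make_sample_confs: writes the two renewal confs quoted in the post (same keys
# and placeholders as on the page) to a temp dir and prints its path.
make_sample_confs() {
    d=$(mktemp -d)
    cat > "$d/example.com.conf" <<'EOF'
# renew_before_expiry = 30 days
version = 0.30.2
archive_dir = /etc/letsencrypt/archive/example.com
cert = /etc/letsencrypt/live/example.com/cert.pem

# Options used in the renewal process
[renewalparams]
authenticator = manual
account = a611xxxx
pref_challs = dns-01,
manual_public_ip_logging_ok = True
server = https://acme-v02.api.letsencrypt.org/directory
EOF
    cat > "$d/p.example.com.conf" <<'EOF'
# renew_before_expiry = 30 days
version = 0.29.1
archive_dir = /etc/letsencrypt/archive/p.example.com

# Options used in the renewal process
[renewalparams]
authenticator = nginx
installer = nginx
account = a611xxxx
server = https://acme-v02.api.letsencrypt.org/directory
EOF
    printf '%s\n' "$d"
}

# Real use:  for f in /etc/letsencrypt/renewal/*.conf; do lint_renewal_conf "$f"; done
if [ "${1:-}" = "--demo" ]; then
    demo=$(make_sample_confs)
    for f in "$demo"/*.conf; do lint_renewal_conf "$f" || true; done
    rm -rf "$demo"
fi
```

The renewal conf does not record the certificate's names, so whether a `*.example.com` entry needs dns-01 has to be read from `cert.pem` itself; the lint only catches what the conf alone can prove.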



About default_type in the location block of /etc/nginx/conf.d/default.conf

The result of "$ sudo certbot renew --dry-run" is not consistent


2019/4/15
・After the commands below, the "e.example.com" error was no longer shown, and yet
$ sudo chown -R ★★:★★ /var/www/acme-challenge
$ sudo certbot renew --dry-run

When I tried "$ sudo certbot renew --dry-run" today (2019/4/16),
・the "e.example.com" error is shown again
 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/e.example.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for e.example.com
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (e.example.com) from /etc/letsencrypt/renewal/e.example.com.conf produced an unexpected error: Failed authorization procedure. e.example.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://e.example.com/.well-known/acme-challenge/Fcojxxxx [IPアドレス]: "<!doctype html>\r\n<html lang=\"ja\">\r\n<head>\r\n\t<meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\" />\r\n\t<meta http-e". Skipping.

・What is going on?
・Could it be that "$ sudo certbot renew --dry-run" gives a different result every time it is run?

2016/4/16
・With the fix below, the "e.example.com" error is no longer shown

▼/etc/nginx/conf.d/default.conf
・Before the fix
server {
   # ...omitted...
   location ^~ /.well-known/acme-challenge/ {
       root /var/www/acme-challenge;
   }

・After the fix
server {
   # ...omitted...
   location ^~ /.well-known/acme-challenge/ {
       default_type "text/plain";
       root /var/www/acme-challenge;
   }


2019/4/17
・Not again!
・Yesterday it was "successfully renewed"!
$ sudo certbot renew --dry-run
Attempting to renew cert (e.0mode.tokyo) from /etc/letsencrypt/renewal/e.example.com.conf produced an unexpected error: Failed authorization procedure. e.example.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://e.example.com/.well-known/acme-challenge/F1yqxxxx [IPアドレス]: "<!doctype html>\r\n<html lang=\"ja\">\r\n<head>\r\n\t<meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\" />\r\n\t<meta http-e". Skipping.
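Every failed run on this page shows the same symptom: the challenge URL (after the redirect to https) answered with the site's HTML page instead of the token. The probe below is an added example, not code from the post or from certbot, and serves both the separate-webroot setup described earlier and the `default_type` fix above: `acme_probe` writes a throw-away token under `<webroot>/.well-known/acme-challenge/` and fetches it with curl the way the CA does, while `classify_probe` is a pure function that turns status and body into a diagnosis, so it can be exercised offline. The host, webroot, token and function names are my own assumptions; the post's webroot is /var/www/acme-challenge.

```shell
#!/bin/sh
# Added example (not from the original post): a probe for the http-01 failures
# on this page, where https://e.example.com/.well-known/acme-challenge/<token>
# answered with the site's HTML page instead of the token. classify_probe is a
# pure function (testable offline); acme_probe runs it against a live host.
# Host, webroot and token values are constructed.

# classify_probe <http status> <response body> <expected token>
classify_probe() {
    status=$1 body=$2 token=$3
    case $status in
        200)
            if [ "$body" = "$token" ]; then
                echo "ok: challenge path served the token verbatim"
                return 0
            fi
            case $body in
                '<!doctype html'*|'<!DOCTYPE html'*|'<html'*)
                    echo "fail: got the site's HTML page. The location block for"
                    echo "  /.well-known/acme-challenge/ did not match in the server block"
                    echo "  that finally answered (the CA reports an https:// URL, i.e. it"
                    echo "  followed the http->https redirect), so the request fell through"
                    echo "  to try_files / index.php. Add the location to that server block." ;;
                *)  echo "fail: 200 but the body is not the token" ;;
            esac
            return 1 ;;
        403) echo "fail: 403; check owner and mode of the webroot and its parents"; return 1 ;;
        404) echo "fail: 404; 'root' in the location block is not the directory the token was written to"; return 1 ;;
        *)   echo "fail: unexpected status '$status' (000 = could not connect / TLS error)"; return 1 ;;
    esac
}

# acme_probe <host> <webroot>: writes a throw-away token into
# <webroot>/.well-known/acme-challenge/ (the layout "root" expects), fetches it
# over plain http following redirects like the CA does, then classifies the answer.
acme_probe() {
    host=$1 webroot=$2
    token="probe-$(date +%s)-$$"
    dir="$webroot/.well-known/acme-challenge"
    mkdir -p "$dir" && printf '%s' "$token" > "$dir/$token" || return 1
    tmp=$(mktemp)
    status=$(curl -sS -L -o "$tmp" -w '%{http_code}' \
        "http://$host/.well-known/acme-challenge/$token")
    body=$(cat "$tmp")
    rm -f "$tmp" "$dir/$token"
    classify_probe "$status" "$body" "$token"
}

# Real use:  acme_probe e.example.com /var/www/acme-challenge
if [ "${1:-}" = "--demo" ]; then
    # offline demo with the kind of body the post's log shows
    classify_probe 200 '<!doctype html>
<html lang="ja">' probe-demo-token || true
fi
```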


Current state


The following 4 certificates
・e.example.com
・g.example.net
・p.example.com
・example.com

The following 2 certificates succeed every single time "$ sudo certbot renew --dry-run" is run
・g.example.net
・p.example.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

The following certs were successfully renewed:
 /etc/letsencrypt/live/g.example.net/fullchain.pem (success)
 /etc/letsencrypt/live/p.example.com/fullchain.pem (success)

The following certs could not be renewed:
 /etc/letsencrypt/live/e.example.com/fullchain.pem (failure)
 /etc/letsencrypt/live/example.com/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2 renew failure(s), 0 parse failure(s)


The following certificate behaves erratically
・It basically fails, but for some reason it occasionally succeeds
・I cannot tell what makes it succeed
・e.example.com

The following certificate always fails
・Probably because it is a wildcard certificate
・example.com

One possibility I can think of
・Perhaps the following had not actually been switched to https
http://e.example.com/
・Maybe restarting Nginx applied the settings and it became https
・At least, it is https now

2019/4/17

 Views: 130 Posted: 2019-04-17 Updated: 2019-05-22 

letsencrypt.log


$ sudo less /var/log/letsencrypt/letsencrypt.log
To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.


Domain management
Before the fix
・The entries added when the "wildcard certificate" was obtained are still there as they were
a * さくらVPSのIPアドレス
mx @ 10
txt @ v=spf1 a:example.com ~all
txt _acme-challenge 7VVYxxxx
txt _acme-challenge 5Qe9xxxx


After the fix
a * さくらVPSのIPアドレス
mx @ 10
txt @ v=spf1 さくらVPSのIPアドレス ~all


Is it waiting for DNS propagation?

Tackle the remaining one first
$ sudo vi /etc/letsencrypt/renewal/example.com.conf
# renew_before_expiry = 30 days
version = 0.30.2
archive_dir = /etc/letsencrypt/archive/example.com
cert = /etc/letsencrypt/live/example.com/cert.pem
privkey = /etc/letsencrypt/live/example.com/privkey.pem
chain = /etc/letsencrypt/live/example.com/chain.pem
fullchain = /etc/letsencrypt/live/example.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
#authenticator = manual
authenticator = nginx
installer = nginx
account = a611xxxx
#pref_challs = dns-01,
#manual_public_ip_logging_ok = True
server = https://acme-v02.api.letsencrypt.org/directory
/etc/letsencrypt/renewal/example.com.conf (END)


$ sudo certbot renew --dry-run
The following certs were successfully renewed:
 /etc/letsencrypt/live/ginza-chronology.example.net/fullchain.pem (success)
 /etc/letsencrypt/live/p.example.com/fullchain.pem (success)

The following certs could not be renewed:
 /etc/letsencrypt/live/e.example.com/fullchain.pem (failure)
 /etc/letsencrypt/live/example.com/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2 renew failure(s), 0 parse failure(s)


$ sudo less /var/log/letsencrypt/letsencrypt.log
raise errors.AuthorizationError(msg)
AuthorizationError: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.


Deleting the "wildcard certificate"


$ sudo certbot delete --cert-name example.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Deleted all files relating to certificate example.com.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -


$ sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/e.example.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for e.example.com
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (e.example.com) from /etc/letsencrypt/renewal/e.example.com.conf produced an unexpected error: Failed authorization procedure. e.example.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://e.example.com/.well-known/acme-challenge/lxZcxxxx [さくらVPSのIPアドレス]: "<!doctype html>\r\n<html lang=\"ja\">\r\n<head>\r\n\t<meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\" />\r\n\t<meta http-e". Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/ginza-chronology.example.net.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for ginza-chronology.example.net
Waiting for verification...
Cleaning up challenges
Resetting dropped connection: acme-staging-v02.api.letsencrypt.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/ginza-chronology.example.net/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/p.example.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for p.example.com
Waiting for verification...
Cleaning up challenges
Resetting dropped connection: acme-staging-v02.api.letsencrypt.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/p.example.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certs could not be renewed:
 /etc/letsencrypt/live/e.example.com/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

The following certs were successfully renewed:
 /etc/letsencrypt/live/ginza-chronology.example.net/fullchain.pem (success)
 /etc/letsencrypt/live/p.example.com/fullchain.pem (success)

The following certs could not be renewed:
 /etc/letsencrypt/live/e.example.com/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
- The following errors were reported by the server:

  Domain: e.example.com
  Type:   unauthorized
  Detail: Invalid response from
  https://e.example.com/.well-known/acme-challenge/lxZcxxxx
  [さくらVPSのIPアドレス]: "<!doctype html>\r\n<html
  lang=\"ja\">\r\n<head>\r\n\t<meta http-equiv=\"Content-Type\"
  content=\"text/html; charset=UTF-8\" />\r\n\t<meta http-e"

  To fix these errors, please make sure that your domain name was
  entered correctly and the DNS A/AAAA record(s) for that domain
  contain(s) the right IP address.


$ sudo vi /etc/letsencrypt/renewal/e.example.com.conf
# renew_before_expiry = 30 days
version = 0.29.1
archive_dir = /etc/letsencrypt/archive/e.example.com
cert = /etc/letsencrypt/live/e.example.com/cert.pem
privkey = /etc/letsencrypt/live/e.example.com/privkey.pem
chain = /etc/letsencrypt/live/e.example.com/chain.pem
fullchain = /etc/letsencrypt/live/e.example.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = nginx
installer = nginx
account = a611xxxx
server = https://acme-v02.api.letsencrypt.org/directory
webroot_path = /var/www/html/example.com/e.example.com




$ sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/e.example.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for e.example.com
Waiting for verification...
Cleaning up challenges
Resetting dropped connection: acme-staging-v02.api.letsencrypt.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/e.example.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/ginza-chronology.example.net.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for ginza-chronology.example.net
Waiting for verification...
Cleaning up challenges
Resetting dropped connection: acme-staging-v02.api.letsencrypt.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/ginza-chronology.example.net/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/p.example.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for p.example.com
Waiting for verification...
Cleaning up challenges
Resetting dropped connection: acme-staging-v02.api.letsencrypt.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/p.example.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
 /etc/letsencrypt/live/e.example.com/fullchain.pem (success)
 /etc/letsencrypt/live/ginza-chronology.example.net/fullchain.pem (success)
 /etc/letsencrypt/live/p.example.com/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

After specifying webroot_path in the letsencrypt conf file, "Congratulations" was finally displayed, but is this really correct?
・What I hate most of all is that the result differs every time I run "$ sudo certbot renew --dry-run".

4/15
・"$ sudo chown -R ★★:★★ /var/www/acme-challenge" gave success, but running "$ sudo certbot renew --dry-run" the next day gave fail.

4/16
・After appending "default_type "text/plain";" to the "location ^~ /.well-known/acme-challenge/ {" block in /etc/nginx/conf.d/default.conf (see below) and restarting Nginx, it was success, but when I ran "$ sudo certbot renew --dry-run" again just to be sure, it failed.

4/17
・After specifying webroot_path in the letsencrypt conf file, "Congratulations" was finally displayed. Ran "$ sudo certbot renew --dry-run" once more just to be sure, and it failed. It's erroring out! Why on earth?!


Type:   unauthorized
Detail: Invalid response from https://e.example.com/.well-known/acme-challenge/Murnxxxx



・After that it failed once, then after restarting Nginx it succeeded twice in a row. Why?


The following differ (or are they the same?)
$ less /etc/nginx/conf.d/e.example.com.conf
    location / {
       try_files $uri $uri/ /index.php?$query_string;
   }

   error_page   500 502 503 504  /50x.html;
   location = /50x.html {
       root   /usr/share/nginx/html;
   }

   location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        include fastcgi_params;
   }


   listen 443 ssl; # managed by Certbot
   ssl_certificate /etc/letsencrypt/live/e.example.com/fullchain.pem; # managed by Certbot
   ssl_certificate_key /etc/letsencrypt/live/e.example.com/privkey.pem; # managed by Certbot
   include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
   ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}


server {
   if ($host = e.example.com) {
       return 301 https://$host$request_uri;
   } # managed by Certbot


   listen       80;
   server_name  e.example.com;
   return 404; # managed by Certbot


}


$ less /etc/nginx/conf.d/p.example.com.conf
    location / {
       try_files $uri $uri/ /index.php?$query_string;
   }

   error_page   500 502 503 504  /50x.html;
   location = /50x.html {
       root   /usr/share/nginx/html;
   }

   location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        include fastcgi_params;
   }


   listen 443 ssl; # managed by Certbot
   ssl_certificate /etc/letsencrypt/live/p.example.com/fullchain.pem; # managed by Certbot
   ssl_certificate_key /etc/letsencrypt/live/p.example.com/privkey.pem; # managed by Certbot
   include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
   ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

#server {
#    listen 443 ssl;
#    server_name p.example.com;
#    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
#    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
#    ssl_session_tickets on;
#    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
#    ssl_ciphers AESGCM:HIGH:!aNULL:!MD5;
#    ssl_prefer_server_ciphers on;
#    root /var/www/html/example.com/p.example.com;
#}
server {
   if ($host = p.example.com) {
       return 301 https://$host$request_uri;
   } # managed by Certbot


   listen       80;
   server_name  p.example.com;
   return 404; # managed by Certbot


}



・Maybe writing the acme block in Nginx's default.conf is the mistake. But then it is unclear why the other hosts don't error.
・This is getting exhausting, so if it fails again tomorrow, I'll delete everything and start over from scratch!

2019/4/18
・It was "Congratulations". Why on earth?!

cron


# vi /etc/cron.d/certbot
・Auto-renew via cron (renew around 0:00 and around 12:00, with a random delay of up to an hour)
0 0,12 * * * python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew



# ls -l /etc/cron.d
合計 32
-rw-r--r--  1 root root 128  3月 22  2018 0hourly
-rw-r--r--  1 root root 130  7月  6  2018 access_analysis
-rw-r--r--  1 root root  70  4月  9  2018 backup_by_database
-rw-r--r--  1 root root 106  4月 20 00:46 certbot
-rw-r--r--  1 root root  65  4月 20 00:20 letsencrypt
-rw-r--r--  1 root root  64  4月  9  2018 mysql_backup
-rw-r--r--. 1 root root 108  8月  3  2016 raid-check
-rw-------. 1 root root 235  3月  6  2015 sysstat



# /bin/systemctl restart  crond.service
$ sudo sh -c 'nginx -t && systemctl restart nginx.service || systemctl status nginx.service -l'

2019/4/20
$ sudo less /var/log/cron
Apr 20 04:01:01 hoge CROND[23124]: (root) CMD (/usr/bin/certbot renew && systemctl restart nginx)


 Views: 121 Posted: 2019-04-20 Updated: 2019-05-21 
$ less /etc/nginx/conf.d/default.conf
    location ^~ /.well-known/acme-challenge/ {
       default_type "text/plain";
       root /var/www/acme-challenge;
   }


Pattern-matching operator for "/.well-known/acme-challenge/"
・"^~"
・Takes precedence: once this prefix matches, Nginx does not go on to check the regular-expression locations (such as the "location ~ \.php$" block), so the token file is served from this root rather than handed to PHP.
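The failures above all show the same symptom: the challenge URL returns the site's HTML index instead of the token. As an added example (not code from the original post), here is a pre-flight check that reproduces what certbot's http-01 challenge does, writing a throw-away token under the webroot and fetching it over plain HTTP, and classifies the answer. The names `acme_preflight` and `http_fetch` and the injectable fetcher are my own; the default fetcher goes to the real domain.

```python
"""Pre-flight check for the http-01 challenge path before `certbot renew`.

Added example, not from the original page: drops a random token under
<webroot>/.well-known/acme-challenge/ and fetches it over HTTP, the way the
CA does. `fetch` is injectable so the logic can be exercised offline.
"""
import secrets
import urllib.request
from pathlib import Path

CHALLENGE_DIR = ".well-known/acme-challenge"


def http_fetch(url, timeout=10):
    """Default fetcher: (status, content_type, body_text) for a plain-HTTP GET."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        body = resp.read().decode("utf-8", "replace")
        return resp.status, resp.headers.get("Content-Type", ""), body


def acme_preflight(domain, webroot, fetch=http_fetch):
    """Return (ok, diagnosis). The token file is always removed afterwards."""
    token = secrets.token_urlsafe(32)
    expected = f"{token}.preflight"  # any fixed body is enough for this check
    target = Path(webroot) / CHALLENGE_DIR / token
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(expected)
    try:
        status, ctype, body = fetch(f"http://{domain}/{CHALLENGE_DIR}/{token}")
    except Exception as exc:  # DNS, connection refused, timeout ...
        return False, f"request failed: {exc} (port 80 closed or DNS A/AAAA record wrong?)"
    finally:
        target.unlink(missing_ok=True)  # never leave test tokens behind
    if status != 200:
        return False, (f"HTTP {status}: the port-80 server block answers this path "
                       f"(e.g. 'return 404') instead of serving {webroot}")
    if body.lstrip().lower().startswith("<!doctype html") or "<html" in body.lower():
        # The page's certbot error: an HTML document came back instead of the token.
        return False, ("got an HTML page, not the token: the request was routed to the "
                       "site's index, so 'location ^~ /.well-known/acme-challenge/' is "
                       "not matching or its root differs from webroot_path")
    if body.strip() != expected:
        return False, "wrong body: the location block serves a different root than webroot_path"
    if not ctype.startswith("text/plain"):
        # Not required by the CA, but the page sets default_type "text/plain" here.
        return True, f"token served, but Content-Type is '{ctype}' rather than text/plain"
    return True, "challenge path serves the token correctly"
```

Run it once per hostname in the renewal conf files right before `certbot renew`; a false result points at the nginx server block for port 80, not at certbot.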

