【KUSANAGI】またしてもLet’s EncryptのSSL証明書が更新できなくて苦労した話。

2022年6月5日

また例によって、Let’s Encryptからメールが来ていた。

Hello,

Your certificate (or certificates) for the names listed below will expire in 19 days (on 29 Nov 21 19:51 +0000). Please make sure to renew your certificate before then, or visitors to your web site will encounter errors.

さて、前回(3ヶ月前)に更新ができなかった時に、仕様変更でDNSにwwwつきドメインをAレコードに追加して解決したはずだったんだが……🤔

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Cert is due for renewal, auto-renewing...
Renewing an existing certificate for ice-military.com and www.ice-military.com
Performing the following challenges:
http-01 challenge for ice-military.com
http-01 challenge for www.ice-military.com
Using the webroot path /home/kusanagi/wordpress/DocumentRoot for all unmatched domains.
Waiting for verification...
Challenge failed for domain www.ice-military.com
Challenge failed for domain ice-military.com
http-01 challenge for www.ice-military.com
http-01 challenge for ice-military.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: www.ice-military.com
Type: connection
Detail: Fetching
https://ice-military.com/.well-known/acme-challenge/UJxTXD-TWalqSCwDJPh6vhSHMRoTK4g4sdg9-ZdC_tY:
Timeout during connect (likely firewall problem)

Domain: ice-military.com
Type: connection
Detail: Fetching
https://ice-military.com/.well-known/acme-challenge/ElMvdlb2KpA4SNEy-lUvIqI3JKsCWyJiePiDq2yrJuQ:
Timeout during connect (likely firewall problem)

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.

今回もまた手っ取り早く再構築を考えたが、これではいつまで経っても埒が明かないを思い、さらにいろいろ調べてみることにしました。

そこで見つけたのがcertbotのサイト。

このページの手順通りに作業を進めてみることにしました。

  1. Install snapdYou’ll need to install snapd and make sure you follow any instructions to enable classic snap support.(snapdのインストールと、クラシックスナップサポートを有効にする。)
    1. snapdのインストール

      # yum install snapd
      読み込んだプラグイン:fastestmirror
      Loading mirror speeds from cached hostfile
      * base: ftp.tsukuba.wide.ad.jp
      * epel: ftp.jaist.ac.jp
      * extras: ftp.tsukuba.wide.ad.jp
      * updates: ftp.tsukuba.wide.ad.jp
      依存性の解決をしています
      --> トランザクションの確認を実行しています。
      ---> パッケージ snapd.x86_64 0:2.53.2-1.el7 を インストール
      --> 依存性解決を終了しました。
      
      依存性を解決しました
      
      ========================================================================================================================================
      Package アーキテクチャー バージョン リポジトリー 容量
      ========================================================================================================================================
      インストール中:
      snapd x86_64 2.53.2-1.el7 epel 16 M
      
      トランザクションの要約
      ========================================================================================================================================
      インストール 1 パッケージ
      
      総ダウンロード容量: 16 M
      インストール容量: 47 M
      Is this ok [y/d/N]: y
      Downloading packages:
      snapd-2.53.2-1.el7.x86_64.rpm | 16 MB 00:00:02
      Running transaction check
      Running transaction test
      Transaction test succeeded
      Running transaction
      インストール中 : snapd-2.53.2-1.el7.x86_64 1/1
      検証中 : snapd-2.53.2-1.el7.x86_64 1/1
      
      インストール:
      snapd.x86_64 0:2.53.2-1.el7
      
      完了しました!
      
      # systemctl enable --now snapd.socket
      Created symlink from /etc/systemd/system/sockets.target.wants/snapd.socket to /usr/lib/systemd/system/snapd.socket.
      
    2. クラシックスナップサポートを有効にする
      # systemctl enable --now snapd.socket
      Created symlink from /etc/systemd/system/sockets.target.wants/snapd.socket to /usr/lib/systemd/system/snapd.socket.
      
    3. スナップサポートを有効にするため、シンボリックを作成する。
      # ln -s /var/lib/snapd/snap /snap
      
  2. Ensure that your version of snapd is up to date(snapdが最新バージョンであることを確認する)
    # snap install core
    core 16-2.52.1 from Canonical? installed
    
    # sudo snap refresh core
    snap "core" has no updates available
    
  3. Remove certbot-auto and any Certbot OS packages(certbot-autoを削除する)
    # yum remove certbot
    
  4. Install Certbot(Certbotをインストールする)
    # snap install --classic certbot
    certbot 1.21.0 from Certbot Project (certbot-eff?) installed
    # snap install --classic certbot
    
  5. Prepare the Certbot command(コマンドライン上でCertbotコマンドが実行できることを確認する)
    # ln -s /snap/bin/certbot /usr/bin/certbot
    
  6. Choose how you’d like to run Certbot(Certbotの実行方法を選択し、証明書を取得する)
    # certbot --nginx
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    
    Which names would you like to activate HTTPS for?
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    1: ice-military.com
    2: www.ice-military.com
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Select the appropriate numbers separated by commas and/or spaces, or leave input
    blank to select all options shown (Enter 'c' to cancel):
    Certificate not yet due for renewal
    
    You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
    (ref: /etc/letsencrypt/renewal/ice-military.com.conf)
    
    What would you like to do?
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    1: Attempt to reinstall this existing certificate
    2: Renew & replace the certificate (may be subject to CA rate limits)
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
    Renewing an existing certificate for ice-military.com and www.ice-military.com
    
    Successfully received certificate.
    Certificate is saved at: /etc/letsencrypt/live/ice-military.com/fullchain.pem
    Key is saved at: /etc/letsencrypt/live/ice-military.com/privkey.pem
    This certificate expires on 2022-02-28.
    These files will be updated when the certificate renews.
    Certbot has set up a scheduled task to automatically renew this certificate in the background.
    
    Deploying certificate
    Successfully deployed certificate for ice-military.com to /etc/nginx/conf.d/wordpress_ssl.conf
    Successfully deployed certificate for www.ice-military.com to /etc/nginx/conf.d/wordpress_ssl.conf
    Your existing certificate has been successfully renewed, and the new certificate has been installed.
    
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    If you like Certbot, please consider supporting our work by:
    * Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
    * Donating to EFF: https://eff.org/donate-le
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    

     

  7. Test automatic renewal(自動更新をテストする)
    # certbot renew --dry-run
    Saving debug log to /var/log/letsencrypt/letsencrypt.log- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Processing /etc/letsencrypt/renewal/ice-military.com-0001.conf
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Simulating renewal of an existing certificate for ice-military.com
    
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Processing /etc/letsencrypt/renewal/ice-military.com.conf
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Simulating renewal of an existing certificate for ice-military.com and www.ice-military.com
    
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Congratulations, all simulated renewals succeeded:
    /etc/letsencrypt/live/ice-military.com-0001/fullchain.pem (success)
    /etc/letsencrypt/live/ice-military.com/fullchain.pem (success)
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    

今回はこの手順により無事に証明書を更新する事ができました。

Posted by webmaster