Let's Encrypt's certbot-auto failed when I ran it as usual, so here is how I dealt with it


Trying to renew as usual, I switched to root and typed the following command,

certbot-auto renew --post-hook "service nginx restart"

and it failed with the following message.

Upgrading certbot-auto 0.24.0 to 0.25.0...
Replacing certbot-auto...
Creating virtual environment...
Installing Python packages...
Installation succeeded.
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 7, in <module>
    from certbot.main import main
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/certbot/main.py", line 10, in <module>
    import josepy as jose
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/josepy/__init__.py", line 41, in <module>
    from josepy.interfaces import JSONDeSerializable
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/josepy/interfaces.py", line 8, in <module>
    from josepy import errors, util
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/josepy/util.py", line 4, in <module>
    import OpenSSL
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/OpenSSL/__init__.py", line 8, in <module>
    from OpenSSL import rand, crypto, SSL
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/OpenSSL/rand.py", line 12, in <module>
    from OpenSSL._util import (
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/OpenSSL/_util.py", line 6, in <module>
    from cryptography.hazmat.bindings.openssl.binding import Binding
ImportError: No module named cryptography.hazmat.bindings.openssl.binding

I ran the same command once more to see what would happen, and this time the following message appeared.

Error: couldn't get currently installed version for /opt/eff.org/certbot/venv/bin/letsencrypt: 
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 7, in <module>
    from certbot.main import main
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/certbot/main.py", line 10, in <module>
    import josepy as jose
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/josepy/__init__.py", line 41, in <module>
    from josepy.interfaces import JSONDeSerializable
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/josepy/interfaces.py", line 8, in <module>
    from josepy import errors, util
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/josepy/util.py", line 4, in <module>
    import OpenSSL
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/OpenSSL/__init__.py", line 8, in <module>
    from OpenSSL import rand, crypto, SSL
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/OpenSSL/rand.py", line 12, in <module>
    from OpenSSL._util import (
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/OpenSSL/_util.py", line 6, in <module>
    from cryptography.hazmat.bindings.openssl.binding import Binding
ImportError: No module named cryptography.hazmat.bindings.openssl.binding

Apparently it failed to pull in the new Let's Encrypt program?

I googled the error message to see whether there was a fix, and found the following source.

Linux - Let's Encrypt certificate renewal stopped working (65454) | teratail
https://teratail.com/questions/65454

How about running rm /root/.local/share/letsencrypt/bin/letsencrypt before the operation,
and then trying certbot-auto?

So I ran the following, and then ran renew.

rm /root/.local/share/letsencrypt/bin/letsencrypt
certbot-auto renew --post-hook "service nginx restart"

However, the following message came up and it would not renew.

FATAL: Amazon Linux support is very experimental at present...
if you would like to work on improving it, please ensure you have backups
and then run this script again with the --debug flag!
Alternatively, you can install OS dependencies yourself and run this script
again with --no-bootstrap.

Looking at it more closely, it politely advised me to take a backup and then run it again with the --debug option. How kind.

But I was sleepy and irritated at that point, so I followed a different tip (below) instead:

How to deal with certificate renewal errors from Let's Encrypt on Amazon Linux | ゲンジニア日記 – presented by yskw.info
https://blog.yskw.info/articles/326/

This time I ran the following. As you can see, it unsets the environment variable in question and then redoes the certbot-auto environment setup.

unset PYTHON_INSTALL_LAYOUT
certbot-auto -v --debug

A flood of log output like the following scrolled past,

Bootstrapping dependencies for Amazon... (you can skip this with --no-bootstrap)
yum is /usr/bin/yum
yum is hashed (/usr/bin/yum)
Loaded plugins: priorities, update-motd, upgrade-helper
amzn-main                                                                                                                                                    | 2.1 kB  00:00:00     
amzn-updates                                                                                                                                                 | 2.5 kB  00:00:00     
Package gcc-4.8.5-1.22.amzn1.noarch already installed and latest version
Package augeas-libs-1.0.0-5.7.amzn1.x86_64 already installed and latest version
Package 1:openssl-1.0.2k-12.109.amzn1.x86_64 already installed and latest version
Package 1:openssl-devel-1.0.2k-12.109.amzn1.x86_64 already installed and latest version
Package libffi-devel-3.0.13-16.5.amzn1.x86_64 already installed and latest version
Package system-rpm-config-9.0.3-42.28.amzn1.noarch already installed and latest version
Package ca-certificates-2017.2.14-65.0.1.17.amzn1.noarch already installed and latest version
Package python27-devel-2.7.14-1.123.amzn1.x86_64 already installed and latest version
Package python27-virtualenv-15.1.0-1.14.amzn1.noarch already installed and latest version
Package python27-tools-2.7.14-1.123.amzn1.x86_64 already installed and latest version
Package python27-pip-9.0.3-1.26.amzn1.noarch already installed and latest version
Nothing to do
Creating virtual environment...
Already using interpreter /usr/bin/python2.7
New python executable in /opt/eff.org/certbot/venv/bin/python2.7
Also creating executable in /opt/eff.org/certbot/venv/bin/python
Installing setuptools, pip, wheel...done.
Installing Python packages...
Collecting argparse==1.4.0 (from -r /tmp/tmp.BuHjBSABdx/letsencrypt-auto-requirements.txt (line 11))
  Downloading https://files.pythonhosted.org/packages/f2/94/3af39d34be01a24a6e65433d19e107099374224905f1e0cc6bbe1fd22a2f/argparse-1.4.0-py2.py3-none-any.whl
Collecting pycparser==2.14 (from -r /tmp/tmp.BuHjBSABdx/letsencrypt-auto-requirements.txt (line 17))
  Downloading https://files.pythonhosted.org/packages/6d/31/666614af3db0acf377876d48688c5d334b6e493b96d21aa7d332169bee50/pycparser-2.14.tar.gz (223kB)
    100% |████████████████████████████████| 225kB 6.3MB/s 
Collecting asn1crypto==0.22.0 (from -r /tmp/tmp.BuHjBSABdx/letsencrypt-auto-requirements.txt (line 21))
  Downloading https://files.pythonhosted.org/packages/97/ba/7e8117d8efcee589f4d96dd2b2eb1d997f96d27d214cf2b7134ad8acf6ab/asn1crypto-0.22.0-py2.py3-none-any.whl (97kB)
    100% |████████████████████████████████| 102kB 6.2MB/s 
Collecting cffi==1.10.0 (from -r /tmp/tmp.BuHjBSABdx/letsencrypt-auto-requirements.txt (line 24))
  Downloading https://files.pythonhosted.org/packages/50/85/d74d06ac09fc2deb3d9bd6d6aca4ca13d82b8118c04494cd0e84fcd81624/cffi-1.10.0-cp27-cp27mu-manylinux1_x86_64.whl (392kB)
    100% |████████████████████████████████| 399kB 10.1MB/s 
Collecting ConfigArgParse==0.12.0 (from -r /tmp/tmp.BuHjBSABdx/letsencrypt-auto-requirements.txt (line 61))
  Downloading https://files.pythonhosted.org/packages/17/8d/4a41f11b0971017c7001f118be8003da8f7b96b010c66cd792b76658d1e1/ConfigArgParse-0.12.0.tar.gz (41kB)
    100% |████████████████████████████████| 51kB 28.3MB/s 
Collecting configobj==5.0.6 (from -r /tmp/tmp.BuHjBSABdx/letsencrypt-auto-requirements.txt (line 64))
  Downloading https://files.pythonhosted.org/packages/64/61/079eb60459c44929e684fa7d9e2fdca403f67d64dd9dbac27296be2e0fab/configobj-5.0.6.tar.gz
Collecting cryptography==2.0.2 (from -r /tmp/tmp.BuHjBSABdx/letsencrypt-auto-requirements.txt (line 67))
  Downloading https://files.pythonhosted.org/packages/b2/c3/713d3a0c964acd704ee2b8521f51706aa8053fc5addbcd43cb03d74819e7/cryptography-2.0.2-cp27-cp27mu-manylinux1_x86_64.whl (2.2MB)
    100% |████████████████████████████████| 2.2MB 17.0MB/s 
Collecting enum34==1.1.2 (from -r /tmp/tmp.BuHjBSABdx/letsencrypt-auto-requirements.txt (line 98))
  Downloading https://files.pythonhosted.org/packages/6f/e9/08fd439384b7e3d613e75a6c8236b8e64d90c47d23413493b38d4229a9a5/enum34-1.1.2.tar.gz (46kB)
    100% |████████████████████████████████| 51kB 35.3MB/s 
Collecting funcsigs==1.0.2 (from -r /tmp/tmp.BuHjBSABdx/letsencrypt-auto-requirements.txt (line 101))
  Downloading https://files.pythonhosted.org/packages/69/cb/f5be453359271714c01b9bd06126eaf2e368f1fddfff30818754b5ac2328/funcsigs-1.0.2-py2.py3-none-any.whl
Collecting idna==2.5 (from -r /tmp/tmp.BuHjBSABdx/letsencrypt-auto-requirements.txt (line 104))
  Downloading https://files.pythonhosted.org/packages/11/7d/9bbbd7bb35f34b0169542487d2a8859e44306bb2e6a4455d491800a5621f/idna-2.5-py2.py3-none-any.whl (55kB)
    100% |████████████████████████████████| 61kB 38.7MB/s 
Collecting ipaddress==1.0.16 (from -r /tmp/tmp.BuHjBSABdx/letsencrypt-auto-requirements.txt (line 107))
  Downloading https://files.pythonhosted.org/packages/23/6a/813ac29a01e4c33c19c2bded98ac3d4266ebbf0bd2c0eb0020e1c969958d/ipaddress-1.0.16-py27-none-any.whl
Collecting josepy==1.0.1 (from -r /tmp/tmp.BuHjBSABdx/letsencrypt-auto-requirements.txt (line 110))
  Downloading https://files.pythonhosted.org/packages/8f/0e/8db99b520370eb417e60a0c1c9edbaf4e57aa6a17529b8b9cdbed8b858b2/josepy-1.0.1-py2.py3-none-any.whl (53kB)
    100% |████████████████████████████████| 61kB 38.8MB/s 
Collecting linecache2==1.0.0 (from -r /tmp/tmp.BuHjBSABdx/letsencrypt-auto-requirements.txt (line 113))
  Downloading https://files.pythonhosted.org/packages/c7/a3/c5da2a44c85bfbb6eebcfc1dde24933f8704441b98fdde6528f4831757a6/linecache2-1.0.0-py2.py3-none-any.whl
Collecting mock==1.3.0 (from -r /tmp/tmp.BuHjBSABdx/letsencrypt-auto-requirements.txt (line 117))
  Downloading https://files.pythonhosted.org/packages/b2/50/664a70b87408bb6c14c1af2337efa64eb8d1af80c933531758b8fb41ec25/mock-1.3.0-py2.py3-none-any.whl (56kB)
    100% |████████████████████████████████| 61kB 38.1MB/s 
Collecting ordereddict==1.1 (from -r /tmp/tmp.BuHjBSABdx/letsencrypt-auto-requirements.txt (line 120))
  Downloading https://files.pythonhosted.org/packages/53/25/ef88e8e45db141faa9598fbf7ad0062df8f50f881a36ed6a0073e1572126/ordereddict-1.1.tar.gz
Collecting packaging==16.8 (from -r /tmp/tmp.BuHjBSABdx/letsencrypt-auto-requirements.txt (line 123))
  Downloading https://files.pythonhosted.org/packages/87/1b/c39b7c65b5612812b83d6cab7ef2885eac9f6beb0b7b8a7071a186aea3b1/packaging-16.8-py2.py3-none-any.whl
Collecting parsedatetime==2.1 (from -r /tmp/tmp.BuHjBSABdx/letsencrypt-auto-requirements.txt (line 126))
  Downloading https://files.pythonhosted.org/packages/85/1f/13fc06097e516f6259d62cea502b116451321c96e18a9d0fff9da3442e02/parsedatetime-2.1-py2-none-any.whl
Collecting pbr==1.8.1 (from -r /tmp/tmp.BuHjBSABdx/letsencrypt-auto-requirements.txt (line 129))
  Downloading https://files.pythonhosted.org/packages/fc/37/94af8387babb09796d306b18cf94ee5c70388c875a16d8a88e471500452c/pbr-1.8.1-py2.py3-none-any.whl (89kB)
    100% |████████████████████████████████| 92kB 28.4MB/s 
Collecting pyOpenSSL==16.2.0 (from -r /tmp/tmp.BuHjBSABdx/letsencrypt-auto-requirements.txt (line 132))
  Downloading https://files.pythonhosted.org/packages/ac/93/b4cd538d31adacd07f83013860db6b88d78755af1f3fefe68ec22d397e7b/pyOpenSSL-16.2.0-py2.py3-none-any.whl (43kB)
    100% |████████████████████████████████| 51kB 43.9MB/s 
Collecting pyparsing==2.1.8 (from -r /tmp/tmp.BuHjBSABdx/letsencrypt-auto-requirements.txt (line 135))
  Downloading https://files.pythonhosted.org/packages/85/b9/188515f35f78533b3f82966a2c3f1a71a86df8b801367ee75a77191a861d/pyparsing-2.1.8-py2.py3-none-any.whl (54kB)
    100% |████████████████████████████████| 61kB 35.8MB/s 
Collecting pyRFC3339==1.0 (from -r /tmp/tmp.BuHjBSABdx/letsencrypt-auto-requirements.txt (line 144))
  Downloading https://files.pythonhosted.org/packages/9b/0a/decfa17e7707afca17d6e9595ff5c79c1c71c74063ad95576f897ed3a9f1/pyRFC3339-1.0-py2.py3-none-any.whl
Collecting python-augeas==0.5.0 (from -r /tmp/tmp.BuHjBSABdx/letsencrypt-auto-requirements.txt (line 147))
  Downloading https://files.pythonhosted.org/packages/41/e6/4b6740cb3e31b82252099994cea751c648b846aa7874343c31d68c2215be/python-augeas-0.5.0.tar.gz (90kB)
    100% |████████████████████████████████| 92kB 27.3MB/s 
Collecting pytz==2015.7 (from -r /tmp/tmp.BuHjBSABdx/letsencrypt-auto-requirements.txt (line 150))
  Downloading https://files.pythonhosted.org/packages/c0/28/973f0382c803b21734cd7e97e0590928148ee21b1cbe8f7fed8b506204fb/pytz-2015.7-py2.py3-none-any.whl (476kB)
    100% |████████████████████████████████| 481kB 24.0MB/s 
Collecting requests==2.12.1 (from -r /tmp/tmp.BuHjBSABdx/letsencrypt-auto-requirements.txt (line 164))
  Downloading https://files.pythonhosted.org/packages/9b/31/e9925a2b9a06f97c3450bac6107928d3533bfe64ca5615442504104321e8/requests-2.12.1-py2.py3-none-any.whl (574kB)
    100% |████████████████████████████████| 583kB 28.2MB/s 
Collecting six==1.10.0 (from -r /tmp/tmp.BuHjBSABdx/letsencrypt-auto-requirements.txt (line 167))
  Downloading https://files.pythonhosted.org/packages/c8/0a/b6723e1bc4c516cb687841499455a8505b44607ab535be01091c0f24f079/six-1.10.0-py2.py3-none-any.whl
Collecting traceback2==1.4.0 (from -r /tmp/tmp.BuHjBSABdx/letsencrypt-auto-requirements.txt (line 170))
  Downloading https://files.pythonhosted.org/packages/17/0a/6ac05a3723017a967193456a2efa0aa9ac4b51456891af1e2353bb9de21e/traceback2-1.4.0-py2.py3-none-any.whl
Collecting unittest2==1.1.0 (from -r /tmp/tmp.BuHjBSABdx/letsencrypt-auto-requirements.txt (line 173))
  Downloading https://files.pythonhosted.org/packages/72/20/7f0f433060a962200b7272b8c12ba90ef5b903e218174301d0abfd523813/unittest2-1.1.0-py2.py3-none-any.whl (96kB)
    100% |████████████████████████████████| 102kB 34.0MB/s 
Collecting zope.component==4.2.2 (from -r /tmp/tmp.BuHjBSABdx/letsencrypt-auto-requirements.txt (line 176))
  Downloading https://files.pythonhosted.org/packages/4c/c4/3f77127c876f49af478e8ea4dc223cda17730bb273c0d1606a4114c64008/zope.component-4.2.2.tar.gz (546kB)
    100% |████████████████████████████████| 552kB 30.4MB/s 
Collecting zope.event==4.1.0 (from -r /tmp/tmp.BuHjBSABdx/letsencrypt-auto-requirements.txt (line 179))
  Downloading https://files.pythonhosted.org/packages/0e/87/75e3d62a3506953c2e56d15a150de31e5d92310e87db2c8b102dc01b0b8e/zope.event-4.1.0.tar.gz (476kB)
    100% |████████████████████████████████| 481kB 30.7MB/s 
Collecting zope.interface==4.1.3 (from -r /tmp/tmp.BuHjBSABdx/letsencrypt-auto-requirements.txt (line 182))
  Downloading https://files.pythonhosted.org/packages/9d/81/2509ca3c6f59080123c1a8a97125eb48414022618cec0e64eb1313727bfe/zope.interface-4.1.3.tar.gz (141kB)
    100% |████████████████████████████████| 143kB 46.8MB/s 
Collecting requests-toolbelt==0.8.0 (from -r /tmp/tmp.BuHjBSABdx/letsencrypt-auto-requirements.txt (line 200))
  Downloading https://files.pythonhosted.org/packages/97/8a/d710f792d6f6ecc089c5e55b66e66c3f2f35516a1ede5a8f54c13350ffb0/requests_toolbelt-0.8.0-py2.py3-none-any.whl (54kB)
    100% |████████████████████████████████| 61kB 37.7MB/s 
Collecting letsencrypt==0.7.0 (from -r /tmp/tmp.BuHjBSABdx/letsencrypt-auto-requirements.txt (line 211))
  Downloading https://files.pythonhosted.org/packages/fd/21/0c6f33829fadec8aca0c1ebb4d6f8101c05899356a58d1b2e506cb77cf18/letsencrypt-0.7.0-py2-none-any.whl
Collecting certbot==0.25.0 (from -r /tmp/tmp.BuHjBSABdx/letsencrypt-auto-requirements.txt (line 215))
  Downloading https://files.pythonhosted.org/packages/34/40/83f08b39e8a5097b509540b1ea3e4db7440da22911d00aa0ec9695f91bf9/certbot-0.25.0-py2.py3-none-any.whl (293kB)
    100% |████████████████████████████████| 296kB 22.6MB/s 
Collecting acme==0.25.0 (from -r /tmp/tmp.BuHjBSABdx/letsencrypt-auto-requirements.txt (line 218))
  Downloading https://files.pythonhosted.org/packages/23/fd/0e259e31ba3f1bbdab06ae63e1700495f8f01bbb30cd9e72cf2d6aaebe05/acme-0.25.0-py2.py3-none-any.whl (80kB)
    100% |████████████████████████████████| 81kB 39.5MB/s 
Collecting certbot-apache==0.25.0 (from -r /tmp/tmp.BuHjBSABdx/letsencrypt-auto-requirements.txt (line 221))
  Downloading https://files.pythonhosted.org/packages/12/ce/06c3192e13c07b43c5a67cbd4cd915252ac444a798bc717044c34774ec25/certbot_apache-0.25.0-py2.py3-none-any.whl (218kB)
    100% |████████████████████████████████| 225kB 37.1MB/s 
Collecting certbot-nginx==0.25.0 (from -r /tmp/tmp.BuHjBSABdx/letsencrypt-auto-requirements.txt (line 224))
  Downloading https://files.pythonhosted.org/packages/d9/ed/0d7384d714c819b5fdc76551abd8ec927d061b19bd8491643e2659c17b94/certbot_nginx-0.25.0-py2.py3-none-any.whl (77kB)
    100% |████████████████████████████████| 81kB 38.9MB/s 
Requirement already satisfied: setuptools>=1.0 in /opt/eff.org/certbot/venv/lib/python2.7/site-packages (from josepy==1.0.1->-r /tmp/tmp.BuHjBSABdx/letsencrypt-auto-requirements.txt (line 110)) (39.2.0)
Installing collected packages: argparse, pycparser, asn1crypto, cffi, ConfigArgParse, six, configobj, enum34, ipaddress, idna, cryptography, funcsigs, pyOpenSSL, josepy, linecache2, pbr, mock, ordereddict, pyparsing, packaging, parsedatetime, pytz, pyRFC3339, python-augeas, requests, traceback2, unittest2, zope.interface, zope.event, zope.component, requests-toolbelt, acme, certbot, letsencrypt, certbot-apache, certbot-nginx
  Running setup.py install for pycparser ... done
  Running setup.py install for ConfigArgParse ... done
  Running setup.py install for configobj ... done
  Running setup.py install for enum34 ... done
  Running setup.py install for ordereddict ... done
  Running setup.py install for python-augeas ... done
  Running setup.py install for zope.interface ... done
  Running setup.py install for zope.event ... done
  Running setup.py install for zope.component ... done
Successfully installed ConfigArgParse-0.12.0 acme-0.25.0 argparse-1.4.0 asn1crypto-0.22.0 certbot-0.25.0 certbot-apache-0.25.0 certbot-nginx-0.25.0 cffi-1.10.0 configobj-5.0.6 cryptography-2.0.2 enum34-1.1.2 funcsigs-1.0.2 idna-2.5 ipaddress-1.0.16 josepy-1.0.1 letsencrypt-0.7.0 linecache2-1.0.0 mock-1.3.0 ordereddict-1.1 packaging-16.8 parsedatetime-2.1 pbr-1.8.1 pyOpenSSL-16.2.0 pyRFC3339-1.0 pycparser-2.14 pyparsing-2.1.8 python-augeas-0.5.0 pytz-2015.7 requests-2.12.1 requests-toolbelt-0.8.0 six-1.10.0 traceback2-1.4.0 unittest2-1.1.0 zope.component-4.2.2 zope.event-4.1.0 zope.interface-4.1.3
Installation succeeded.
Root logging level set at 10
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requested authenticator None and installer None
Failed to find executable apachectl in PATH: /usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/opt/aws/bin:/root/bin
No installation (PluginEntryPoint#apache): Cannot find Apache control command apachectl
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/plugins/disco.py", line 127, in prepare
    self._initialized.prepare()
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot_apache/configurator.py", line 205, in prepare
    'Cannot find Apache control command {0}'.format(restart_cmd))
NoInstallationError: Cannot find Apache control command apachectl
Single candidate plugin: * nginx
Description: Nginx Web Server plugin - Alpha
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: nginx = certbot_nginx.configurator:NginxConfigurator
Initialized: 
Prep: True
Selected authenticator  and installer 
Plugins selected: Authenticator nginx, Installer nginx
Picked account: <Account(RegistrationResource(body=Registration(status=None, terms_of_service_agreed=None, contact=(u'mailto:master@km92.net',), agreement=u'https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf', key=JWKRSA(key=<ComparableRSAKey()>)), uri=u'https://acme-v01.api.letsencrypt.org/acme/reg/10343834', new_authzr_uri=u'https://acme-v01.api.letsencrypt.org/acme/new-authz', terms_of_service=u'https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf'), 7965e3fc93fa6a8e350f71f1af807788, Meta(creation_host=u'ip-10-0-0-111.ap-northeast-1.compute.internal', creation_dt=datetime.datetime(2017, 3, 4, 16, 17, 23, tzinfo=)))>
Sending GET request to https://acme-v01.api.letsencrypt.org/directory.
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
https://acme-v01.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 658
Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 658
Replay-Nonce: <redacted>
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Sat, 09 Jun 2018 16:36:22 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 09 Jun 2018 16:36:22 GMT
Connection: keep-alive

{
  "key-change": "https://acme-v01.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "terms-of-service": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz",
  "new-cert": "https://acme-v01.api.letsencrypt.org/acme/new-cert",
  "new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-reg",
  "revoke-cert": "https://acme-v01.api.letsencrypt.org/acme/revoke-cert",
  "<redacted>": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417"
}
Not suggesting name "localhost"
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/util.py", line 310, in get_filtered_names
    filtered_names.add(enforce_le_validity(name))
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/util.py", line 531, in enforce_le_validity
    "{0} needs at least two labels".format(domain))

and then it prompted me to enter the domain name(s) the certificate should cover(?), like this:

ConfigurationError: localhost needs at least two labels
No names were found in your configuration files. Please enter in your domain
name(s) (comma and/or space separated)  (Enter 'c' to cancel):

I enter them. Incidentally, Let's Encrypt only recently added wildcard support, so I go for a configuration that uses a wildcard.

name(s) (comma and/or space separated)  (Enter 'c' to cancel): km92.net *.km92.net

After typing that and pressing Enter, the following messages were displayed.

Obtaining a new certificate
Generating key (2048 bits): /etc/letsencrypt/keys/0006_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0006_csr-certbot.pem
Requesting fresh nonce
Sending HEAD request to https://acme-v01.api.letsencrypt.org/acme/new-authz.
https://acme-v01.api.letsencrypt.org:443 "HEAD /acme/new-authz HTTP/1.1" 405 0
Received response:
HTTP 405
Server: nginx
Content-Type: application/problem+json
Content-Length: 91
Allow: POST
Replay-Nonce: <redacted>
Expires: Sat, 09 Jun 2018 16:40:47 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 09 Jun 2018 16:40:47 GMT
Connection: keep-alive


Storing nonce: <redacted>
JWS payload:
{
  "identifier": {
    "type": "dns", 
    "value": "km92.net"
  }, 
  "resource": "new-authz"
}
Sending POST request to https://acme-v01.api.letsencrypt.org/acme/new-authz:
{
  "protected": "<redacted>", 
  "payload": "<redacted>", 
  "signature": "<redacted>"
}
https://acme-v01.api.letsencrypt.org:443 "POST /acme/new-authz HTTP/1.1" 201 713
Received response:
HTTP 201
Server: nginx
Content-Type: application/json
Content-Length: 713
Boulder-Requester: 10343834
Link: <https://acme-v01.api.letsencrypt.org/acme/new-cert>;rel="next"
Location: <redacted>
Replay-Nonce: <redacted>
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Sat, 09 Jun 2018 16:40:47 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 09 Jun 2018 16:40:47 GMT
Connection: keep-alive

{
  "identifier": {
    "type": "dns",
    "value": "km92.net"
  },
  "status": "pending",
  "expires": "2018-06-16T16:40:47Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "uri": "<redacted>",
      "token": "<redacted>"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "uri": "<redacted>",
      "token": "<redacted>"
    }
  ],
  "combinations": [
    [
      1
    ],
    [
      0
    ]
  ]
}
Storing nonce: <redacted>
Exiting abnormally:
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 11, in <module>
    sys.exit(main())
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 1323, in main
    return config.func(config, plugins)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 1086, in run
    certname, lineage)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 120, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/client.py", line 383, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/client.py", line 326, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/client.py", line 360, in _get_order_and_authorizations
    raise errors.Error("The currently selected ACME CA endpoint does"
Error: The currently selected ACME CA endpoint does not support issuing wildcard certificates.
Please see the logfiles in /var/log/letsencrypt for more details.

There is some error at the end. In plain terms: "Error: the currently selected ACME CA endpoint does not support issuing wildcard certificates." Tch. Looking more closely, it seems the API being used to create the certificate is the old one (the ACME v1 API).

So then I ran the certificate renewal command once more.

certbot-auto renew --post-hook "service nginx restart"

The result:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/www.km92.net.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.km92.net
Waiting for verification...
Cleaning up challenges

-------------------------------------------------------------------------------
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/www.km92.net/fullchain.pem
-------------------------------------------------------------------------------
Plugins selected: Authenticator webroot, Installer None

-------------------------------------------------------------------------------

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/www.km92.net/fullchain.pem (success)
-------------------------------------------------------------------------------
Running post-hook command: service nginx restart
Output from service:
Stopping nginx:                                            [  OK  ]
Starting nginx:                                            [  OK  ]

That looks like the intended result. I actually checked the certificate served by the target site in a web browser and confirmed the new one was in use.

To recap what I did:

  1. Before installing the new version of certbot-auto, delete the old file that gets in the way.
  2. Install the new version of certbot-auto.
  3. Create a new certificate.
  4. Renew the certificate.

Hmm? I feel like one of the last two steps wasn't needed, but well, it renewed, so fine. Sleepy. Good night, zzz ( ˘ω˘)
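As an added example (not code from the original post or from certbot itself), here is a small POSIX shell wrapper that encodes the checks this write-up implies: it validates requested names the way certbot's "needs at least two labels" check did in the log (and allows a `*` only as the whole leftmost label), picks the ACME v2 directory for first-time issuance when a wildcard is requested (the default v1 endpoint refused wildcards above), confirms the certbot-auto virtualenv can import the module whose absence caused the first ImportError, and parses the renew output rather than trusting the pipeline's exit status. The function names, the use of `certonly --manual --preferred-challenges dns` for wildcards, and the embedded sample renew output are assumptions and constructed data for this example; the venv path is the one from the post.

```shell
#!/bin/sh
# Added example, not code from the original post or from certbot.
# Assumed: certbot-auto is on PATH and nginx is the web server. The venv path
# is the one from the post; the ACME v2 directory URL is Let's Encrypt's.

ACME_V2_DIR="https://acme-v02.api.letsencrypt.org/directory"
CERTBOT_VENV_PY="/opt/eff.org/certbot/venv/bin/python"

# le_name_ok NAME -> 0 if certbot would accept NAME:
# at least two labels, and a '*' only as the whole leftmost label.
le_name_ok() {
    name=$1
    case $name in
        *.*) ;;                    # has at least two labels
        *)   return 1 ;;           # e.g. "localhost", rejected in the log above
    esac
    case $name in
        \*.*) rest=${name#\*.} ;;  # wildcard: strip it and validate the rest
        *)    rest=$name ;;
    esac
    case $rest in
        *\**) return 1 ;;          # a '*' anywhere else is not a valid wildcard
    esac
    case $rest in
        *.*) return 0 ;;           # what remains must still be a domain
        *)   return 1 ;;           # "*.net" would be a bare-TLD wildcard
    esac
}

# acme_server_for NAME... -> prints the directory URL to pass as --server,
# or an empty line when certbot's default endpoint is fine (no wildcard).
acme_server_for() {
    for n in "$@"; do
        case $n in
            \*.*) printf '%s\n' "$ACME_V2_DIR"; return 0 ;;
        esac
    done
    printf '\n'
}

# venv_ok -> 0 if the certbot-auto virtualenv can import the module whose
# absence produced the ImportError at the top of the post.
venv_ok() {
    "$CERTBOT_VENV_PY" -c 'import cryptography.hazmat.bindings.openssl.binding' 2>/dev/null
}

# renew_outcome < certbot-renew-output
# Prints each fullchain path reported as (success); exits 0 only if the
# "all renewals succeeded" line was seen and no (failure) entry appeared.
renew_outcome() {
    saw_ok=1
    saw_fail=
    while IFS= read -r line; do
        case $line in
            "Congratulations, all renewals succeeded"*) saw_ok=0 ;;
            *"(failure)"*) saw_fail=1 ;;
            *"/fullchain.pem (success)")
                printf '%s\n' "$line" | sed 's/^ *//; s/ (success)$//' ;;
        esac
    done
    [ "$saw_ok" -eq 0 ] && [ -z "$saw_fail" ]
}

# issue_cert NAME... : first-time issuance. A wildcard needs the dns-01
# challenge and the v2 directory; plain names use certbot's default endpoint.
issue_cert() {
    for n in "$@"; do le_name_ok "$n" || { echo "invalid name: $n" >&2; return 2; }; done
    domains=$(printf '%s,' "$@"); domains=${domains%,}
    server=$(acme_server_for "$@")
    if [ -n "$server" ]; then
        certbot-auto certonly --manual --preferred-challenges dns --server "$server" -d "$domains"
    else
        certbot-auto certonly -d "$domains"
    fi
}

# renew_and_verify : the cron entry point (not invoked when this file is sourced).
renew_and_verify() {
    venv_ok || { echo "certbot-auto venv is broken; re-run certbot-auto --debug" >&2; return 3; }
    out=$(mktemp) || return 3
    # Test the nginx config before restarting, so a bad config never takes the site down.
    certbot-auto renew --post-hook 'nginx -t && service nginx restart' >"$out" 2>&1
    renew_outcome <"$out"
    rc=$?
    rm -f "$out"
    return $rc
}

# Constructed sample, modelled on the renew output shown in the post, for a dry check.
SAMPLE_RENEW_OUTPUT='Saving debug log to /var/log/letsencrypt/letsencrypt.log
Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/www.km92.net/fullchain.pem (success)'

# Dry check on the sample: prints the renewed fullchain path and exits 0.
printf '%s\n' "$SAMPLE_RENEW_OUTPUT" | renew_outcome
```

Parsing the output is deliberate: `certbot renew` inside a pipeline or with a post-hook can leave the shell's exit status saying little about whether the certificate actually changed, and the `(success)` lines are what the post's own log offers to check. The `-d` argument is passed as one comma-separated list, which certbot accepts, to avoid unquoted word splitting of a `*` in POSIX sh.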

References

Wildcard certificates and ACME v2 support - Let's Encrypt 総合ポータル
https://letsencrypt.jp/blog/2018-03-14.html
