Running Let's Encrypt's certbot-auto the usual way (the "HTTP port isn't open" edition)
I ran the usual Let's Encrypt SSL certificate renewal:
certbot-auto renew --post-hook "service nginx restart"
Hm (´`)... it failed.
certbot-auto renew --post-hook "service nginx restart"
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/www.km92.net.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.km92.net
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (www.km92.net) from /etc/letsencrypt/renewal/www.km92.net.conf produced an unexpected error: Failed authorization procedure. www.km92.net (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://www.km92.net/.well-known/acme-challenge/<secret>: Timeout during connect (likely firewall problem). Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/www.km92.net/fullchain.pem (failure)
Reading it more carefully: the Let's Encrypt validation server tried to fetch http://www.km92.net/.well-known/acme-challenge/<secret> and the TCP connect timed out, which certbot itself flags as "likely firewall problem". The validation never even reached nginx.
So Let's Encrypt really does need the HTTP port open. The http-01 challenge is always started by Let's Encrypt over plain HTTP on port 80 (it will follow a redirect to HTTPS, but the first connection is to port 80), so blocking that port breaks every http-01 renewal even though the site itself is served over HTTPS. Come to think of it, I'd blocked the HTTP port recently while dealing with some weird tracking spam, so that's the culprit.
After opening the port and running it again, the renewal went through peacefully.
certbot-auto renew --post-hook "service nginx restart"
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/www.km92.net.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.km92.net
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/www.km92.net/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/www.km92.net/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Running post-hook command: service nginx restart
Output from service:
Stopping nginx: [ OK ]
Starting nginx: [ OK ]
One more thing, just to have it written down: opening the port alone is not enough. With the webroot authenticator, certbot writes the challenge token into <webroot>/.well-known/acme-challenge/ on disk, so nginx needs a virtual host for www.km92.net that listens on port 80 and serves that directory from the same webroot to anyone on the internet. If port 80 is open but nginx answers with a 404 or a redirect to somewhere else, the renewal fails just the same, only with a different error.
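Here is what that port-80 virtual host can look like. This is an added example and not the configuration from the post; it assumes the renewal was set up as `--webroot -w /var/www/letsencrypt -d www.km92.net`, so the webroot path is an assumption (the domain name is the one from the log above). It serves only the challenge directory over plain HTTP and redirects everything else to HTTPS, so opening port 80 for Let's Encrypt does not expose the rest of the site unencrypted.

```nginx
# Added example (not the post's own config): minimal port-80 vhost for the
# Let's Encrypt http-01 challenge. Assumption: certbot was run with
#   --webroot -w /var/www/letsencrypt -d www.km92.net
# so tokens are written to /var/www/letsencrypt/.well-known/acme-challenge/<token>.
server {
    listen 80;
    server_name www.km92.net;

    # Let's Encrypt's validation servers fetch
    # http://www.km92.net/.well-known/acme-challenge/<token> over port 80.
    # This location must return the token file as-is: no auth, no rewrite,
    # no redirect to some other host.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
        default_type text/plain;
        allow all;
    }

    # Nothing else needs to be reachable over plain HTTP; send it to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

Before the next real renewal, rehearse it against the staging environment with `certbot-auto renew --dry-run` so a closed port or a broken location block shows up while the current certificate is still valid. You can also drop a test file into `/var/www/letsencrypt/.well-known/acme-challenge/` and fetch it with curl from a host outside your network; if the connect times out, it is the firewall, and if you get a 404 or a redirect, it is the vhost.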
Rough way to start the morning (´Д`)