Running Let's Encrypt's certbot-auto the usual way (the "your HTTP port isn't open" edition)


I ran the usual Let's Encrypt SSL certificate renewal,

certbot-auto renew --post-hook "service nginx restart"

Huh (´`), it failed.

certbot-auto renew --post-hook "service nginx restart"
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/www.km92.net.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.km92.net
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (www.km92.net) from /etc/letsencrypt/renewal/www.km92.net.conf produced an unexpected error: Failed authorization procedure. www.km92.net (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://www.km92.net/.well-known/acme-challenge/<ひみつ>: Timeout during connect (likely firewall problem). Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/www.km92.net/fullchain.pem (failure)

Looking closer, it says "can't reach http://www.km92.net/.well-known/acme-challenge/<ひみつ>" (token redacted).

So Let's Encrypt needs the HTTP port left open? Come to think of it, I closed the HTTP port recently while dealing with some weird tracking spam, so that's the culprit.

I opened the port back up and ran it again, and the renewal went through without a hitch.

certbot-auto renew --post-hook "service nginx restart"
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/www.km92.net.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.km92.net
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/www.km92.net/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/www.km92.net/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Running post-hook command: service nginx restart
Output from service:
Stopping nginx:                                            [  OK  ]
Starting nginx:                                            [  OK  ]

One more thing, just to be safe: for this to succeed, there also has to be a virtual host set up so that everything under http://www.km92.net/.well-known/acme-challenge/ is reachable over plain HTTP from the outside, because the http-01 challenge fetches its token over port 80, not 443.
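To catch both problems from this post (port 80 filtered, or no vhost answering for the challenge path) before certbot is involved, here is an added pre-flight script. It is not from the original post or from certbot; it drops a throwaway token into the webroot, fetches it over plain HTTP the way the CA would, and turns the curl result into a plain diagnosis. The webroot path /var/www/letsencrypt is an assumption (set WEBROOT to match the webroot in your renewal config); the domain defaults to www.km92.net from the post.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight check for the
# Let's Encrypt http-01 challenge path.
# Assumed values (override via environment): webroot and domain.
WEBROOT="${WEBROOT:-/var/www/letsencrypt}"   # hypothetical webroot path
DOMAIN="${DOMAIN:-www.km92.net}"              # domain from the post

# Map curl's exit code, the HTTP status and a body-match flag to a diagnosis.
# curl exit 28 is the case in the post: "Timeout during connect (likely firewall problem)".
diagnose() {
  curl_rc="$1"; http_status="$2"; body_ok="$3"
  case "$curl_rc" in
    28) echo "timeout: port 80 is probably filtered by a firewall" ;;
    7)  echo "connection refused: nothing is listening on port 80" ;;
    6)  echo "dns: the name does not resolve" ;;
    0)
      if [ "$http_status" = "200" ] && [ "$body_ok" = "1" ]; then
        echo "ok"
      elif [ "$http_status" = "200" ]; then
        echo "wrong content: another vhost or a redirect is answering for this path"
      else
        echo "http $http_status: the vhost does not serve /.well-known/acme-challenge/"
      fi ;;
    *)  echo "curl failed with exit code $curl_rc" ;;
  esac
}

# Write a token under the webroot, fetch it via http://DOMAIN/ (no TLS, no
# redirects followed, 10 s limit), remove it, and print the diagnosis.
# Returns 0 only when the fetched body matches the token.
acme_preflight() {
  dir="$WEBROOT/.well-known/acme-challenge"
  mkdir -p "$dir" || return 2
  token="preflight-$$-$(date +%s)"
  printf '%s' "$token" > "$dir/$token"
  tmp=$(mktemp)
  status=$(curl -s -o "$tmp" -w '%{http_code}' --max-time 10 \
             "http://$DOMAIN/.well-known/acme-challenge/$token")
  rc=$?
  body_ok=0
  [ "$(cat "$tmp")" = "$token" ] && body_ok=1
  rm -f "$tmp" "$dir/$token"
  result=$(diagnose "$rc" "$status" "$body_ok")
  echo "$result"
  [ "$result" = "ok" ]
}

# Only perform the live check when explicitly asked, so the functions can be
# sourced without touching the network.
if [ -n "${ACME_PREFLIGHT_RUN:-}" ]; then
  acme_preflight
fi
```

Run it by hand with ACME_PREFLIGHT_RUN=1 before the renew command; "ok" means a port-80 listener exists, the request reaches it, and the vhost maps /.well-known/acme-challenge/ to the same webroot certbot writes into. Any other line tells you which of the two requirements from this post is missing.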

Rough way to start the morning (´Д`)
