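I received an email from Let’s Encrypt, the free SSL certificate used on this magician's site, saying the certificate was about to expire, so I went to renew it, but errors kept coming up and for a while the renewal would not go through.
I panicked a bit, but in the end I was able to renew by editing the file "/etc/letsencrypt/renewal/magician.tokyo.conf".
The email from Let’s Encrypt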
Let’s Encrypt certificate expiration notice for domain “magician.tokyo”
Hello,
Your certificate (or certificates) for the names listed below will expire in 20 days (on 19 Apr 20 00:57 +0000). Please make sure to renew your certificate before then, or visitors to your website will encounter errors.
We recommend renewing certificates automatically when they have a third of their
total lifetime left. For Let’s Encrypt’s current 90-day certificates, that means
renewing 30 days before expiration. See
https://letsencrypt.org/docs/integration-guide/ for details.
magician.tokyo
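The certificate expires after 90 days and stops working, so it has to be renewed before then.
What a hassle.
Renewing Let’s Encrypt
So, connect to the server over SSH.
Check the expiry date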
$ sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Found the following certs:
Certificate Name: magician.tokyo
Domains: magician.tokyo h.magician.tokyo www.magician.tokyo
Expiry Date: 2020-04-23 17:00:26+00:00 (VALID: 24 days)
Certificate Path: /etc/letsencrypt/live/magician.tokyo/fullchain.pem
Private Key Path: /etc/letsencrypt/live/magician.tokyo/privkey.pem
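It looks like it expires in 24 days.
Checking whether renewal is possible
Before actually renewing, run a check with "--dry-run" added.
Apparently, failing too many times gets you rate limited.
$ sudo certbot renew --dry-run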
Attempting to renew cert (magician.tokyo) from /etc/letsencrypt/renewal/magician.tokyo.conf produced an unexpected
error: urn:ietf:params:acme:error:malformed :: The request message was malformed :: Method not allowed. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/magician.tokyo/fullchain.pem (failure)
An error came up.
Other errors
I tried running it without --dry-run and fiddled with the settings, but errors kept coming up and it did not work.
Attempting to renew cert (magician.tokyo) from /etc/letsencrypt/renewal/magician.tokyo.conf produced an unexpected
error: Missing command line flag or config entry for this setting:
Input the webroot for h.magician.tokyo:. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/magician.tokyo/fullchain.pem (failure)
The configuration that renewed Let’s Encrypt successfully
In the end it succeeded after changing magician.tokyo.conf.
Before the change
$ cat /etc/letsencrypt/renewal/magician.tokyo.conf
renew_before_expiry = 30 days
version = 0.28.0
archive_dir = /etc/letsencrypt/archive/magician.tokyo
cert = /etc/letsencrypt/live/magician.tokyo/cert.pem
privkey = /etc/letsencrypt/live/magician.tokyo/privkey.pem
chain = /etc/letsencrypt/live/magician.tokyo/chain.pem
fullchain = /etc/letsencrypt/live/magician.tokyo/fullchain.pem
# Options used in the renewal process
[renewalparams]
account = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
authenticator = standalone
installer = apache
server = https://acme-v02.api.letsencrypt.org/directory
After the change
$ vi /etc/letsencrypt/renewal/magician.tokyo.conf
renew_before_expiry = 30 days
version = 0.28.0
archive_dir = /etc/letsencrypt/archive/magician.tokyo
cert = /etc/letsencrypt/live/magician.tokyo/cert.pem
privkey = /etc/letsencrypt/live/magician.tokyo/privkey.pem
chain = /etc/letsencrypt/live/magician.tokyo/chain.pem
fullchain = /etc/letsencrypt/live/magician.tokyo/fullchain.pem
# Options used in the renewal process
[renewalparams]
account = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
authenticator = webroot
installer = apache
server = https://acme-v02.api.letsencrypt.org/directory
[[webroot_map]]
magician.tokyo = /var/www/html
h.magician.tokyo = /var/www/html
www.magician.tokyo = /var/www/html
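What changed
Changed "authenticator" from "standalone" to "webroot".
It seems this makes it possible to renew without stopping the server.
What was added
The following entries were missing, so I added them.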
[[webroot_map]]
magician.tokyo = /var/www/html
h.magician.tokyo = /var/www/html
www.magician.tokyo = /var/www/html
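As an added example (not from the original post and not certbot's own code), this Python check parses a renewal file and reports the two conditions behind the errors above: an authenticator other than webroot, and a certificate domain with no [[webroot_map]] entry. The function names are hypothetical, and the sample config is constructed from the values shown on this page with the h.magician.tokyo entry deliberately left out.

```python
import re

DOMAINS = ["magician.tokyo", "h.magician.tokyo", "www.magician.tokyo"]

# Constructed sample: webroot enabled, but the h.magician.tokyo entry is missing.
SAMPLE = """\
[renewalparams]
authenticator = webroot
installer = apache
[[webroot_map]]
magician.tokyo = /var/www/html
www.magician.tokyo = /var/www/html
"""

def parse_renewal_conf(text):
    """Parse the renewal file into {section_path: {key: value}}.
    Top-level keys sit under "", [[webroot_map]] under "renewalparams/webroot_map"."""
    sections, path = {"": {}}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"(\[+)\s*([^\[\]]+?)\s*(\]+)", line)
        if m and len(m.group(1)) == len(m.group(3)):
            depth = len(m.group(1))  # [x] is depth 1, [[x]] is depth 2
            path = path[:depth - 1] + [m.group(2)]
            sections.setdefault("/".join(path), {})
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections["/".join(path)][key] = value
    return sections

def check_webroot_renewal(text, domains):
    """Return the problems that would stop an unattended webroot renewal."""
    conf = parse_renewal_conf(text)
    params = conf.get("renewalparams", {})
    webroot_map = conf.get("renewalparams/webroot_map", {})
    problems = []
    if params.get("authenticator") != "webroot":
        problems.append("authenticator is %r, expected 'webroot'" % params.get("authenticator"))
    for domain in domains:
        if not webroot_map.get(domain):
            problems.append("no webroot_map entry for " + domain)
    return problems

if __name__ == "__main__":
    for problem in check_webroot_renewal(SAMPLE, DOMAINS):
        print(problem)
```

Running it against the real file before `certbot renew --dry-run` catches a missing map entry without spending a request against the ACME server.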
Run
$ sudo certbot renew
Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/magician.tokyo/fullchain.pem (success)
Confirming the renewal
It renewed properly.
$ sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Found the following certs:
Certificate Name: magician.tokyo
Domains: magician.tokyo h.magician.tokyo www.magician.tokyo
Expiry Date: 2020-06-28 01:36:57+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/magician.tokyo/fullchain.pem
Private Key Path: /etc/letsencrypt/live/magician.tokyo/privkey.pem