
Fixing a Let's Encrypt Renewal Error

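This magician's site uses a free SSL certificate from Let's Encrypt. I received an e-mail saying it was about to expire, so I tried to renew it, but errors kept the renewal from going through for quite a while.
It was stressful, but in the end I was able to renew by editing the file "/etc/letsencrypt/renewal/magician.tokyo.conf".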

The e-mail from Let's Encrypt

Let’s Encrypt certificate expiration notice for domain “magician.tokyo”

Hello,

Your certificate (or certificates) for the names listed below will expire in 20 days (on 19 Apr 20 00:57 +0000). Please make sure to renew your certificate before then, or visitors to your website will encounter errors.

We recommend renewing certificates automatically when they have a third of their
total lifetime left. For Let’s Encrypt’s current 90-day certificates, that means
renewing 30 days before expiration. See
https://letsencrypt.org/docs/integration-guide/ for details.

magician.tokyo

Certificates expire after 90 days and stop working, so they have to be renewed before then.
What a hassle.

Renewing Let's Encrypt

So I connected to the server over SSH.
Check the expiry date

$ sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: magician.tokyo
Domains: magician.tokyo h.magician.tokyo www.magician.tokyo
Expiry Date: 2020-04-23 17:00:26+00:00 (VALID: 24 days)
Certificate Path: /etc/letsencrypt/live/magician.tokyo/fullchain.pem
Private Key Path: /etc/letsencrypt/live/magician.tokyo/privkey.pem


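It looks like it expires in 24 more days.

Checking whether renewal is possible

Before actually renewing, run a check with "--dry-run".
Apparently repeated failures get you rate-limited.

$ sudo certbot renew --dry-run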

Attempting to renew cert (magician.tokyo) from /etc/letsencrypt/renewal/magician.tokyo.conf produced an unexpected
error: urn:ietf:params:acme:error:malformed :: The request message was malformed :: Method not allowed. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/magician.tokyo/fullchain.pem (failure)

An error came up.

Other errors

I tried running it without --dry-run and tweaking the settings, but kept getting errors and it didn't work.

Attempting to renew cert (magician.tokyo) from /etc/letsencrypt/renewal/magician.tokyo.conf produced an unexpected
error: Missing command line flag or config entry for this setting:
Input the webroot for h.magician.tokyo:. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/magician.tokyo/fullchain.pem (failure)

Attempting to renew cert (magician.tokyo) from /etc/letsencrypt/renewal/magician.tokyo.conf produced an unexpected
error: urn:ietf:params:acme:error:malformed :: The request message was malformed :: Method not allowed. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/magician.tokyo/fullchain.pem (failure)

The configuration that made the renewal succeed

In the end it worked after I changed magician.tokyo.conf.

Before the change

$ cat /etc/letsencrypt/renewal/magician.tokyo.conf

renew_before_expiry = 30 days
version = 0.28.0
archive_dir = /etc/letsencrypt/archive/magician.tokyo
cert = /etc/letsencrypt/live/magician.tokyo/cert.pem
privkey = /etc/letsencrypt/live/magician.tokyo/privkey.pem
chain = /etc/letsencrypt/live/magician.tokyo/chain.pem
fullchain = /etc/letsencrypt/live/magician.tokyo/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
authenticator = standalone
installer = apache
server = https://acme-v02.api.letsencrypt.org/directory

After the change

$ vi /etc/letsencrypt/renewal/magician.tokyo.conf

renew_before_expiry = 30 days
version = 0.28.0
archive_dir = /etc/letsencrypt/archive/magician.tokyo
cert = /etc/letsencrypt/live/magician.tokyo/cert.pem
privkey = /etc/letsencrypt/live/magician.tokyo/privkey.pem
chain = /etc/letsencrypt/live/magician.tokyo/chain.pem
fullchain = /etc/letsencrypt/live/magician.tokyo/fullchain.pem
# Options used in the renewal process

[renewalparams]
account = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
authenticator = webroot
installer = apache
server = https://acme-v02.api.letsencrypt.org/directory
[[webroot_map]]
magician.tokyo = /var/www/html
h.magician.tokyo = /var/www/html
www.magician.tokyo = /var/www/html

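What changed

Changed "authenticator" from "standalone" to "webroot".
Apparently this makes it possible to renew without stopping the server.

What was added

The following entries were missing, so I added them.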

[[webroot_map]]
magician.tokyo = /var/www/html
h.magician.tokyo = /var/www/html
www.magician.tokyo = /var/www/html
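
The "Input the webroot for h.magician.tokyo" error above appears when the webroot authenticator has no path for one of the certificate's names. The following check is an added example, not part of the original post and not certbot's own code: it reads a renewal file and lists the names that lack a `[[webroot_map]]` entry. The function names, the simplified parser and the sample file (constructed with the `h.magician.tokyo` line left out) are assumptions made for illustration.

```python
import re

# Constructed sample based on this page's edited file, with the
# h.magician.tokyo line left out; the account id is a placeholder.
SAMPLE_CONF = """\
# Options used in the renewal process
[renewalparams]
account = PLACEHOLDER
authenticator = webroot
installer = apache
server = https://acme-v02.api.letsencrypt.org/directory
[[webroot_map]]
magician.tokyo = /var/www/html
www.magician.tokyo = /var/www/html
"""
DOMAINS = ["magician.tokyo", "h.magician.tokyo", "www.magician.tokyo"]

def parse_renewal_conf(text):
    """Return {"section/subsection": {key: value}} for a nested-INI file."""
    sections, stack = {"": {}}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"(\[+)\s*([^\[\]]+?)\s*(\]+)", line)
        if m:  # [name] is depth 1, [[name]] is a child of the last depth-1 section
            if len(m.group(1)) != len(m.group(3)):
                raise ValueError(f"unbalanced section header: {line}")
            stack = stack[:len(m.group(1)) - 1] + [m.group(2)]
            sections.setdefault("/".join(stack), {})
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"not a key = value line: {line}")
        sections["/".join(stack)][key.strip()] = value.strip()
    return sections

def missing_webroots(conf_text, domains):
    """Names a webroot renewal would have no path for (empty list if none)."""
    conf = parse_renewal_conf(conf_text)
    params = conf.get("renewalparams", {})
    # Assumption: a webroot_path entry acts as the fallback for unmapped names.
    if params.get("authenticator") != "webroot" or "webroot_path" in params:
        return []
    mapped = conf.get("renewalparams/webroot_map", {})
    return [d for d in domains if d not in mapped]

if __name__ == "__main__":
    print(missing_webroots(SAMPLE_CONF, DOMAINS))
```

Running the same check on a file without the leading "#" on the "Options used in the renewal process" line raises ValueError, which is a quick way to catch a comment marker lost while editing.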

Run it

$ sudo certbot renew

Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/magician.tokyo/fullchain.pem (success)

Confirming the renewal

It renewed properly.

$ sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: magician.tokyo
Domains: magician.tokyo h.magician.tokyo www.magician.tokyo
Expiry Date: 2020-06-28 01:36:57+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/magician.tokyo/fullchain.pem
Private Key Path: /etc/letsencrypt/live/magician.tokyo/privkey.pem



Author: えいち / H
