Spec and Software
- EC2 (Amazon Linux 2)
- Flask app with Nginx as reverse proxy
- Docker
- certbot-auto
Issue
I spent about two days of trial and error after the certificate had expired. No matter how many times I tried, I got the following error:
Challenge failed for domain <サイト>
http-01 challenge for <サイト>
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: <サイト>
Type: connection
Detail: unknownHost :: No valid IP addresses found for <サイト>
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
References
- https://stackoverflow.com/questions/10631933/nginx-static-file-serving-confusion-with-root-alias
- https://community.letsencrypt.org/t/how-to-nginx-configuration-to-enable-acme-challenge-support-on-all-http-virtual-hosts/5622/3
- https://community.openhab.org/t/using-nginx-reverse-proxy-authentication-and-https/14542
Root cause
1) The problem was that, after the certificate was originally issued, I had changed the following:
- /etc/nginx/nginx.conf
- /etc/nginx/sites-available/<サイト>.conf
2) And I had not taken this block into account at all:
location ^~ /.well-known/acme-challenge/ {
alias /path/to/your/directory/;
}
Incidentally, I didn't know about "^~" either and looked it up in the links under References above.
Fix
For 1), I'll just be more careful from now on.
For 2), the hint was in the log, /var/log/letsencrypt/letsencrypt.log:
2019-07-22 21:49:18,483:DEBUG:certbot.plugins.webroot:Attempting to save validation to /path/to/your/directory/.well-known/acme-challenge/XXXXXXXXXXXXXXXX
I found this line and, in /etc/nginx/sites-available/<サイト>.conf, added
location ^~ /.well-known/acme-challenge/ {
alias /path/to/your/directory/;
}
and it went through without a hitch...
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/<サイト>/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/<サイト>/fullchain.pem (success)
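As an added example (not the author's config), here is a complete pair of server blocks for the setup on this page: the http-01 challenge location served from the webroot path that appears in the letsencrypt.log line, an HTTPS redirect for everything else, and the reverse proxy to the Flask app. The domain example.com, the webroot /path/to/your/directory and the Flask container published on 127.0.0.1:5000 are assumptions.

```nginx
# Added example (not the author's config): HTTP and HTTPS server blocks for
# this page's setup, Flask behind nginx, renewed with certbot's webroot plugin.
# Assumptions: webroot /path/to/your/directory (the path in the
# letsencrypt.log line above), Flask container published on 127.0.0.1:5000,
# domain example.com.
server {
    listen 80;
    server_name example.com;

    # ACME http-01. certbot writes the token to
    # <webroot>/.well-known/acme-challenge/<token>; "root" appends the full
    # URI to the path, so this serves exactly that file. (With "alias" the
    # target would have to be <webroot>/.well-known/acme-challenge/ itself,
    # because alias replaces the matched prefix instead of appending to it.)
    # The longest prefix wins, so this block beats the catch-all "/" below
    # regardless of order; "^~" additionally stops nginx from evaluating
    # regex locations (e.g. a "~ \.(css|png)$" static rule) that would
    # otherwise capture the validation request.
    location ^~ /.well-known/acme-challenge/ {
        root /path/to/your/directory;
        default_type "text/plain";
        try_files $uri =404;
    }

    # Everything else is sent to HTTPS; the challenge path above is exempt.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Reverse proxy to the Flask app.
    location / {
        proxy_pass http://127.0.0.1:5000;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

After editing, check the config with `nginx -t`, reload nginx, and then run `certbot renew --dry-run` before the real renewal so a path mismatch shows up while the current certificate is still valid.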
Tips
Also, do a dry run first. In my case, I ended up in this situation.