How I fixed "certbot renew" errors

Written as a memo to myself.

The other day the certificate on a web server was about to expire, so I ran certbot renew and hit a series of errors; writing this down so I don't have to work it out again.
It turned out that several separate problems were producing the errors, one behind the other.

Environment: CentOS 7.6 (Apache/2.4.6)

① Dependencies?

The first time I ran certbot renew --dry-run, I got the following error:

Encountered exception during recovery: 
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/certbot/error_handler.py", line 124, in _call_registered
    self.funcs[-1]()
  File "/usr/lib/python2.7/site-packages/certbot/auth_handler.py", line 220, in _cleanup_challenges
    self.auth.cleanup(achalls)
  File "/usr/lib/python2.7/site-packages/certbot/plugins/webroot.py", line 223, in cleanup
    os.remove(validation_path)
OSError: [Errno 2] No such file or directory: '/var/lib/redmine/public/.well-known/acme-challenge/ZPghiKCbW4yZ-uCXOCAMN_HNuoLCA1r3634RiC9yejE'
Attempting to renew cert (xxx.com) from /etc/letsencrypt/renewal/xxx.com.conf produced an unexpected error: [Errno 2] No such file or directory: '/var/lib/redmine/public'. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/xxx.com/fullchain.pem (failure)

Something odd was going on with the webroot (redmine? was someone using it?). That path is the one certbot recorded for this certificate in /etc/letsencrypt/renewal/xxx.com.conf (the [[webroot_map]] entry) when it was first issued, and it no longer exists on this host. The error went away after the command I always run at renew time anyway:
yum -y --enablerepo=epel update certbot

② Open port 80 for HTTP

After ①, running certbot renew --dry-run again changed the error to the following:

Challenge failed for domain xxx.com
http-01 challenge for xxx.com
Cleaning up challenges
Attempting to renew cert (xxx.com) from /etc/letsencrypt/renewal/xxx.com.conf produced an unexpected error: Some challenges have failed.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/xxx.com/fullchain.pem (failure)
... (snip) ...
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: xxx.com
   Type:   connection
   Detail: Fetching
   http://xxx.com/.well-known/acme-challenge/ZPghiKCbW4yZ-uCXOCAMN_HNuoLCA1r3634RiC9yejE:
   Error getting validation data

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

Looking into it: for the http-01 challenge the Let's Encrypt validation server fetches http://xxx.com/.well-known/acme-challenge/<token> over plain HTTP on port 80 (it follows redirects, including to HTTPS, but the first request always goes to port 80), so the "connection" error above means it could not reach the host at all.
Let's Encrypt 総合ポータル (How to use Let's Encrypt)

As a security measure I had blocked HTTP on port 80 in the firewall, so I opened it temporarily:
sudo firewall-cmd --add-service=http
sudo systemctl restart firewalld
Caveat: firewall-cmd without --permanent changes only the runtime rule set, which takes effect immediately but is discarded when firewalld is restarted or reloaded, so the restart is not needed and can actually undo the change. If the rule is meant to stay (the certbot timer will need it at every renewal), use firewall-cmd --permanent --add-service=http followed by firewall-cmd --reload instead. The rule cannot be narrowed to a source address, because Let's Encrypt validates from several vantage points whose addresses are not published.

I also had Basic auth on the site, so just in case I temporarily commented that out as well (note that on CentOS 7 the httpd configuration lives under /etc/httpd/, i.e. /etc/httpd/conf/httpd.conf and /etc/httpd/conf.d/*.conf, as the AuthUserFile path below also suggests, so the path as written is probably a slip):
sudo vim /etc/conf.d/http.conf

# Comment out the following section
<Directory "/path/to/webroot">
      AuthUserFile /etc/httpd/conf/.htpasswd
      AuthGroupFile /dev/null
      AuthName "Basic Auth"
      AuthType Basic
      Require valid-user
</Directory>
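Rather than commenting the whole auth block out and remembering to put it back, the challenge path can be exempted on its own, and the firewall rule made persistent so unattended renewals keep working. The script below is an added example and not part of the original post; it assumes CentOS 7 with firewalld and httpd, and the drop-in file name /etc/httpd/conf.d/acme-challenge.conf is my choice. Nothing is applied unless ACME_APPLY=1 is set.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Opens port 80 for the ACME
# http-01 check and exempts /.well-known/acme-challenge/ from Basic auth
# instead of commenting the auth block out. Assumes CentOS 7 with
# firewalld and httpd; the drop-in file name is my choice.
set -eu

# Runtime-only rule (what the post does): takes effect at once but is
# discarded by the next "firewall-cmd --reload" or firewalld restart,
# so do not restart firewalld after this or the port is closed again
# before certbot runs. Enough for a one-off manual renewal.
open_http_until_reload() {
    firewall-cmd --add-service=http
}

# Permanent rule: survives reloads, so the certbot timer/cron job can
# renew unattended. Let's Encrypt validates from several vantage points
# whose addresses are not published, so the rule cannot be limited to a
# source address; limit exposure in httpd instead (redirect everything
# except the challenge path to HTTPS).
open_http_permanently() {
    firewall-cmd --permanent --add-service=http
    firewall-cmd --reload
}

# Apache 2.4 drop-in. <Location> sections are merged after <Directory>
# sections, and with the default "AuthMerging Off" the inner Require
# replaces the parent's "Require valid-user", so only this path is
# served without credentials. AuthType None makes mod_auth_basic
# decline for the path, so no 401 challenge is sent even though the
# enclosing <Directory> sets AuthType Basic.
acme_exemption_conf() {
    cat <<'EOF'
<Location "/.well-known/acme-challenge/">
    AuthType None
    Require all granted
</Location>
EOF
}

# Write the drop-in and reload httpd only if the config still parses.
install_acme_exemption() {
    local conf="/etc/httpd/conf.d/acme-challenge.conf"   # assumed name
    acme_exemption_conf > "$conf"
    apachectl configtest
    systemctl reload httpd
}

# Nothing above runs on its own; apply with:
#   ACME_APPLY=1 sudo -E bash acme-open.sh
if [ "${ACME_APPLY:-0}" = "1" ]; then
    open_http_permanently
    install_acme_exemption
fi
```

After applying, curl -I http://xxx.com/.well-known/acme-challenge/test should return 404 (the path is reachable, just no file yet) rather than 401, while any other URL still prompts for credentials.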

③ Webroot configuration

After ②, running certbot renew --dry-run again changed the error to the following:

Challenge failed for domain xxx.com
http-01 challenge for xxx.com
Cleaning up challenges
Attempting to renew cert (xxx.com) from /etc/letsencrypt/renewal/xxx.com.conf produced an unexpected error: Some challenges have failed.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/xxx.com/fullchain.pem (failure)

... (snip) ...
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: xxx.com
   Type:   unauthorized
   Detail: Invalid response from
   http://xxx.com/.well-known/acme-challenge/kPuYFAZPFbxbMUBy7pvTh3SItdqNI4kYLi_xHtJVDy8
   [xxx.xxx.xxx.xxx]: "<!DOCTYPE html>\n<html>\n<head>\n  <meta
   charset=\"utf-8\" />\n  <title>404 error</title>\n
   <style>\n    body {font-family: \"Tr"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

A 404 this time, so the connection itself is getting through and Apache is answering.
Looking into it further: during validation certbot writes a temporary file (the /.well-known/acme-challenge/... part of the URL) under the webroot, and the validation server fetches it.
But it could not be reached at /path/to/webroot/.well-known/acme-challenge: certbot was writing into the webroot stored in the renewal config (the nonexistent /var/lib/redmine/public from ①), which is not the directory this vhost serves.

I could have fiddled with the httpd config, but specifying the webroot on the command line fixed it:
sudo certbot renew --webroot -w /path/to/webroot
※ Beforehand I also created the directory with mkdir -p /path/to/webroot/.well-known/acme-challenge, just in case (certbot's webroot plugin creates it itself, so this is harmless but not required).
Note that options given to certbot renew apply to every certificate due for renewal on the host, and on a successful (non --dry-run) renewal they are written back into the renewal config, so the next plain certbot renew uses the new path; check the [[webroot_map]] entry in /etc/letsencrypt/renewal/xxx.com.conf afterwards, and make sure the directory is served without Basic auth.
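The three failures above (a stale webroot in the renewal config, port 80 or Basic auth blocking the fetch, and Apache serving a different directory than certbot writes to) can all be caught before touching certbot. The script below is an added example and not part of the original post: it reads the stored webroot from a renewal conf, checks that the path exists, then writes a probe token and fetches it over plain HTTP the way the CA does, and maps the HTTP status onto the sections of this post. The renewal conf it parses is constructed for the demo; xxx.com and the paths are placeholders, and the live probe runs only when ACME_DOMAIN and ACME_WEBROOT are set.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: a pre-flight check for an
# http-01 renewal. It reads the webroot certbot stored for a domain from
# the renewal conf, checks that the path still exists (section 1's stale
# /var/lib/redmine/public), writes a probe token into
# .well-known/acme-challenge and fetches it the way the CA does, then
# maps the result onto the failures seen in this post. The renewal conf
# below is constructed for the demo; xxx.com and the paths are placeholders.
set -eu

# Constructed stand-in for /etc/letsencrypt/renewal/<domain>.conf as the
# webroot authenticator writes it (only the relevant keys).
write_sample_conf() {
    cat > "$1" <<'EOF'
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/xxx.com
fullchain = /etc/letsencrypt/live/xxx.com/fullchain.pem

[renewalparams]
authenticator = webroot
webroot_path = /var/lib/redmine/public,
[[webroot_map]]
xxx.com = /var/lib/redmine/public
EOF
}

# renewal_webroot CONF DOMAIN: print the webroot stored for DOMAIN in the
# [[webroot_map]] section, or nothing if the domain is not listed.
renewal_webroot() {
    awk -v d="$2" '
        /^\[\[webroot_map\]\]/ { in_map = 1; next }
        /^\[/                  { in_map = 0 }
        in_map && $1 == d && $2 == "=" { print $3; exit }
    ' "$1"
}

# challenge_dir WEBROOT: ensure the challenge directory exists, print it.
# certbot creates it too; the point is to fail early with a clear error
# if WEBROOT itself is missing or not writable.
challenge_dir() {
    mkdir -p "$1/.well-known/acme-challenge"
    echo "$1/.well-known/acme-challenge"
}

# diagnose_status CODE: HTTP status of the probe -> most likely cause.
diagnose_status() {
    case "$1" in
        200) echo "ok" ;;
        000) echo "no connection: port 80 filtered or DNS A/AAAA wrong (section 2)" ;;
        401) echo "unauthorized: Basic auth still covers acme-challenge (section 2)" ;;
        403) echo "forbidden: httpd denies the path or cannot read the file" ;;
        404) echo "not found: httpd serves a different directory than certbot writes to (section 3)" ;;
        *)   echo "unexpected HTTP $1" ;;
    esac
}

# probe_http01 DOMAIN WEBROOT: drop a token and fetch it over plain HTTP,
# following redirects as Let's Encrypt does. Prints the diagnosis.
probe_http01() {
    local dir token body code
    dir=$(challenge_dir "$2")
    token="preflight-$$-$(date +%s)"
    printf '%s' "$token" > "$dir/$token"
    body=$(mktemp)
    code=$(curl -sS -L --max-time 10 -o "$body" -w '%{http_code}' \
               "http://$1/.well-known/acme-challenge/$token") || code=000
    rm -f "$dir/$token"
    if [ "$code" = 200 ] && [ "$(cat "$body")" != "$token" ]; then
        code=catchall   # a 200 from some other page is still a failed challenge
    fi
    rm -f "$body"
    case "$code" in
        catchall) echo "200 but wrong body: another page answered for the challenge URL" ;;
        *)        diagnose_status "$code" ;;
    esac
}

# Demo on the constructed conf: section 1's symptom is a stored webroot
# that no longer exists on this host.
tmp=$(mktemp -d)
write_sample_conf "$tmp/xxx.com.conf"
stored=$(renewal_webroot "$tmp/xxx.com.conf" xxx.com)
echo "webroot stored for xxx.com: $stored"
[ -d "$stored" ] || echo "  -> missing here; renew with: certbot renew --webroot -w <real DocumentRoot>"
rm -rf "$tmp"

# Live probe only when a real domain and DocumentRoot are supplied, e.g.
#   ACME_DOMAIN=xxx.com ACME_WEBROOT=/var/www/html bash preflight.sh
if [ -n "${ACME_DOMAIN:-}" ] && [ -n "${ACME_WEBROOT:-}" ]; then
    probe_http01 "$ACME_DOMAIN" "$ACME_WEBROOT"
fi
```

Point the live probe at the real renewal conf with renewal_webroot /etc/letsencrypt/renewal/xxx.com.conf xxx.com, and run it from outside the host's own network where possible, since a firewall rule that only blocks external traffic will not show up when probing from the server itself.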

That's it.

I'm not very familiar with web server internals, so this took some effort (about 15 to 20 minutes...).
Still, it is satisfying to solve it on my own.
certbot has --dry-run, so I could change something and retry without hesitation, which was nice (--dry-run talks to the Let's Encrypt staging environment, so failed attempts do not count against the production rate limits).
