
Renewing a Let's Encrypt SSL certificate on WordPress with NGINX and SSL Certified by Bitnami

It is just what the official manual says, but I got stuck a little, so here is a memo.

Incidentally, the environment I tried this on was GCP (a VM instance).

https://docs.bitnami.com/virtual-machine/how-to/generate-install-lets-encrypt-ssl/#step-5-renew-the-let-s-encrypt-certificate

Near the top of this document there is a section titled
"Use The Bitnami HTTPS Configuration Tool", but right below it says:

IMPORTANT: The Bitnami HTTPS Configuration Tool does not support configuring NGINX web servers yet. If you use NGINX, please follow the alternative approach section.

So unfortunately the tool cannot be used with NGINX, and the renewal has to be done
with the alternative approach instead.

Step 5 of this alternative approach is the certificate renewal procedure,
and the commands in it are:

sudo /opt/bitnami/ctlscript.sh stop
sudo /opt/bitnami/letsencrypt/lego --tls --email="EMAIL-ADDRESS" --domains="DOMAIN" --path="/opt/bitnami/letsencrypt" renew --days 90
sudo /opt/bitnami/ctlscript.sh start

The problem is `ctlscript.sh stop`: with no service name it stops the entire service stack managed by Bitnami
(for WordPress with NGINX that is nginx/php-fpm/mysql), not just the web server.

Incidentally, I tried running the renew command without stopping anything to see whether it would work, but it didn't.

$ sudo /opt/bitnami/letsencrypt/lego --path="/opt/bitnami/letsencrypt" --tls --email="nobody@example.com"  --domains=example.com --domains=www.example.com renew --days 90
2019/08/05 02:22:12 [INFO] [example.com] acme: Trying renewal with 141 hours remaining
2019/08/05 02:22:12 [INFO] [example.com, www.example.com] acme: Obtaining bundled SAN certificate
2019/08/05 02:22:14 [INFO] [example.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/***********-**********-********************
2019/08/05 02:22:14 [INFO] [www.example.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/***********-**********-********************
2019/08/05 02:22:14 [INFO] [example.com] acme: use tls-alpn-01 solver
2019/08/05 02:22:14 [INFO] [www.example.com] acme: use tls-alpn-01 solver
2019/08/05 02:22:14 [INFO] [example.com] acme: Trying to solve TLS-ALPN-01
2019/08/05 02:22:14 [INFO] [www.example.com] acme: Trying to solve TLS-ALPN-01
2019/08/05 02:22:14 acme: Error -> One or more domains had a problem:
[example.com] [example.com] acme: error presenting token: could not start HTTPS server for challenge -> listen tcp :443: bind: address already in use
[www.example.com] [www.example.com] acme: error presenting token: could not start HTTPS server for challenge -> listen tcp :443: bind: address already in use

I looked for a way to do this with as little downtime as possible (more precisely, with only an nginx configuration reload),
but couldn't find one, so I gave up, got the service downtime accepted, and went ahead with the SSL certificate renewal.

The official Bitnami manual stops all services, but since this is only an SSL certificate renewal,
I figured stopping nginx alone should be enough and did so. The renewal went through without any problem.

$ sudo /opt/bitnami/ctlscript.sh stop nginx
Unmonitored nginx
/opt/bitnami/nginx/scripts/ctl.sh : Nginx stopped

$ sudo /opt/bitnami/letsencrypt/lego --path="/opt/bitnami/letsencrypt" --tls --email="nobody@example.com"  --domains=example.com --domains=www.example.com renew --days 90
2019/08/05 04:47:11 [INFO] [example.com] acme: Trying renewal with 139 hours remaining
2019/08/05 04:47:11 [INFO] [example.com, www.example.com] acme: Obtaining bundled SAN certificate
2019/08/05 04:47:12 [INFO] [example.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/***********-**********-********************
2019/08/05 04:47:12 [INFO] [www.example.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/***********-**********-********************
2019/08/05 04:47:12 [INFO] [www.example.com] acme: use tls-alpn-01 solver
2019/08/05 04:47:12 [INFO] [example.com] acme: use tls-alpn-01 solver
2019/08/05 04:47:12 [INFO] [www.example.com] acme: Trying to solve TLS-ALPN-01
2019/08/05 04:47:18 [INFO] [www.example.com] The server validated our request
2019/08/05 04:47:18 [INFO] [example.com] acme: Trying to solve TLS-ALPN-01
2019/08/05 04:47:25 [INFO] [example.com] The server validated our request
2019/08/05 04:47:25 [INFO] [example.com, www.example.com] acme: Validations succeeded; requesting certificates
2019/08/05 04:47:27 [INFO] [example.com] Server responded with a certificate.

$ sudo /opt/bitnami/ctlscript.sh start nginx
/opt/bitnami/nginx/scripts/ctl.sh : Nginx started
Monitored nginx

The three commands run here can be scheduled in crontab to run automatically, so check for
a time window in which a service interruption of about one minute is acceptable and automate it there.
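The three commands above translate directly into a cron job, but two details deserve handling there. `--days 90` tells lego to renew whenever fewer than 90 days remain, and a Let's Encrypt certificate is valid for exactly 90 days, so that invocation renews on every run and takes nginx down every time the job fires. And if lego fails after nginx has been stopped, nothing brings nginx back. The wrapper below is an added example, not code from the article or from Bitnami's documentation: it reads the expiry of the current certificate and stops nginx only when renewal is actually due, and it restarts nginx on exit whatever lego's outcome. The Bitnami paths, the domain and e-mail values, lego's `certificates/<domain>.crt` file layout, and the presence of openssl and GNU date on the VM are assumptions.

```shell
#!/bin/sh
# Added example (not from the article or Bitnami): a wrapper for the
# stop-nginx / lego renew / start-nginx procedure, meant for root's crontab
# (so no sudo). Assumptions: the Bitnami paths below, lego's default
# certificate layout (<path>/certificates/<first domain>.crt), and openssl
# plus GNU date being available on the VM.
set -eu

CTL=${CTL:-/opt/bitnami/ctlscript.sh}
LEGO=${LEGO:-/opt/bitnami/letsencrypt/lego}
LE_PATH=${LE_PATH:-/opt/bitnami/letsencrypt}
DOMAIN=${DOMAIN:-example.com}
EMAIL=${EMAIL:-nobody@example.com}
RENEW_WITHIN_DAYS=${RENEW_WITHIN_DAYS:-30}

# Succeeds when the certificate expiring at $1 (epoch seconds) has fewer than
# $3 whole days left at time $2 (epoch seconds). Pure arithmetic, so it can be
# exercised without a certificate or network access.
needs_renewal() {
  not_after=$1; now=$2; days=$3
  remaining=$(( (not_after - now) / 86400 ))
  [ "$remaining" -lt "$days" ]
}

# notAfter of a PEM certificate as epoch seconds (openssl + GNU date assumed).
cert_not_after_epoch() {
  end=$(openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//')
  date -u -d "$end" +%s
}

# Stop nginx only when the certificate is actually close to expiry, run lego
# with the same threshold, and always start nginx again, even if lego fails.
renew_certificate() {
  cert="$LE_PATH/certificates/$DOMAIN.crt"
  if [ -f "$cert" ] && ! needs_renewal "$(cert_not_after_epoch "$cert")" "$(date +%s)" "$RENEW_WITHIN_DAYS"; then
    echo "$DOMAIN: more than $RENEW_WITHIN_DAYS days left, nginx stays up"
    return 0
  fi
  trap '"$CTL" start nginx' EXIT
  "$CTL" stop nginx
  "$LEGO" --path="$LE_PATH" --tls --email="$EMAIL" \
    --domains="$DOMAIN" --domains="www.$DOMAIN" renew --days "$RENEW_WITHIN_DAYS"
}

# Usage from root's crontab, e.g. daily at 04:00:
#   0 4 * * * /root/renew-cert.sh run
if [ "${1:-}" = "run" ]; then
  renew_certificate
fi
```

Run it daily: on most days the expiry check returns early and nginx is never touched; only inside the last 30 days of validity does the job take the roughly one-minute outage, and the `trap` guarantees nginx comes back even when the ACME challenge fails.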

I have the feeling it could be done without downtime by installing certbot,
but I didn't have the time to verify that, so this time I decided the official documentation's procedure was the way to go.

If anyone knows how to renew the certificate without downtime (with only an nginx configuration reload), please let me know.
