When I woke up this morning, the following email had arrived.
Update your client software to continue using Let's Encrypt
Hi,
According to our records, the software client you're using to get Let's
Encrypt TLS/SSL certificates issued or renewed at least one HTTPS certificate
in the past two weeks using the ACMEv1 protocol. Here are the details of one
recent ACMEv1 request from each of your account(s):
Client IP address: 222.95.333.197 111.44.333.216
User agent: CertbotACMEClient/0.10.0.dev0 (CentOS Linux 7 (Core)) Authenticator/webroot Installer/None CertbotACMEClient/0.10.0.dev0 (CentOS Linux 7 (Core)) Authenticator/webroot Installer/None
Hostname(s): "caba-ageha.com" "host-sweet.com"
Request time: 2020-02-29 15:35:24 UTC 2020-02-29 15:45:11 UTC
Beginning June 1, 2020, we will stop allowing new domains to validate using
the ACMEv1 protocol. You should upgrade to an ACMEv2 compatible client before
then, or certificate issuance will fail. For most people, simply upgrading to
the latest version of your existing client will suffice. You can view the
client list at: https://letsencrypt.org/docs/client-options/
If you're unsure how your certificate is managed, get in touch with the
person who installed the certificate for you. If you don't know who to
contact, please view the help section in our community forum at
https://community.letsencrypt.org/c/help and use the search bar to check if
there's an existing solution for your question. If there isn't, please create
a new topic and fill out the help template.
ACMEv1 API deprecation details can be found in our community forum:
https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1
As a reminder: In the future, Let's Encrypt will be performing multiple
domain validation requests for each domain name when you issue a certificate.
While you're working on migrating to ACMEv2, please check that your system
configuration will not block validation requests made by new Let's Encrypt IP
addresses, or block multiple matching requests. Per our FAQ
(https://letsencrypt.org/docs/faq/), we don't publish a list of IP addresses
we use to validate, and this list may change at any time.
To receive more frequent updates, subscribe to our API Announcements:
https://community.letsencrypt.org/t/about-the-api-announcements-category
Thank you for joining us on our mission to create a more secure and privacy-
respecting Web!
All the best,
Let's Encrypt
If you are receiving this email in error, unsubscribe at:
http://mandrillapp.com/track/unsub.php?u=30850198&id=53ed4da6599643e0aa2f3f830fa65075.wn%2Bpm3FGaXNSGXpOMRutv5qyumw%3D&r=https%3A%2F%2Fmandrillapp.com%2Funsub%3Fmd_email%3Dh%2540okws.jp
Please note that this would also unsubscribe you from other Let's Encrypt
service notices, like expiration reminders.
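What on earth is this!?
Translated, it says that unless the client software for the listed domains is upgraded, their SSL certificates will run out.
Reference
https://qiita.com/matsumoto_sp/items/93275ca2123d92615bd7
So, here is my own way of upgrading.
Note that nginx has to be stopped first, otherwise you get an error.
Also, if you use something like monit for automatic restarts, it will bring nginx back up even after you stop it, so stop monit and the like as well.
The error looks like this:
Problem binding to port 80: Could not bind to IPv4 or IPv6.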
Stop nginx
/usr/bin/systemctl stop nginx
Renew the certificate
/root/certbot/certbot-auto certonly --standalone -d yourdomain.com
Choose option 2
What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Keep the existing certificate for now
2: Renew & replace the cert (limit ~5 per 7 days)
Restart nginx
/usr/bin/systemctl restart nginx
Check
Go to https://checkhost.unboundtest.com/ and enter the domain name.
The certificate currently available on twi.ski is OK. It is not one of the certificates affected by the Let's Encrypt CAA rechecking problem. Its serial number is 0429dac1b3ff8d1194feaaae33f9b37793
If it comes back OK like this, you are done.
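
The stop / renew / restart steps above, collected into one shell function so that nginx is brought back up even when certbot fails. This is an added example, not part of the original post; the paths are the ones used in the post, while the `monit` unit name and the `RUN`, `SYSTEMCTL` and `CERTBOT` variables are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original post: the manual steps as one function.
# Paths are the ones used in the post; the "monit" unit name is an assumption.
SYSTEMCTL="${SYSTEMCTL:-/usr/bin/systemctl}"
CERTBOT="${CERTBOT:-/root/certbot/certbot-auto}"
RUN="${RUN:-}"   # RUN=echo prints the commands instead of executing them

renew_standalone() {
    rs_domain="${1:-}"
    if [ -z "$rs_domain" ]; then
        echo "usage: renew_standalone yourdomain.com" >&2
        return 2
    fi

    # monit restarts nginx on its own, which re-occupies port 80; stop it
    # first. A host without monit just reports an error here, which is ignored.
    $RUN "$SYSTEMCTL" stop monit 2>/dev/null || true

    # The standalone authenticator binds port 80 itself, so nginx must be down.
    # If it cannot be stopped, give up before touching certbot.
    if ! $RUN "$SYSTEMCTL" stop nginx; then
        $RUN "$SYSTEMCTL" start monit 2>/dev/null || true
        return 1
    fi

    # Same command as in the post. certbot asks what to do with the existing
    # certificate; the post answers 2 (renew & replace).
    rs_rc=0
    $RUN "$CERTBOT" certonly --standalone -d "$rs_domain" || rs_rc=$?

    # Bring the web server back whether or not issuance succeeded, so a failed
    # renewal does not also leave the site offline.
    $RUN "$SYSTEMCTL" restart nginx || rs_rc=1
    $RUN "$SYSTEMCTL" start monit 2>/dev/null || true
    return "$rs_rc"
}
```

Source the file as root and call `renew_standalone yourdomain.com`; a first pass with `RUN=echo` shows the command sequence without touching any service.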