
Let's Encrypt SSL certificate auto-renewal had been failing

Posted at 2020-04-17

This article is about a time when automatic renewal of a Let's Encrypt SSL certificate was failing.

The Let's Encrypt certificate is renewed from cron, with an entry like this that runs on the 1st and 15th of every month:
0 4 1,15 * * certbot renew --deploy-hook "/etc/letsencrypt/renewal-hooks/deploy/cert_renew_mail.sh" >> /var/log/letsencrypt/letsencrypt.log 2>&1
※ --deploy-hook: run once per certificate.
※ Scripts placed in /etc/letsencrypt/renewal-hooks/deploy/ are run when certbot executes.
※ cert_renew_mail.sh sends a mail when a renewal succeeds.

However, there were times when no mail arrived.

First, check the log

↓ Excerpt from the bottom of the log

/var/log/letsencrypt/letsencrypt.log
MissingCommandlineFlag: Missing command line flag or config entry for this setting:
Input the webroot for xxxx.com:

2020-04-15 04:02:38,222:INFO:certbot.renewal:Cert not yet due for renewal
2020-04-15 04:02:38,222:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2020-04-15 04:02:38,223:ERROR:certbot.renewal:All renewal attempts failed. The following certs could not be renewed:
2020-04-15 04:02:38,223:ERROR:certbot.renewal:  /etc/letsencrypt/live/xxxx.com/fullchain.pem (failure)
2020-04-15 04:02:38,224:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 9, in <module>
    load_entry_point('certbot==0.31.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 1365, in main
    return config.func(config, plugins)
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 1272, in renew
    renewal.handle_renewal_request(config)
  File "/usr/lib/python2.7/site-packages/certbot/renewal.py", line 477, in handle_renewal_request
    len(renew_failures), len(parse_failures)))
Error: 1 renew failure(s), 0 parse failure(s)

Looking at these lines:
Input the webroot for xxxx.com:
Requested authenticator webroot and installer None
it looks like the error happened because no webroot is configured...

Cause?

Check the configuration file

/etc/letsencrypt/renewal/xxx.com.conf
# renew_before_expiry = 30 days
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/xxx.com
cert = /etc/letsencrypt/live/xxx.com/cert.pem
privkey = /etc/letsencrypt/live/xxx.com/privkey.pem
chain = /etc/letsencrypt/live/xxx.com/chain.pem
fullchain = /etc/letsencrypt/live/xxx.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = webroot
account = hoge
server = https://acme-v02.api.letsencrypt.org/directory
[[webroot_map]]

[[webroot_map]] is empty.

Fix

/etc/letsencrypt/renewal/xxx.com.conf
[[webroot_map]]
xxxx.com = /var/www/html/xxx.com/
www.xxxx.com = /var/www/html/www.xxx.com/

Configure it like this and run
$ certbot renew

The renewal succeeded without any trouble!
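Because the deploy hook only fires on success, an empty [[webroot_map]] fails silently under cron: certbot tries to prompt "Input the webroot for <domain>:", gets no answer, and exits with MissingCommandlineFlag as in the log above. The following preflight script is an added example (not from the original post or from certbot): it parses each renewal config that uses the webroot authenticator, rejects an empty [[webroot_map]], and checks that every mapped directory exists, so the problem is caught before the renew job runs. The function names are hypothetical, and the default directory assumes certbot's standard /etc/letsencrypt/renewal layout.

```shell
#!/bin/sh
# Added example, not part of the original post: a preflight check for
# certbot renewal configs. For every <renewal dir>/*.conf that uses the
# webroot authenticator it verifies that [[webroot_map]] is non-empty and
# that each mapped directory exists. An empty map makes "certbot renew"
# prompt for the webroot, which has no answer under cron and ends in
# MissingCommandlineFlag. Function names are hypothetical; RENEWAL_DIR
# defaults to certbot's standard /etc/letsencrypt/renewal layout (assumed).

# Print the "domain = path" lines of a conf's [[webroot_map]] section.
webroot_map_entries() {
    awk '
        /^[[:space:]]*\[\[webroot_map\]\][[:space:]]*$/ { in_map = 1; next }
        /^[[:space:]]*\[/                               { in_map = 0 }
        in_map && /=/                                   { print }
    ' "$1"
}

# Return 0 if one conf is safe to renew unattended, 1 otherwise.
# Findings go to stderr so they end up in the cron mail / log.
check_renewal_conf() {
    conf="$1"
    status=0

    # Only the webroot authenticator needs a webroot map.
    grep -Eq '^[[:space:]]*authenticator[[:space:]]*=[[:space:]]*webroot[[:space:]]*$' "$conf" || return 0

    entries=$(webroot_map_entries "$conf")
    if [ -z "$entries" ]; then
        echo "$conf: [[webroot_map]] is empty; renew would prompt for the webroot" >&2
        return 1
    fi

    # Every mapped path must be an existing directory.
    echo "$entries" | while IFS= read -r line; do
        domain=$(printf '%s\n' "$line" | sed 's/[[:space:]]*=.*//')
        path=$(printf '%s\n' "$line" | sed 's/^[^=]*=[[:space:]]*//')
        if [ ! -d "$path" ]; then
            echo "$conf: webroot for $domain is not a directory: $path" >&2
            exit 1   # leaves the while-subshell with a failure status
        fi
    done || status=1

    return "$status"
}

# Check every *.conf in a renewal directory; 0 only if all of them pass.
check_all_renewal_confs() {
    dir="$1"
    overall=0
    [ -d "$dir" ] || { echo "$dir: no such directory" >&2; return 1; }
    for c in "$dir"/*.conf; do
        [ -f "$c" ] || continue
        check_renewal_conf "$c" || overall=1
    done
    return "$overall"
}

# When run directly, e.g. from cron shortly before the renew job.
if check_all_renewal_confs "${RENEWAL_DIR:-/etc/letsencrypt/renewal}"; then
    echo "renewal configs OK"
fi
```

Run it from a cron entry a little before the renew job (or call it as a pre-hook); a non-zero exit with the message on stderr is what the cron mail will carry, which is exactly the signal that was missing in the story above, where only successes produced mail.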
