また例によって、Let’s Encryptからメールが来ていた。
Hello,
Your certificate (or certificates) for the names listed below will expire in 19 days (on 29 Nov 21 19:51 +0000). Please make sure to renew your certificate before then, or visitors to your web site will encounter errors.
さて、前回(3ヶ月前)に更新ができなかった時に、仕様変更でDNSにwwwつきドメインをAレコードに追加して解決したはずだったんだが……🤔
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 |
Saving debug log to /var/log/letsencrypt/letsencrypt.log Plugins selected: Authenticator webroot, Installer None Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org Cert is due for renewal, auto-renewing... Renewing an existing certificate for ice-military.com and www.ice-military.com Performing the following challenges: http-01 challenge for ice-military.com http-01 challenge for www.ice-military.com Using the webroot path /home/kusanagi/wordpress/DocumentRoot for all unmatched domains. Waiting for verification... Challenge failed for domain www.ice-military.com Challenge failed for domain ice-military.com http-01 challenge for www.ice-military.com http-01 challenge for ice-military.com Cleaning up challenges Some challenges have failed. IMPORTANT NOTES: - The following errors were reported by the server: Domain: www.ice-military.com Type: connection Detail: Fetching https://ice-military.com/.well-known/acme-challenge/UJxTXD-TWalqSCwDJPh6vhSHMRoTK4g4sdg9-ZdC_tY: Timeout during connect (likely firewall problem) Domain: ice-military.com Type: connection Detail: Fetching https://ice-military.com/.well-known/acme-challenge/ElMvdlb2KpA4SNEy-lUvIqI3JKsCWyJiePiDq2yrJuQ: Timeout during connect (likely firewall problem) To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you're using the webroot plugin, you should also verify that you are serving files from the webroot path you provided. |
今回もまた手っ取り早く再構築を考えたが、これではいつまで経っても埒が明かないを思い、さらにいろいろ調べてみることにしました。
そこで見つけたのがcertbotのサイト。
certbot
このページの手順通りに作業を進めてみることにしました。
- Install snapdYou’ll need to install snapd and make sure you follow any instructions to enable classic snap support.(snapdのインストールと、クラシックスナップサポートを有効にする。)
-
snapdのインストール
12345678910111213141516171819202122232425262728293031323334353637383940# yum install snapd読み込んだプラグイン:fastestmirrorLoading mirror speeds from cached hostfile* base: ftp.tsukuba.wide.ad.jp* epel: ftp.jaist.ac.jp* extras: ftp.tsukuba.wide.ad.jp* updates: ftp.tsukuba.wide.ad.jp依存性の解決をしています---> トランザクションの確認を実行しています。---> パッケージ snapd.x86_64 0:2.53.2-1.el7 を インストール---> 依存性解決を終了しました。依存性を解決しました========================================================================================================================================Package アーキテクチャー バージョン リポジトリー 容量========================================================================================================================================インストール中:snapd x86_64 2.53.2-1.el7 epel 16 Mトランザクションの要約========================================================================================================================================インストール 1 パッケージ総ダウンロード容量: 16 Mインストール容量: 47 MIs this ok [y/d/N]: yDownloading packages:snapd-2.53.2-1.el7.x86_64.rpm | 16 MB 00:00:02Running transaction checkRunning transaction testTransaction test succeededRunning transactionインストール中 : snapd-2.53.2-1.el7.x86_64 1/1検証中 : snapd-2.53.2-1.el7.x86_64 1/1インストール:snapd.x86_64 0:2.53.2-1.el7完了しました!12# systemctl enable --now snapd.socketCreated symlink from /etc/systemd/system/sockets.target.wants/snapd.socket to /usr/lib/systemd/system/snapd.socket. - クラシックスナップサポートを有効にする
12# systemctl enable --now snapd.socketCreated symlink from /etc/systemd/system/sockets.target.wants/snapd.socket to /usr/lib/systemd/system/snapd.socket. - スナップサポートを有効にするため、シンボリックを作成する。
1# ln -s /var/lib/snapd/snap /snap
-
- Ensure that your version of snapd is up to date(snapdが最新バージョンであることを確認する)
12# snap install corecore 16-2.52.1 from Canonical? installed12# sudo snap refresh coresnap "core" has no updates available - Remove certbot-auto and any Certbot OS packages(certbot-autoを削除する)
1# yum remove certbot - Install Certbot(Certbotをインストールする)
123# snap install --classic certbotcertbot 1.21.0 from Certbot Project (certbot-eff?) installed# snap install --classic certbot - Prepare the Certbot command(コマンドライン上でCertbotコマンドが実行できることを確認する)
1# ln -s /snap/bin/certbot /usr/bin/certbot - Choose how you’d like to run Certbot(Certbotの実行方法を選択し、証明書を取得する)
12345678910111213141516171819202122232425262728293031323334353637383940# certbot --nginxSaving debug log to /var/log/letsencrypt/letsencrypt.logWhich names would you like to activate HTTPS for?- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -1: ice-military.com2: www.ice-military.com- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Select the appropriate numbers separated by commas and/or spaces, or leave inputblank to select all options shown (Enter 'c' to cancel):Certificate not yet due for renewalYou have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.(ref: /etc/letsencrypt/renewal/ice-military.com.conf)What would you like to do?- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -1: Attempt to reinstall this existing certificate2: Renew & replace the certificate (may be subject to CA rate limits)- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2Renewing an existing certificate for ice-military.com and www.ice-military.comSuccessfully received certificate.Certificate is saved at: /etc/letsencrypt/live/ice-military.com/fullchain.pemKey is saved at: /etc/letsencrypt/live/ice-military.com/privkey.pemThis certificate expires on 2022-02-28.These files will be updated when the certificate renews.Certbot has set up a scheduled task to automatically renew this certificate in the background.Deploying certificateSuccessfully deployed certificate for ice-military.com to /etc/nginx/conf.d/wordpress_ssl.confSuccessfully deployed certificate for www.ice-military.com to /etc/nginx/conf.d/wordpress_ssl.confYour existing certificate has been successfully renewed, and the new certificate has been installed.- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -If you like Certbot, please consider supporting our work by:* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate* Donating to EFF: https://eff.org/donate-le- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Test automatic renewal(自動更新をテストする)
12345678910111213141516# certbot renew --dry-runSaving debug log to /var/log/letsencrypt/letsencrypt.log- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Processing /etc/letsencrypt/renewal/ice-military.com-0001.conf- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Simulating renewal of an existing certificate for ice-military.com- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Processing /etc/letsencrypt/renewal/ice-military.com.conf- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Simulating renewal of an existing certificate for ice-military.com and www.ice-military.com- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Congratulations, all simulated renewals succeeded:/etc/letsencrypt/live/ice-military.com-0001/fullchain.pem (success)/etc/letsencrypt/live/ice-military.com/fullchain.pem (success)- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
今回はこの手順により無事に証明書を更新する事ができました。
コメント