Pebble Coding

プログラマーの作業メモ

lets encryptでエラーが出ていたので修正

lets encrypt で https 化していたサイトがあと1ヶ月で切れますよメールがきて、どうやら自動更新に失敗していると気がつく。

/root/letsencrypt/letsencrypt-auto certonly --webroot --webroot-path /home/onsenlife/public -d onsenlife.info --renew-by-default
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for onsenlife.info
Using the webroot path /home/onsenlife/public for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. onsenlife.info (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://onsenlife.info/.well-known/acme-challenge/5nYAmxnZX5Vzx9mzgQG6qmKaZmnTi7YHnTRmDHfwH3c: "<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: onsenlife.info
   Type:   unauthorized
   Detail: Invalid response from
   http://onsenlife.info/.well-known/acme-challenge/5nYAmxnZX5Vzx9mzgQG6qmKaZmnTi7YHnTRmDHfwH3c:
   "<html>
   <head><title>404 Not Found</title></head>
   <body bgcolor="white">
   <center><h1>404 Not Found</h1></center>
   <hr><center>"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

どうやら、今はcertbotをインストールしてやるのがいいらしい。

certbot.eff.org

このサイトの指示に従えばオッケーだ。 nginxとcentos7を選択して出てきたコマンドを打ってみる。

# yum -y install yum-utils
# yum -y install epel-release
# sudo certbot --nginx

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org

Which names would you like to activate HTTPS for?
-------------------------------------------------------------------------------
1: onsenlife.info
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):1
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for onsenlife.info
Waiting for verification...
Cleaning up challenges
Deployed Certificate to VirtualHost /etc/nginx/conf.d/onsenlife.conf for set(['onsenlife.info'])

Please choose whether HTTPS access is required or optional.
-------------------------------------------------------------------------------
1: Easy - Allow both HTTP and HTTPS access to these sites
2: Secure - Make all requests redirect to secure HTTPS access
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
The appropriate server block is already redirecting traffic. To enable redirect anyway, uncomment the redirect lines in /etc/nginx/conf.d/onsenlife.conf.

-------------------------------------------------------------------------------
Your existing certificate has been successfully renewed, and the new certificate
has been installed.

The new certificate covers the following domains: https://onsenlife.info

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=onsenlife.info
-------------------------------------------------------------------------------

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/onsenlife.info/fullchain.pem. Your cert will
   expire on 2017-10-09. To obtain a new or tweaked version of this
   certificate in the future, simply run certbot again with the
   "certonly" option. To non-interactively renew *all* of your
   certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

cronには

certbot renew

を書けばよいとある。 1日に2回くらい実行するとよいと書いてあるので毎日5:00に実行するようにしてみた。

# crontab -l
00 05 * * * certbot renew