lets encrypt で https 化していたサイトがあと1ヶ月で切れますよメールがきて、どうやら自動更新に失敗していると気がつく。
/root/letsencrypt/letsencrypt-auto certonly --webroot --webroot-path /home/onsenlife/public -d onsenlife.info --renew-by-default Saving debug log to /var/log/letsencrypt/letsencrypt.log Renewing an existing certificate Performing the following challenges: http-01 challenge for onsenlife.info Using the webroot path /home/onsenlife/public for all unmatched domains. Waiting for verification... Cleaning up challenges Failed authorization procedure. onsenlife.info (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://onsenlife.info/.well-known/acme-challenge/5nYAmxnZX5Vzx9mzgQG6qmKaZmnTi7YHnTRmDHfwH3c: "<html> <head><title>404 Not Found</title></head> <body bgcolor="white"> <center><h1>404 Not Found</h1></center> <hr><center>" IMPORTANT NOTES: - The following errors were reported by the server: Domain: onsenlife.info Type: unauthorized Detail: Invalid response from http://onsenlife.info/.well-known/acme-challenge/5nYAmxnZX5Vzx9mzgQG6qmKaZmnTi7YHnTRmDHfwH3c: "<html> <head><title>404 Not Found</title></head> <body bgcolor="white"> <center><h1>404 Not Found</h1></center> <hr><center>" To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
どうやら、今はcertbotをインストールしてやるのがいいらしい。
このサイトの指示に従えばオッケーだ。 nginxとcentos7を選択して出てきたコマンドを打ってみる。
# yum -y install yum-utils # yum -y install epel-release # sudo certbot --nginx Saving debug log to /var/log/letsencrypt/letsencrypt.log Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org Which names would you like to activate HTTPS for? ------------------------------------------------------------------------------- 1: onsenlife.info ------------------------------------------------------------------------------- Select the appropriate numbers separated by commas and/or spaces, or leave input blank to select all options shown (Enter 'c' to cancel):1 Cert is due for renewal, auto-renewing... Renewing an existing certificate Performing the following challenges: tls-sni-01 challenge for onsenlife.info Waiting for verification... Cleaning up challenges Deployed Certificate to VirtualHost /etc/nginx/conf.d/onsenlife.conf for set(['onsenlife.info']) Please choose whether HTTPS access is required or optional. ------------------------------------------------------------------------------- 1: Easy - Allow both HTTP and HTTPS access to these sites 2: Secure - Make all requests redirect to secure HTTPS access ------------------------------------------------------------------------------- Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2 The appropriate server block is already redirecting traffic. To enable redirect anyway, uncomment the redirect lines in /etc/nginx/conf.d/onsenlife.conf. ------------------------------------------------------------------------------- Your existing certificate has been successfully renewed, and the new certificate has been installed. The new certificate covers the following domains: https://onsenlife.info You should test your configuration at: https://www.ssllabs.com/ssltest/analyze.html?d=onsenlife.info ------------------------------------------------------------------------------- IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/onsenlife.info/fullchain.pem. Your cert will expire on 2017-10-09. To obtain a new or tweaked version of this certificate in the future, simply run certbot again with the "certonly" option. To non-interactively renew *all* of your certificates, run "certbot renew" - If you like Certbot, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le
cronには
certbot renew
を書けばよいとある。 1日に2回くらい実行するとよいと書いてあるので毎日5:00に実行するようにしてみた。
# crontab -l 00 05 * * * /usr/bin/certbot renew
