Pebble Coding

A software engineer's notes on IT technology and mathematics

Let's Encrypt certificate renewal started failing

/usr/bin/certbot renew

This command fails with the following error.

Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/onsenlife.info.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for onsenlife.info
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (onsenlife.info) from /etc/letsencrypt/renewal/onsenlife.info.conf produced an unexpected error: Failed authorization procedure. onsenlife.info (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://onsenlife.info/.well-known/acme-challenge/joR0ytQwi9KVdcbw42Cy-iCe1C4Cj23pWnkt963AhF8 [2400:6180:0:d0::e97:5001]: "\r\n404 Not Found\r\n\r\n

404 Not Found

\r\n
". Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/onsenlife.info/fullchain.pem (failure)
-------------------------------------------------------------------------------
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/onsenlife.info/fullchain.pem (failure)
-------------------------------------------------------------------------------
1 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
 - The following errors were reported by the server:
   Domain: onsenlife.info
   Type: unauthorized
   Detail: Invalid response from http://onsenlife.info/.well-known/acme-challenge/joR0ytQwi9KVdcbw42Cy-iCe1C4Cj23pWnkt963AhF8 [2400:6180:0:d0::e97:5001]: "\r\n404 Not Found\r\n\r\n

404 Not Found

\r\n
" To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.

I tried various things, but nothing changed. In the end, it worked with the following command.

sudo certbot renew --preferred-challenges http --webroot -w /usr/share/nginx/html
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/onsenlife.info.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer nginx
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for onsenlife.info
Using the webroot path /usr/share/nginx/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges

-------------------------------------------------------------------------------
new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/onsenlife.info/fullchain.pem
-------------------------------------------------------------------------------
Plugins selected: Authenticator webroot, Installer nginx

-------------------------------------------------------------------------------

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/onsenlife.info/fullchain.pem (success)
-------------------------------------------------------------------------------

Restart nginx and check the SSL certificate's expiration date.

service nginx restart

comodo.jp