SSL (Let's Encrypt) certificate renewal
February 11, 2018 – 5:22 pm
Last November I made my blog site SSL-capable using Let's Encrypt. The three-month validity period of the SSL certificate installed then is about to run out, so I carried out the renewal.
Below I record the renewal procedure and the log from the renewal.
The command to renew the SSL/TLS server certificate is:
certbot renew
(After running the command I restarted httpd, just to be safe.)
The manual describes this command as follows (relevant part reproduced below):
Running the above command renews those previously obtained certificates that have fewer than 30 days of validity remaining.
So far, certificates have been issued for five subdirectories (mobile, memorandum, info, test, mail), but only three of them (mobile, memorandum, test) are actually configured for SSL in the httpd configuration file (vhost.conf). In addition, access to the subdirectory test is configured to require (digest) authentication.
The log from the renewal is shown below (partly annotated and edited):
# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log
[certificate renewal for subdirectory mobile]
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/mobile.yamasnet.com.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for mobile.yamasnet.com
Waiting for verification...
Cleaning up challenges
-------------------------------------------------------------------------------
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/mobile.yamasnet.com/fullchain.pem
-------------------------------------------------------------------------------
[certificate renewal for subdirectory info]
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/info.yamasnet.com.conf
-------------------------------------------------------------------------------
expected /etc/letsencrypt/live/info.yamasnet.com/cert.pem to be a symlink
Renewal configuration file /etc/letsencrypt/renewal/info.yamasnet.com.conf is broken. Skipping.
[certificate renewal for subdirectory test]
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/test.yamasnet.com.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for test.yamasnet.com
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (test.yamasnet.com) from /etc/letsencrypt/renewal/test.yamasnet.com.conf produced an unexpected error: Failed authorization procedure. test.yamasnet.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://test.yamasnet.com/.well-known/acme-challenge/qjOQSh-ARgJ7prquXCQTDsH6Ru7zhklDyOWPfeusqRE: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Unauthorized</title>
</head><body>
<h1>Unauthorized</". Skipping.
[certificate renewal for subdirectory memorandum]
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/memorandum.yamasnet.com.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for memorandum.yamasnet.com
Waiting for verification...
Cleaning up challenges
-------------------------------------------------------------------------------
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/memorandum.yamasnet.com/fullchain.pem
-------------------------------------------------------------------------------
[certificate renewal for subdirectory mail]
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/mail.yamasnet.com.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal
The following certs could not be renewed:
  /etc/letsencrypt/live/test.yamasnet.com/fullchain.pem (failure)
-------------------------------------------------------------------------------
The following certs are not due for renewal yet:
  /etc/letsencrypt/live/mail.yamasnet.com/fullchain.pem (skipped)
The following certs were successfully renewed:
  /etc/letsencrypt/live/mobile.yamasnet.com/fullchain.pem (success)
  /etc/letsencrypt/live/memorandum.yamasnet.com/fullchain.pem (success)
The following certs could not be renewed:
  /etc/letsencrypt/live/test.yamasnet.com/fullchain.pem (failure)
Additionally, the following renewal configuration files were invalid:
  /etc/letsencrypt/renewal/info.yamasnet.com.conf (parsefail)
-------------------------------------------------------------------------------
1 renew failure(s), 1 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: test.yamasnet.com
   Type:   unauthorized
   Detail: Invalid response from http://test.yamasnet.com/.well-known/acme-challenge/qjOQSh-ARgJxxxxxxxxxxxxxxeusqRE: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
   <html><head>
   <title>401 Unauthorized</title>
   </head><body>
   <h1>Unauthorized</"

   To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
Below is the log from running the same command after temporarily removing the digest-authentication section from the httpd configuration file (vhost.conf) for subdirectory test (as above, partly annotated and edited):
# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log
[renewal for subdirectory mobile (just renewed a moment ago, no change)]
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/mobile.yamasnet.com.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal
[renewal for subdirectory info (skipped, as in the previous run)]
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/info.yamasnet.com.conf
-------------------------------------------------------------------------------
expected /etc/letsencrypt/live/info.yamasnet.com/cert.pem to be a symlink
Renewal configuration file /etc/letsencrypt/renewal/info.yamasnet.com.conf is broken. Skipping.
[renewal for subdirectory test (succeeded with the digest-auth section removed)]
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/test.yamasnet.com.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for test.yamasnet.com
Waiting for verification...
Cleaning up challenges
-------------------------------------------------------------------------------
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/test.yamasnet.com/fullchain.pem
-------------------------------------------------------------------------------
[renewal for subdirectory memorandum (just renewed a moment ago, no change)]
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/memorandum.yamasnet.com.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal
[renewal for subdirectory mail]
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/mail.yamasnet.com.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal
-------------------------------------------------------------------------------
The following certs are not due for renewal yet:
  /etc/letsencrypt/live/mobile.yamasnet.com/fullchain.pem (skipped)
  /etc/letsencrypt/live/memorandum.yamasnet.com/fullchain.pem (skipped)
  /etc/letsencrypt/live/mail.yamasnet.com/fullchain.pem (skipped)
Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/test.yamasnet.com/fullchain.pem (success)
Additionally, the following renewal configuration files were invalid:
  /etc/letsencrypt/renewal/info.yamasnet.com.conf (parsefail)
-------------------------------------------------------------------------------
0 renew failure(s), 1 parse failure(s)
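The 401 in the first log is the digest authentication on the test host answering the ACME validation request, which is why removing that section made the second run succeed. Instead of taking the authentication off the whole host at every renewal, the challenge path alone can be exempted. The following vhost fragment is an added example, not the configuration from this post; it assumes Apache httpd 2.4, a webroot of /var/www/test (the directory certbot's webroot authenticator writes into), an htdigest file at /etc/httpd/conf/test.digest and a realm named "test", none of which appear in the post.

```apache
# Added example (not the post's own vhost.conf): keep digest authentication on
# the "test" host but exempt the http-01 challenge directory, so "certbot renew"
# with the webroot authenticator is no longer answered with 401 Unauthorized.
# Assumed values: webroot /var/www/test, htdigest file /etc/httpd/conf/test.digest,
# realm "test". Requires Apache httpd 2.4 (AuthType None, Require all granted).
<VirtualHost *:80>
    ServerName   test.yamasnet.com
    DocumentRoot /var/www/test

    # The whole host requires a valid digest-auth user ...
    <Directory "/var/www/test">
        AuthType     Digest
        AuthName     "test"
        AuthUserFile /etc/httpd/conf/test.digest
        Require      valid-user
    </Directory>

    # ... except the directory certbot --webroot places its challenge token in.
    # Only this path is reachable without credentials; the token files are
    # random, written just before validation and removed at "Cleaning up challenges".
    <Directory "/var/www/test/.well-known/acme-challenge">
        AuthType None
        Require  all granted
    </Directory>
</VirtualHost>
```

With this in place the digest section never has to be removed and re-added around a renewal. Note that the log line "new certificate deployed without reload" means httpd keeps serving the old certificate until it is restarted or reloaded, which is why the post restarts httpd after certbot renew; on certbot releases that support it, certbot renew --deploy-hook "systemctl reload httpd" does that reload only for renewals that actually succeeded.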
Verifying the certificate change:
Opened https://memorandum.yamasnet.com in Google Chrome and confirmed that the certificate had changed after the renewal finished.
A snapshot of the certificate is shown in the figure on the right.
Confirmed that, as a result of the renewal, the validity period now runs from today (2018/2/11) to 2018/5/11, three months later.