Let's Encrypt renewal (mysterious behaviour)

January 22, 2020 – 9:51 am

I renewed the Let's Encrypt SSL certificate.

Yesterday an e-mail titled "Let's Encrypt certificate expiration notice for domain "yamasnet.com" (and 1 more)" prompted me to renew the SSL certificate, so I carried out the renewal in response.

In the end the renewal went through successfully, and the certificate's validity was extended by three months, to March 21, 2020. A relief.

For the renewal I used the command from the previous renewal (November 12, 2019), but it failed. So I tried the simple command ("certbot renew") that I had expected to use the time before last but which did not work at the previous renewal, and this time it renewed without any problem.

It is mysterious, but since the renewal worked I did not dig any further, and only saved this time's logs below.

When the renewal failed

# certbot renew -q -a certbot-plugin-gandi:dns --certbot-plugin-gandi:dns-credentials /etc/letsencrypt/gandi/gandi.ini --server https://acme-v02.api.letsencrypt.org/directory
Unable to find or delete the DNS TXT record: Can't find the DNS record _acme-challenge/TXT in the zone
Attempting to renew cert (yamasnet.com) from /etc/letsencrypt/renewal/yamasnet.com.conf produced an unexpected error: Failed authorization procedure. yamasnet.com (dns-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect TXT record"********************************************" found at _acme-challenge.yamasnet.com. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/yamasnet.com/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

When the renewal succeeded

# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/yamasnet.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator certbot-plugin-gandi:dns, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for yamasnet.com
Starting new HTTPS connection (1): dns.api.gandi.net
Starting new HTTPS connection (1): dns.api.gandi.net
Starting new HTTPS connection (1): dns.api.gandi.net
Waiting 10 seconds for DNS changes to propagate
Waiting for verification...
Cleaning up challenges
Starting new HTTPS connection (1): dns.api.gandi.net
Starting new HTTPS connection (1): dns.api.gandi.net

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/yamasnet.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/yamasnet.com/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

After renewing the certificate, restart httpd so the new certificate is served

# systemctl restart httpd
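As an added example (not from the original post), the renew-then-restart flow above wrapped so that httpd is only restarted when certbot actually reports success, and the dns-01 error (such as the stale _acme-challenge TXT record seen in the failed run) is surfaced otherwise. The sample outputs are constructed from the two runs shown above; the unit name httpd and the renew_and_reload wrapper are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: gate the httpd restart on the
# result of "certbot renew", and surface the dns-01 error when the run fails.

# Return 0 only when certbot's summary lists at least one "(success)" line
# and no failure banner; the stale _acme-challenge TXT case ends up as failure.
renewal_succeeded() {
    out="$1"
    if printf '%s\n' "$out" | grep -q 'All renewal attempts failed'; then
        return 1
    fi
    if printf '%s\n' "$out" | grep -q '(failure)'; then
        return 1
    fi
    printf '%s\n' "$out" | grep -q '(success)'
}

# Pull "<acme error type>: <detail>" out of a failed authorization line.
dns01_failure_reason() {
    printf '%s\n' "$1" \
        | sed -n 's/.*urn:ietf:params:acme:error:\([A-Za-z]*\) :: \(.*\)$/\1: \2/p' \
        | head -n 1
}

# The renew-then-restart flow from the post, with the restart made conditional.
# Assumes httpd is the unit name, as in the post (hypothetical wrapper).
renew_and_reload() {
    out="$(certbot renew 2>&1)"
    if renewal_succeeded "$out"; then
        systemctl restart httpd
    else
        echo "renewal failed; httpd not restarted" >&2
        dns01_failure_reason "$out" >&2
        return 1
    fi
}

# Constructed samples, shaped like the two runs shown above (value redacted).
FAILED_OUTPUT='Attempting to renew cert (yamasnet.com) from /etc/letsencrypt/renewal/yamasnet.com.conf produced an unexpected error: Failed authorization procedure. yamasnet.com (dns-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect TXT record "REDACTED" found at _acme-challenge.yamasnet.com. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/yamasnet.com/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)'

OK_OUTPUT='Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/yamasnet.com/fullchain.pem (success)'
```

Calling renew_and_reload from cron in place of a bare "certbot renew" keeps the web server on its old certificate rather than restarting for nothing when the dns-01 challenge fails.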
