
Dealing with an error during Let's Encrypt renewal

ダン@HyperForm

I was sure I had set up automatic renewal, but it was failing with an error.
This is the cron entry I had registered:

$ crontab -l
00 03 * * * vpsuser sudo certbot renew --post-hook "sudo systemctl restart nginx"
ダン@HyperForm

When I try to renew with --dry-run, this is what happens.

$ sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/order.ssr-makasero.co.jp.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for hogehoge.com
Using the webroot path /var/www/html/order-ssr for all unmatched domains.
Waiting for verification...
Challenge failed for domain hogehoge.com
http-01 challenge for hogehoge.com
Cleaning up challenges
Attempting to renew cert (hogehoge.com) from /etc/letsencrypt/renewal/hogehoge.com.conf produced an unexpected error: Some challenges have failed.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/hogehoge.com/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/hogehoge.com/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: hogehoge.com
   Type:   unauthorized
   Detail: Invalid response from
   https://hogehoge.com/.well-known/acme-challenge/_UexvsTT2RW0PaONy6b3R_XiISpL7j6MYy53CG7tcnw
   [153.127.54.205]: "<!DOCTYPE html>\n<html>\n<head>\n  <title>The
   page you were looking for doesn't exist (404)</title>\n  <meta
   name=\"viewport\" content"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
ダン@HyperForm

Without --dry-run it looks like this:

$ sudo certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/hogehoge.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for hogehoge.com
Using the webroot path /var/www/html/order-ssr for all unmatched domains.
Waiting for verification...
Challenge failed for domain hogehoge.com
http-01 challenge for hogehoge.com
Cleaning up challenges
Attempting to renew cert (hogehoge.com) from /etc/letsencrypt/renewal/hogehoge.com.conf produced an unexpected error: Some challenges have failed.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/hogehoge.com/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/hogehoge.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: hogehoge.com
   Type:   unauthorized
   Detail: Invalid response from
   https://hogehoge.com/.well-known/acme-challenge/95fZdLWY5XRmEtm0kvIPbFhK64Y6VhSONpmvHffwkC0
   [153.127.54.205]: "<!DOCTYPE html>\n<html>\n<head>\n  <title>The
   page you were looking for doesn't exist (404)</title>\n  <meta
   name=\"viewport\" content"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
ダン@HyperForm

When I access the URL from the error message,
http://hogehoge.com/.well-known/acme-challenge/CIWSRnxxxxxxxxxxxxxxxxxxx
nginx's 404 page is shown. Is there something going on around here?

ダン@HyperForm

The webroot_path entry in the file holding the SSL renewal settings was wrong.

/etc/letsencrypt/renewal/hogehoge.com.conf
- webroot_path = /var/www/html/hogehoge/,
+ webroot_path = /var/www/html/hogehoge/current/public,
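Review bot: the same renewal conf can also carry a [[webroot_map]] section that maps each domain to its own webroot; when the domain is listed there, that entry is used instead of webroot_path, so it needs the same change or the 404 will persist. The trailing commas on both lines are certbot's own list syntax for this key and are correct as written.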
ダン@HyperForm

During SSL renewal it apparently requests the file at <webroot_path>/.well-known/acme-challenge/95fZdLWYxxxxxxxxxxxx and checks the response.

Because the entry was wrong, a 404 came back and the renewal kept failing.

ダン@HyperForm

The cause was that the document root configured in Nginx and the Let's Encrypt webroot did not match. Fixing that resolved it.
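The failure above comes down to two configuration files disagreeing about one directory: certbot writes the challenge token under its webroot, while nginx answers the HTTP request from its own root. The script below is an added example (not part of the original scrap) that reads a certbot renewal conf and an nginx server block and reports whether the two point at the same directory for /.well-known/acme-challenge/, so the mismatch is caught before `certbot renew` runs rather than from a 404 in the log. The sample conf texts and paths are constructed for the demonstration; on a real host the inputs are /etc/letsencrypt/renewal/<domain>.conf and the nginx server block, and the check also honours a [[webroot_map]] entry (which overrides webroot_path for that domain) and a dedicated acme-challenge location using root or alias.

```python
"""Pre-renewal check: does certbot's webroot match what nginx serves?

Added example, not code from the original scrap. All sample configs and
paths below are constructed; point the parsers at the real files under
/etc/letsencrypt/renewal/ and /etc/nginx/ to use it for real.
"""
import re
from pathlib import Path


def parse_renewal_conf(text):
    """Return (webroot_paths, webroot_map) from a certbot renewal conf.

    certbot stores list values with a trailing comma, e.g.
    'webroot_path = /var/www/html/hogehoge/,' so the comma is stripped.
    Entries under [[webroot_map]] map one domain to its own webroot and
    take precedence over webroot_path for that domain.
    """
    paths, webroot_map, section = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            section = line.strip("[]")
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if section == "renewalparams" and key == "webroot_path":
            paths = [p.strip() for p in value.split(",") if p.strip()]
        elif section == "webroot_map":
            webroot_map[key] = value.rstrip(",").strip()
    return paths, webroot_map


def nginx_acme_root(server_block):
    """Return the directory nginx serves /.well-known/acme-challenge/ from.

    A dedicated location block for the challenge path wins; otherwise the
    server-level 'root' applies. An 'alias' pointing straight at the
    challenge directory is mapped back to the webroot it implies.
    Assumes no nested blocks inside location blocks.
    """
    loc = re.search(r"location\s+[^{]*acme-challenge[^{]*\{([^}]*)\}",
                    server_block, re.S)
    # Without a dedicated location, drop every location block so that a
    # 'root' inside some unrelated location is not mistaken for the server root.
    scope = loc.group(1) if loc else re.sub(r"location[^{]*\{[^}]*\}", "",
                                            server_block, flags=re.S)
    m = re.search(r"(?m)^\s*(root|alias)\s+([^;\s]+)\s*;", scope)
    if not m:
        return None
    kind, path = m.groups()
    if kind == "alias":
        path = re.sub(r"/?\.well-known/acme-challenge/?$", "", path)
    return path


def effective_webroot(domain, paths, webroot_map):
    """The webroot certbot will actually use for this domain."""
    if domain in webroot_map:
        return webroot_map[domain]
    return paths[0] if paths else None


def _norm(p):
    # Path() drops trailing slashes and doubled separators so that
    # '/var/www/html/hogehoge/' and '/var/www/html/hogehoge' compare equal.
    return str(Path(p)) if p else None


def check(domain, renewal_text, nginx_text):
    """Return (ok, certbot_root, nginx_root) for the domain."""
    paths, wmap = parse_renewal_conf(renewal_text)
    certbot_root = _norm(effective_webroot(domain, paths, wmap))
    nginx_root = _norm(nginx_acme_root(nginx_text))
    return certbot_root is not None and certbot_root == nginx_root, certbot_root, nginx_root


# Constructed sample of /etc/letsencrypt/renewal/hogehoge.com.conf, before the fix.
RENEWAL_CONF_BROKEN = """\
version = 1.11.0
archive_dir = /etc/letsencrypt/archive/hogehoge.com
[renewalparams]
authenticator = webroot
server = https://acme-v02.api.letsencrypt.org/directory
webroot_path = /var/www/html/hogehoge/,
"""
# webroot_path corrected, but a stale [[webroot_map]] entry still wins for the domain.
RENEWAL_CONF_HALF_FIXED = RENEWAL_CONF_BROKEN.replace(
    "/var/www/html/hogehoge/,", "/var/www/html/hogehoge/current/public,"
) + "[[webroot_map]]\nhogehoge.com = /var/www/html/hogehoge/\n"
# Both places corrected.
RENEWAL_CONF_FIXED = RENEWAL_CONF_HALF_FIXED.replace(
    "hogehoge.com = /var/www/html/hogehoge/", "hogehoge.com = /var/www/html/hogehoge/current/public")

# Constructed sample nginx server block (the app's document root is what nginx serves).
NGINX_SERVER = """\
server {
    listen 80;
    server_name hogehoge.com;
    root /var/www/html/hogehoge/current/public;
    location / {
        try_files $uri @app;
    }
}
"""

if __name__ == "__main__":
    for name, conf in [("broken", RENEWAL_CONF_BROKEN), ("half-fixed", RENEWAL_CONF_HALF_FIXED),
                       ("fixed", RENEWAL_CONF_FIXED)]:
        ok, c, n = check("hogehoge.com", conf, NGINX_SERVER)
        print(f"{name:10s} certbot={c} nginx={n} -> {'OK' if ok else 'MISMATCH'}")
```

Run it against the real files as a pre-flight step before the scheduled `certbot renew` and treat a MISMATCH as a reason not to renew yet; the half-fixed case is the one that is easy to miss, because `webroot_path` looks correct while the per-domain map entry still points at the old directory.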

This scrap was closed on 2021/02/19.