Let's Encrypt renewal had been failing
Here is a summary of what I did when the Let's Encrypt renewal I had scheduled in cron turned out to be failing.
There are plenty of articles on this topic, but they suggest all sorts of fixes and I ended up wondering which one actually applied, so I am recording what worked as a note.
First, check the current state
$ sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
Certificate Name: foo.com
Domains: foo.com
Expiry Date: 2021-04-04 23:00:23+00:00 (VALID: 10 days)
Certificate Path: /etc/letsencrypt/live/foo.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/foo.com/privkey.pem
The certificate expires in 10 days.
Let's try renewing manually (with --dry-run).
$ sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/foo.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Attempting to renew cert (foo.com) from /etc/letsencrypt/renewal/foo.com.conf produced an unexpected error: urn:ietf:params:acme:error:malformed :: The request message was malformed :: Method not allowed. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/foo.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/foo.com/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Running post-hook command: systemctl reload httpd
1 renew failure(s), 0 parse failure(s)
The only concrete error message is this, which does not say much...
unexpected error: urn:ietf:params:acme:error:malformed :: The request message was malformed :: Method not allowed. Skipping.
Checking the configuration
/etc/letsencrypt/renewal/<server domain name>.conf
# renew_before_expiry = 30 days
version = 0.27.1
archive_dir = /etc/letsencrypt/archive/foo.com
cert = /etc/letsencrypt/live/foo.com/cert.pem
privkey = /etc/letsencrypt/live/foo.com/privkey.pem
chain = /etc/letsencrypt/live/foo.com/chain.pem
fullchain = /etc/letsencrypt/live/foo.com/fullchain.pem
# Options used in the renewal process
[renewalparams]
authenticator = apache
installer = apache
account = xxxx
server = https://acme-v02.api.letsencrypt.org/directory
post_hook = systemctl reload httpd
Let’s Encrypt の更新エラー – プログラマーのメモ書き
According to the article above, the configuration should contain a webroot_path entry, but mine does not have one.
So let's try renewing with webroot_path specified explicitly.
$ sudo certbot renew --webroot-path /var/www/foo.com/
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/foo.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for foo.com
Waiting for verification...
Cleaning up challenges
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/foo.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/foo.com/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Running post-hook command: systemctl reload httpd
It succeeded.
Checking the configuration again, the following had been appended at the end.
webroot_path = /var/www/foo.com,
[[webroot_map]]
It had been renewing fine via cron until now, so why did it suddenly start failing...
Maybe I just need to upgrade the certbot client...?
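The renewal had been failing silently from cron until the certificate was 10 days from expiry. As an added example (not part of the original post), here is a small Python cron wrapper that parses the `certbot certificates` and `certbot renew` output shown above and exits non-zero with a message when a certificate is close to expiry or a renewal reported an ACME error; the embedded sample outputs, the constructed "now" and the 14-day threshold are assumptions for the offline run.

```python
import re, subprocess, sys
from datetime import datetime, timezone

# Constructed samples (trimmed from the outputs in the post) so the parsers run offline.
CERTIFICATES_OUTPUT = """\
  Certificate Name: foo.com
    Expiry Date: 2021-04-04 23:00:23+00:00 (VALID: 10 days)
"""
RENEW_OUTPUT = """\
Attempting to renew cert (foo.com) from /etc/letsencrypt/renewal/foo.com.conf produced an unexpected error: urn:ietf:params:acme:error:malformed :: The request message was malformed :: Method not allowed. Skipping.
1 renew failure(s), 0 parse failure(s)
"""
# Constructed "now" (10 days before the sample expiry) used for the offline run.
SAMPLE_NOW = datetime(2021, 3, 25, 12, 0, tzinfo=timezone.utc)

def parse_expiry(output):
    """Map certificate name -> expiry datetime from `certbot certificates` output."""
    expiries, name = {}, None
    for line in (l.strip() for l in output.splitlines()):
        if line.startswith("Certificate Name:"):
            name = line.split(":", 1)[1].strip()
        elif line.startswith("Expiry Date:") and name:
            stamp = line.split(":", 1)[1].split("(")[0].strip()
            expiries[name] = datetime.fromisoformat(stamp)
    return expiries

def parse_renew_failures(output):
    """Return (failure count, [(cert name, ACME error type)]) from `certbot renew` output."""
    errors = re.findall(r"Attempting to renew cert \((\S+)\).*?unexpected error: "
                        r"(urn:ietf:params:acme:error:\S+)", output)
    count = re.search(r"(\d+) renew failure\(s\)", output)
    return (int(count.group(1)) if count else len(errors)), errors

def findings(cert_output, renew_output, now, threshold_days=14):
    """Alert lines the cron wrapper should report; an empty list means healthy."""
    alerts = [f"{n}: expires in {(exp - now).days} days"
              for n, exp in parse_expiry(cert_output).items()
              if (exp - now).days <= threshold_days]
    count, errors = parse_renew_failures(renew_output)
    alerts += [f"{cert}: renewal failed with {err}" for cert, err in errors]
    return alerts

if __name__ == "__main__":  # run this from cron instead of a bare `certbot renew`
    certs = subprocess.run(["certbot", "certificates"], capture_output=True, text=True)
    renew = subprocess.run(["certbot", "renew"], capture_output=True, text=True)
    alerts = findings(certs.stdout, renew.stdout + renew.stderr, datetime.now(timezone.utc))
    print("\n".join(alerts) or "certbot renew: ok")
    sys.exit(1 if alerts else 0)
```

With cron configured to mail on non-zero exit or output, the "Method not allowed" failure would have been reported on the first run rather than discovered at 10 days to expiry.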
Problem with renew certificates – The request message was malformed :: Method not allowed – Help – Let’s Encrypt Community Support
Attempting to renew cert from /etc/letsencrypt/renewal/domain.conf produced an unexpected error: urn:ietf:params:acme:error:malformed :: The request message was malformed :: Method not allowed. Skipping – Help – Let’s Encrypt Community Support
References
Let’s Encrypt の更新エラー – プログラマーのメモ書き
Let’s Encrypt で webroot 利用時に更新(renew)がこけた時の対処方法 – Qiita
let’s encryptで自動更新に失敗したときの原因と対策 | Dream Tale