ハマログ

The staff blog of 株式会社イーツー・インフォ

The Let's Encrypt renewal had been failing

A write-up of what I did when the Let's Encrypt renewal I had set up in cron turned out to have been failing.

There are plenty of articles on this, but they offer all sorts of fixes and I ended up wondering which one actually applied, so I am leaving a record here.

First, check the current state

$ sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: foo.com
    Domains: foo.com
    Expiry Date: 2021-04-04 23:00:23+00:00 (VALID: 10 days)
    Certificate Path: /etc/letsencrypt/live/foo.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/foo.com/privkey.pem

Ten days left before it expires.
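Noticing the problem with ten days of validity left is late: certbot normally renews once fewer than 30 days remain (the `renew_before_expiry` default that the commented-out line in the renewal conf further down documents), so a certificate this close to expiry means the cron job has been failing for weeks without anyone being told. The script below is an added example for this post, not part of certbot or the original article. It runs from cron independently of `certbot renew`, checks the leaf certificate in every `/etc/letsencrypt/live/<name>/fullchain.pem` with openssl, and exits non-zero when any of them expires within `WARN_DAYS`, so the failure is loud instead of silent. The directory, the 14-day threshold and the environment variable names are assumptions.

```shell
#!/bin/sh
# cert-expiry-check.sh: alert when a Let's Encrypt certificate is close to expiry.
# Added example for this post, not part of certbot. Meant to run from cron
# independently of "certbot renew", so a silent renewal failure still gets noticed.
# LIVE_DIR and WARN_DAYS are assumed defaults; override them via the environment.

LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"
WARN_DAYS="${WARN_DAYS:-14}"

# cert_expires_within FILE DAYS
#   returns 0 (true) when FILE's leaf cert will have expired DAYS from now, 1 otherwise.
#   An unreadable or malformed file also counts as "expiring": fail closed.
cert_expires_within() {
    # openssl -checkend exits 0 while the cert is still valid at now+seconds and
    # 1 once it will have expired (or on any error), so the sense is inverted here.
    if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# cert_not_after FILE -> prints the notAfter date of the leaf cert
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate 2>/dev/null | sed 's/^notAfter=//'
}

# check_live_dir DIR DAYS
#   prints one status line per <DIR>/<name>/fullchain.pem and returns non-zero
#   when at least one certificate expires within DAYS.
check_live_dir() {
    dir=$1; days=$2; bad=0
    for cert in "$dir"/*/fullchain.pem; do
        [ -f "$cert" ] || continue
        name=$(basename "$(dirname "$cert")")
        if cert_expires_within "$cert" "$days"; then
            echo "EXPIRING $name (notAfter: $(cert_not_after "$cert"))"
            bad=$((bad + 1))
        else
            echo "ok       $name (notAfter: $(cert_not_after "$cert"))"
        fi
    done
    [ "$bad" -eq 0 ]
}

# Run the check only when invoked for real (CERT_CHECK_MAIN=1), so the functions
# above can also be sourced from other scripts.
if [ -n "${CERT_CHECK_MAIN:-}" ]; then
    if ! check_live_dir "$LIVE_DIR" "$WARN_DAYS"; then
        echo "certificate(s) under $LIVE_DIR expire within $WARN_DAYS days" >&2
        exit 1
    fi
fi
```

Run it from cron as `CERT_CHECK_MAIN=1 /usr/local/bin/cert-expiry-check.sh` and let the non-zero exit reach whatever alerts you (cron's MAILTO, a monitoring agent). Reading the certificate file directly, rather than parsing `certbot certificates`, means the check still works if certbot itself is broken or has been upgraded and its output format changed.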

Try renewing manually (--dry-run).

$ sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/foo.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Attempting to renew cert (foo.com) from /etc/letsencrypt/renewal/foo.com.conf produced an unexpected error: urn:ietf:params:acme:error:malformed :: The request message was malformed :: Method not allowed. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/foo.com/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/foo.com/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Running post-hook command: systemctl reload httpd
1 renew failure(s), 0 parse failure(s)

The output doesn't say what the concrete error is...
unexpected error: urn:ietf:params:acme:error:malformed :: The request message was malformed :: Method not allowed. Skipping.
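The message above is certbot's user-facing summary; the full ACME exchange is in the debug log named on the first line of its output, `/var/log/letsencrypt/letsencrypt.log`. At DEBUG level certbot's acme client writes a `Sending <METHOD> request to <URL>` line for each request and a `Received response:` block with the HTTP status line, headers, a blank line and the body, so the log shows exactly which call the server rejected. The function below is an added example for this post, not part of certbot, that pairs every non-2xx response with the request that produced it. It assumes that log wording; the sample lines are constructed here in that format, and their method, URL and status are placeholders rather than a capture from the author's server.

```shell
#!/bin/sh
# acme-log-failures.sh: list every failed ACME call in certbot's debug log together
# with the request that produced it. Added example for this post, not part of certbot.
# Assumes the DEBUG wording certbot's acme client uses ("Sending X request to URL"
# and "Received response:" followed by "HTTP <code>", headers, blank line, body).

# acme_failures [LOGFILE]  (stdin when omitted)
#   prints one line per non-2xx response: "METHOD URL -> HTTP CODE BODY"
acme_failures() {
    awk '
        function flush() {
            if (failed) { print method, url, "-> HTTP", status, body; failed = 0 }
        }
        /:DEBUG:acme\.client:Sending [A-Z]+ request to / {
            flush()                                   # a new request closes the previous failure
            method = $0; sub(/.*Sending /, "", method); sub(/ request to .*/, "", method)
            url = $0;    sub(/.*request to /, "", url); sub(/\. args:.*/, "", url)
            next
        }
        /:DEBUG:acme\.client:Received response:/ { expect_status = 1; next }
        expect_status && /^HTTP [0-9]+/ {
            status = $2; expect_status = 0
            failed = (status !~ /^2/); body = ""      # keep only non-2xx responses
            next
        }
        failed && /^[{]/ { body = $0 }                # the JSON problem document, if any
        END { flush() }
    ' "${1:--}"
}

# Constructed sample in certbot's log format (placeholders, not a real capture)
# so the script can be exercised offline.
sample_log() {
    cat <<'EOF'
2021-03-26 09:00:00,001:DEBUG:acme.client:Sending HEAD request to https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce. args: (), kwargs: {}
2021-03-26 09:00:00,050:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Replay-Nonce: placeholder

2021-03-26 09:00:00,100:DEBUG:acme.client:Sending GET request to https://acme-staging-v02.api.letsencrypt.org/acme/placeholder-resource. args: (), kwargs: {}
2021-03-26 09:00:00,150:DEBUG:acme.client:Received response:
HTTP 405
Content-Type: application/problem+json

{"type": "urn:ietf:params:acme:error:malformed", "detail": "Method not allowed", "status": 405}
EOF
}

# Real usage: acme_failures /var/log/letsencrypt/letsencrypt.log
sample_log | acme_failures
# -> GET https://acme-staging-v02.api.letsencrypt.org/acme/placeholder-resource -> HTTP 405 {"type": "urn:ietf:params:acme:error:malformed", "detail": "Method not allowed", "status": 405}
```

The 200 from the first request is dropped; only the rejected call is reported, with the method and URL certbot actually sent, which is the detail the summary message leaves out.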

Checking the configuration

/etc/letsencrypt/renewal/<server domain name>.conf

# renew_before_expiry = 30 days
version = 0.27.1
archive_dir = /etc/letsencrypt/archive/foo.com
cert = /etc/letsencrypt/live/foo.com/cert.pem
privkey = /etc/letsencrypt/live/foo.com/privkey.pem
chain = /etc/letsencrypt/live/foo.com/chain.pem
fullchain = /etc/letsencrypt/live/foo.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = apache
installer = apache
account = xxxx
server = https://acme-v02.api.letsencrypt.org/directory
post_hook = systemctl reload httpd

Let’s Encrypt の更新エラー – プログラマーのメモ書き
According to the article above, the configuration should contain a webroot_path entry, but there is none here.
So let's try renewing with webroot_path specified explicitly.

# sudo certbot renew --webroot-path /var/www/foo.com/
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/foo.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for foo.com
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/foo.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/foo.com/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Running post-hook command: systemctl reload httpd

It succeeded.

Checking the configuration again, the following had been appended at the end.

webroot_path = /var/www/foo.com,
[[webroot_map]]
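That renewal conf is what the cron job's `certbot renew` reads, so it is the place to confirm what the next unattended run will do. Two things in the logs above are worth keeping in mind when comparing the runs: the `--dry-run` connected to `acme-staging-v02.api.letsencrypt.org`, while the real run connected to `acme-v02.api.letsencrypt.org`, so the two were not talking to the same server; and the `webroot_path` that the `--webroot-path` flag appended is stored as a comma-terminated list with an empty `[[webroot_map]]` subsection under it. The script below is an added example for this post, not part of certbot: it parses the conf (top-level keys, the `[renewalparams]` section, and `[[webroot_map]]` entries, which certbot writes as `domain = path`, an assumption about the format) and prints, per certificate, the authenticator, whether the server is staging or production, the document root http-01 would use, and the post-hook. `RENEWAL_DIR` is an assumed default.

```shell
#!/bin/sh
# renewal-conf-check.sh: show what "certbot renew" will do for each certificate, read
# straight from /etc/letsencrypt/renewal/<name>.conf. Added example for this post,
# not part of certbot. Assumes the layout seen in the post: top-level keys, a
# [renewalparams] section, and an optional [[webroot_map]] subsection whose entries
# are "domain = path". RENEWAL_DIR is an assumed default.

RENEWAL_DIR="${RENEWAL_DIR:-/etc/letsencrypt/renewal}"

# renewal_param CONF KEY -> value of KEY inside [renewalparams]; empty if unset.
# Top-level keys (version, cert, ...) and [[webroot_map]] entries are deliberately ignored.
renewal_param() {
    awk -v key="$2" '
        /^\[\[/ { in_sub = 1; next }                         # entered a subsection
        /^\[/   { in_rp = ($0 == "[renewalparams]"); in_sub = 0; next }
        in_rp && !in_sub && $1 == key && $2 == "=" {
            sub(/^[^=]*= ?/, "")                             # keep the whole value, spaces included
            print; exit
        }' "$1"
}

# webroot_for CONF DOMAIN -> the document root http-01 will use for DOMAIN:
# the [[webroot_map]] entry if present, else the first element of webroot_path
# (stored as a comma-terminated list, e.g. "/var/www/foo.com,").
webroot_for() {
    mapped=$(awk -v d="$2" '
        /^\[\[webroot_map\]\]/ { in_map = 1; next }
        /^\[/                  { in_map = 0 }
        in_map && $1 == d && $2 == "=" { print $3; exit }' "$1")
    if [ -n "$mapped" ]; then
        echo "$mapped"
    else
        renewal_param "$1" webroot_path | cut -d, -f1
    fi
}

# describe CONF -> one summary line; flags the staging endpoint, which --dry-run uses
# and which issues certificates browsers do not trust.
describe() {
    conf=$1
    name=$(basename "$conf" .conf)
    auth=$(renewal_param "$conf" authenticator)
    server=$(renewal_param "$conf" server)
    case "$server" in
        *acme-staging*) env="staging (not browser-trusted)" ;;
        *)              env="production" ;;
    esac
    root=$(webroot_for "$conf" "$name")
    echo "$name: authenticator=$auth server=$env webroot=${root:-none} hook=$(renewal_param "$conf" post_hook)"
}

# Summarise every renewal conf when run for real (RENEWAL_CHECK_MAIN=1).
if [ -n "${RENEWAL_CHECK_MAIN:-}" ]; then
    for conf in "$RENEWAL_DIR"/*.conf; do
        [ -f "$conf" ] && describe "$conf"
    done
fi
```

For the conf shown in the post this prints `foo.com: authenticator=apache server=production webroot=/var/www/foo.com hook=systemctl reload httpd`: the authenticator is still `apache`, so the appended `webroot_path` is only consulted if the authenticator is switched to `webroot`. Run it after any manual `certbot` invocation, since those rewrite the conf, and before trusting cron again.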

Why did it suddenly start failing when cron had been renewing it fine until now...

Maybe upgrading the certbot client would fix it...?

Problem with renew certificates – The request message was malformed :: Method not allowed – Help – Let’s Encrypt Community Support

Attempting to renew cert from /etc/letsencrypt/renewal/domain.conf produced an unexpected error: urn:ietf:params:acme:error:malformed :: The request message was malformed :: Method not allowed. Skipping – Help – Let’s Encrypt Community Support

References

Let’s Encrypt の更新エラー – プログラマーのメモ書き

Let’s Encrypt で webroot 利用時に更新(renew)がこけた時の対処方法 – Qiita

let’s encryptで自動更新に失敗したときの原因と対策 | Dream Tale

SSL certificates

as, March 26, 2021

