Introduction
The renewal of the Let's Encrypt SSL/TLS certificate by certbot that I set up in 「certbot renew を cron 設定した記録のメモ – oki2a24」 does not seem to be working ><.
I managed to resolve it for the time being, so here are my notes.
The first place to check whether the certificate has actually been renewed
I checked in the browser (Google Chrome).
That is the first image on this page.
The dates have not changed since the certificate was first issued, so it looks like renewal is failing ><.
The logs from the failure
```
#
# Check that cron is actually running the job
#
# tail -200 /var/log/cron | grep certbot
Sep 3 12:00:01 150-95-200-203 CROND[22421]: (root) CMD (python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew)
#
#
# Check whether the certificate renewal is succeeding
#
# cat /var/log/letsencrypt/letsencrypt.log
2018-09-03 12:36:58,369:DEBUG:certbot.main:certbot version: 0.24.0
2018-09-03 12:36:58,369:DEBUG:certbot.main:Arguments: []
2018-09-03 12:36:58,369:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2018-09-03 12:36:58,404:DEBUG:certbot.log:Root logging level set at 20
2018-09-03 12:36:58,404:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2018-09-03 12:36:58,426:DEBUG:certbot.plugins.selection:Requested authenticator <certbot.cli._Default object at 0x7f2bf2102750> and installer <certbot.cli._Default object at 0x7f2bf2102750>
2018-09-03 12:36:58,439:DEBUG:certbot.storage:Should renew, less than 30 days before certificate expiry 2018-09-20 03:34:30 UTC.
2018-09-03 12:36:58,440:INFO:certbot.renewal:Cert is due for renewal, auto-renewing...
2018-09-03 12:36:58,442:DEBUG:certbot.plugins.selection:Requested authenticator nginx and installer nginx
2018-09-03 12:36:58,444:DEBUG:certbot.plugins.disco:No installation (PluginEntryPoint#nginx):
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/certbot/plugins/disco.py", line 126, in prepare
    self._initialized.prepare()
  File "/usr/lib/python2.7/site-packages/certbot_nginx/configurator.py", line 135, in prepare
    raise errors.NoInstallationError
NoInstallationError
2018-09-03 12:36:58,450:DEBUG:certbot.plugins.selection:No candidate plugin
2018-09-03 12:36:58,450:DEBUG:certbot.plugins.selection:No candidate plugin
2018-09-03 12:36:58,450:DEBUG:certbot.plugins.selection:Selected authenticator None and installer None
2018-09-03 12:36:58,450:INFO:certbot.main:Could not choose appropriate plugin: The nginx plugin is not working; there may be problems with your existing configuration.
The error was: NoInstallationError()
2018-09-03 12:36:58,450:WARNING:certbot.renewal:Attempting to renew cert (oki2a24.com) from /etc/letsencrypt/renewal/oki2a24.com.conf produced an unexpected error: The nginx plugin is not working; there may be problems with your existing configuration.
The error was: NoInstallationError(). Skipping.
2018-09-03 12:36:58,457:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/certbot/renewal.py", line 422, in handle_renewal_request
    main.renew_cert(lineage_config, plugins, renewal_candidate)
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 1144, in renew_cert
    installer, auth = plug_sel.choose_configurator_plugins(config, plugins, "certonly")
  File "/usr/lib/python2.7/site-packages/certbot/plugins/selection.py", line 207, in choose_configurator_plugins
    diagnose_configurator_problem("authenticator", req_auth, plugins)
  File "/usr/lib/python2.7/site-packages/certbot/plugins/selection.py", line 303, in diagnose_configurator_problem
    raise errors.PluginSelectionError(msg)
PluginSelectionError: The nginx plugin is not working; there may be problems with your existing configuration.
The error was: NoInstallationError()
2018-09-03 12:36:58,457:ERROR:certbot.renewal:All renewal attempts failed. The following certs could not be renewed:
2018-09-03 12:36:58,457:ERROR:certbot.renewal:  /etc/letsencrypt/live/oki2a24.com/fullchain.pem (failure)
2018-09-03 12:36:58,458:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 9, in <module>
    load_entry_point('certbot==0.24.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 1315, in main
    return config.func(config, plugins)
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 1228, in renew
    renewal.handle_renewal_request(config)
  File "/usr/lib/python2.7/site-packages/certbot/renewal.py", line 443, in handle_renewal_request
    len(renew_failures), len(parse_failures)))
Error: 1 renew failure(s), 0 parse failure(s)
#
#
# Check whether the certificate files have actually been replaced
#
# ll /etc/letsencrypt/live/oki2a24.com/
total 4
lrwxrwxrwx 1 root root 35 Jun 22 13:34 cert.pem -> ../../archive/oki2a24.com/cert1.pem
lrwxrwxrwx 1 root root 36 Jun 22 13:34 chain.pem -> ../../archive/oki2a24.com/chain1.pem
lrwxrwxrwx 1 root root 40 Jun 22 13:34 fullchain.pem -> ../../archive/oki2a24.com/fullchain1.pem
lrwxrwxrwx 1 root root 38 Jun 22 13:34 privkey.pem -> ../../archive/oki2a24.com/privkey1.pem
-rw-r--r-- 1 root root 682 Jun 22 13:34 README
# ll /etc/letsencrypt/archive/oki2a24.com/
total 16
-rw-r--r-- 1 root root 2143 Jun 22 13:34 cert1.pem
-rw-r--r-- 1 root root 1647 Jun 22 13:34 chain1.pem
-rw-r--r-- 1 root root 3790 Jun 22 13:34 fullchain1.pem
-rw-r--r-- 1 root root 1704 Jun 22 13:34 privkey1.pem
#
```
Fix
1. certbot certonly
   - Since I am using the Nginx Web Server plugin, enter 1
   - Enter oki2a24.com as the domain
2. systemctl restart nginx <- added after I had already let the certificate expire on September 20, 2018
3. Confirm with SSL有効期限チェッカー | COMODO JAPAN or with the browser's certificate viewer
```
# certbot certonly
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
-------------------------------------------------------------------------------
1: Nginx Web Server plugin - Alpha (nginx)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)
-------------------------------------------------------------------------------
Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator nginx, Installer None
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel): oki2a24.com
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for oki2a24.com
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/oki2a24.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/oki2a24.com/privkey.pem
   Your cert will expire on 2018-12-02. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
#
```
Checking whether it worked
The symlinks now point at the 2 certificate files instead of 1, and those files were actually created, so it must have succeeded!
```
# ll /etc/letsencrypt/live/oki2a24.com/
total 4
lrwxrwxrwx 1 root root 35 Sep 3 22:08 cert.pem -> ../../archive/oki2a24.com/cert2.pem
lrwxrwxrwx 1 root root 36 Sep 3 22:08 chain.pem -> ../../archive/oki2a24.com/chain2.pem
lrwxrwxrwx 1 root root 40 Sep 3 22:08 fullchain.pem -> ../../archive/oki2a24.com/fullchain2.pem
lrwxrwxrwx 1 root root 38 Sep 3 22:08 privkey.pem -> ../../archive/oki2a24.com/privkey2.pem
-rw-r--r-- 1 root root 682 Jun 22 13:34 README
[root@150-95-200-203 ~]# ll /etc/letsencrypt/archive/oki2a24.com/
total 32
-rw-r--r-- 1 root root 2143 Jun 22 13:34 cert1.pem
-rw-r--r-- 1 root root 2143 Sep 3 22:08 cert2.pem
-rw-r--r-- 1 root root 1647 Jun 22 13:34 chain1.pem
-rw-r--r-- 1 root root 1647 Sep 3 22:08 chain2.pem
-rw-r--r-- 1 root root 3790 Jun 22 13:34 fullchain1.pem
-rw-r--r-- 1 root root 3790 Sep 3 22:08 fullchain2.pem
-rw-r--r-- 1 root root 1704 Jun 22 13:34 privkey1.pem
-rw-r--r-- 1 root root 1704 Sep 3 22:08 privkey2.pem
#
#
# Check the certificate file directly
#
# openssl x509 -noout -dates -in /etc/letsencrypt/live/oki2a24.com/cert.pem
notBefore=Sep 3 12:08:54 2018 GMT
notAfter=Dec 2 12:08:54 2018 GMT
#
# Check what the running server is actually presenting
#
# openssl s_client -connect localhost:443 -servername oki2a24.com </dev/null 2>/dev/null |awk '/-----BEGIN CERTIFICATE-----/ , /-----END CERTIFICATE-----/ {print $0;}' |openssl x509 -noout -dates
notBefore=Jun 22 03:34:30 2018 GMT
notAfter=Sep 20 03:34:30 2018 GMT
#
```
Result of the additional step added on September 20, 2018 ↓
```
# systemctl restart nginx
#
```
This step leaves no clear trace in the terminal or the logs. I confirmed that the certificate had actually been renewed using a checker service and the like. Immediately after the Nginx restart, I could see that it had been updated.
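The two openssl checks above (the certificate file on disk versus the one the running server presents) together with the Nginx restart that finally put the new certificate into service can be folded into a single health check. The script below is an added example and is not code from the original post: it reuses the post's host, port, SNI name and certificate path only as overridable defaults, the embedded `notBefore`/`notAfter` sample text is constructed from the output shown above so the comparison logic can be exercised without a live server, and it assumes openssl(1) is on the PATH.

```sh
#!/bin/sh
# Added example (not from the original post): detect a certificate that certbot
# has renewed on disk but that the running web server has not yet loaded, and
# warn before expiry. Assumes openssl(1) is installed. Defaults reuse the
# post's values and can be overridden through the environment.

CERT_PATH="${CERT_PATH:-/etc/letsencrypt/live/oki2a24.com/cert.pem}"
HOST="${HOST:-localhost}"
PORT="${PORT:-443}"
SNI_NAME="${SNI_NAME:-oki2a24.com}"
WARN_DAYS="${WARN_DAYS:-14}"

# Constructed sample input, modelled on the `openssl x509 -noout -dates` output
# in the post: the renewed file on disk versus what nginx was still serving.
SAMPLE_DISK_DATES='notBefore=Sep  3 12:08:54 2018 GMT
notAfter=Dec  2 12:08:54 2018 GMT'
SAMPLE_SERVED_DATES='notBefore=Jun 22 03:34:30 2018 GMT
notAfter=Sep 20 03:34:30 2018 GMT'

# Print the value of the notAfter= line from `openssl x509 -noout -dates` output.
not_after_of() {
    printf '%s\n' "$1" | sed -n 's/^notAfter=//p'
}

# Validity dates of the certificate file certbot maintains on disk.
disk_dates() {
    openssl x509 -noout -dates -in "$1"
}

# Validity dates of the certificate the live server presents for the SNI name.
# `openssl x509` reads the first PEM block on stdin, so the awk filter used in
# the post is not needed here.
served_dates() {
    openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null \
        | openssl x509 -noout -dates
}

# Compare the two notAfter values. Prints one of:
#   ok          - the server presents the certificate that is on disk
#   stale       - disk and server differ: the server has not reloaded (the
#                 post's state before `systemctl restart nginx`)
#   unparsable  - one side produced no notAfter line (file or connection error)
renewal_status() {
    rs_disk=$(not_after_of "$1")
    rs_served=$(not_after_of "$2")
    if [ -z "$rs_disk" ] || [ -z "$rs_served" ]; then
        echo unparsable
    elif [ "$rs_disk" = "$rs_served" ]; then
        echo ok
    else
        echo stale
    fi
}

# Exit 0 if the on-disk certificate expires within the given number of days.
# Uses openssl's own -checkend test, so no date parsing is needed.
expires_within_days() {
    ! openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1"
}

main() {
    disk=$(disk_dates "$CERT_PATH") || { echo "cannot read $CERT_PATH" >&2; exit 2; }
    served=$(served_dates "$HOST" "$PORT" "$SNI_NAME") || served=""
    status=$(renewal_status "$disk" "$served")
    echo "on disk : $(not_after_of "$disk")"
    echo "served  : $(not_after_of "$served")"
    echo "status  : $status"
    if expires_within_days "$CERT_PATH" "$WARN_DAYS"; then
        echo "WARNING: certificate on disk expires within $WARN_DAYS days" >&2
    fi
    [ "$status" = ok ]
}

# Run the live check only when invoked with --check, so the functions above can
# also be sourced and exercised against the sample text.
if [ "${1:-}" = "--check" ]; then
    main
fi
```

Run it as `sh cert-check.sh --check` from cron or a monitoring agent: a `stale` result is exactly the state visible in the checks above (new files under `archive/`, old certificate still served), which the restart on September 20 resolved. Certbot's `--deploy-hook` option, present in the 0.24.0 release shown in the log, runs a command only after a successful renewal, so `certbot renew --deploy-hook 'systemctl reload nginx'` would make that reload automatic; that is a general certbot feature, not something the post used.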
Closing thoughts and lessons learned
I still do not know why the cron job failed. I could simply blame the Nginx Web Server plugin – Alpha (nginx) for being at the Alpha stage, but surely something in my own configuration is wrong.
This time I renewed with the certbot certonly command, but next time I want to see what happens with the certbot renew that is set up in cron. If that fails, I may learn something from the failure.
Finally, these are the pages I found helpful. Thank you!
- The checkpoints for verifying a certificate renewal were very useful!
- The certificate renewal procedure was a great help!
That's all.