
Certbot renewal error

Last updated over 3 years ago

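I was trying to renew an SSL certificate with Certbot, but when I ran the same command as before, it kept failing. I had definitely renewed it the same way before...? When I looked into it, similar symptoms seem to be fairly common, and several people were asking and answering questions about it on forums.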

Symptoms

The command I ran was as follows.

$ sudo certbot renew --dry-run
[sudo] password for someuser: 
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/some.domain.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for some.domain.com
Waiting for verification...
Challenge failed for domain some.domain.com
http-01 challenge for some.domain.com
Cleaning up challenges
Attempting to renew cert (some.domain.com) from /etc/letsencrypt/renewal/some.domain.com.conf produced an unexpected error: Some 
challenges have failed.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/some.domain.com/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/some.domain.com/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: some.domain.com
   Type:   unauthorized
   Detail: Invalid response from
   https://some.domain.com/.well-known/acme-challenge/7777777777777777777777777777777777_77777777
   [XXXX:XXXX:XXXX::XXXX:XXXX]: "<html>n<head><title>404 Not
   Found</title></head>n<body>n<center><h1>404 Not
   Found</h1></center>n<hr><center>nginx/X.XX.X</center"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

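An IPv6 address appears in the result, and I had read that IPv6 is preferred when an AAAA record is set in DNS, so I checked the DNS and server configuration, but there was no problem.

In the end, I had the feeling that Certbot was not reading the configuration file of Nginx, the web server in use, properly and so could not determine the webroot. When I ran the command with the webroot specified, the renewal worked.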

$ sudo certbot renew -a webroot -w /somepath/some.domain.com/public_path --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/some.domain.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for some.domain.com
Using the webroot path /somepath/some.domain.com/public_path for all unmatched domains.
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/some.domain.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/some.domain.com/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Solution

Specify the webroot manually.

# Error: sudo certbot renew --dry-run
$ sudo certbot renew -a webroot -w /somepath/some.domain.com/public_path --dry-run
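
A plain "certbot renew" takes its authenticator from the renewal config named in the "Processing ..." line, so it is worth checking what that file has stored. The script below is an added example, not part of the original post: it reads the authenticator and the webroot mapping from a renewal config and confirms that the mapped directories exist. It assumes the layout Certbot writes (a [renewalparams] section with an optional [[webroot_map]] subsection); the function names and the sample config are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): check which authenticator a
# Certbot renewal config has stored, and that its webroot directories exist.

# Print the value of KEY ($2) from the [renewalparams] section of FILE ($1).
renewal_param() {
    awk -F ' = ' -v key="$2" '
        /^\[renewalparams\]/ { in_params = 1; next }
        /^\[\[/              { in_params = 0 }
        in_params && $1 == key { print $2; exit }
    ' "$1"
}

# Print "domain path" lines from the [[webroot_map]] subsection of FILE ($1).
webroot_map() {
    awk -F ' = ' '
        /^\[\[webroot_map\]\]/ { in_map = 1; next }
        /^\[/                  { in_map = 0 }
        in_map && NF == 2      { print $1, $2 }
    ' "$1"
}

# 0: webroot stored and every mapped directory exists
# 1: another authenticator is stored (plain "certbot renew" will use it)
# 2: webroot stored without any mapping, 3: a mapped directory is missing
check_renewal_conf() {
    auth=$(renewal_param "$1" authenticator)
    if [ "$auth" != "webroot" ]; then
        echo "authenticator is '$auth', not webroot" >&2
        return 1
    fi
    map=$(webroot_map "$1")
    [ -n "$map" ] || { echo "no [[webroot_map]] entries" >&2; return 2; }
    echo "$map" | while read -r domain path; do
        [ -d "$path" ] || { echo "$domain: $path missing" >&2; exit 3; }
    done
}

# Constructed sample config: $1 = authenticator, $2 = webroot directory.
sample_conf() {
    printf '%s\n' \
        'fullchain = /etc/letsencrypt/live/some.domain.com/fullchain.pem' \
        '[renewalparams]' "authenticator = $1" 'installer = nginx'
    [ "$1" != webroot ] || printf '%s\n' '[[webroot_map]]' "some.domain.com = $2"
}

# Usage: sudo sh check_renewal.sh /etc/letsencrypt/renewal/some.domain.com.conf
[ "$#" -eq 0 ] || check_renewal_conf "$1" || echo "check failed with status $?" >&2
```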

Hi, my name is Richard. I’m a developer who wants to make the world better with logic power. Mainly I use Linux, Nginx, MySQL, PHP and JavaScript. I want to share my knowledge with someone that it was also based from some great persons via LYNMP. 👨‍💻
