Cerbot 갱신 에러
Certbot 으로 SSL 을 갱신하려는데 이전과 같은 방법으로 명령을 실행하자 실패를 반복하는 문제가 생겼다. 전에는 분명히 같은 방법으로 갱신을 했는데…? 하고 찾아보니 비슷한 현상이 꽤 있는지, 여러 사람들이 포럼에서 질문과 답변을 하고 있었다.
증상
실행한 명령은 다음과 같다.
$ sudo certbot renew --dry-run
[sudo] password for someuser:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/some.domain.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for some.domain.com
Waiting for verification...
Challenge failed for domain some.domain.com
http-01 challenge for some.domain.com
Cleaning up challenges
Attempting to renew cert (some.domain.com) from /etc/letsencrypt/renewal/some.domain.com.conf produced an unexpected error: Some
challenges have failed.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/some.domain.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/some.domain.com/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: some.domain.com
Type: unauthorized
Detail: Invalid response from
https://some.domain.com/.well-known/acme-challenge/7777777777777777777777777777777777_77777777
[XXXX:XXXX:XXXX::XXXX:XXXX]: "<html>n<head><title>404 Not
Found</title></head>n<body>n<center><h1>404 Not
Found</h1></center>n<hr><center>nginx/X.XX.X</center"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
결과에 IPv6 가 보여 DNS 레코드에 AAAA 가 설정이 되어 있으면 IPv6 를 선호한다는 이야기가 있어 DNS 및 서버 설정을 확인했지만 문제는 없었다.
결국, 웹서버로 사용하는 Nginx 의 설정 파일을 Certbot 이 잘 가져오지 못하여 webroot 를 확인하지 못하는 것 같은 느낌이 들어 webroot 를 지정하여 명령을 실행하자 갱신이 잘 된다.
$ sudo certbot renew -a webroot -w /somepath/some.domain.com/public_path --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/some.domain.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for some.domain.com
Using the webroot path /somepath/some.domain.com/public_path for all unmatched domains.
Waiting for verification...
Cleaning up challenges
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/some.domain.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)
Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/some.domain.com/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
해결방법
webroot 를 수동으로 지정한다.
# Error: sudo certbot renew --dry-run
$ sudo certbot renew -a webroot -w /somepath/some.domain.com/public_path --dry-run
독자 의견
저자 @richard 에게 의견 남기기: