T.Ozaki's diary: Can't renew the Let's Encrypt (Certbot) certificate… 2
During my usual mail check I found, in the mailbox I use for VPS administration, a mail from Let's Encrypt saying roughly "your SSL certificate is about to expire, so hurry up and renew it already, dammit!" (loose translation).
…Hm? The renewal check script runs every week from cron.weekly, and the last five automatic renewals worked fine… With that in mind, I ran the command by hand.
# certbot-auto renew
/opt/eff.org/certbot/venv/lib/python2.6/site-packages/cryptography/__init__.py:26: DeprecationWarning: Python 2.6 is no longer supported by the Python core team, please upgrade your Python. A future version of cryptography will drop support for Python 2.6
DeprecationWarning
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/◆◆◆◆◆.◆◆◆.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
/opt/eff.org/certbot/venv/lib/python2.6/site-packages/acme/jose/jwa.py:110: DeprecationWarning: signer and verifier have been deprecated. Please use sign and verify instead.
signer = key.signer(self.padding, self.hash)
Performing the following challenges:
http-01 challenge for ◆◆◆◆◆.◆◆◆
http-01 challenge for www.◆◆◆◆◆.◆◆◆
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (◆◆◆◆◆.◆◆◆) from /etc/letsencrypt/renewal/◆◆◆◆◆.◆◆◆.conf produced an unexpected error: Failed authorization procedure. www.◆◆◆◆◆.◆◆◆ (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://www.◆◆◆◆◆.◆◆◆/.well-known/acme-challenge/▲▲▲▲▲▲▲▲▲▲▲▲▲▲▲▲: Timeout. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/◆◆◆◆◆.◆◆◆/fullchain.pem (failure)

-------------------------------------------------------------------------------
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/◆◆◆◆◆.◆◆◆/fullchain.pem (failure)
-------------------------------------------------------------------------------
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.◆◆◆◆◆.◆◆◆
   Type:   connection
   Detail: Fetching
   http://www.◆◆◆◆◆.◆◆◆/.well-known/acme-challenge/▲▲▲▲▲▲▲▲▲▲▲▲▲▲▲▲:
   Timeout

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.
For some reason it fails with a Timeout.
The domain's A and AAAA records are both set correctly, and dig resolves them fine.
The HTTP/HTTPS ports are open too…
Why?
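The error above is the ACME server failing to fetch http://www.◆◆◆◆◆.◆◆◆/.well-known/acme-challenge/<token> within its timeout. Checking that dig answers and that ports 80/443 are open does not quite reproduce that fetch: the validation server may connect to either the A or the AAAA address, and a vhost may serve a different document root than the one given to the webroot plugin. The script below is an added example (not part of the diary and not certbot's own code) that imitates the validator from the local machine: it drops a random token into the webroot, resolves every A and AAAA record of each name, and fetches the token from each literal address with the real Host header, so a single address family that times out, or a webroot mismatch, is reported per address. WEBROOT and HOSTS are hypothetical values to be replaced with the path passed to `--webroot-path` and the names in the certificate.

```python
"""Pre-renewal self-check for certbot's webroot (http-01) flow.

Added example; not from the original diary and not certbot's own code.
It imitates what the Let's Encrypt validation server does: fetch
http://<host>/.well-known/acme-challenge/<token> over plain HTTP. Unlike a
quick `curl http://www.example.com/`, it tries EVERY A and AAAA address of
every name with the real Host header, so a stale AAAA record, a firewall
rule that only passes IPv4, or a vhost that does not serve the webroot on
port 80 shows up before `certbot renew` does.

Assumed (hypothetical) inputs: WEBROOT is the directory given to
`--webroot-path`, HOSTS the names in the certificate; adjust for your box.
"""
import os
import secrets
import socket
import urllib.error
import urllib.request

CHALLENGE_DIR = ".well-known/acme-challenge"


def place_token(webroot, token=None):
    """Write a random token file where certbot's webroot plugin would.

    Returns (token, path). The file content is the token itself, so a file
    served from some other directory is caught by comparing the body.
    """
    token = token or secrets.token_urlsafe(24)
    directory = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, token)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(token)
    return token, path


def resolve_all(host, port=80):
    """Return [("A" | "AAAA", ip), ...] for every address the name resolves to."""
    addrs = []
    for family, _, _, _, sockaddr in socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP):
        entry = ("AAAA" if family == socket.AF_INET6 else "A", sockaddr[0])
        if entry not in addrs:
            addrs.append(entry)
    return addrs


def fetch_token(host, ip, token, port=80, timeout=10):
    """Fetch the token from one specific address, sending the real Host header.

    Returns (ok, detail). Connecting to the literal IP instead of the name is
    what isolates a single broken address family: the ACME server may pick
    either record, and a Timeout like the one in the diary is exactly the
    symptom of one address not answering.
    """
    literal = f"[{ip}]" if ":" in ip else ip
    url = f"http://{literal}:{port}/{CHALLENGE_DIR}/{token}"
    request = urllib.request.Request(url, headers={"Host": host})
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            body = response.read().decode("ascii", errors="replace")
    except (urllib.error.URLError, OSError, ValueError) as exc:
        return False, f"{type(exc).__name__}: {exc}"
    if body.strip() != token:
        return False, f"HTTP 200 but body mismatch ({body[:40]!r}); wrong webroot?"
    return True, "ok"


def check_hosts(webroot, hosts, port=80, timeout=10):
    """Run the full check; returns (all_ok, [(host, family, ip, ok, detail), ...]).

    The token file is removed afterwards, like certbot's "Cleaning up
    challenges" step, so nothing is left behind under the webroot.
    """
    token, path = place_token(webroot)
    results = []
    try:
        for host in hosts:
            try:
                addrs = resolve_all(host, port)
            except socket.gaierror as exc:
                results.append((host, "-", "-", False, f"DNS failure: {exc}"))
                continue
            for family, ip in addrs:
                ok, detail = fetch_token(host, ip, token, port, timeout)
                results.append((host, family, ip, ok, detail))
    finally:
        os.remove(path)
    return bool(results) and all(r[3] for r in results), results


if __name__ == "__main__":
    WEBROOT = "/var/www/html"                    # hypothetical
    HOSTS = ["example.com", "www.example.com"]   # hypothetical
    all_ok, rows = check_hosts(WEBROOT, HOSTS)
    for host, family, ip, ok, detail in rows:
        print(f"{'PASS' if ok else 'FAIL'} {host:<24} {family:<4} {ip:<40} {detail}")
    raise SystemExit(0 if all_ok else 1)
```

Because it exits non-zero on any failure, it can run from the same cron.weekly job just before `certbot-auto renew` to log which name and address were unreachable. One caveat: it runs from the server itself, while the ACME validator connects from the Internet, so a path that is only blocked upstream (a transient routing problem, a provider-side filter) will pass here and still fail at renewal; for that case run the same check from an outside host as well.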
port 80, port 443, restarting Apache, and so on… (Score:1)
Searching with a few keywords picked more or less at random turned up
https://community.letsencrypt.org/t/the-server-could-not-connect-to-th... [letsencrypt.org]
and
https://community.letsencrypt.org/t/solved-the-server-could-not-connec... [letsencrypt.org]
which are cases of a misunderstanding in the nginx configuration.
If you're using CloudFlare, there's also "turn it off for a moment" (doesn't seem relevant, though)
https://community.letsencrypt.org/t/solved-ec2-and-lets-encrypt-could-... [letsencrypt.org]
"Check lsof -i" also looks interesting.
With a search as narrowly targeted as this, can one say the hits have little noise?
https://www.google.com/search?source=hp&ei=SB8xWsv8G4aB8gX3tpeAAQ&... [google.com]
Re: port 80, port 443, restarting Apache, and so on… (Score:1)
After getting home today (around 19:00) I ran it by hand and it succeeded.
I haven't changed any settings at all…
I suppose something was stuck somewhere on the network.
Sorry for the fuss.