
Renewing a certificate with Let's Encrypt


Once again, the topic is Let's Encrypt. This time I tried renewing a certificate.
All it should take is running the following command:

certbot renew

I ran it on the target server right away, and got this:

certbot renew

Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/example.com.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for example.com
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/example.com.conf produced an unexpected error: Could not bind TCP port 443 because it is already in use by another process on this system (such as a web server). Please stop the program in question and then try again.. Skipping.

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/example.com/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

It throws an error...
And somehow this looks familiar?

Checking the log and "example.com.conf", the cause was that the Standalone plugin had been used when the certificate was created. (When no option is specified, renewal tries to use the same plugin that was used to obtain the certificate, so Standalone tries to bind port 443 while the web server is still holding it.)

After checking the main portal, I added the options to stop and start the web server and ran it again. (Alternatively, use the Webroot plugin, which does not need the web server to be stopped.)

certbot renew --pre-hook "systemctl stop httpd" --post-hook "systemctl start httpd"

Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/example.com.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Running pre-hook command: systemctl stop httpd
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for example.com
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0001_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0001_csr-certbot.pem

-------------------------------------------------------------------------------
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/example.com/fullchain.pem
-------------------------------------------------------------------------------

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/example.com/fullchain.pem (success)
Running post-hook command: systemctl start httpd

This time it completed normally.
Finally, run that last command periodically from cron and you're done.
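As an added example (not from the original post), here is a small cron wrapper around the command above: it runs `certbot renew` with the same pre/post hooks and parses certbot's own summary lines, so a failed renewal makes the job exit non-zero and cron reports it instead of the failure silently repeating until the certificate expires. It assumes httpd is managed by systemd and certbot is on PATH; note that the tls-sni-01 challenge and acme-v01 endpoint in the log above have since been retired by Let's Encrypt, and with the http-01 challenge the Standalone plugin binds port 80 instead, so the same port conflict (and the same hooks) still apply.

```shell
#!/bin/sh
# Added example wrapper for cron; not part of the original post.
# certbot only runs the pre/post hooks when a certificate is actually due,
# so httpd is stopped only during a real renewal attempt.

# Classify certbot's renewal summary read from stdin.
# Returns 0 on success ("Congratulations, all renewals succeeded" or
# "No renewals were attempted"), 1 when the "N renew failure(s)" line
# reports failures, and 2 when no recognisable summary was found.
check_renew_output() {
    out=$(cat)
    failures=$(printf '%s\n' "$out" \
        | sed -n 's/^\([0-9][0-9]*\) renew failure(s).*/\1/p' | tail -n 1)
    if [ -n "$failures" ] && [ "$failures" -gt 0 ]; then
        return 1
    fi
    if printf '%s\n' "$out" | grep -q 'Congratulations, all renewals succeeded'; then
        return 0
    fi
    if printf '%s\n' "$out" | grep -q 'No renewals were attempted'; then
        return 0
    fi
    return 2
}

# Run the renewal with the hooks from the post and check the result.
# Output is also appended to a log file (hypothetical path) for later review.
renew_with_hooks() {
    logfile=/var/log/letsencrypt/renew-wrapper.log
    out=$(certbot renew \
        --pre-hook "systemctl stop httpd" \
        --post-hook "systemctl start httpd" 2>&1)
    certbot_rc=$?
    printf '%s\n' "$out" >> "$logfile"
    if [ "$certbot_rc" -ne 0 ]; then
        printf 'certbot exited with status %s\n' "$certbot_rc" >&2
        return 1
    fi
    printf '%s\n' "$out" | check_renew_output
}

# Only perform the renewal when explicitly asked, e.g. from crontab:
#   17 3 * * * /usr/local/sbin/renew-wrapper.sh renew
if [ "${1:-}" = "renew" ]; then
    renew_with_hooks
fi
```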