【certbot】let’s encrypt で証明書更新エラーが発生した際の対応方法

let’s encrypt で証明書更新エラー

let’s encrypt で証明書更新エラーが発生した際、下記のメールがThe Let’s Encrypt Team から送信されます。

Hello,

Your certificate (or certificates) for the names listed below will expire in 19 days (on 13 Dec 20 09:37 +0000). Please make sure to renew your certificate before then, or visitors to your website will encounter errors.

We recommend renewing certificates automatically when they have a third of their
total lifetime left. For Let's Encrypt's current 90-day certificates, that means
renewing 30 days before expiration. See
https://letsencrypt.org/docs/integration-guide/ for details.

example.com

For any questions or support, please visit https://community.letsencrypt.org/. Unfortunately, we can't provide support by email.

For details about when we send these emails, please visit https://letsencrypt.org/docs/expiration-emails/. In particular, note that this reminder email is still sent if you've obtained a slightly different certificate by adding or removing names. If you've replaced this certificate with a newer one that covers more or fewer names than the list above, you may be able to ignore this message.

If you are receiving this email in error, unsubscribe at http://mandrillapp.com/track/unsub.php?u=xxxxxxxxx

Regards,
The Let's Encrypt Team

手動でcertbotコマンドを実行しエラーを確認

手動でcertbotコマンドを実行し、エラー内容を確認します。

[root@ip-10-166-12-250 ~]# certbot-auto certonly --webroot -w /var/www/vhosts/example/public_html -d example.com --email  example@example.com --debug  --no-bootstrap
Upgrading certbot-auto 1.8.0 to 1.9.0...
Replacing certbot-auto...
Creating virtual environment...
Installing Python packages...
Installation succeeded.
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 7, in <module>
    from certbot.main import main
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/certbot/main.py", line 2, in <module>
    from certbot._internal import main as internal_main
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/certbot/_internal/main.py", line 10, in <module>
    import josepy as jose
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/josepy/__init__.py", line 44, in <module>
    from josepy.interfaces import JSONDeSerializable
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/josepy/interfaces.py", line 7, in <module>
    from josepy import errors, util
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/josepy/util.py", line 7, in <module>
    import OpenSSL
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/OpenSSL/__init__.py", line 8, in <module>
    from OpenSSL import crypto, SSL
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/OpenSSL/crypto.py", line 12, in <module>
    from cryptography import x509
ImportError: No module named cryptography

cryptographyモジュールがないとのエラーです。

certbot エラー の修正方法

期限がすぎるとブラウザからアクセスした際に証明書エラーで閲覧できなくなるので、証明書を手動で更新します。

環境変数[PYTHON_INSTALL_LAYOUT]を確認

環境変数PYTHON_INSTALL_LAYOUTを確認します。

[root@ip-10-10-xxx-xx ~]# env | grep PYTHON_INSTALL_LAYOUT
PYTHON_INSTALL_LAYOUT=amzn

環境変数[PYTHON_INSTALL_LAYOUT]をunset

環境変数PYTHON_INSTALL_LAYOUTをunsetします。

[root@ip-10-10-xxx-xx ~]# unset PYTHON_INSTALL_LAYOUT

certbotディレクトリを削除(一応コピーして退避)

certbotを削除します。念の為既存のcertbotをコピーしておきます。

[root@ip-10-10-xxx-xx ~]# cp -rf /opt/eff.org/certbot /opt/eff.org/certbot.bak2
[root@ip-10-10-xxx-xx ~]# rm -rf /opt/eff.org/certbot

ファイルが存在するディレクトリは -rf オプションでコピー、削除ができます。

再度SSL証明書を更新

再度certbot-autoコマンドでSSL証明書を更新します。

[root@ip-10-10-xxx-xx ~]# certbot-auto certonly --webroot -w /var/www/vhosts/sample.com/public_html -d sample.com --email sample@sample.com --debug --no-bootstrap

下記のようなメッセージが出力されれば、更新成功です。

[root@ip-10-10-xxx-xx ~]# certbot-auto certonly --webroot -w /var/www/vhosts/sample.com/public_html -d sample.com --email sample@sample.com --debug --no-bootstrap
Creating virtual environment...
Installing Python packages...
Installation succeeded.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for sample.com
Using the webroot path /var/www/vhosts/sample.com/public_html for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/sample.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/sample.com/privkey.pem
Your cert will expire on 2018-10-13. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

You have new mail in /var/spool/mail/root

期限切れSSL証明書を更新後も、ブラウザでエラーが発生する場合

期限切れSSL証明書を更新しても、ブラウザでエラーが発生する場合は apache または nginx を再起動します。

apache

#service httpd restart

nginx

#systemctl restart nginx

コメントを残す

メールアドレスが公開されることはありません。 * が付いている欄は必須項目です

CAPTCHA