[certbot] How to handle a Let's Encrypt certificate renewal error

Let's Encrypt certificate renewal error

When a Let's Encrypt certificate renewal fails, the following email is sent by The Let's Encrypt Team.

Hello,

Your certificate (or certificates) for the names listed below will expire in 19 days (on 13 Dec 20 09:37 +0000). Please make sure to renew your certificate before then, or visitors to your website will encounter errors.

We recommend renewing certificates automatically when they have a third of their
total lifetime left. For Let's Encrypt's current 90-day certificates, that means
renewing 30 days before expiration. See
https://letsencrypt.org/docs/integration-guide/ for details.

example.com

For any questions or support, please visit https://community.letsencrypt.org/. Unfortunately, we can't provide support by email.

For details about when we send these emails, please visit https://letsencrypt.org/docs/expiration-emails/. In particular, note that this reminder email is still sent if you've obtained a slightly different certificate by adding or removing names. If you've replaced this certificate with a newer one that covers more or fewer names than the list above, you may be able to ignore this message.

If you are receiving this email in error, unsubscribe at http://mandrillapp.com/track/unsub.php?u=xxxxxxxxx

Regards,
The Let's Encrypt Team

Run the certbot command manually and check the error

Run the certbot command manually and check the error details.

[root@ip-10-166-12-250 ~]# certbot-auto certonly --webroot -w /var/www/vhosts/example/public_html -d example.com --email  example@example.com --debug  --no-bootstrap
Upgrading certbot-auto 1.8.0 to 1.9.0...
Replacing certbot-auto...
Creating virtual environment...
Installing Python packages...
Installation succeeded.
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 7, in <module>
    from certbot.main import main
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/certbot/main.py", line 2, in <module>
    from certbot._internal import main as internal_main
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/certbot/_internal/main.py", line 10, in <module>
    import josepy as jose
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/josepy/__init__.py", line 44, in <module>
    from josepy.interfaces import JSONDeSerializable
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/josepy/interfaces.py", line 7, in <module>
    from josepy import errors, util
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/josepy/util.py", line 7, in <module>
    import OpenSSL
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/OpenSSL/__init__.py", line 8, in <module>
    from OpenSSL import crypto, SSL
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/OpenSSL/crypto.py", line 12, in <module>
    from cryptography import x509
ImportError: No module named cryptography

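The error says that the cryptography module is missing.

How to fix the certbot error

Once the expiry date passes, visitors who access the site from a browser get a certificate error and cannot view it, so renew the certificate manually.

Check the environment variable [PYTHON_INSTALL_LAYOUT]

Check the environment variable PYTHON_INSTALL_LAYOUT.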

[root@ip-10-10-xxx-xx ~]# env | grep PYTHON_INSTALL_LAYOUT
PYTHON_INSTALL_LAYOUT=amzn

Unset the environment variable [PYTHON_INSTALL_LAYOUT]

Unset the environment variable PYTHON_INSTALL_LAYOUT. The change applies only to the current shell session.

[root@ip-10-10-xxx-xx ~]# unset PYTHON_INSTALL_LAYOUT

Delete the certbot directory (after copying it aside, just in case)

Delete certbot. Just in case, copy the existing certbot directory first.

[root@ip-10-10-xxx-xx ~]# cp -rf /opt/eff.org/certbot /opt/eff.org/certbot.bak2
[root@ip-10-10-xxx-xx ~]# rm -rf /opt/eff.org/certbot

A directory that contains files can be copied and deleted with the -rf options.

Renew the SSL certificate again

Run the certbot-auto command again to renew the SSL certificate.

[root@ip-10-10-xxx-xx ~]# certbot-auto certonly --webroot -w /var/www/vhosts/sample.com/public_html -d sample.com --email sample@sample.com --debug --no-bootstrap

If a message like the following is printed, the renewal succeeded.

[root@ip-10-10-xxx-xx ~]# certbot-auto certonly --webroot -w /var/www/vhosts/sample.com/public_html -d sample.com --email sample@sample.com --debug --no-bootstrap
Creating virtual environment...
Installing Python packages...
Installation succeeded.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for sample.com
Using the webroot path /var/www/vhosts/sample.com/public_html for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/sample.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/sample.com/privkey.pem
Your cert will expire on 2018-10-13. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

You have new mail in /var/spool/mail/root

If the browser still shows an error after renewing the expired SSL certificate

If the browser still shows an error after you renew the expired SSL certificate, restart apache or nginx.

apache

#service httpd restart

nginx

#systemctl restart nginx
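
To tell the cases in this article apart (renewal silently failing, as in the reminder email, versus a renewed certificate that the web server has not yet reloaded), the following check compares the certificate on disk with the one being served. It is an added example, not part of the original article; the function names and script name are hypothetical, and it assumes GNU date and openssl are installed.

```shell
#!/bin/sh
# Added example, not from the original article. Needs GNU date and openssl.
RENEW_WINDOW_DAYS=30   # reminder e-mail: renew 30 days before expiration

# "notAfter=Dec 13 09:37:00 2020 GMT" (openssl -enddate output) -> epoch seconds
enddate_to_epoch() {
    # GNU date turns an empty string into "today", so reject it explicitly.
    [ -n "${1#notAfter=}" ] || return 1
    date -u -d "${1#notAfter=}" +%s
}

# classify DISK_ENDDATE SERVED_ENDDATE NOW_EPOCH
# Prints one of: restart-needed | expired | renewal-overdue | ok
classify() {
    c_disk=$(enddate_to_epoch "$1") || return 2
    c_served=$(enddate_to_epoch "$2") || return 2
    c_now=$3
    if [ "$c_disk" -gt "$c_served" ]; then
        # Renewal worked, but the web server still serves the old certificate.
        echo restart-needed
    elif [ "$c_disk" -le "$c_now" ]; then
        echo expired
    elif [ $(( (c_disk - c_now) / 86400 )) -le "$RENEW_WINDOW_DAYS" ]; then
        # Inside the window in which automatic renewal should already have run.
        echo renewal-overdue
    else
        echo ok
    fi
}

# Expiry of the certificate certbot wrote to disk (path as shown in the article).
disk_enddate() {
    openssl x509 -noout -enddate -in "/etc/letsencrypt/live/$1/fullchain.pem"
}

# Expiry of the certificate the running web server actually presents.
served_enddate() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -enddate
}

# Usage: sh check_cert.sh sample.com   (script name is hypothetical)
if [ -n "${1:-}" ]; then
    classify "$(disk_enddate "$1")" "$(served_enddate "$1")" "$(date +%s)"
fi
```

A result of renewal-overdue means the scheduled renewal should be run by hand to surface an error such as the ImportError above; restart-needed corresponds to the apache or nginx restart described in this section.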
