The certificate I issued the other day from my own CA has expired, so this time I'm trying automatic renewal.
# certbot certonly --server https://pt2.locals:20443/ --manual --preferred-challenges http -d pt2.locals --register-unsafely-without-email
An unexpected error occurred: requests.exceptions.SSLError: HTTPSConnectionPool(host='pt2.locals', port=20443): Max retries exceeded with url: / (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1006)')))
That doesn't look good.
2024-11-14 20:49:06,330:DEBUG:acme.client:Sending GET request to https://pt2.locals:20443/.
2024-11-14 20:49:06,332:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): pt2.locals:20443
2024-11-14 20:49:06,336:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/local/lib/python3.11/site-packages/urllib3/connectionpool.py", line 716,
    return ssl_context.wrap_socket(sock, server_hostname=server_hostname)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/ssl.py", line 517, in wrap_socket
    return self.sslsocket_class._create(
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/ssl.py", line 1104, in _create
    self.do_handshake()
  File "/usr/local/lib/python3.11/ssl.py", line 1382, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1006)
It seems the stepca root certificate I installed into /etc/ssl/certs/ and /usr/local/etc/ssl/certs is not being picked up by certbot.
root@pt2:~/certbotstepca # certctl list | grep Small
d6d670e2.0 Smallstep Root CA
Apparently this can be worked around with environment variables, so let's try that.
root@pt2:~/certbotstepca # setenv SSL_CERT_FILE /etc/ssl/certs/d6d670e2.0
root@pt2:~/certbotstepca # setenv REQUESTS_CA_BUNDLE /etc/ssl/certs/d6d670e2.0
root@pt2:~/certbotstepca # sh ./run.sh
Saving debug log to /var/log/letsencrypt/letsencrypt.log
An unexpected error occurred: acme.errors.ClientError: <Response [404]>
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
Looks like the URL is wrong. Orz...
# certbot certonly --server https://pt2.locals:20443/acme/acme/directory --manual --preferred-challenges http -d pt2.locals --register-unsafely-without-email
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Account registered.
Requesting a certificate for pt2.locals

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Create a file containing just this data:

LL8USincT7gkGKq1GAGTm2CK5XdA0KBa.HNrhuZ9ih8ahbKIUu_zpRvmQguSp2VCoHR4LOcmu5QA

And make it available on your web server at this URL:

http://pt2.locals/.well-known/acme-challenge/LL8USincT7gkGKq1GAGTm2CK5XdA0KBa

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Oh. It tells me to publish a file, so I create an alias on the web server, put the file there, and make sure it is reachable at that URL.
echo "LL8USincT7gkGKq1GAGTm2CK5XdA0KBa.HNrhuZ9ih8ahbKIUu_zpRvmQguSp2VCoHR4LOcmu5QA" > /usr/~/.well-known/acme-challenge/LL8USincT7gkGKq1GAGTm2CK5XdA0KBa
ENTER
Successfully received certificate.
Certificate is saved at: /usr/local/etc/letsencrypt/live/pt2.locals/fullchain.pem
Key is saved at:         /usr/local/etc/letsencrypt/live/pt2.locals/privkey.pem
This certificate expires on 2025-02-13.
These files will be updated when the certificate renews.

NEXT STEPS:
- This certificate will not be renewed automatically. Autorenewal of --manual certificates requires the use of an authentication hook script (--manual-auth-hook) but one was not provided. To renew this certificate, repeat this same certbot command before the certificate's expiry date.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
That worked, so I switched over to the new certificate right away, but then accessing the host as plain pt2 gave an error... I keep typing pt2 out of habit, so I'll issue one certificate that covers both names.
# certbot certonly --server https://pt2.locals:20443/acme/acme/directory --manual --manual-auth-hook /root/certbotstepca/acme-auth.sh --preferred-challenges http -d pt2.locals -d pt2 --register-unsafely-without-email
acme-auth.sh
#!/bin/sh
# certbot runs this hook with CERTBOT_TOKEN and CERTBOT_VALIDATION in the environment;
# the served file must contain exactly the validation string.
mkdir -p /usr/local/www/nginx-dist/.well-known/acme-challenge/
echo "$CERTBOT_VALIDATION" > "/usr/local/www/nginx-dist/.well-known/acme-challenge/$CERTBOT_TOKEN"
I also wrote a shell script for the automatic renewal and put it in cron.
#!/bin/sh
# Make certbot's Python TLS stack trust the Smallstep root (the d6d670e2.0 file from certctl list)
export SSL_CERT_FILE=/etc/ssl/certs/d6d670e2.0
export REQUESTS_CA_BUNDLE=/etc/ssl/certs/d6d670e2.0
certbot renew --server https://pt2.locals:20443/acme/acme/directory --manual --manual-auth-hook /root/certbotstepca/acme-auth.sh --preferred-challenges http >> /var/log/letsencrypt/renew.log 2>&1
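As an added example (not the scripts from this post), here is how I would combine the auth hook and the renewal wrapper above into one script that certbot can call for both jobs. It adds two things the post's versions lack: a matching --manual-cleanup-hook (a real certbot option) that removes the token file after validation, so old key authorizations are not left published under the web root, and a check that the token cannot escape the challenge directory. The CA environment variables are needed because certbot's Python requests stack uses its own CA bundle instead of the system store. The web root, CA file path and the hook script path /root/certbotstepca/acme-hooks.sh are assumptions taken from or modelled on the post, and the WEBROOT / CA_FILE / HOOK_SCRIPT overrides exist only so the functions can be exercised outside the server.

```shell
#!/bin/sh
# Added example: HTTP-01 auth hook, cleanup hook and renewal wrapper in one
# file. Usage: acme-hooks.sh auth | cleanup | renew (the hook names are
# passed by certbot; "renew" is what cron calls).
set -eu

# Directory nginx serves for http://pt2.locals/.well-known/acme-challenge/
# (web root from the post; WEBROOT override is an assumption for testing).
challenge_dir() {
    printf '%s/.well-known/acme-challenge' "${WEBROOT:-/usr/local/www/nginx-dist}"
}

# --manual-auth-hook: certbot exports CERTBOT_TOKEN and CERTBOT_VALIDATION.
# The file named after the token must contain exactly the validation string.
auth_hook() {
    # A token is a URL-safe base64 string; anything with a slash or ".." is
    # not one, so refuse it rather than write outside the challenge directory.
    case "$CERTBOT_TOKEN" in
        ''|*/*|*..*) echo "refusing suspicious token" >&2; return 1 ;;
    esac
    dir=$(challenge_dir)
    mkdir -p "$dir"
    printf '%s\n' "$CERTBOT_VALIDATION" > "$dir/$CERTBOT_TOKEN"
    chmod 644 "$dir/$CERTBOT_TOKEN"
}

# --manual-cleanup-hook: runs after validation with the same variables set;
# remove the key authorization so it is not served forever.
cleanup_hook() {
    rm -f "$(challenge_dir)/$CERTBOT_TOKEN"
}

# Returns 0 when the published file is what the ACME server will fetch:
# the content equals CERTBOT_VALIDATION and starts with "<token>.".
check_challenge_file() {
    f="$(challenge_dir)/$CERTBOT_TOKEN"
    [ -f "$f" ] || return 1
    content=$(cat "$f")
    [ "$content" = "$CERTBOT_VALIDATION" ] || return 1
    case "$content" in
        "$CERTBOT_TOKEN".*) return 0 ;;
        *) return 1 ;;
    esac
}

# Renewal wrapper for cron: same env vars as the post, but fail loudly if the
# step-ca root file is missing instead of letting certbot hit a TLS error.
renew() {
    ca="${CA_FILE:-/etc/ssl/certs/d6d670e2.0}"
    hooks="${HOOK_SCRIPT:-/root/certbotstepca/acme-hooks.sh}"   # assumed path
    [ -r "$ca" ] || { echo "CA file $ca is not readable" >&2; return 1; }
    SSL_CERT_FILE="$ca" REQUESTS_CA_BUNDLE="$ca" \
    certbot renew --server https://pt2.locals:20443/acme/acme/directory \
        --manual \
        --manual-auth-hook "$hooks auth" \
        --manual-cleanup-hook "$hooks cleanup" \
        --preferred-challenges http
}

case "${1:-}" in
    auth)    auth_hook ;;
    cleanup) cleanup_hook ;;
    renew)   renew ;;
esac
```

With this layout the cron entry only needs to call the script with renew, and certbot itself invokes the same file with auth and cleanup; stdout and stderr can be appended to /var/log/letsencrypt/renew.log as in the post.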
I used to ask Professor Google about errors, but lately I only ever ask Professor ChatGPT...