Let's Encrypt maintenance 2
2024/12/25
Hello,
Your certificate (or certificates) for the names listed below will expire in 7 days (on 2025-01-01). Please make sure to renew your certificate before then, or visitors to your web site will encounter errors.
We recommend renewing certificates automatically when they have a third of their total lifetime left. For Let’s Encrypt’s current 90-day certificates, that means renewing 30 days before expiration. See https://letsencrypt.org/docs/integration-guide/ for details.
.
.
.
Let's look at the logs.
[root@localhost ~]# cd /var/log/letsencrypt
[root@localhost letsencrypt]# cat letsencrypt.log |grep error
"error": {
"type": "urn:ietf:params:acme:error:unauthorized",
2024-12-27 17:59:24,128:DEBUG:certbot._internal.error_handler:Encountered exception:
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2024-12-27 17:59:24,128:DEBUG:certbot._internal.error_handler:Calling registered functions
2024-12-27 17:59:24,129:ERROR:certbot._internal.renewal:Failed to renew certificate example.com with error: Some challenges have failed.
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
certbot.errors.Error: 1 renew failure(s), 0 parse failure(s)
[root@localhost letsencrypt]#
That does not tell me what the error actually is.
Opened the log in less and searched for "error".
{
  "identifier": {
    "type": "dns",
    "value": "example.com"
  },
  "status": "invalid",
  "expires": "2025-01-04T00:10:58Z",
  "challenges": [
    {
      "type": "http-01",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall/1979858067/451562388705/WDLLcA",
      "status": "invalid",
      "validated": "2024-12-28T00:10:58Z",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "59.199.19.9: Invalid response from https://example.com/.well-known/acme-challenge/TkpmJ9HaHF8-1xN2jmCPec72nORYMVc0oylpOPx7ltQ : 404",
        "status": 403
      },
      "token": "TkpmJ9HaHF8-1xN2jmCPec72nORYMVc0oylpOPx7ltQ",
      "validationRecord": [
        {
          "url": "http://example.com/.well-known/acme-challenge/TkpmJ9HaHF8-1xN2jmCPec72nORYMVc0oylpOPx7ltQ",
          "hostname": "example.com",
          "port": "80",
          "addressesResolved": [
            "59.199.19.9"
          ],
          "addressUsed": "59.199.19.9"
        },
        {
          "url": "https://example.com/.well-known/acme-challenge/TkpmJ9HaHF8-1xN2jmCPec72nORYMVc0oylpOPx7ltQ",
          "hostname": "example.com",
          "port": "443",
          "addressesResolved": [
            "59.199.19.9"
          ],
          "addressUsed": "59.199.19.9"
        }
      ]
    }
  ]
}
2024-12-28 09:11:03,034:DEBUG:acme.client:Storing nonce: GJdccAF69YKOk-jqYWedJ-3aFL4HKhnjkxd_dyB0YSdQ7hiPNCc
2024-12-28 09:11:03,034:INFO:certbot._internal.auth_handler:Challenge failed for domain example.com
2024-12-28 09:11:03,034:INFO:certbot._internal.auth_handler:http-01 challenge for example.com
2024-12-28 09:11:03,034:DEBUG:certbot._internal.display.obj:Notifying user:
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: example.com
Type: unauthorized
Detail: 59.199.19.9: Invalid response from https://example.com/.well-known/acme-challenge/TkpmJ9HaHF8-1xN2jmCPec72nORYMVc0oylpOPx7ltQ: 404

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Invalid response from https://example.com/.well-known/acme-challenge/
Why is the URL https?
I use Rewrite rules to force http access over to https.
I thought I had excluded everything under .well-known from the Rewrite, but it was not excluded
(I had excluded it on another server and mistakenly assumed this one had been handled too).
Changed the Rewrite definition.
[root@localhost webapps]# cd /etc/httpd/conf.d
[root@localhost conf.d]# vi vhost.conf
[root@localhost conf.d]# cat vhost.conf
<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /opt/tomcat/webapps/
    # DocumentRoot /var/www/html/example.com
    RewriteEngine on
    RewriteRule ^.well-known/acme-challenge/ - [L]
    RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge/
    RewriteCond %{HTTPS} off
    RewriteCond %{SERVER_NAME} ^www.example.com
    RewriteRule ^(.*)$ http://example.com%{REQUEST_URI} [R=301,L]
    RewriteCond %{HTTPS} off
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
    ErrorLog logs/example-error_log
    CustomLog logs/example-access_log combined
    ProxyPass / ajp://localhost:8009/
    ProxyPassReverse / ajp://localhost:8009/
</VirtualHost>
[root@localhost conf.d]#
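Two things in the vhost above explain why the challenge path still gets redirected. In VirtualHost context a RewriteRule pattern is matched against the full URL path, which starts with "/", so `^.well-known/acme-challenge/` never matches and its [L] never fires. And a RewriteCond applies only to the single RewriteRule that follows it, so the `!^/.well-known/acme-challenge/` condition guards the www redirect but not the https redirect two lines later. There is also a third issue the 404 hints at: `ProxyPass /` hands every path, the challenge path included, to Tomcat. The following vhost is an added example, not the post's own file, that addresses all three. It assumes certbot is run with `-w /var/www/letsencrypt` (a dedicated webroot, so nothing under Tomcat's webapps tree has to be relabeled or opened up) and keeps the AJP proxy and log settings from the page.

```apache
# Added example: port-80 vhost that serves ACME http-01 challenges from a
# dedicated webroot and only redirects everything else to https.
# Assumed: certbot renew ... --webroot -w /var/www/letsencrypt
<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com

    # Challenge files come straight from disk, from a directory httpd owns
    # rather than from Tomcat's appBase.
    Alias /.well-known/acme-challenge/ /var/www/letsencrypt/.well-known/acme-challenge/
    <Directory /var/www/letsencrypt/.well-known/acme-challenge/>
        Options None
        AllowOverride None
        Require all granted
    </Directory>

    # Exclusions must precede the general ProxyPass; without this line the
    # challenge request is forwarded to Tomcat, which has no such file -> 404.
    ProxyPass /.well-known/acme-challenge/ !
    ProxyPass / ajp://localhost:8009/
    ProxyPassReverse / ajp://localhost:8009/

    RewriteEngine on
    # VirtualHost context: the pattern sees the leading slash, and the dot is
    # escaped. "-" leaves the URL untouched and [L] stops the ruleset here,
    # so neither redirect below is reached for the challenge path.
    RewriteRule ^/\.well-known/acme-challenge/ - [L]

    # www -> apex, straight to https in one hop.
    # (No %{HTTPS} condition: on a *:80 vhost it is always off.)
    RewriteCond %{SERVER_NAME} ^www\.example\.com$ [NC]
    RewriteRule ^ https://example.com%{REQUEST_URI} [R=301,L]

    # Everything else -> https on the same host.
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

    ErrorLog logs/example-error_log
    CustomLog logs/example-access_log combined
</VirtualHost>
```

After `apachectl configtest` and a reload, a plain-http fetch of `/.well-known/acme-challenge/<anything>` should answer 404 from httpd itself (file missing in the Alias directory) rather than redirect, and a file dropped into /var/www/letsencrypt/.well-known/acme-challenge/ should answer 200 with no redirect.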
I also ran a test.
Created the /.well-known/acme-challenge/ directory, placed a test file in it, and checked whether it could be displayed over the web.
[root@localhost letsencrypt]# cd /opt/tomcat/webapps
[root@localhost webapps]# mkdir .well-known
[root@localhost webapps]# cd .well-known
[root@localhost .well-known]# mkdir acme-challenge
[root@localhost .well-known]# cd acme-challenge
[root@localhost acme-challenge]# echo test-acme-challenge > test
[root@localhost acme-challenge]# cat test
test-acme-challenge
[root@localhost acme-challenge]# ll
合計 4
-rw-r--r-- 1 root root 20 12月 28 14:10 test
[root@localhost acme-challenge]# cd ..
[root@localhost .well-known]# ls -ld acme-challenge
drwxr-xr-x 2 root root 4096 12月 28 14:10 acme-challenge
[root@localhost .well-known]# cd ..
[root@localhost webapps]# ls -ld .well-known
drwxr-xr-x 3 root root 4096 12月 28 14:08 .well-known
[root@localhost webapps]# cd ..
[root@localhost tomcat]# ls -ld webapps
drwxr-x--- 10 tomcat tomcat 4096 12月 28 14:08 webapps
[root@localhost tomcat]# ls -ld --context /opt/tomcat/webapps
drwxr-x--- 10 tomcat tomcat ? 4096 12月 28 14:08 /opt/tomcat/webapps
[root@localhost tomcat]# chcon system_u:object_r:httpd_sys_content_t:s0 /opt/tomcat/webapps/ -R
[root@localhost tomcat]# ls -ld --context /opt/tomcat/webapps/
drwxr-x---. 10 tomcat tomcat system_u:object_r:httpd_sys_content_t:s0 4096 12月 28 14:08 /opt/tomcat/webapps/
[root@localhost tomcat]# chmod o+x /opt/tomcat/webapps
[root@localhost tomcat]# systemctl restart httpd
[root@localhost tomcat]#
Accessed it over the web.
The test file's contents, test-acme-challenge, were displayed, so that part is OK, but the URL is https. The path is not being excluded from the rewrite.
What happens to renew in this state?
Still getting an error.
{
  "identifier": {
    "type": "dns",
    "value": "example.com"
  },
  "status": "invalid",
  "expires": "2025-01-04T13:11:01Z",
  "challenges": [
    {
      "type": "http-01",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall/1979858067/451838204785/QccK-A",
      "status": "invalid",
      "validated": "2024-12-28T13:11:02Z",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "59.199.19.9: Invalid response from http://example.com/.well-known/acme-challenge/6TjpMhLf1tWBrV4B5vynpUfb7w_jajN4znHCbeWE12M: 404",
        "status": 403
      },
So now it is 403 Forbidden?
Even though the test file was displayed?
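The manual check from this post (make the directory, drop a file, fetch it over the web) is worth repeating before every renewal, so here it is as a small script. This is an added example, not part of the original post. It assumes curl is installed, that HOST is the name being renewed and that WEBROOT is the directory handed to certbot's -w option; the `judge_response` helper is a name chosen here. Two facts it encodes: Let's Encrypt's validation server follows redirects, so landing on https is not by itself a failure, but the final response must be 200 with the token as the body; and in the authorization object above, `"status": 403` is the HTTP status of the ACME problem document for error type `unauthorized`, while the 404 inside `detail` is what the validation server actually received from example.com.

```sh
#!/bin/sh
# Added example (not from the post): pre-flight check for an http-01 webroot.
# Assumptions: curl is available; HOST is the renewed name; WEBROOT is the
# directory given to "certbot --webroot -w WEBROOT".

# judge_response CODE FINAL_URL
# Prints a verdict and returns 0 only for the outcome the validation server
# accepts: a final 200. A redirect to https is reported but tolerated.
judge_response() {
    code="$1"
    final_url="$2"
    case "$code" in
        200)
            case "$final_url" in
                https://*) echo "OK: 200 after redirect to https" ;;
                *)         echo "OK: 200 over plain http" ;;
            esac
            return 0 ;;
        404) echo "FAIL: 404 - the request did not map to the challenge file (webroot path, Alias or ProxyPass)"; return 1 ;;
        403) echo "FAIL: 403 - httpd refused the file (permissions, SELinux label or Require)"; return 1 ;;
        *)   echo "FAIL: unexpected status $code at $final_url"; return 1 ;;
    esac
}

# check_acme_path HOST WEBROOT
# Drops a throwaway token file where certbot would, fetches it the way the
# validation server does (plain http, redirects followed), and judges the
# final status and body. The token file is removed again either way.
check_acme_path() {
    host="$1"
    webroot="$2"
    dir="$webroot/.well-known/acme-challenge"
    token="preflight-$$-$(date +%s)"
    mkdir -p "$dir" || return 1
    printf '%s\n' "$token" > "$dir/$token" || return 1
    tmp=$(mktemp) || { rm -f "$dir/$token"; return 1; }
    # -w prints "<code> <final url>" once the body has gone to the temp file
    result=$(curl -sS -L -o "$tmp" -w '%{http_code} %{url_effective}' \
        "http://$host/.well-known/acme-challenge/$token")
    rm -f "$dir/$token"
    body=$(tr -d '\r\n' < "$tmp")
    rm -f "$tmp"
    # shellcheck disable=SC2086  # intentional split into code and url
    judge_response $result || return 1
    if [ "$body" != "$token" ]; then
        echo "FAIL: body is not the token (another vhost or the app answered instead of the file)"
        return 1
    fi
    echo "OK: body matches the token"
}

# Usage: sh acme-preflight.sh example.com /var/www/letsencrypt
if [ "$#" -eq 2 ]; then
    check_acme_path "$1" "$2"
fi
```

Run it from outside the server's own network where possible, since the validation server connects from the internet; a 200 seen only from localhost proves nothing about the firewall or a second vhost answering the public address.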