Let’s Encryptで証明書更新をするために「certbot renew --dry-run」をしたらエラーなってしまったので、その時の対処法です。証明書の取得は以下のコマンドで実行しています。
# certbot certonly --webroot -w /var/www/html/example -d example.com -d www.example.com
ドキュメントルートは「/var/www/html/example」で、証明書は「example.com」および「www.example.com」に対して取得するという意味です。
# certbot renew --dry-run
をした結果、以下のようなメッセージ(ログ)が表示されました。
# certbot renew --dry-run Saving debug log to /var/log/letsencrypt/letsencrypt.log - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Processing /etc/letsencrypt/renewal/example.com.conf - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Cert not due for renewal, but simulating renewal for dry run Plugins selected: Authenticator webroot, Installer None Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org Renewing an existing certificate Performing the following challenges: http-01 challenge for example.com http-01 challenge for www.example.com Cleaning up challenges Attempting to renew cert (example.com) from /etc/letsencrypt/renewal/example.com.conf produced an unexpected error: Missing command line flag or config entry for this setting: Select the webroot for www.example.com: Choices: ['Enter a new webroot', '/var/www/html/example'] (You can set this with the --webroot-path flag). Skipping. All renewal attempts failed. The following certs could not be renewed: /etc/letsencrypt/live/example.com/fullchain.pem (failure) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ** DRY RUN: simulating 'certbot renew' close to cert expiry ** (The test certificates below have not been saved.) All renewal attempts failed. The following certs could not be renewed: /etc/letsencrypt/live/example.com/fullchain.pem (failure) ** DRY RUN: simulating 'certbot renew' close to cert expiry ** (The test certificates above have not been saved.) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1 renew failure(s), 0 parse failure(s) IMPORTANT NOTES: - Your account credentials have been saved in your Certbot configuration directory at /etc/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Certbot so making regular backups of this folder is ideal.
[広告]
「/etc/letsencrypt/renewal/example.com.conf」を見ているようなので、中身を確認してみる。
# cat example.com.conf # renew_before_expiry = 30 days version = 0.31.0 archive_dir = /etc/letsencrypt/archive/example.com cert = /etc/letsencrypt/live/example.com/cert.pem privkey = /etc/letsencrypt/live/example.com/privkey.pem chain = /etc/letsencrypt/live/example.com/chain.pem fullchain = /etc/letsencrypt/live/example.com/fullchain.pem # Options used in the renewal process [renewalparams] authenticator = webroot account = ... webroot_path = /var/www/html/example, server = https://acme-v02.api.letsencrypt.org/directory [[webroot_map]] example.com = /var/www/html/example
最後の行にある[webroot_map]がexample.comしかないようなので、www.example.comを追加してみる。
[[webroot_map]]
example.com = /var/www/html/example
↓
[[webroot_map]]
www.example.com = /var/www/html/example
example.com = /var/www/html/example
再度、「certbot renew --dry-run」を実行。
# certbot renew --dry-run Saving debug log to /var/log/letsencrypt/letsencrypt.log - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Processing /etc/letsencrypt/renewal/example.com.conf - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Cert not due for renewal, but simulating renewal for dry run Plugins selected: Authenticator webroot, Installer None Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org Renewing an existing certificate Performing the following challenges: http-01 challenge for www.example.com http-01 challenge for example.com Waiting for verification... Cleaning up challenges Resetting dropped connection: acme-staging-v02.api.letsencrypt.org - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - new certificate deployed without reload, fullchain is /etc/letsencrypt/live/example.com/fullchain.pem - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ** DRY RUN: simulating 'certbot renew' close to cert expiry ** (The test certificates below have not been saved.) Congratulations, all renewals succeeded. The following certs have been renewed: /etc/letsencrypt/live/example.com/fullchain.pem (success) ** DRY RUN: simulating 'certbot renew' close to cert expiry ** (The test certificates above have not been saved.) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
うまくいったようです。
「certbot renew --dry-runでエラーとなったときの対処法」への1件のフィードバック