
March 18, 2017

On virtual environments

The reality is that plenty of companies still declare "on-premises is alive and well!"
"Virtual machines have too much overhead" and "because it's virtual you can't see it, so it's scary and hard to understand."

Enough of that; let's virtualize.
The other world of virtualization, worth experiencing at least once: an article that explains in plain terms the realities SI vendors would rather not tell you, so have a look at it for reference.

March 10, 2017

SSL certificate renewal with Let's Encrypt fails

A note about Let's Encrypt, which this blog site also relies on.

When I tried to renew the certificate validity period with Let's Encrypt the same way as always, some FQDNs succeeded and others failed.
It was not a case of the DNS records being wrong, as the error message suggests; it looks more like a version incompatibility in certbot.
Note: it seems to fail depending on which certbot version was used before the renewal?
In the output below, (成功したFQDN) marks the FQDN that succeeded and (失敗したFQDN) the one that failed.

$ sudo ./certbot-auto renew --pre-hook "systemctl stop httpd" --post-hook "systemctl start httpd"
Upgrading certbot-auto 0.9.3 to 0.12.0...
Replacing certbot-auto...
Creating virtual environment...
Installing Python packages...
Installation succeeded.
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/(成功したFQDN).conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Running pre-hook command: systemctl stop httpd
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for (成功したFQDN)
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0011_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0011_csr-certbot.pem

-------------------------------------------------------------------------------
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/(成功したFQDN)/fullchain.pem
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/(失敗したFQDN)
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Pre-hook command already run, skipping: systemctl stop httpd
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for (失敗したFQDN)
Waiting for verification...
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/(失敗したFQDN) produced an unexpected error: Failed authorization procedure. zaiteku.jp (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Could not connect to (失敗したFQDN). Skipping.

The following certs are not due for renewal yet:
/etc/letsencrypt/live/(成功したFQDN)/fullchain.pem (skipped)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/(失敗したFQDN)/fullchain.pem (failure)
Running post-hook command: systemctl start httpd
3 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: (失敗したFQDN)
Type: connection
Detail: Could not connect to (失敗したFQDN)

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.

Renewing by the method below worked. The problem, though, is that the web service has to be stopped for a moment.

$ sudo systemctl stop httpd
$ sudo ./certbot-auto certonly --standalone -d (失敗したFQDN)
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for (失敗したFQDN)
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0013_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0013_csr-certbot.pem

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/(失敗したFQDN)/fullchain.pem.
Your cert will expire on 2017-06-09. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

$ sudo systemctl start httpd
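The renew output above is easy to miss in a cron mailbox, so a failed http-01 authorization like the one for (失敗したFQDN) is often noticed only when the certificate expires. As an added example (not from the original post), the following parses `certbot-auto renew` output into per-lineage results for a monitoring hook; the sample log is constructed from the lines above, with the hypothetical names good.example and bad.example standing in for the masked FQDNs.

```python
import re

# Constructed sample: lines taken from the certbot-auto renew output above,
# with "good.example" standing for the FQDN that succeeded and "bad.example"
# for the one that failed (the post itself masks both names).
SAMPLE = """\
Processing /etc/letsencrypt/renewal/good.example.conf
http-01 challenge for good.example
new certificate deployed without reload, fullchain is
Processing /etc/letsencrypt/renewal/bad.example
http-01 challenge for bad.example
Attempting to renew cert from /etc/letsencrypt/renewal/bad.example produced an unexpected error: Failed authorization procedure. bad.example (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Could not connect to bad.example. Skipping.
3 renew failure(s), 0 parse failure(s)
"""

PROCESSING_RE = re.compile(r"^Processing /etc/letsencrypt/renewal/(?P<name>[^/]+?)(?:\.conf)?$")
CHALLENGE_RE = re.compile(r"^(?P<type>[a-z0-9-]+) challenge for (?P<fqdn>\S+)$")
ERROR_RE = re.compile(r"Failed authorization procedure\. \S+ \([a-z0-9-]+\): (?P<code>urn:acme:error:\w+)")
SUMMARY_RE = re.compile(r"^(?P<fail>\d+) renew failure\(s\), (?P<parse>\d+) parse failure\(s\)$")

def parse_renew_log(text):
    """Return ({lineage: {fqdn, challenge, status, error}}, (renew_failures, parse_failures))."""
    # Each 'Processing' line opens a record; the challenge, error and
    # 'new certificate deployed' lines that follow belong to it.
    records, current, summary = {}, None, (0, 0)
    for line in text.splitlines():
        line = line.strip()
        if m := PROCESSING_RE.match(line):
            current = records.setdefault(
                m.group("name"), {"fqdn": None, "challenge": None, "status": "unknown", "error": None})
        elif m := SUMMARY_RE.match(line):
            summary = (int(m.group("fail")), int(m.group("parse")))
        elif current is None:
            continue  # preamble before the first lineage
        elif m := CHALLENGE_RE.match(line):
            current["fqdn"], current["challenge"] = m.group("fqdn"), m.group("type")
        elif m := ERROR_RE.search(line):
            current["status"], current["error"] = "failed", m.group("code")
        elif line.startswith("new certificate deployed"):
            current["status"] = "renewed"
    return records, summary

def renewal_alerts(text):
    """Lineages whose authorization failed, plus certbot's own failure counters."""
    # The counter on the page reads 3 although one certificate failed, so treat
    # it as a coarse signal and act on the per-lineage status.
    records, summary = parse_renew_log(text)
    failed = sorted(n for n, r in records.items() if r["status"] == "failed")
    return failed, summary
```

Feed the captured stdout of the renew job to `renewal_alerts` from a post-hook or the cron wrapper and page on a non-empty failed list.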