Setting up the certificates went fine, but the automatic renewal fails at the simulation (dry run) stage.
Environment
ubuntu 18.04.2
apache 2.4.29
What I want to do
aaa.example
www.aaa.example
www.bbb.example
I want to set up a cron job for Let's Encrypt automatic renewal for the three domains above.
Note: aaa.example, www.aaa.example and www.bbb.example should all ultimately redirect to ccc.example.
Steps performed
- Stop the http-to-https redirect and let the server respond over http
- Obtain the certificates
$ sudo certbot certonly --webroot -w /var/www/html/ -d aaa.example
$ sudo certbot certonly --webroot -w /var/www/html/ -d www.aaa.example
$ sudo certbot certonly --webroot -w /var/www/html/ -d www.bbb.example
Note: the following command failed, so I decided to obtain and install the certificates as separate steps:
  $ sudo certbot --apache -d aaa.example -d www.aaa.example -d www.bbb.example
- Install the certificates
$ sudo vi aaa.example-ssl.conf
$ sudo vi www.aaa.example-ssl.conf
$ sudo vi www.bbb.example-ssl.conf
Changed the certificate section of each file:
SSLCertificateFile /etc/letsencrypt/live/[server domain]/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/[server domain]/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/[server domain]/chain.pem
- Re-enable the http-to-https redirect
- Enable https for each domain
$ sudo a2ensite aaa.example-ssl.conf
$ sudo a2ensite www.aaa.example-ssl.conf
$ sudo a2ensite www.bbb.example-ssl.conf
- Apply the configuration
$ sudo apachectl configtest
$ sudo /etc/init.d/apache2 reload
- Confirmed that http redirects to https
- Confirmed that the certificates are correctly in place
aaa.example-ssl.conf
www.aaa.example-ssl.conf
www.bbb.example-ssl.conf
In each of these I added an exclusion so that one specific URL does not redirect to ccc.example, and checked the certificate there.
- Simulated automatic certificate renewal
$ sudo certbot renew --dry-run
- An error occurred
Output of the dry run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Processing /etc/letsencrypt/renewal/aaa.example.conf
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for aaa.example
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (aaa.example) from /etc/letsencrypt/renewal/aaa.example.conf produced an unexpected error: Failed authorization procedure. aaa.example (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://ccc.example/ [xxx.xxx.xx.xxx]: "[response body of ccc.example's index.html]". Skipping.
Processing /etc/letsencrypt/renewal/www.bbb.example.conf
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.bbb.example
Cleaning up challenges
Attempting to renew cert (www.bbb.example) from /etc/letsencrypt/renewal/www.bbb.example.conf produced an unexpected error: Missing command line flag or config entry for this setting:
Input the webroot for www.bbb.example:. Skipping.
Processing /etc/letsencrypt/renewal/www.aaa.example.conf
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.aaa.example
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (www.aaa.co.example) from /etc/letsencrypt/renewal/www.aaa.example.conf produced an unexpected error: Failed authorization procedure. www.aaa.example (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://ccc.example/ [xx.xxx.xxx.xxx]: "[response body of ccc.example's index.html]". Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/aaa.example/fullchain.pem (failure)
/etc/letsencrypt/live/www.bbb.example/fullchain.pem (failure)
/etc/letsencrypt/live/www.aaa.example/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/aaa.example/fullchain.pem (failure)
/etc/letsencrypt/live/www.bbb.example/fullchain.pem (failure)
/etc/letsencrypt/live/www.aaa.example/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)
3 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
- The following errors were reported by the server:
  Domain: aaa.example
  Type: unauthorized
  Detail: Invalid response from https://ccc.example/
  [xxx.xxx.xxx.xxx]: "[response body of ccc.example's index.html]"
  To fix these errors, please make sure that your domain name was
  entered correctly and the DNS A/AAAA record(s) for that domain
  contain(s) the right IP address.
- The following errors were reported by the server:
  Domain: www.aaa.example
  Type: unauthorized
  Detail: Invalid response from https://ccc.example/
  [xxx.xxx.xxx.xxx]: "[response body of ccc.example's index.html]"
  To fix these errors, please make sure that your domain name was
  entered correctly and the DNS A/AAAA record(s) for that domain
  contain(s) the right IP address.
- Your account credentials have been saved in your Certbot
  configuration directory at /etc/letsencrypt. You should make a
  secure backup of this folder now. This configuration directory will
  also contain certificates and private keys obtained by Certbot so
  making regular backups of this folder is ideal.
What I tried
aaa.example.conf
www.aaa.example.conf
www.bbb.example.conf
For the above, I created the path that the server validation (apparently) uses under the document root, excluded it from the redirect, and made it respond over http.
Excluded path: /var/www/html/.well-known/acme-challenge/
→ The result did not change
Suspected cause
Having specified /var/www/html/ as the server validation path when obtaining the certificates
Redirect configuration
aaa.example.conf
RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge/$
RewriteRule ^(.*)$ https://aaa.example$1 [R=301,L]
www.aaa.example.conf
RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge/$
RewriteRule ^(.*)$ https://www.aaa.example$1 [R=301,L]
www.bbb.example.conf
RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge/$
RewriteRule ^(.*)$ https://www.bbb.example$1 [R=301,L]
aaa.example-ssl.conf
# exclusion for certificate verification
RewriteCond %{REQUEST_URI} !^/check/$
RewriteRule ^(.*)$ https://ccc.example$1 [R=301,L]
www.aaa.example-ssl.conf
# exclusion for certificate verification
RewriteCond %{REQUEST_URI} !^/check/$
RewriteRule ^(.*)$ https://ccc.example$1 [R=301,L]
www.bbb.example-ssl.conf
# exclusion for certificate verification
RewriteCond %{REQUEST_URI} !^/check/$
RewriteRule ^(.*)$ https://ccc.example$1 [R=301,L]
Apache configuration
apache2.conf
DefaultRuntimeDir ${APACHE_RUN_DIR}
PidFile ${APACHE_PID_FILE}
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 5
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}
HostnameLookups Off
ErrorLog ${APACHE_LOG_DIR}/error.log
LogLevel warn
IncludeOptional mods-enabled/*.load
IncludeOptional mods-enabled/*.conf
Include ports.conf
<Directory />
Options FollowSymLinks
AllowOverride None
Require all denied
</Directory>
<Directory /usr/share>
AllowOverride None
Require all granted
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
AccessFileName .htaccess
<FilesMatch "^\.ht">
Require all denied
</FilesMatch>
LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
IncludeOptional conf-enabled/*.conf
IncludeOptional sites-enabled/*.conf
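As an added illustration (not code from the question or from certbot), the following Python models the redirect chain that the question's RewriteCond/RewriteRule pairs apply to a request for http://aaa.example/.well-known/acme-challenge/<token>, reproducing the pattern matching with Python's re module; HTTP_COND_FIXED and the sample token are assumptions introduced here, not part of the post.

```python
import re

# RewriteCond patterns exactly as posted in the question. The trailing "$"
# makes the first pattern match only the bare directory path, so a token
# file path underneath it is NOT excluded and the redirect still fires.
HTTP_COND_AS_POSTED = r"^/.well-known/acme-challenge/$"
SSL_COND_AS_POSTED = r"^/check/$"
# Assumed corrected pattern: no trailing "$" (matches everything under the
# challenge directory) and the dot escaped so it means a literal ".".
HTTP_COND_FIXED = r"^/\.well-known/acme-challenge/"


def rule_fires(cond_pattern: str, request_uri: str) -> bool:
    """'RewriteCond %{REQUEST_URI} !<pattern>' lets 'RewriteRule ^(.*)$'
    fire only when the pattern does NOT match the request URI."""
    return re.search(cond_pattern, request_uri) is None


def follow_chain(path: str, http_cond: str, ssl_cond: str, max_hops: int = 5) -> list:
    """Return the URLs an http://aaa.example<path> request is redirected through.
    Model of the question's vhosts: the http vhost redirects to
    https://aaa.example, the https vhost to https://ccc.example, and
    ccc.example itself is treated as the final destination."""
    vhosts = {
        ("http", "aaa.example"): (http_cond, ("https", "aaa.example")),
        ("https", "aaa.example"): (ssl_cond, ("https", "ccc.example")),
    }
    scheme, host = "http", "aaa.example"
    chain = [f"{scheme}://{host}{path}"]
    for _ in range(max_hops):
        entry = vhosts.get((scheme, host))
        if entry is None or not rule_fires(entry[0], path):
            break
        scheme, host = entry[1]
        chain.append(f"{scheme}://{host}{path}")
    return chain


def challenge_reaches_webroot(path: str, http_cond: str, ssl_cond: str) -> bool:
    """True when the http vhost answers the challenge itself (no redirect),
    which is what 'certbot --webroot -w /var/www/html/' relies on."""
    return len(follow_chain(path, http_cond, ssl_cond)) == 1


if __name__ == "__main__":
    token_path = "/.well-known/acme-challenge/CONSTRUCTED_TOKEN"  # constructed sample token
    print("as posted:", follow_chain(token_path, HTTP_COND_AS_POSTED, SSL_COND_AS_POSTED))
    print("fixed:    ", follow_chain(token_path, HTTP_COND_FIXED, SSL_COND_AS_POSTED))
```

With the posted pattern the token request ends at https://ccc.example/, which is exactly the host named in the "Invalid response from" error; with the corrected pattern it stays on the http vhost where the webroot file lives.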