Let's Encrypt suddenly stopped renewing?!

Environment setup

The SSL certificate on our website suddenly expired. While investigating the cause, I found that the Let's Encrypt SSL certificate renewal was failing: certbot reported "an unexpected error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:765)" and skipped the renewal.
This article summarizes what I referred to while resolving the problem above.

The problem

Running the Let's Encrypt SSL certificate renewal command produced an error. The OS is CentOS 7.

[root@server ~]# httpd -M | grep "ssl_module"
 ssl_module (shared)
[root@server ~]# yum list installed | grep "certbot" # check whether Let's Encrypt (certbot) is installed
Repodata is over 2 weeks old. Install yum-cron? Or run: yum makecache fast
certbot.noarch                        0.26.1-2.el7                   @epel
python2-certbot.noarch                0.26.1-2.el7                   @epel
python2-certbot-apache.noarch         0.26.1-1.el7                   @epel
[root@server ~]# /usr/bin/certbot renew # renew the Let's Encrypt SSL certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/test1.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Attempting to renew cert (test1.com) from /etc/letsencrypt/renewal/test1.com.conf produced an unexpected error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:765). Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/test2.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Attempting to renew cert (test2.com) from /etc/letsencrypt/renewal/test2.com.conf produced an unexpected error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:765). Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/test3.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Attempting to renew cert (test3.com) from /etc/letsencrypt/renewal/test3.com produced an unexpected error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:765). Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/test1.com/fullchain.pem (failure)
  /etc/letsencrypt/live/test2.com/fullchain.pem (failure)
  /etc/letsencrypt/live/test3.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
3 renew failure(s), 0 parse failure(s)
[root@server ~]#

Fix

Googling showed that the installed certbot version was old, so I upgraded it.

[root@server ~]# certbot --version
certbot 0.26.1
[root@server ~]# 
[root@server ~]# yum update certbot
…
[root@server ~]# yum update python2-certbot*
…
[root@server ~]# 

Even after bringing certbot up to date, the error persisted. Googling again, it appears that OpenSSL 1.0.2 is affected by the expiry of a Let's Encrypt root CA, so I updated the CA certificate bundle and OpenSSL.

[root@server ~]# yum install ca-certificates openssl
…
[root@server ~]# 

With that, the Let's Encrypt SSL certificate renewal runs again!

[root@server ~]# /usr/bin/certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/test2.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate for test2.com
Performing the following challenges:
http-01 challenge for test2.com
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/test2.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/test1.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate for test1.com
Performing the following challenges:
http-01 challenge for test1.com
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/test1.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/test3.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate for test3.com
Performing the following challenges:
http-01 challenge for test3.com
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/test3.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all renewals succeeded:
  /etc/letsencrypt/live/test2.com/fullchain.pem (success)
  /etc/letsencrypt/live/test1.com/fullchain.pem (success)
  /etc/letsencrypt/live/test3.com/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[root@server ~]#
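As an added example (not part of the original post), here is a small POSIX shell check that parses `certbot renew` output in the format shown above and reports which certificates hit CERTIFICATE_VERIFY_FAILED, so a cron wrapper can alert on this trust-store problem before the certificate actually expires. The sample log lines are constructed; `classify_renewals`, `verify_failures` and `renewal_exit_code` are names chosen here.

```shell
#!/bin/sh
# Added example: classify each certificate in `certbot renew` output as
# renewed, verify_failed (local trust store / OpenSSL cannot validate the
# ACME server chain) or failed (any other error). Not certbot's own code.

# Constructed sample mirroring the runs above: one verify failure,
# one success, one unrelated failure.
SAMPLE_LOG='Processing /etc/letsencrypt/renewal/test1.com.conf
Attempting to renew cert (test1.com) from /etc/letsencrypt/renewal/test1.com.conf produced an unexpected error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:765). Skipping.
Processing /etc/letsencrypt/renewal/test2.com.conf
Renewing an existing certificate for test2.com
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/test2.com/fullchain.pem
Processing /etc/letsencrypt/renewal/test3.com
Attempting to renew cert (test3.com) from /etc/letsencrypt/renewal/test3.com produced an unexpected error: Some other error. Skipping.'

# Read certbot output on stdin; print "<name> <status>" per certificate,
# in the order certbot processed them.
classify_renewals() {
  awk '
    /^Processing / {
      n = $2; sub(".*/renewal/", "", n); sub("\\.conf$", "", n)
      status[n] = "unknown"; order[++c] = n
    }
    /CERTIFICATE_VERIFY_FAILED/ { status[n] = "verify_failed" }
    /produced an unexpected error/ && !/CERTIFICATE_VERIFY_FAILED/ { status[n] = "failed" }
    /^new certificate deployed/ { status[n] = "renewed" }
    END { for (i = 1; i <= c; i++) print order[i], status[order[i]] }
  '
}

# Names of certificates whose renewal failed on certificate verification.
verify_failures() {
  classify_renewals | awk '$2 == "verify_failed" { print $1 }'
}

# Exit status for a cron wrapper: 2 = verify failure (fix the trust store,
# not the domain), 1 = other failure or unparsed entry, 0 = all renewed.
renewal_exit_code() {
  statuses=$(classify_renewals | awk '{ print $2 }')
  case "$statuses" in
    *verify_failed*) return 2 ;;
    *failed*|*unknown*) return 1 ;;
  esac
  return 0
}

printf '%s\n' "$SAMPLE_LOG" | classify_renewals
```

In production, feed it the real output with `/usr/bin/certbot renew 2>&1 | tee -a /var/log/letsencrypt/renew-check.log | renewal_exit_code` and page on exit status 2.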
