Let’s Encrypt suddenly stopped renewing?!
Our website's SSL certificate expired without warning. While investigating the cause, I found that the Let’s Encrypt SSL certificate renewal process was failing: certbot reported "an unexpected error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:765)" and skipped the renewal.
This article summarizes what I referred to while resolving the problem above.
Problem
Running the Let’s Encrypt SSL certificate renewal command produced an error. The OS is CentOS 7.
[root@server ~]# httpd -M | grep "ssl_module"
ssl_module (shared)
[root@server ~]# yum list installed | grep "certbot" # check whether Let’s Encrypt (certbot) is installed
Repodata is over 2 weeks old. Install yum-cron? Or run: yum makecache fast
certbot.noarch 0.26.1-2.el7 @epel
python2-certbot.noarch 0.26.1-2.el7 @epel
python2-certbot-apache.noarch 0.26.1-1.el7 @epel
[root@server ~]# /usr/bin/certbot renew # renew the Let’s Encrypt SSL certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/test1.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Attempting to renew cert (test1.com) from /etc/letsencrypt/renewal/test1.com.conf produced an unexpected error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:765). Skipping.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/test2.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Attempting to renew cert (test2.com) from /etc/letsencrypt/renewal/test2.com.conf produced an unexpected error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:765). Skipping.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/test3.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Attempting to renew cert (test3.com) from /etc/letsencrypt/renewal/test3.com produced an unexpected error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:765). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/test1.com/fullchain.pem (failure)
/etc/letsencrypt/live/test2.com/fullchain.pem (failure)
/etc/letsencrypt/live/test3.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/test1.com/fullchain.pem (failure)
/etc/letsencrypt/live/test2.com/fullchain.pem (failure)
/etc/letsencrypt/live/test3.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
3 renew failure(s), 0 parse failure(s)
[root@server ~]#
Fix
Googling showed that the installed certbot version was old, so I upgraded it.
[root@server ~]# certbot --version
certbot 0.26.1
[root@server ~]#
[root@server ~]# yum update certbot
…
[root@server ~]# yum update python2-certbot*
…
[root@server ~]#
Even after updating certbot to the latest version, the error persisted. Googling again, it turned out that with OpenSSL 1.0.2 the Let’s Encrypt root CA ends up treated as expired.
[root@server ~]# yum install ca-certificates openssl
…
[root@server ~]#
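As an added diagnostic that is not part of the original article, the following standard-library Python script checks the local trust store for the two conditions behind this failure: whether the current Let’s Encrypt root (ISRG Root X1) is present, and whether a legacy OpenSSL (below 1.1.0, as on CentOS 7) still trusts the expired DST Root CA X3. SAMPLE_CERTS is constructed data, and the root-CA names and expiry date are public facts about Let’s Encrypt's chain, not taken from this article.

```python
import ssl, sys, time

# Public facts about Let's Encrypt's chain (not from this article): DST Root CA X3
# expired on 2021-09-30 14:01:15 UTC; ISRG Root X1 is the current root.
NEW_ROOT = "ISRG Root X1"
OLD_ROOT = "DST Root CA X3"
# Constructed sample in the shape ssl.SSLContext.get_ca_certs() returns.
SAMPLE_CERTS = [
    {"subject": ((("commonName", OLD_ROOT),),), "notAfter": "Sep 30 14:01:15 2021 GMT"},
    {"subject": ((("countryName", "US"),), (("commonName", NEW_ROOT),)),
     "notAfter": "Jun 04 11:04:38 2035 GMT"},
]

def common_name(cert):
    """Extract the CN from the nested subject tuple the ssl module returns."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value

def openssl_is_legacy(version_info=ssl.OPENSSL_VERSION_INFO):
    """OpenSSL below 1.1.0 (CentOS 7 ships 1.0.2) fails the chain when the
    expired DST Root CA X3 is still in its trust store."""
    return tuple(version_info[:2]) < (1, 1)

def assess_trust_store(ca_certs, now=None):
    """Check for a valid new root and for a still-trusted, expired old root."""
    now = time.time() if now is None else now
    findings = {"isrg_root_x1_present": False, "dst_root_ca_x3_expired": False}
    for cert in ca_certs:
        cn = common_name(cert)
        expired = ssl.cert_time_to_seconds(cert["notAfter"]) < now
        if cn == NEW_ROOT and not expired:
            findings["isrg_root_x1_present"] = True
        if cn == OLD_ROOT and expired:
            findings["dst_root_ca_x3_expired"] = True
    return findings

def needs_update(findings, legacy_openssl):
    """True when the ca-certificates/openssl update above is warranted."""
    return (not findings["isrg_root_x1_present"]
            or (legacy_openssl and findings["dst_root_ca_x3_expired"]))

if __name__ == "__main__":
    ctx = ssl.create_default_context()  # system bundle; pass a PEM path if the list is empty
    if len(sys.argv) > 1:
        ctx.load_verify_locations(cafile=sys.argv[1])
    report = assess_trust_store(ctx.get_ca_certs())
    print(ssl.OPENSSL_VERSION, report,
          "update needed" if needs_update(report, openssl_is_legacy()) else "ok")
```

On a capath-only trust store get_ca_certs() can come back empty until a certificate has been used, which is why the script accepts the bundle file (on CentOS 7, /etc/pki/tls/certs/ca-bundle.crt) as an argument.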
With that, the Let’s Encrypt SSL certificate renewal process works again!
[root@server ~]# /usr/bin/certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/test2.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate for test2.com
Performing the following challenges:
http-01 challenge for test2.com
Waiting for verification...
Cleaning up challenges
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/test2.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/test1.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate for test1.com
Performing the following challenges:
http-01 challenge for test1.com
Waiting for verification...
Cleaning up challenges
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/test1.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/test3.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate for test3.com
Performing the following challenges:
http-01 challenge for test3.com
Waiting for verification...
Cleaning up challenges
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/test3.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all renewals succeeded:
/etc/letsencrypt/live/test2.com/fullchain.pem (success)
/etc/letsencrypt/live/test1.com/fullchain.pem (success)
/etc/letsencrypt/live/test3.com/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[root@server ~]#