• 作成:

certbot renewが今は使っていない削除したサブドメインのせいで成功しないのは誤ってSubjectに追加してしまっていたからでした

Let's Encryptから「そろそろ証明書の期限が切れるよ」というメールが来たので, 更新しようとした所, 更新ができない.

以下のようなエラーが出ました.

2017-12-29T23:24:36 ncaq@sonoda/pts/0(0) ~
% sudo certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/www.ncaq.net.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for www.ncaq.net
tls-sni-01 challenge for cdn.ncaq.net
tls-sni-01 challenge for tpf.ncaq.net
tls-sni-01 challenge for tt-rss.ncaq.net
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (www.ncaq.net) from /etc/letsencrypt/renewal/www.ncaq.net.conf produced an unexpected error: Failed authorization procedure. tpf.ncaq.net (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: NXDOMAIN looking up A for tpf.ncaq.net. Skipping.

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/cdn.ncaq.net.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for cdn.ncaq.net
tls-sni-01 challenge for tpf.ncaq.net
tls-sni-01 challenge for tt-rss.ncaq.net
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (cdn.ncaq.net) from /etc/letsencrypt/renewal/cdn.ncaq.net.conf produced an unexpected error: Failed authorization procedure. tpf.ncaq.net (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: NXDOMAIN looking up A for tpf.ncaq.net. Skipping.

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/ncaq.net.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/tt-rss.ncaq.net.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/try-pandoc-with-file.ncaq.net.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/www.ncaq.net/fullchain.pem (failure)
  /etc/letsencrypt/live/cdn.ncaq.net/fullchain.pem (failure)

-------------------------------------------------------------------------------

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/ncaq.net/fullchain.pem (skipped)
  /etc/letsencrypt/live/tt-rss.ncaq.net/fullchain.pem (skipped)
  /etc/letsencrypt/live/try-pandoc-with-file.ncaq.net/fullchain.pem (skipped)
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/www.ncaq.net/fullchain.pem (failure)
  /etc/letsencrypt/live/cdn.ncaq.net/fullchain.pem (failure)
-------------------------------------------------------------------------------
2 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: tpf.ncaq.net
   Type:   connection
   Detail: DNS problem: NXDOMAIN looking up A for tpf.ncaq.net

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.
 - The following errors were reported by the server:

   Domain: tpf.ncaq.net
   Type:   connection
   Detail: DNS problem: NXDOMAIN looking up A for tpf.ncaq.net

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

このドメインのAレコードがないよというエラーが出ている, tpf.ncaq.netは, 昔使っていたサブドメインです. tpfって何の略かさっぱりわからなかったため, try-pandoc-with-file.ncaq.netに名前を変えて, 今は使っていません.

このドメインの証明書を削除する過程で, 削除方法がよくわからなかったため, let's encryptの設定ディレクトリを削除してしまったのが失敗のもとのようですね.

しかし, 何故これのアクセスに成功しないとwww.ncaq.netなどが失敗してしまうのかが全くわかりません. それぞれ独立しているため関係ないのでは?

とりあえず証明書の更新を行わないと間に合わないなと思ってtpf.ncaq.netのAレコードを復旧させて更新しました.

その後探ってたら

2017-12-29T23:53:31 root@sonoda/pts/0(1) /etc/letsencrypt
# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Found the following certs:
  Certificate Name: www.ncaq.net
    Domains: www.ncaq.net cdn.ncaq.net tpf.ncaq.net tt-rss.ncaq.net
    Expiry Date: 2018-03-29 13:44:57+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/www.ncaq.net/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.ncaq.net/privkey.pem
  Certificate Name: cdn.ncaq.net
    Domains: cdn.ncaq.net tpf.ncaq.net tt-rss.ncaq.net
    Expiry Date: 2018-03-29 13:45:08+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/cdn.ncaq.net/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/cdn.ncaq.net/privkey.pem
  Certificate Name: ncaq.net
    Domains: ncaq.net
    Expiry Date: 2018-03-10 13:25:48+00:00 (VALID: 70 days)
    Certificate Path: /etc/letsencrypt/live/ncaq.net/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/ncaq.net/privkey.pem
  Certificate Name: tt-rss.ncaq.net
    Domains: tt-rss.ncaq.net
    Expiry Date: 2018-03-10 13:25:54+00:00 (VALID: 70 days)
    Certificate Path: /etc/letsencrypt/live/tt-rss.ncaq.net/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/tt-rss.ncaq.net/privkey.pem
  Certificate Name: try-pandoc-with-file.ncaq.net
    Domains: try-pandoc-with-file.ncaq.net
    Expiry Date: 2018-02-07 23:30:16+00:00 (VALID: 40 days)
    Certificate Path: /etc/letsencrypt/live/try-pandoc-with-file.ncaq.net/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/try-pandoc-with-file.ncaq.net/privkey.pem
-------------------------------------------------------------------------------

というわけのわからない結果が帰ってきました.

なるほどね, 新追加されたAlt Name機能でtpf.ncaq.netを追加してしまっていたのですね.

ドメインを追加する時に複数同時に追加しようとカンマ区切りで追加していたのですが, 誤ってSubjectを追加してしまっていたようでした.

私個人の証明書なので問題ありませんでしたが, 業務で行ってたら条件次第では恐ろしいことになっていた可能性がありますね.

本当は現在の証明書からSubjectを取り除く操作をするのが正しいのでしょうが, 私は面倒くさがりなので一度全削除して設定し直すのを選びました. 1つ1つ再登録しました. ネットワークドメインのことで, そんなに登録件数も多くなかったので手作業で再登録してしまいましたが, 本当はどうやって再登録するのが正しかったんでしょうか?

-dで分ける形式は証明書ファイルが1つになってしまいます.

xargsを使って登録ジョブを回すのが最適解だったりするんでしょうか.

ググっても証明書を分けつつ複数のドメインを登録する方法はわかりませんでした.