An email with the following subject arrived from Let's Encrypt.
The full text is as follows.
ACTION REQUIRED: Renew these Let's Encrypt certificates by March 4
We recently discovered a bug in the Let's Encrypt certificate authority code,
described here:
https://community.letsencrypt.org/t/2020-02-29-caa-rechecking-bug/114591
Unfortunately, this means we need to revoke the certificates that were affected
by this bug, which includes one or more of your certificates. To avoid
disruption, you'll need to renew and replace your affected certificate(s) by
Wednesday, March 4, 2020. We sincerely apologize for the issue.
If you're not able to renew your certificate by March 4, the date we are
required to revoke these certificates, visitors to your site will see security
warnings until you do renew the certificate. Your ACME client documentation
should explain how to renew.
If you are using Certbot, the command to renew is:
certbot renew --force-renewal
Hmm. I had no idea what it was talking about.
https://gigazine.net/news/20200304-letsencrypt-caa-rechecking-bug/
This is probably what it is about.
I thought letting the certificate get revoked would be an interesting test of what happens, but I am a coward, so I simply renewed it.
# /usr/bin/certbot renew --force-renewal
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/blog.be-dama.com-0001.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Plugins selected: Authenticator standalone, Installer None
Running pre-hook command: /etc/letsencrypt/renewal-hooks/pre/nginx_stop.sh
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for blog.be-dama.com
Waiting for verification...
Cleaning up challenges
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/www.be-dama.com-0001/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/blog.be-dama.com-0001/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Running post-hook command: /etc/letsencrypt/renewal-hooks/post/nginx_start.sh
So it seems to have been renewed. The revocation is apparently at 12:00 JST on March 5, so if I remember, I will check the site around tomorrow evening.
This was also a good opportunity, since I wanted to verify the renewal hook (pre, post) scripts.
As you can guess from the names, when you want to run a particular script before and after a Let's Encrypt renewal, you just place the script in:
Before: /etc/letsencrypt/renewal-hooks/pre/
After: /etc/letsencrypt/renewal-hooks/post/
At some point I apparently switched the authenticator from webroot to standalone. With standalone, the web server has to be stopped during renewal (it conflicts with certbot on port 80), so I added those scripts.
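As an added example (not code from the original post), here is a Python check for the follow-up the post plans: confirm that the leaf certificate nginx serves after the post-hook restarts it is the renewed one from fullchain.pem, not the old one due for revocation. The host name and fullchain path come from the certbot output above; the PEM data at the bottom is constructed, not real certificates.

```python
import base64
import hashlib
import ssl

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def first_pem_block(pem_text: str) -> str:
    """First CERTIFICATE block of a PEM file; in certbot's fullchain.pem that is the leaf."""
    start = pem_text.index(PEM_BEGIN)
    stop = pem_text.index(PEM_END, start) + len(PEM_END)
    return pem_text[start:stop] + "\n"


def leaf_der(pem_text: str) -> bytes:
    """DER bytes of the leaf certificate in a PEM (chain) file."""
    return ssl.PEM_cert_to_DER_cert(first_pem_block(pem_text))


def sha256_fingerprint(pem_text: str) -> str:
    """Hex SHA-256 of the leaf DER, i.e. the fingerprint openssl x509 prints (without colons)."""
    return hashlib.sha256(leaf_der(pem_text)).hexdigest()


def same_leaf(local_pem: str, served_pem: str) -> bool:
    """True when the served leaf is byte-for-byte the leaf on disk."""
    return sha256_fingerprint(local_pem) == sha256_fingerprint(served_pem)


def renewal_deployed(host: str, fullchain_path: str, port: int = 443) -> bool:
    """Fetch the leaf presented for `host` (SNI) and compare it with fullchain_path.
    get_server_certificate does not validate the chain; the fingerprint match is the check."""
    served = ssl.get_server_certificate((host, port))
    with open(fullchain_path, encoding="ascii") as fh:
        return same_leaf(fh.read(), served)


def wrap_pem(der: bytes) -> str:
    """Wrap bytes as a PEM CERTIFICATE block (used only for the constructed sample data)."""
    return f"{PEM_BEGIN}\n{base64.encodebytes(der).decode('ascii')}{PEM_END}\n"


# Constructed sample data: NOT real certificates, just bytes in PEM wrappers, enough to
# exercise leaf extraction and fingerprint comparison offline.
OLD_LEAF = b"constructed old leaf, issued before the CAA rechecking fix"
NEW_LEAF = b"constructed new leaf, issued by certbot renew --force-renewal"
CHAIN = b"constructed intermediate"
OLD_FULLCHAIN = wrap_pem(OLD_LEAF) + wrap_pem(CHAIN)
NEW_FULLCHAIN = wrap_pem(NEW_LEAF) + wrap_pem(CHAIN)

if __name__ == "__main__":  # live check against the host and path from the certbot output above
    print(renewal_deployed("blog.be-dama.com", "/etc/letsencrypt/live/blog.be-dama.com-0001/fullchain.pem"))
```

If this prints False after the post-hook has run, nginx is still serving the pre-renewal certificate and will show the security warning from the email once that certificate is revoked.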