certbot 更新 letsencrypt SSL 失敗

certbot renew 出現下面的錯誤
Cert is due for renewal, auto-renewing…
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError(‘An authentication script must be provided with –manual-auth-hook when using the manual plugin non-interactively.’)
Attempting to renew cert (def.com-0001) from /etc/letsencrypt/renewal/def.com-0001.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError(‘An authentication script must be provided with –manual-auth-hook when using the manual plugin non-interactively.’). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/abc.com-0003/fullchain.pem (failure)
/etc/letsencrypt/live/def.com-0001/fullchain.pem (failure)

網路上查了一下,需要手動認證來解決這個問題
指令如下

/usr/bin/certbot certonly –preferred-challenges dns-01 –manual -d ‘abc.com,*.abc.com’

遇到下面訊息,按下Y
Are you OK with your IP being logged?
– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
(Y)es/(N)o: Y

之後會要求在DNS中新增一筆txt記錄
_acme-challenge.abc.com

待生效之後,就可以完成認證,訊息如下
我是用cloudflare的DNS,生效大約三分鐘左右

IMPORTANT NOTES:
– Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/def.com-0003/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/def.com-0003/privkey.pem
Your cert will expire on 2022-07-09. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
“certbot renew”
– If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

生效之後 nginx / apache 要reload一次,讓新的憑證重新載入
下面是我更新完之後的截圖
SSL 憑證更新完成

在最後,可以用下面這個網站查詢馮證的相關歷史記錄
https://crt.sh/

20220709 又遇到無法「自動」更新SSL憑證的情況
只好再用certbot手動驗證的動作
如果每次都是失敗,這樣其實沒有比較方便。

發佈留言

發佈留言必須填寫的電子郵件地址不會公開。