AWS EC2 Let's Encrypt renewal

Today the certificate expired and everything started throwing certificate errors.

It took a while to sort out, so here is a quick memo.

This is the error message that kept spewing out:

Cert is due for renewal, auto-renewing...
Could not choose appropriate plugin: The requested nginx plugin does not appear to be installed
Attempting to renew cert (api.xxx.com.tw) from /etc/letsencrypt/renewal/api.xxx.com.tw.conf produced an unexpected error: The requested nginx plugin does not appear to be installed. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/api.xxx.com.tw/fullchain.pem (failure)

I tried a pile of commands like certbot renew and letsencrypt renew; none of them worked.

Googling fixes for "fullchain.pem (failure)" did not help either.

I was sure I had already installed certbot O_O

And yet the certbot command could not be found. After a round of flailing about…


Solution

In the end this is how it got fixed XD

sudo certbot certonly

Choose webroot as the authenticator:

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2

Enter the domain name here:

Plugins selected: Authenticator webroot, Installer None
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel): api.xxx.com.tw

Here, enter a www directory that the web server can actually serve,
e.g. /usr/share/nginx/html/api/public

Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for api.xxx.com.tw
Input the webroot for api.xxx.com.tw: (Enter 'c' to cancel):

Once this shows up, the renewal has succeeded:

Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/api.xxx.com.tw/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/api.xxx.com.tw/privkey.pem
Your cert will expire on 2019-01-30. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"

Installing Certbot

$ curl -O https://dl.eff.org/certbot-auto
$ chmod +x certbot-auto
$ sudo mv certbot-auto /usr/local/bin/certbot-auto

If choosing the nginx installer keeps failing no matter what, use this line instead…

certbot-auto certonly --webroot -w /usr/share/nginx/html/api/public -d <domain> --email <email> -n --agree-tos --debug

Viewing existing certificates

certbot-auto certificates

I had assumed certbot would be smart enough to renew automatically, but…

it does not.

Weird errors during renewal

Fix for "missing package" errors and the like:

rm -rf /opt/eff.org/*
pip install -U certbot
certbot renew --debug

After the first install, I also manually add a separate conf file in nginx dedicated to SSL renewal.

The Security Group also has to have port 443 open.
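As an added example (not part of the original post), a small pre-flight script for the manual webroot renewal described above: it reads the days left on the live certificate, checks that certbot can write the http-01 challenge file under the webroot, and only then runs the same certonly command. It assumes GNU date, an ACME account that is already registered (so no --email), and the post's domain and webroot as defaults.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight checks before the
# non-interactive webroot renewal. DOMAIN and WEBROOT default to the post's
# values; RENEW_WITHIN_DAYS mirrors certbot's own 30-day renewal threshold.
DOMAIN="${DOMAIN:-api.xxx.com.tw}"
WEBROOT="${WEBROOT:-/usr/share/nginx/html/api/public}"
RENEW_WITHIN_DAYS=30

# Whole days between "now" ($2, epoch seconds) and a "notAfter=..." line as
# printed by `openssl x509 -noout -enddate`. Needs GNU date (-d).
days_left_from_enddate() {
    end="${1#notAfter=}"
    now="$2"
    end_epoch=$(date -u -d "$end" +%s) || return 2
    echo $(( (end_epoch - now) / 86400 ))
}

# Days left on a live fullchain.pem; fails if the file cannot be parsed.
cert_days_left() {
    enddate=$(openssl x509 -noout -enddate -in "$1") || return 2
    days_left_from_enddate "$enddate" "$(date -u +%s)"
}

# http-01 only works if certbot can write under
# <webroot>/.well-known/acme-challenge/ and nginx serves that path on port 80.
challenge_dir_ok() {
    dir="$1/.well-known/acme-challenge"
    mkdir -p "$dir" 2>/dev/null || return 1
    token="$dir/preflight-$$"
    printf 'ok\n' > "$token" 2>/dev/null || return 1
    rm -f "$token"
}

main() {
    live="/etc/letsencrypt/live/$DOMAIN/fullchain.pem"
    left=$(cert_days_left "$live") || { echo "cannot read $live" >&2; return 2; }
    echo "$DOMAIN: $left day(s) left"
    [ "$left" -le "$RENEW_WITHIN_DAYS" ] || { echo "not due yet"; return 0; }
    challenge_dir_ok "$WEBROOT" || { echo "$WEBROOT is not writable" >&2; return 1; }
    # Same command the post uses, minus --debug; certbot skips certs not yet due.
    certbot-auto certonly --webroot -w "$WEBROOT" -d "$DOMAIN" -n --agree-tos
}

# Only runs when invoked as `sh renew-check.sh run`; sourcing it just defines
# the functions.
case "${1:-}" in run) main ;; esac
```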

Reference

RHEL / CentOS: installing Certbot to obtain and renew Let's Encrypt certificates

Let's Encrypt free wildcard SSL/TLS certificates for CentOS 7