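The other day a client's SSL certificate auto-renewal was failing, and when I looked into it, the cause turned out to be outdated root certificates on the OS.
It is a simple thing but surprisingly easy to forget, so I am writing it down as a note.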
Checking the log

    # cat /tmp/certbot.log
    Processing /etc/letsencrypt/renewal/XXX.com.conf
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Cert is due for renewal, auto-renewing...
    Plugins selected: Authenticator apache, Installer apache
    Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
    Attempting to renew cert (XXX.com) from /etc/letsencrypt/renewal/XXX.com.conf produced an unexpected error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:765). Skipping.

SSL verification error
On CentOS, this is the ca-certificates package

    # yum update ca-certificates

    更新:
      ca-certificates.noarch 0:2021.2.50-72.el7_9

    依存性を更新しました:
      p11-kit.x86_64 0:0.23.5-3.el7 p11-kit-trust.x86_64 0:0.23.5-3.el7
Renewing again

    # certbot renew
    Processing /etc/letsencrypt/renewal/XXX.com.conf
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Cert is due for renewal, auto-renewing...
    Plugins selected: Authenticator apache, Installer apache
    Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
    Renewing an existing certificate for XXX.com
    Performing the following challenges:
    http-01 challenge for XXX.com
    Waiting for verification...
    Cleaning up challenges

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    new certificate deployed with reload of apache server; fullchain is /etc/letsencrypt/live/XXX.com/fullchain.pem
Verification

    $ curl -s -I -v https://XXX.com
    * Server certificate:
    *  subject: CN=XXX.com
    *  start date: 11月 17 06:58:17 2021 GMT
    *  expire date: 2月 15 06:58:16 2022 GMT
Completed without problems.
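
Since this failure is easy to miss, the renewal log can be checked automatically. The following is an added example, not part of the original post: it scans a certbot log for the `CERTIFICATE_VERIFY_FAILED` line shown above and separates that case from other renewal errors. The function names, the exit codes, and the sample log (with hypothetical domains) are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): classify certbot renewal failures.

# Print the cert names whose renewal failed TLS verification of the ACME server.
trust_failures() {
    sed -n 's/^Attempting to renew cert (\([^)]*\)) from .*CERTIFICATE_VERIFY_FAILED.*/\1/p' "$1" | sort -u
}

# Return status: 0 = no failures, 1 = trust-store failure, 2 = other failure, 3 = unreadable log.
check_renewal_log() {
    log=$1
    [ -r "$log" ] || { echo "cannot read $log" >&2; return 3; }
    failed=$(trust_failures "$log")
    if [ -n "$failed" ]; then
        echo "TLS verification of the ACME server failed for:"
        echo "$failed" | sed 's/^/  /'
        echo "Check the OS root certificates (CentOS: yum update ca-certificates)."
        return 1
    fi
    if grep -q 'produced an unexpected error' "$log"; then
        echo "Renewal failed for a reason other than certificate verification."
        return 2
    fi
    return 0
}

# Constructed sample log (hypothetical domains), modelled on the failure line above.
write_sample_log() {
    cat > "$1" <<'EOF'
Processing /etc/letsencrypt/renewal/example.com.conf
Cert is due for renewal, auto-renewing...
Attempting to renew cert (example.com) from /etc/letsencrypt/renewal/example.com.conf produced an unexpected error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:765). Skipping.
Processing /etc/letsencrypt/renewal/example.org.conf
Attempting to renew cert (example.org) from /etc/letsencrypt/renewal/example.org.conf produced an unexpected error: constructed non-TLS error. Skipping.
EOF
}

# Stand-alone use: sh check_certbot_log.sh /tmp/certbot.log
if [ "$#" -gt 0 ]; then
    check_renewal_log "$1"
    exit $?
fi
```

Run from cron after `certbot renew`, a non-zero status can trigger a mail or alert so that a stale trust store is noticed before the certificate expires.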