If the official Let's Encrypt client refuses to renew a certificate and fails with an unhelpful diagnostic such as
Domain: host.domain
Type: unauthorized
Detail: Incorrect validation certificate for tls-sni-01 challenge. Requested c487b16848f81fd18948802e493f858e.fa08f116e60cfe88bb05a96cb684c921.acme.invalid from :443. Received 2 certificate(s), first certificate had names ""
and letsencrypt.log contains something like
2017-11-02 01:05:27,150:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/certbot/renewal.py", line 425, in handle_renewal_request
    main.renew_cert(lineage_config, plugins, renewal_candidate)
  File "/usr/lib/python3.6/site-packages/certbot/main.py", line 743, in renew_cert
    _get_and_save_cert(le_client, config, lineage=lineage)
  File "/usr/lib/python3.6/site-packages/certbot/main.py", line 80, in _get_and_save_cert
    renewal.renew_cert(config, domains, le_client, lineage)
  File "/usr/lib/python3.6/site-packages/certbot/renewal.py", line 297, in renew_cert
    new_certr, new_chain, new_key, _ = le_client.obtain_certificate(domains)
  File "/usr/lib/python3.6/site-packages/certbot/client.py", line 318, in obtain_certificate
    self.config.allow_subset_of_names)
  File "/usr/lib/python3.6/site-packages/certbot/auth_handler.py", line 81, in get_authorizations
    self._respond(resp, best_effort)
  File "/usr/lib/python3.6/site-packages/certbot/auth_handler.py", line 138, in _respond
    self._poll_challenges(chall_update, best_effort)
  File "/usr/lib/python3.6/site-packages/certbot/auth_handler.py", line 202, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
then, if SELinux is enabled on your system, run the following (this is for nginx; for apache it is analogous):
# chcon --reference=/var/log/nginx/ssl_error.log /var/lib/letsencrypt/error.log
# chcon --reference=/var/log/nginx/ssl_access.log /var/lib/letsencrypt/access.log
Other than that, it works fine.
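
Before relabelling, it helps to confirm that SELinux is really what blocks the web server. The following is an added example, not part of the original post: a shell function that filters AVC denial records for files under /var/lib/letsencrypt. The function names, the sample records and the httpd_t / var_lib_t types in them are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): list SELinux AVC denials that
# touch files under one directory, to confirm a labelling problem before chcon.
# Reads audit records on stdin, prints: comm perms path source_type target_type

avc_denials_under() {
    awk -v dir="$1" '
        # Strip the key= prefix and surrounding quotes from an audit field.
        function val(s, key) { sub("^" key "=", "", s); gsub(/"/, "", s); return s }
        /avc: +denied/ {
            comm = path = sctx = tctx = perms = ""
            a = index($0, "{"); b = index($0, "}")
            if (a && b > a) {
                perms = substr($0, a + 1, b - a - 1)
                gsub(/^ +| +$/, "", perms); gsub(/ +/, ",", perms)
            }
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^comm=/)     comm = val($i, "comm")
                if ($i ~ /^path=/)     path = val($i, "path")
                if ($i ~ /^scontext=/) sctx = val($i, "scontext")
                if ($i ~ /^tcontext=/) tctx = val($i, "tcontext")
            }
            # Records without a path= field, or outside dir, are skipped.
            if (index(path, dir "/") != 1) next
            split(sctx, s, ":"); split(tctx, t, ":")
            print comm, perms, path, s[3], t[3]
        }'
}

# Constructed sample records; the httpd_t and var_lib_t types are assumptions.
sample_audit_lines() {
    cat <<'EOF'
type=AVC msg=audit(1509573927.150:412): avc:  denied  { append open } for  pid=2211 comm="nginx" path="/var/lib/letsencrypt/error.log" dev="dm-0" ino=395012 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1509573927.150:412): arch=c000003e syscall=2 success=no exit=-13 comm="nginx"
type=AVC msg=audit(1509573927.151:413): avc:  denied  { open } for  pid=2211 comm="nginx" path="/var/lib/letsencrypt/access.log" dev="dm-0" ino=395013 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1509573930.002:420): avc:  denied  { read } for  pid=3050 comm="logrotate" path="/var/log/custom/app.log" dev="dm-0" ino=401122 scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0
EOF
}

# Stand-alone run on the constructed sample.
sample_audit_lines | avc_denials_under /var/lib/letsencrypt
```

On a live host, feed it real records, for example `ausearch -m avc -ts recent | avc_denials_under /var/lib/letsencrypt`. Labels set with chcon are lost when the files are relabelled with restorecon; a `semanage fcontext` rule makes them persistent.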