web-dev-qa-db-ja.com

How do I change the challenge for an existing letsencrypt certificate from tls-sni-01 to webroot?

I'm trying to renew a certificate that is about to expire. I used certbot's Apache plugin, like this: sudo certbot --apache -d support.example.com

However, when I try to renew now, it uses the tls-sni-01 challenge and authorization fails.

Processing /etc/letsencrypt/renewal/support.example.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for support.example.com
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (support.example.com) from /etc/letsencrypt/renewal/support.example.com.conf produced an unexpected error: Failed authorization procedure. support.example.com (tls-sni-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 1ab20abd9ac656e814998274e38cd6e1.cfffa3659f04d5bb0c041a9fef293f9d.acme.invalid from <EXTERNAL IP-ADDRESS:443>. Received 2 certificate(s), first certificate had names "*.example.com". Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/support.example.com/fullchain.pem (failure)

and

 - The following errors were reported by the server:

   Domain: support.example.com
   Type:   unauthorized
   Detail: Incorrect validation certificate for tls-sni-01 challenge.
   Requested
   1ab20abd9ac656e814998274e38cd6e1.cfffa3659f04d5bb0c041a9fef293f9d.acme.invalid
   from <EXTERNAL IP-ADDRESS:443>. Received 2 certificate(s), first
   certificate had names "*.example.com"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

Here are the contents of support.example.com.conf:

# renew_before_expiry = 30 days
version = 0.22.2
archive_dir = /etc/letsencrypt/archive/support.example.com
cert = /etc/letsencrypt/live/support.example.com/cert.pem
privkey = /etc/letsencrypt/live/support.example.com/privkey.pem
chain = /etc/letsencrypt/live/support.example.com/chain.pem
fullchain = /etc/letsencrypt/live/support.example.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = apache
installer = apache
account = <ACCOUNT NUMBER>

As I understand it, certbot is trying to renew with the DNS challenge, but using webroot (via the Apache plugin) it does not succeed.

How do I use the webroot challenge correctly with certbot?

Update:

When I run certbot renew --dry-run, the correct http-01 challenge is used:

Processing /etc/letsencrypt/renewal/support.example.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for support.example.com
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/support.example.com/fullchain.pem

How is this possible?

Update 2:

I changed the letsencrypt renewal conf so that it uses the correct webroot challenge.

# renew_before_expiry = 30 days
version = 0.22.2
archive_dir = /etc/letsencrypt/archive/support.example.com
cert = /etc/letsencrypt/live/support.example.com/cert.pem
privkey = /etc/letsencrypt/live/support.example.com/privkey.pem
chain = /etc/letsencrypt/live/support.example.com/chain.pem
fullchain = /etc/letsencrypt/live/support.example.com/fullchain.pem

[renewalparams]
post_hook = service apache2 start
installer = apache
account = a57eab015444b60984498d853e6c3531
authenticator = webroot
pre_hook = service apache2 stop
[[webroot_map]]
support.example.com = /var/www/support/

But when I run the renewal, I get the following error:

Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer apache
Running pre-hook command: service apache2 stop
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for support.example.com
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (support.example.com) from /etc/letsencrypt/renewal/support.example.com.conf produced an unexpected error: Failed authorization procedure. support.example.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://support.example.com/.well-known/acme-challenge/VDmwSn8yXRbV2dFGe6dvsWelJBthNE33aoynDZ9i3qE: Connection refused. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/support.example.com/fullchain.pem (failure)

I can reach http://support.example.com/.well-known/acme-challenge from outside, so in my opinion that is not the problem.

2
wouter205

Well, after a lot of head-scratching, I figured it out. In the renewal conf I told it to stop Apache... so my site was down and letsencrypt could not reach it, which caused the error.

Below is the correct config that I can use to renew the certificate with the webroot method (instead of the Apache plugin, which uses tls-sni-01 and somehow does not work).

# renew_before_expiry = 30 days
version = 0.26.1
archive_dir = /etc/letsencrypt/archive/support.example.com
cert = /etc/letsencrypt/live/support.example.com/cert.pem
privkey = /etc/letsencrypt/live/support.example.com/privkey.pem
chain = /etc/letsencrypt/live/support.example.com/chain.pem
fullchain = /etc/letsencrypt/live/support.example.com/fullchain.pem

# No pre_hook/post_hook: Apache must stay up to serve the http-01 token.
[renewalparams]
installer = apache
account = a57eab015444b60984498d853e6c3531
authenticator = webroot
server = https://acme-v02.api.letsencrypt.org/directory
[[webroot_map]]
support.example.com = /var/www/support/

Edit:

For completeness, here is also the virtual host configuration that allows access to the /.well-known/acme-challenge location and redirects all traffic except that one location to https.

<VirtualHost *:80>
    ServerName support.example.com
    DocumentRoot /var/www/support/

    # AllowOverride is only valid in a <Directory> context, so the site root
    # is granted here as a directory rather than a <Location />.
    <Directory /var/www/support/>
        Options Indexes FollowSymLinks
        AllowOverride All
        Require all granted
        Satisfy Any
    </Directory>

    # The http-01 token lives under the webroot; keep it reachable over plain HTTP.
    <Location /.well-known/acme-challenge/>
        DirectoryIndex index.html
        Require all granted
    </Location>

    # Send everything except the ACME challenge path to https.
    RedirectMatch 301 ^(?!/\.well-known/acme-challenge/).* https://support.example.com$0
</VirtualHost>
2
wouter205
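Added example (not code from the question, the answer, or certbot itself): a small Python script that catches the two things this thread turns on. It parses a certbot renewal file in the nested [renewalparams] / [[webroot_map]] layout shown above and flags a webroot authenticator whose pre_hook stops the web server or whose webroot_map lacks the domain, and it evaluates the vhost's RedirectMatch pattern to confirm that only the ACME challenge path escapes the https redirect. The sample configs, hostnames and paths in it are constructed to mirror the thread, and parse_renewal_conf, lint_renewal_conf and would_redirect are names chosen for this example; the parser handles only the two-level section layout certbot writes.

```python
"""Lint a certbot renewal file and check the ACME-path redirect exemption.

Added example, not certbot's or the answerer's code.  Sample configs below
are constructed to mirror the thread; hostnames and paths are assumptions.
"""
import re

# Constructed sample: the "Update 2" renewal file with stop/start hooks.
BROKEN_CONF = """\
# renew_before_expiry = 30 days
version = 0.22.2
archive_dir = /etc/letsencrypt/archive/support.example.com
cert = /etc/letsencrypt/live/support.example.com/cert.pem

[renewalparams]
post_hook = service apache2 start
installer = apache
account = <ACCOUNT NUMBER>
authenticator = webroot
pre_hook = service apache2 stop
[[webroot_map]]
support.example.com = /var/www/support/
"""

# Constructed sample: the answer's working file (no hooks, webroot mapped).
FIXED_CONF = """\
version = 0.26.1
[renewalparams]
installer = apache
account = <ACCOUNT NUMBER>
authenticator = webroot
server = https://acme-v02.api.letsencrypt.org/directory
[[webroot_map]]
support.example.com = /var/www/support/
"""


def parse_renewal_conf(text):
    """Parse certbot's two-level INI-like renewal file into nested dicts.

    Keys before any [section] land under ""; [section] keys under that
    name; [[subsection]] keys under section -> subsection.  Comments and
    blank lines are skipped.
    """
    tree = {"": {}}
    section, subsection = "", None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        sub = re.fullmatch(r"\[\[(\w+)\]\]", line)
        if sub:
            subsection = sub.group(1)
            tree[section][subsection] = {}
            continue
        sec = re.fullmatch(r"\[(\w+)\]", line)
        if sec:
            section, subsection = sec.group(1), None
            tree.setdefault(section, {})
            continue
        key, _, value = line.partition("=")
        target = tree[section] if subsection is None else tree[section][subsection]
        target[key.strip()] = value.strip()
    return tree


# Hook commands that take the web server down before validation runs.
STOPS_SERVER = re.compile(r"\b(stop|halt|kill)\b")


def lint_renewal_conf(text, domains):
    """Return findings (strings) for the [renewalparams] in `text`."""
    params = parse_renewal_conf(text).get("renewalparams", {})
    findings = []
    auth = params.get("authenticator")
    if auth == "webroot":
        pre_hook = params.get("pre_hook", "")
        if STOPS_SERVER.search(pre_hook):
            findings.append(
                f"pre_hook {pre_hook!r} stops the web server, but http-01 "
                "needs it up to serve /.well-known/acme-challenge/")
        webroot_map = params.get("webroot_map", {})
        for domain in domains:
            if domain not in webroot_map:
                findings.append(f"no [[webroot_map]] entry for {domain}")
    elif auth == "apache":
        findings.append("apache authenticator on old certbot releases uses "
                        "tls-sni-01, which Let's Encrypt no longer accepts")
    return findings


# The answer's RedirectMatch pattern.  Apache uses PCRE, and Python's re
# shares the negative-lookahead syntax, so the same regex is evaluated here.
REDIRECT_PATTERN = re.compile(r"^(?!/\.well-known/acme-challenge/).*")


def would_redirect(path):
    """True if the vhost's RedirectMatch would send this path to https."""
    return REDIRECT_PATTERN.match(path) is not None


if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(name, lint_renewal_conf(conf, ["support.example.com"]) or ["ok"])
    for path in ("/.well-known/acme-challenge/tok", "/index.html"):
        print(path, "-> https" if would_redirect(path) else "-> served over http")
```

Run it as-is to see the broken file produce one finding (the pre_hook) and the fixed file none; point lint_renewal_conf at the text of a real /etc/letsencrypt/renewal/*.conf to check your own setup before a renewal run.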