Yesterday my site's SSL certificate expired, and Certbot won't renew it automatically
root@765456:~# sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Revocation status for /etc/letsencrypt/live/my_site.com/cert.pem is unknown
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
Certificate Name: my_site.com
Domains: my_site.com www.my_site.com
Expiry Date: 2024-10-05 13:31:24+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/my_site.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/my_site.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
root@765456:~#
I try to renew with sudo certbot renew, but it fails with a timeout: apparently Let's Encrypt can't reach the site, though the site itself works, I checked.
root@765456:~# sudo certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/my_site.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for my_site.com
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (my_site.com) from /etc/letsencrypt/renewal/my_site.com.conf produced an unexpected error: Failed authorization procedure. my_site.com (http-01): urn:ietf:params:acme:error:dns :: During secondary validation: DNS problem: query timed out looking up CAA for my_site.com. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/my_site.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/my_site.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: my_site.com
Type: None
Detail: During secondary validation: DNS problem: query timed out
looking up CAA for my_site.com
root@765456:~#
Ports 80 and 443 are open on the server
root@765456:~# sudo ufw status
Status: active
To Action From
-- ------ ----
80/tcp ALLOW Anywhere
22/tcp ALLOW Anywhere
443/tcp ALLOW Anywhere
80/tcp (v6) ALLOW Anywhere (v6)
22/tcp (v6) ALLOW Anywhere (v6)
443/tcp (v6) ALLOW Anywhere (v6)
Checking DNS availability:
root@765456:~# dig ns my_site.com +short
ns2.simplecloud.club.
ns1.simplecloud.club.
root@765456:~#
root@765456:~# dig caa my_site.com +trace
; <<>> DiG 9.10.3-P4-Ubuntu <<>> caa my_site.com +trace
;; global options: +cmd
;; Received 28 bytes from 8.8.8.8#53(8.8.8.8) in 20 ms
root@765456:~#
Everything responds quickly and looks reachable
root@765456:~# dig my_site.com
; <<>> DiG 9.10.3-P4-Ubuntu <<>> my_site.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49218
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;my_site.com. IN A
;; ANSWER SECTION:
my_site.com. 60 IN A 222.333.444.555
;; Query time: 52 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Oct 06 11:56:51 UTC 2024
;; MSG SIZE rcvd: 57
root@148505:~# dig caa my_site.com
; <<>> DiG 9.10.3-P4-Ubuntu <<>> caa my_site.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22341
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;my_site.com. IN CAA
;; AUTHORITY SECTION:
my_site.com. 60 IN SOA ns1.simplecloud.ru. user.mail.ru. 1636476001 600 60 86400 60
;; Query time: 88 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Oct 06 11:56:52 UTC 2024
;; MSG SIZE rcvd: 112
root@765456:~#
Has anyone run into something like this? What could the problem be? Where should I dig?
P.S. I have a hunch that Nginx redirects all requests from port 80 to 443, which is why the directory .well-known/acme-challenge is not reachable from outside
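A diagnostic a practitioner would run for the error in the certbot log above, added here as an example and not part of the original post: the dig calls in the post go through the 8.8.8.8 resolver, which can answer from cache, whereas Let's Encrypt's validation (including its secondary vantage points) ultimately depends on the zone's authoritative servers answering CAA queries. The script below sends a non-recursive CAA query straight to each authoritative nameserver named in the post's `dig ns` output and reports whether it answers, returns an error, or times out; it uses only the Python standard library, and the nameserver hostnames are assumed to still be the delegated ones.

```python
import random
import socket
import struct

CAA_RRTYPE = 257  # RR type number for CAA (RFC 8659)

def build_caa_query(name, txid):
    """Minimal DNS query for the CAA record of `name`, with RD clear so an
    authoritative server must answer from its own zone data."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", CAA_RRTYPE, 1)  # class IN

def classify_reply(reply, txid):
    """'ok' for NOERROR/NXDOMAIN (no CAA restriction at this name, a CA may issue),
    'error' for SERVFAIL/REFUSED or a mismatched transaction id (a CA must refuse).
    Timeouts are classified by the caller, since no packet arrives at all."""
    if len(reply) < 12:
        return "error"
    rtxid, flags, _qd, _an, _ns, _ar = struct.unpack(">HHHHHH", reply[:12])
    if rtxid != txid or not flags & 0x8000:  # wrong transaction or not a response
        return "error"
    rcode = flags & 0x000F
    return "ok" if rcode in (0, 3) else "error"

def check_caa(name, server_ip, timeout=3.0):
    """Send one CAA query straight to `server_ip` and report ok / error / timeout."""
    txid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_caa_query(name, txid), (server_ip, 53))
            reply, _ = s.recvfrom(512)
        except socket.timeout:
            return "timeout"  # the failure mode reported in the certbot log
        except OSError:
            return "error"    # e.g. ICMP port unreachable
    return classify_reply(reply, txid)

if __name__ == "__main__":
    # Nameservers from the post's `dig ns` output; assumed to still be delegated.
    for ns in ("ns1.simplecloud.club", "ns2.simplecloud.club"):
        try:
            ip = socket.gethostbyname(ns)
        except socket.gaierror:
            print(f"{ns}: nameserver hostname does not resolve")
            continue
        print(f"{ns} ({ip}): {check_caa('my_site.com', ip)}")
```

A "timeout" or "error" from any authoritative server is enough to make a CA refuse issuance, even when the A record resolves fine and the site is up.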