Задать вопрос
Steel_Balls
@Steel_Balls
0KLRiyDQv9C40LTQvtGALiDQmNC00Lgg0L3QsNGF0YPQuQ==

Certbot не обновляет SSL-сертификаты Let's Encrypt, почему?

Вчера у моего сайта протух SSL-сертификат, а Certbot не хочет его автоматически обновлять
root@765456:~# sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Revocation status for /etc/letsencrypt/live/my_site.com/cert.pem is unknown

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: my_site.com
    Domains: my_site.com www.my_site.com
    Expiry Date: 2024-10-05 13:31:24+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/my_site.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/my_site.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
root@765456:~#

Пробую обновить через sudo certbot renew - вылетает по таймауту, Let's Encrypt не может достучаться до сайта, по-видимому, но сам сайт работает, проверял.
root@765456:~# sudo certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/my_site.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for my_site.com
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (my_site.com) from /etc/letsencrypt/renewal/my_site.com.conf produced an unexpected error: Failed authorization procedure. my_site.com (http-01): urn:ietf:params:acme:error:dns :: During secondary validation: DNS problem: query timed out looking up CAA for my_site.com. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/my_site.com/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/my_site.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: my_site.com
   Type:   None
   Detail: During secondary validation: DNS problem: query timed out
   looking up CAA for my_site.com
root@765456:~#

Порты 80, 443 на сервере открыты
root@765456:~# sudo ufw status
Status: active
To                         Action      From
--                         ------      ----
80/tcp                     ALLOW       Anywhere
22/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
80/tcp (v6)                ALLOW       Anywhere (v6)
22/tcp (v6)                ALLOW       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)


Проверяю доступность DNS:
root@765456:~# dig ns my_site.com +short
ns2.simplecloud.club.
ns1.simplecloud.club.
root@765456:~#

root@765456:~# dig caa my_site.com +trace

; <<>> DiG 9.10.3-P4-Ubuntu <<>> caa my_site.com +trace
;; global options: +cmd
;; Received 28 bytes from 8.8.8.8#53(8.8.8.8) in 20 ms
root@765456:~#

Всё отвечает быстро и выглядит доступным
root@765456:~# dig my_site.com

; <<>> DiG 9.10.3-P4-Ubuntu <<>> my_site.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49218
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;my_site.com.                  IN      A

;; ANSWER SECTION:
my_site.com.           60      IN      A       222.333.444.555

;; Query time: 52 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Oct 06 11:56:51 UTC 2024
;; MSG SIZE  rcvd: 57

root@148505:~# dig caa my_site.com

; <<>> DiG 9.10.3-P4-Ubuntu <<>> caa my_site.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22341
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;my_site.com.                  IN      CAA

;; AUTHORITY SECTION:
my_site.com.           60      IN      SOA     ns1.simplecloud.ru. user.mail.ru. 1636476001 600 60 86400 60

;; Query time: 88 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Oct 06 11:56:52 UTC 2024
;; MSG SIZE  rcvd: 112
root@765456:~#


Кто сталкивался с подобным? В чём может быть проблема? Куда копать?

UPD: у меня есть предположение, что Nginx редиректит все запросы с 80 порта на 443 и поэтому директория .well-known/acme-challengeнедоступна извне

Nginx /etc/nginx/sites-available/default:
server {

        # SSL configuration
        #
        listen 443 ssl;# default_server;
        listen [::]:443 ssl;# default_server;

        server_name my_site.com www.my_site.com;

        ssl_certificate /etc/letsencrypt/live/my_site.com/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/my_site.com/privkey.pem; # managed by Certbot
        ssl_trusted_certificate    /etc/letsencrypt/live/my_site.com/chain.pem;

        ssl_session_cache shared:SSL:10m;
        add_header Strict-Transport-Security "max-age=63072000" always;

        ssl_session_cache shared:SSL:10m;
        ssl_protocols TLSv1.2;

        ssl_session_timeout 1d;
        ssl_session_tickets off;

        ssl_stapling on;
        ssl_stapling_verify on;

        add_header IP $remote_addr;
        add_header Host $host;

        location ~ uploadx|add_user$
                #add_header X-Upstream $upstream_addr always;
                add_header X-Upstream $request_id always;
                proxy_pass http://backend;
        }

        location ~ put_job|get_job {
                add_header X-Upstream $request_id always;
                proxy_pass http://backend_a;
        }

        location ~ \.well-known {
                default_type "text/plain";
                try_files $uri $uri/ =404;
        }


        location / {
                proxy_http_version 1.0;
#               proxy_set_header   Connection "";
#               proxy_set_header HOST $host;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_buffering off;

                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header Host $http_host;
                proxy_set_header X-NginX-Proxy true;
                proxy_set_header Referer $http_referer;
                proxy_set_header X-Request-Id $request_id;

                proxy_pass http://static_server;
        }

    if ($scheme != "https") {
        return 301 https://$host$request_uri;
    } # managed by Certbot
}


upstream backend {
        server 222.333.444.555;
}

upstream static_server {
        server 777.777.222.333;
}

upstream backend_a {
        server 222.333.888.999;
}

server {
    if ($host = www.my_site.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    if ($host = my_site.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


        listen 80 default_server;
        listen [::]:80 default_server;

        server_name my_site.com www.my_site.com;
    return 404; # managed by Certbot
}
  • Вопрос задан
  • 852 просмотра
Подписаться 4 Простой 19 комментариев
Пригласить эксперта
Ответы на вопрос 1
@ipa
у меня была чем-то похожая проблема, при этом был cname на имя кинетика.
после того как убрал cname, и сделал a-запись на ip, сертификат обновился
Ответ написан
Комментировать
Ваш ответ на вопрос

Войдите, чтобы написать ответ

Похожие вопросы