
How do I change the challenge from tls-sni-01 to webroot for an existing letsencrypt certificate?

I am trying to renew my certificate, which is about to expire. I used the Apache plugin for certbot like this: sudo certbot --apache -d support.example.com.

However, when I try to renew it now, it uses the tls-sni-01 challenge and therefore fails to authenticate:

Processing /etc/letsencrypt/renewal/support.example.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for support.example.com
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (support.example.com) from /etc/letsencrypt/renewal/support.example.com.conf produced an unexpected error: Failed authorization procedure. support.example.com (tls-sni-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 1ab20abd9ac656e814998274e38cd6e1.cfffa3659f04d5bb0c041a9fef293f9d.acme.invalid from <EXTERNAL IP-ADDRESS:443>. Received 2 certificate(s), first certificate had names "*.example.com". Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/support.example.com/fullchain.pem (failure)

And

 - The following errors were reported by the server:

   Domain: support.example.com
   Type:   unauthorized
   Detail: Incorrect validation certificate for tls-sni-01 challenge.
   Requested
   1ab20abd9ac656e814998274e38cd6e1.cfffa3659f04d5bb0c041a9fef293f9d.acme.invalid
   from <EXTERNAL IP-ADDRESS:443>. Received 2 certificate(s), first
   certificate had names "*.example.com"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

Here is the content of support.example.com.conf:

# renew_before_expiry = 30 days
version = 0.22.2
archive_dir = /etc/letsencrypt/archive/support.example.com
cert = /etc/letsencrypt/live/support.example.com/cert.pem
privkey = /etc/letsencrypt/live/support.example.com/privkey.pem
chain = /etc/letsencrypt/live/support.example.com/chain.pem
fullchain = /etc/letsencrypt/live/support.example.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = apache
installer = apache
account = <ACCOUNT NUMBER>

If I understand correctly, certbot tries to renew with the DNS challenge whereas I was using webroot (via the Apache plugin), so it fails.

How can I make certbot correctly use the webroot challenge?

Update:

When I run certbot renew --dry-run it uses the correct http-01 challenge:

Processing /etc/letsencrypt/renewal/support.example.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for support.example.com
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/support.example.com/fullchain.pem

How is this possible?

Update 2:

I changed my letsencrypt renewal config so that it uses the correct webroot challenge.

# renew_before_expiry = 30 days
version = 0.22.2
archive_dir = /etc/letsencrypt/archive/support.example.com
cert = /etc/letsencrypt/live/support.example.com/cert.pem
privkey = /etc/letsencrypt/live/support.example.com/privkey.pem
chain = /etc/letsencrypt/live/support.example.com/chain.pem
fullchain = /etc/letsencrypt/live/support.example.com/fullchain.pem

[renewalparams]
post_hook = service apache2 start
installer = apache
account = a57eab015444b60984498d853e6c3531
authenticator = webroot
pre_hook = service apache2 stop
[[webroot_map]]
support.example.com = /var/www/support/

But when I perform the renewal now, I get the following error:

Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer apache
Running pre-hook command: service apache2 stop
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for support.example.com
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (support.example.com) from /etc/letsencrypt/renewal/support.example.com.conf produced an unexpected error: Failed authorization procedure. support.example.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://support.example.com/.well-known/acme-challenge/VDmwSn8yXRbV2dFGe6dvsWelJBthNE33aoynDZ9i3qE: Connection refused. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/support.example.com/fullchain.pem (failure)

I can reach http://support.example.com/.well-known/acme-challenge from outside, so in my opinion that cannot be the problem.

2
wouter205

Okay, after a lot of head-scratching, I figured it out. In my renewal conf I told it to stop Apache... so my site was down and letsencrypt couldn't connect, hence the error.

With the settings below I can renew my certificate using the webroot method (instead of the Apache plugin using tls-sni-01, which for some reason doesn't work).

# renew_before_expiry = 30 days
version = 0.26.1
archive_dir = /etc/letsencrypt/archive/support.example.com
cert = /etc/letsencrypt/live/support.example.com/cert.pem
privkey = /etc/letsencrypt/live/support.example.com/privkey.pem
chain = /etc/letsencrypt/live/support.example.com/chain.pem
fullchain = /etc/letsencrypt/live/support.example.com/fullchain.pem

[renewalparams]
installer = apache
account = a57eab015444b60984498d853e6c3531
authenticator = webroot
server = https://acme-v02.api.letsencrypt.org/directory
[[webroot_map]]
support.example.com = /var/www/support/

Edit:

For completeness, here is also my virtualhost configuration that allows access to the /.well-known/acme-challenge location and redirects all traffic to https, except for that location.

<VirtualHost *:80>
    ServerName support.example.com
    DocumentRoot /var/www/support/

    # AllowOverride is only valid inside <Directory>, not <Location>,
    # so the document root is configured as a Directory block.
    <Directory /var/www/support/>
        Options Indexes FollowSymLinks
        AllowOverride All
        Require all granted
        Satisfy Any
    </Directory>

    # Serve the ACME challenge files over plain HTTP.
    <Location /.well-known/acme-challenge/>
        DirectoryIndex index.html
        DirectoryIndex enabled
        Require all granted
    </Location>

    # Redirect everything except the ACME challenge path to HTTPS.
    RedirectMatch 301 ^(?!/\.well-known/acme-challenge/).* https://support.example.com$0
</VirtualHost>
2
wouter205
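A pre-flight check for a renewal conf like the one in this answer, written as an added example (it is not part of the original post or of certbot). It assumes the conf layout shown above, a [renewalparams] section followed by [[webroot_map]], and flags the two things that broke renewal here: a pre_hook/post_hook that stops the web server while the http-01 challenge runs, and a webroot_map directory that is missing or not writable by certbot.

```shell
#!/bin/sh
# Pre-flight lint for a certbot renewal conf that uses the webroot
# authenticator. Added example for this page; not part of certbot.
# Exit status is the number of problems found (0 = looks fine).

# Print the value of "key = value" from the conf (first match only).
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

check_renewal_conf() {
    conf=$1
    problems=0
    auth=$(conf_get "$conf" authenticator)
    if [ "$auth" != "webroot" ]; then
        echo "authenticator is '${auth:-unset}', this check expects webroot"
        problems=$((problems + 1))
    fi
    # While certbot waits for verification, the ACME server fetches
    # http://<domain>/.well-known/acme-challenge/<token> on port 80.
    # A hook that stops the web server therefore yields "Connection refused".
    stop_re='(apache2?|httpd|nginx)[[:space:]]+stop|stop[[:space:]]+(apache2?|httpd|nginx)'
    for hook in pre_hook post_hook; do
        if conf_get "$conf" "$hook" | grep -Eq "$stop_re"; then
            echo "$hook stops the web server; http-01 validation will be refused"
            problems=$((problems + 1))
        fi
    done
    # Each [[webroot_map]] entry must point at a directory certbot can write
    # the challenge file into; blanks are stripped so "dom = /path" splits on "=".
    for line in $(sed -n '/^\[\[webroot_map\]\]/,$p' "$conf" | grep '=' | tr -d '[:blank:]'); do
        domain=${line%%=*}
        dir=${line#*=}
        if [ ! -d "$dir" ] || [ ! -w "$dir" ]; then
            echo "webroot for $domain ($dir) is missing or not writable"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Usage: sh check_renewal.sh /etc/letsencrypt/renewal/support.example.com.conf
if [ "$#" -eq 1 ]; then
    check_renewal_conf "$1"
fi
```

Run it before certbot renew; a non-zero exit status means the http-01 challenge would fail for one of the reasons printed.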