Let’s EncryptのSSL/TLS証明書発行処理でエラー

TOP Forums バグ報告と提案(Requests and Feedback) Let’s EncryptのSSL/TLS証明書発行処理でエラー

Let’s EncryptのSSL/TLS証明書発行処理でエラー

Viewing 2 reply threads
  • Author
    Posts
    • #1450
      kurisu
      Participant

        お世話になっております。

        カゴヤのVPSでWordPressをLet’s EncryptのSSL/TLS証明書を発行する形でプロビジョニングすると
        Let’s EncryptのSSL証明書は発行されますがエラーとなりプロビジョニングに失敗します。

        また、Let’s EncryptのSSL/TLS証明書を発行しない形でのWordPressのプロビジョニングは成功しますが、
        kusanagi sslでLet’s EncryptのSSL/TLS証明書発行を行うと同様のエラーが発生します。

        kusanagi sslのエラー結果を以下に記載させて頂きます。

        ※一部パスワード、サブドメイン、Eメール等は変更しております。

        
        # dnf upgrade -y
        # kusanagi init --passwd "****" --nophrase --dbrootpass "****" --nginx127 --php81 --mariadb10.5
        # kusanagi update cert
        # reboot
        # kusanagi provision --wp --fqdn v1-2-3-4.vir.kagoya.net --noemail --dbname kusanagi_db --dbuser kusanagi_db --dbpass "****" --adminemail sample@example.com kusanagi_html
        
        [root@v1-2-3-4 ~]# kusanagi ssl --email sample@example.com kusanagi_html
        Saving debug log to /var/log/letsencrypt/letsencrypt.log
        Account registered.
        Requesting a certificate for v1-2-3-4.vir.kagoya.net
        
        Successfully received certificate.
        Certificate is saved at: /etc/letsencrypt/live/v1-2-3-4.vir.kagoya.net/fullchain.pem
        Key is saved at:         /etc/letsencrypt/live/v1-2-3-4.vir.kagoya.net/privkey.pem
        This certificate expires on 2025-01-28.
        These files will be updated when the certificate renews.
        Certbot has set up a scheduled task to automatically renew this certificate in the background.
        
        - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
        If you like Certbot, please consider supporting our work by:
         * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
         * Donating to EFF:                    https://eff.org/donate-le
        - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
        Failed to get Let's Encrypt SSL certificate files.
        kusanagi ssl: error: command returned 1
        kusanagi ssl: error: ssl failed
        [root@v1-2-3-4 ~]# echo $?
        1
        

        「Failed to get Let’s Encrypt SSL certificate files.」のエラー出力している処理を確認してみると、
        ${KUSANAGI_DRYRUN}が未指定(–dryrunを指定していない場合?)の時にエラーとしているようです。

        
        # /opt/kusanagi/lib64/python3.9/site-packages/kusanagi/dispatchers/scripts/functions.sh
         
        function k_ssl_email() {
                local OPTION="-m ${KUSANAGI_SSL_EMAIL} --agree-tos"
         
                if [[ -n "${KUSANAGI_SSL_EMAIL}" ]]; then
                        k_is_root_domain "${KUSANAGI_FQDN}" "${OPT_FORCE_WWW}"
                        local IS_ROOT_DOMAIN=$?
                        if (( IS_ROOT_DOMAIN == 0 )); then
                                _ certbot certonly --text --noninteractive --webroot -w "${KUSANAGI_DIR}/DocumentRoot" -d "${KUSANAGI_FQDN}" -d "www.${KUSANAGI_FQDN}" ${OPTION}
                        elif (( IS_ROOT_DOMAIN == 1 )); then
                                local APEX="${KUSANAGI_FQDN/#www\./}"
                                _ certbot certonly --text --noninteractive --webroot -w "${KUSANAGI_DIR}/DocumentRoot" -d "${KUSANAGI_FQDN}" -d "${APEX}" ${OPTION}
                        else
                                _ certbot certonly --text --noninteractive --webroot -w "${KUSANAGI_DIR}/DocumentRoot" -d "${KUSANAGI_FQDN}" ${OPTION}
                        fi
         
                        local FULLCHAINPATH=$(ls -1t /etc/letsencrypt/live/"${KUSANAGI_FQDN}"*/fullchain.pem 2>/dev/null | head -1)
                        local LETSENCRYPTDIR=${FULLCHAINPATH%/*}
                        if [[ -z "${KUSANAGI_DRYRUN}" ]]; then
                                echo "Failed to get Let's Encrypt SSL certificate files." >&2
                                return 1
                        fi
        …
        

        該当の条件式をコメントアウトすると処理が成功するようになりました。
        ※本来はDryRunではない、かつcertbotの処理が失敗した場合にエラーとする必要があるのではないかと考えています。

        
        [root@v1-2-3-4 ~]# diff -u /opt/kusanagi/lib64/python3.9/site-packages/kusanagi/dispatchers/scripts/functions.sh_org /opt/kusanagi/lib64/python3.9/site-packages/kusanagi/dispatchers/scri
        pts/functions.sh
        --- /opt/kusanagi/lib64/python3.9/site-packages/kusanagi/dispatchers/scripts/functions.sh_org   2024-10-21 15:11:38.000000000 +0900
        +++ /opt/kusanagi/lib64/python3.9/site-packages/kusanagi/dispatchers/scripts/functions.sh       2024-10-29 16:57:56.813172908 +0900
        @@ -2751,10 +2751,10 @@
         
                        local FULLCHAINPATH=$(ls -1t /etc/letsencrypt/live/"${KUSANAGI_FQDN}"*/fullchain.pem 2>/dev/null | head -1)
                        local LETSENCRYPTDIR=${FULLCHAINPATH%/*}
        -               if [[ -z "${KUSANAGI_DRYRUN}" ]]; then
        -                       echo "Failed to get Let's Encrypt SSL certificate files." >&2
        -                       return 1
        -               fi
        +####           if [[ -z "${KUSANAGI_DRYRUN}" ]]; then
        +####                   echo "Failed to get Let's Encrypt SSL certificate files." >&2
        +####                   return 1
        +####           fi
         
                        _ sed -i \
                                -e "s|^\(\s*ssl_certificate\s\+\)\S\+;|\\1${LETSENCRYPTDIR}/fullchain.pem;|" \
        …
        [root@v1-2-3-4 ~]# kusanagi ssl --email sample@example.com kusanagi_html
        Saving debug log to /var/log/letsencrypt/letsencrypt.log
        Certificate not yet due for renewal
        
        - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
        Certificate not yet due for renewal; no action taken.
        - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
        ssl email completed.
        Auto renewal of certificate enabled.
        ssl auto completed.
        restart completed.
        ssl completed.
        [root@v1-2-3-4 ~]# echo $?
        0
        

        kusanagi statusの結果は以下の通りです。

        
        [root@v133-18-243-58 ~]# kusanagi status
        KUSANAGI Version 9.6.4-1.el9
        kagoya
        CentOS Stream 9
        
        *** (active) nginx : nginx127 ***
        * nginx127.service - The NGINX HTTP and reverse proxy server
             Loaded: loaded (/usr/lib/systemd/system/nginx127.service; enabled; preset: disabled)
             Active: active (running) since Wed 2024-10-30 10:07:51 JST; 17min ago
        
        *** (inactive) httpd : httpd24 ***
        * httpd.service - The Apache HTTP Server
             Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; preset: disabled)
             Active: inactive (dead)
        
        *** (active) php : php81 ***
        * php-fpm.service - The PHP FastCGI Process Manager
             Loaded: loaded (/usr/lib/systemd/system/php-fpm.service; enabled; preset: disabled)
             Active: active (running) since Wed 2024-10-30 10:07:51 JST; 17min ago
        
        *** (active) mariadb : mariadb10.5 ***
        * mariadb.service - MariaDB 10.5.26 database server
             Loaded: loaded (/usr/lib/systemd/system/mariadb.service; enabled; preset: disabled)
             Active: active (running) since Wed 2024-10-30 10:07:52 JST; 17min ago
        
        *** (inactive) psql :  ***
        
        *** (inactive) pgpool-II :  ***
        
        *** python ***
        Python 3.9.20
        
        *** Cache status ***
        
        *** WAF ***
        off
        
        *** SELinux ***
        off (permanent)
        
        status completed.
        

        2024年10月頃より本エラーは発生するようになりました。
        お手数ですが、一度ご確認頂けると幸いです。

        • This topic was modified 11 hours, 34 minutes ago by kurisu.
      • #1452
        hideishi
        Participant

          kurisuさん

          ご指摘ありがとうございます。ご迷惑おかけして申し訳ありません。
          不具合を確認できましたので、早急に修正をリリースします。

        • #1453
          kurisu
          Participant

            hideishiさん

            ご返信ありがとうございます。
            迅速な対応感謝いたします。

        Viewing 2 reply threads
        • You must be logged in to reply to this topic.

        Next article

        フォーラムについて