Error in the Let's Encrypt SSL/TLS certificate issuance process
- This topic has 2 replies, 2 voices, and was last updated 8 hours, 48 minutes ago by kurisu.
October 30, 2024 at 10:51 #1450
Thank you for your continued support.
When I provision WordPress on a Kagoya VPS with a Let's Encrypt SSL/TLS certificate being issued, the Let's Encrypt SSL certificate is issued, but an error occurs and provisioning fails. Provisioning WordPress without issuing a Let's Encrypt SSL/TLS certificate succeeds, but the same error occurs when I then issue the Let's Encrypt SSL/TLS certificate with kusanagi ssl. The error output from kusanagi ssl is shown below.
Note: some passwords, subdomains, e-mail addresses, etc. have been changed.

    # dnf upgrade -y
    # kusanagi init --passwd "****" --nophrase --dbrootpass "****" --nginx127 --php81 --mariadb10.5
    # kusanagi update cert
    # reboot
    # kusanagi provision --wp --fqdn v1-2-3-4.vir.kagoya.net --noemail --dbname kusanagi_db --dbuser kusanagi_db --dbpass "****" --adminemail sample@example.com kusanagi_html
    [root@v1-2-3-4 ~]# kusanagi ssl --email sample@example.com kusanagi_html
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Account registered.
    Requesting a certificate for v1-2-3-4.vir.kagoya.net
    Successfully received certificate.
    Certificate is saved at: /etc/letsencrypt/live/v1-2-3-4.vir.kagoya.net/fullchain.pem
    Key is saved at: /etc/letsencrypt/live/v1-2-3-4.vir.kagoya.net/privkey.pem
    This certificate expires on 2025-01-28.
    These files will be updated when the certificate renews.
    Certbot has set up a scheduled task to automatically renew this certificate in the background.
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    If you like Certbot, please consider supporting our work by:
    * Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
    * Donating to EFF: https://eff.org/donate-le
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Failed to get Let's Encrypt SSL certificate files.
    kusanagi ssl: error: command returned 1
    kusanagi ssl: error: ssl failed
    [root@v1-2-3-4 ~]# echo $?
    1
Looking at the code that prints the "Failed to get Let's Encrypt SSL certificate files." error, it appears to treat the case where ${KUSANAGI_DRYRUN} is unset (when --dryrun is not specified?) as an error.

    # /opt/kusanagi/lib64/python3.9/site-packages/kusanagi/dispatchers/scripts/functions.sh
    function k_ssl_email() {
        local OPTION="-m ${KUSANAGI_SSL_EMAIL} --agree-tos"
        if [[ -n "${KUSANAGI_SSL_EMAIL}" ]]; then
            k_is_root_domain "${KUSANAGI_FQDN}" "${OPT_FORCE_WWW}"
            local IS_ROOT_DOMAIN=$?
            if (( IS_ROOT_DOMAIN == 0 )); then
                _ certbot certonly --text --noninteractive --webroot -w "${KUSANAGI_DIR}/DocumentRoot" -d "${KUSANAGI_FQDN}" -d "www.${KUSANAGI_FQDN}" ${OPTION}
            elif (( IS_ROOT_DOMAIN == 1 )); then
                local APEX="${KUSANAGI_FQDN/#www\./}"
                _ certbot certonly --text --noninteractive --webroot -w "${KUSANAGI_DIR}/DocumentRoot" -d "${KUSANAGI_FQDN}" -d "${APEX}" ${OPTION}
            else
                _ certbot certonly --text --noninteractive --webroot -w "${KUSANAGI_DIR}/DocumentRoot" -d "${KUSANAGI_FQDN}" ${OPTION}
            fi
            local FULLCHAINPATH=$(ls -1t /etc/letsencrypt/live/"${KUSANAGI_FQDN}"*/fullchain.pem 2>/dev/null | head -1)
            local LETSENCRYPTDIR=${FULLCHAINPATH%/*}
            if [[ -z "${KUSANAGI_DRYRUN}" ]]; then
                echo "Failed to get Let's Encrypt SSL certificate files." >&2
                return 1
            fi
            …
After I commented out that conditional, the process succeeded.
Note: I think the error should really be raised when it is not a dry run and the certbot processing has failed.

    [root@v1-2-3-4 ~]# diff -u /opt/kusanagi/lib64/python3.9/site-packages/kusanagi/dispatchers/scripts/functions.sh_org /opt/kusanagi/lib64/python3.9/site-packages/kusanagi/dispatchers/scripts/functions.sh

--- /opt/kusanagi/lib64/python3.9/site-packages/kusanagi/dispatchers/scripts/functions.sh_org 2024-10-21 15:11:38.000000000 +0900 +++ /opt/kusanagi/lib64/python3.9/site-packages/kusanagi/dispatchers/scripts/functions.sh 2024-10-29 16:57:56.813172908 +0900 @@ -2751,10 +2751,10 @@ local FULLCHAINPATH=$(ls -1t /etc/letsencrypt/live/"${KUSANAGI_FQDN}"*/fullchain.pem 2>/dev/null | head -1) local LETSENCRYPTDIR=${FULLCHAINPATH%/*} - if [[ -z "${KUSANAGI_DRYRUN}" ]]; then - echo "Failed to get Let's Encrypt SSL certificate files." >&2 - return 1 - fi +#### if [[ -z "${KUSANAGI_DRYRUN}" ]]; then +#### echo "Failed to get Let's Encrypt SSL certificate files." >&2 +#### return 1 +#### fi _ sed -i \ -e "s|^\(\s*ssl_certificate\s\+\)\S\+;|\\1${LETSENCRYPTDIR}/fullchain.pem;|" \ …

    [root@v1-2-3-4 ~]# kusanagi ssl --email sample@example.com kusanagi_html
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Certificate not yet due for renewal
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Certificate not yet due for renewal; no action taken.
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    ssl email completed.
    Auto renewal of certificate enabled.
    ssl auto completed.
    restart completed.
    ssl completed.
    [root@v1-2-3-4 ~]# echo $?
    0
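Review bot: Commenting out the whole if block in this hunk removes the only failure check that sits between the certificate lookup and the sed that rewrites ssl_certificate. FULLCHAINPATH comes from ls ... 2>/dev/null | head -1, so when no fullchain.pem exists it is empty, LETSENCRYPTDIR is empty too, and the sed would write the path /fullchain.pem into the configuration with no error reported. Instead of dropping the check, make it test the lookup result, for example if [[ -z "${KUSANAGI_DRYRUN}" && -z "${FULLCHAINPATH}" ]]; then, and keep the echo and return 1 unchanged.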
The output of kusanagi status is as follows.

    [root@v133-18-243-58 ~]# kusanagi status
    KUSANAGI Version 9.6.4-1.el9
    kagoya
    CentOS Stream 9
    *** (active) nginx : nginx127 ***
    * nginx127.service - The NGINX HTTP and reverse proxy server
      Loaded: loaded (/usr/lib/systemd/system/nginx127.service; enabled; preset: disabled)
      Active: active (running) since Wed 2024-10-30 10:07:51 JST; 17min ago
    *** (inactive) httpd : httpd24 ***
    * httpd.service - The Apache HTTP Server
      Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; preset: disabled)
      Active: inactive (dead)
    *** (active) php : php81 ***
    * php-fpm.service - The PHP FastCGI Process Manager
      Loaded: loaded (/usr/lib/systemd/system/php-fpm.service; enabled; preset: disabled)
      Active: active (running) since Wed 2024-10-30 10:07:51 JST; 17min ago
    *** (active) mariadb : mariadb10.5 ***
    * mariadb.service - MariaDB 10.5.26 database server
      Loaded: loaded (/usr/lib/systemd/system/mariadb.service; enabled; preset: disabled)
      Active: active (running) since Wed 2024-10-30 10:07:52 JST; 17min ago
    *** (inactive) psql : ***
    *** (inactive) pgpool-II : ***
    *** python ***
    Python 3.9.20
    *** Cache status ***
    *** WAF ***
    off
    *** SELinux ***
    off (permanent)
    status completed.
This error started occurring around October 2024.
I would appreciate it if you could take a look.
- This topic was modified 9 hours, 34 minutes ago by kurisu.
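The condition discussed in the post above, as an added example that is not part of the original post and is not KUSANAGI's code: it runs the quoted check and a check on the certificate file itself against a constructed live/ directory. The function names, the temporary directory and the example.com hostnames are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example; not KUSANAGI's code. Function names are hypothetical.

# Newest fullchain.pem for an FQDN under a live/ root, using the same
# ls | head idiom as the quoted function. Prints nothing if none exists.
find_fullchain() {   # $1 = live root, $2 = fqdn
    ls -1t "$1"/"$2"*/fullchain.pem 2>/dev/null | head -1
}

# Shape of the check quoted in the post: a real run (empty dry-run flag)
# always fails, whether or not a certificate was found.
check_quoted() {     # $1 = fullchain path, $2 = dry-run flag
    if [ -z "$2" ]; then return 1; fi
    return 0
}

# Check along the lines the poster suggests: fail only on a real run
# where no non-empty fullchain.pem was found.
check_on_cert() {    # $1 = fullchain path, $2 = dry-run flag
    if [ -z "$2" ] && [ ! -s "$1" ]; then
        echo "Failed to get Let's Encrypt SSL certificate files." >&2
        return 1
    fi
    return 0
}

# Run one check against a live/ tree; prints "ok" or "fail".
run_case() {         # $1 = check function, $2 = live root, $3 = fqdn, $4 = dry-run flag
    if "$1" "$(find_fullchain "$2" "$3")" "$4"; then echo ok; else echo fail; fi
}

# Constructed sample data: one FQDN with a certificate file, one without.
LIVE=$(mktemp -d)
mkdir -p "$LIVE/issued.example.com"
echo "constructed placeholder, not a real certificate" > "$LIVE/issued.example.com/fullchain.pem"

echo "quoted check, cert present, real run: $(run_case check_quoted "$LIVE" issued.example.com '')"
echo "cert check,   cert present, real run: $(run_case check_on_cert "$LIVE" issued.example.com '')"
echo "cert check,   cert missing, real run: $(run_case check_on_cert "$LIVE" missing.example.com '' 2>/dev/null)"
echo "cert check,   cert missing, dry run:  $(run_case check_on_cert "$LIVE" missing.example.com 1)"
```
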
-
October 30, 2024 at 11:25 #1452
kurisu-san,
Thank you for pointing this out. We apologize for the inconvenience.
We have confirmed the bug and will release a fix as soon as possible.
October 30, 2024 at 11:39 #1453
hideishi-san,
Thank you for your reply.
I appreciate the quick response.