Renewing a Let's Encrypt certificate

It's been roughly three months since I first installed the certificates.

I had forgotten all about it until an expiry notice arrived by e-mail and gave me a start!!! (It came to the spam folder, so keep an eye on your spam folder too;;)

Fine!! It's a chore, but it has to be done. Let's renew~~~~~

1. Checking the expiry date

Change to the directory where the certbot-auto file lives and run the following commands.

# cd /usr/local/src/certbot/
# ./certbot-auto certificates

Running the commands above prints information like the following. (Since it had been three months, certbot-auto upgraded itself.)

Upgrading certbot-auto 0.27.1 to 0.29.1...
Replacing certbot-auto...
Creating virtual environment...
Installing Python packages...
Installation succeeded.
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: playontistorydomain1.com
    Domains: playontistorydomain1.com www.playontistorydomain1.com
    Expiry Date: 2018-12-26 08:39:49+00:00 (VALID: 5 days)
    Certificate Path: fullchain.pem 경로
    Private Key Path: privkey.pem 경로
  Certificate Name: playontistorydomain1.co.kr
    Domains: playontistorydomain1.co.kr www.playontistorydomain1.co.kr
    Expiry Date: 2019-01-29 00:08:48+00:00 (VALID: 38 days)
    Certificate Path: fullchain.pem 경로
    Private Key Path: privkey.pem 경로
  Certificate Name: playontistorydomain2.co.kr
    Domains: playontistorydomain2.co.kr www.playontistorydomain2.co.kr
    Expiry Date: 2018-12-26 00:39:20+00:00 (VALID: 5 days)
    Certificate Path: fullchain.pem 경로
    Private Key Path: privkey.pem 경로
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

It shows the expiry date, and also how many days are left.

2. Testing before renewing

The command that renews the certificates is certbot-auto renew, but by adding the --dry-run option you can first test whether anything goes wrong.

# ./certbot-auto renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/playontistorydomain1.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for playontistorydomain1.com
http-01 challenge for www.playontistorydomain1.com
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/playontistorydomain1.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/playontistorydomain1.co.kr.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for playontistorydomain1.co.kr
http-01 challenge for www.playontistorydomain1.co.kr
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/playontistorydomain1.co.kr/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/playontistorydomain2.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',)
Attempting to renew cert (playontistorydomain2.com) from /etc/letsencrypt/renewal/playontistorydomain2.com.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping.
The following certs could not be renewed:
  /etc/letsencrypt/live/playontistorydomain2.com/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

The following certs were successfully renewed:
  /etc/letsencrypt/live/playontistorydomain1.com/fullchain.pem (success)
  /etc/letsencrypt/live/playontistorydomain1.co.kr/fullchain.pem (success)

The following certs could not be renewed:
  /etc/letsencrypt/live/playontistorydomain2.com/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
#

What? Why did one fail??? 🤔

The domain that failed is the certificate I installed while testing this and that when I first set up certificates.

That was the only one I had done with manual instead of webroot..

Since I had no idea what it was about, I just issued a fresh certificate again(...)

3. Renewing the certificates

Now let's do the real renewal.

# ./certbot-auto renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/playontistorydomain1.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for playontistorydomain1.com
http-01 challenge for www.playontistorydomain1.com
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/playontistorydomain1.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/playontistorydomain1.co.kr.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/playontistorydomain2.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/playontistorydomain1.co.kr/fullchain.pem expires on 2019-01-29 (skipped)
  /etc/letsencrypt/live/playontistorydomain2.com/fullchain.pem expires on 2019-03-21 (skipped)
Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/playontistorydomain1.com/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Paid certificates are renewed on a yearly basis, but Let's Encrypt certificates last three months.

In step 1 there were certificates with 5 days and 38 days left, right? The one with 5 days left renewed fine, while the one with 38 days left and the one I reissued from scratch after the error(...) were not renewed.

Renewal is possible from one month before expiry.

4. Verifying the renewal


After restarting Apache and checking, the certificate expiry date has been updated properly.

Now if I register that in crontab to run once a month, it's tra-la-la automatic renewal~~~~~~~~ 😏
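As an added example (not code from the original post), here is a wrapper for the cron job in step 4 that reloads Apache through certbot's --deploy-hook (the output above shows certbot deploys "without reload") and then re-checks the step 1 listing so a failed renewal is reported before the expiry notice ends up in spam. It assumes certbot-auto at the path used in the post and Apache reloaded with apachectl graceful; both are overridable through the environment.

```shell
#!/bin/sh
# Added example, not code from the original post: a wrapper for the cron job
# in step 4. certbot skips any cert with more than 30 days left, so it is safe
# to run this daily. When a cert is renewed, --deploy-hook reloads Apache,
# which certbot does not do by itself ("deployed without reload"). It then
# parses `certbot-auto certificates` (the step 1 listing) and exits non-zero
# if any cert still has WARN_DAYS or fewer left, so cron mails the problem.
# Assumptions: certbot-auto at the path used in the post, Apache reloaded
# with "apachectl graceful"; override either through the environment.

CERTBOT=${CERTBOT:-/usr/local/src/certbot/certbot-auto}
RELOAD_CMD=${RELOAD_CMD:-apachectl graceful}
WARN_DAYS=${WARN_DAYS:-14}

# expiring_within DAYS: reads `certbot certificates` output on stdin and
# prints "name days" for every cert with DAYS or fewer days left. Certs
# certbot flags as "(INVALID: ...)" (expired, revoked, test cert) print -1;
# certs with less than a day left ("VALID: N hour(s)") print 0.
expiring_within() {
    awk -v limit="$1" '
        /Certificate Name:/ { name = $3 }
        /Expiry Date:/ {
            if ($0 ~ /\(INVALID/) { print name " -1"; next }
            if ($0 ~ /VALID: [0-9]+ (hour|minute)/) { print name " 0"; next }
            if (match($0, /VALID: [0-9]+ day/)) {
                days = substr($0, RSTART + 7, RLENGTH - 11) + 0
                if (days <= limit) print name " " days
            }
        }'
}

# renew_and_check: cron entry point. Returns 1 if certbot renew failed,
# 2 if a cert is still close to expiry afterwards, 0 when all is well.
renew_and_check() {
    "$CERTBOT" renew --quiet --no-self-upgrade --deploy-hook "$RELOAD_CMD" \
        || { echo "certbot renew failed, see /var/log/letsencrypt/letsencrypt.log" >&2; return 1; }
    near=$("$CERTBOT" certificates 2>/dev/null | expiring_within "$WARN_DAYS")
    [ -z "$near" ] && return 0
    printf 'WARNING: certs still close to expiry after renew:\n%s\n' "$near" >&2
    return 2
}

# Suggested crontab line (as root), running this script once a day:
#   17 3 * * * /usr/local/sbin/renew-letsencrypt.sh --cron
# Renewal only runs with --cron, so sourcing the file just defines the functions.
if [ "${1:-}" = "--cron" ]; then
    renew_and_check
fi
```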