Introduction
One day, when I opened my self-hosted site in a browser, the certificate had expired.

So I tried to renew it, but the Let's Encrypt renewal running under docker (docker compose) kept failing and I got stuck, so I went back over my docker × Let's Encrypt × nginx setup.
There is also a record of my floundering below, so it may be better to skip straight to the conclusion.
Struggling
The requested nginx plugin does not appear to be installed
First, I simply tried a renew and got "The requested nginx plugin does not appear to be installed".
```console
$ sudo docker exec -it certbot-container certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/appare99-system.net.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Failed to renew certificate appare99-system.net with error: The requested nginx plugin does not appear to be installed
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All simulated renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/appare99-system.net/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
```
I then wasted a lot of time struggling to get rid of this error.
If you see this error, I think it is best to start over. That is what I did.
No renewals were attempted.
So, to start over, I tried to obtain a fresh certificate.
But, as shown below, it did not work.
```console
$ sudo docker compose run --rm certbot certonly --webroot -w /dist -d appare99-system.net
[sudo] password for ubuntu:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
```
Entering the docker container and trying there gives the following.
```console
$ sudo docker compose exec certbot /bin/ash
/opt/certbot #
/opt/certbot # certbot certonly --webroot -w /dist -d appare99-system.net
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for appare99-system.net
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: appare99-system.net
Type: connection
Detail: 160.16.229.13: Fetching http://appare99-system.net/.well-known/acme-challenge/u29Xty2UizRaFmw_0ivq08tjiF5qlPcTr1kgbCH_3AU: Connection refused
Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.
Some challenges have failed.
```
✅ Problem: certbot was also running locally.
To my surprise, separate from docker, the certbot I had installed before moving to docker was still running on the host.
```console
$ sudo systemctl status certbot
○ certbot.service - Certbot
     Loaded: loaded (/lib/systemd/system/certbot.service; static)
     Active: inactive (dead) since Tue 2024-12-24 19:06:58 JST; 4h 0min ago
TriggeredBy: ● certbot.timer
       Docs: file:///usr/share/doc/python-certbot-doc/html/index.html
             https://certbot.eff.org/docs
    Process: 2962655 ExecStart=/usr/bin/certbot -q renew (code=exited, status=0/SUCCESS)
   Main PID: 2962655 (code=exited, status=0/SUCCESS)
        CPU: 684ms

Dec 24 19:06:57 tk2-256-37759 systemd[1]: Starting Certbot...
Dec 24 19:06:58 tk2-256-37759 systemd[1]: certbot.service: Deactivated successfully.
Dec 24 19:06:58 tk2-256-37759 systemd[1]: Finished Certbot.
```
I uninstalled the host-side one.
```console
$ sudo apt remove --purge certbot
```
But it still ended in "No renewals were attempted."
The following error also started to appear,
```console
$ sudo docker compose exec certbot /bin/ash
/opt/certbot #
/opt/certbot # certbot certonly --webroot -w /dist -d appare99-system.net
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for appare99-system.net
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: appare99-system.net
Type: connection
Detail: 160.16.229.13: Fetching http://appare99-system.net/.well-known/acme-challenge/vGwsqocD1vhcvsExWoemlVj5om-Rw2hem1NtHvXRgqA: Connection refused
Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
```
so I created the /.well-known/acme-challenge/ directory and added the setting to default.conf (see reference below).

But still "No renewals were attempted."
```console
$ sudo docker compose run --rm certbot certonly --webroot -w /dist -d appare99-system.net
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
```
Running it from inside the container did not work either.
```console
$ sudo docker compose exec certbot /bin/ash
/opt/certbot #
/opt/certbot # certbot certonly --webroot -w /dist -d appare99-system.net
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for appare99-system.net
An unexpected error occurred:
Service busy; retry later.
```
Specifying "--webroot-path /dist" explicitly did not help either.
```console
$ sudo docker compose run --rm certbot certonly --webroot --webroot-path /dist --dry-run -d appare99-system.net
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
```
After going round this loop for a while,
I decided to take a fresh look at the docker-compose.yml file.
Summary (conclusion)
The docker-compose.yml file is structured as follows. (For some reason this part had originally been configured strangely...)
```yaml
nginx:
  container_name: nginx-container
  build:
    context: ./nginx_prod
    dockerfile: ./Dockerfile
  ports:
    - "80:80"
    - "443:443"
  environment:
    TZ: "Asia/Tokyo"
  # reload nginx every 20 days
  command: "/bin/sh -c 'while :; do sleep 20d & wait $${!}; nginx -s reload; done & nginx -g \"daemon off;\"'"
  volumes:
    - /etc/letsencrypt:/etc/letsencrypt
    - ./nginx_prod/dist:/dist
    - ./nginx_prod/conf.d:/etc/nginx/conf.d
    - ./nginx_prod/log:/var/log/nginx
    - ./nginx_prod/conf/nginx.conf:/etc/nginx/nginx.conf
  restart: always
certbot:
  image: certbot/certbot:latest
  # renew the certificate every 10 days (certbot does not renew while more than 30 days remain before expiry)
  entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 10d & wait $${!}; done;'"
  restart: always
  volumes:
    - /etc/letsencrypt:/etc/letsencrypt # the obtained SSL certificate is placed here; the nginx container mounts the same path to share it
    - ./nginx_prod/dist:/dist
  command: ["--version"]
```
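The following is an added illustration, not code from the post, of why `docker compose run --rm certbot certonly ...` kept answering "No renewals were attempted" while the same command worked from `docker compose exec`: with an entrypoint of the form `/bin/sh -c '<script>'`, Docker appends the service `command` (here `["--version"]`) or the `docker compose run` arguments after the script, so they become the script's `$0`, `$1`, ... and are never executed; the loop always runs `certbot renew`. It reproduces that argument handling with plain /bin/sh and no Docker; to run `certonly` through `docker compose run`, the entrypoint has to be overridden with `--entrypoint certbot`.

```python
"""Reproduce how `sh -c SCRIPT ARG0 ARG1 ...` swallows the compose command.

Added illustration for the compose file above; it is not part of the post.
"""
import subprocess

# Stand-in for the post's certbot entrypoint: `certbot renew` is replaced by an echo and the
# `while :` loop dropped so the script terminates; the way arguments are received is unchanged.
ENTRYPOINT_SCRIPT = 'trap exit TERM; echo "certbot renew"; echo "ignored: $0 $*"'


def simulate_compose_run(*compose_args: str) -> list[str]:
    """Run the entrypoint the way Docker does: /bin/sh -c SCRIPT ARG0 ARG1 ...

    Returns the script's stdout lines: the first shows what actually ran
    (always `certbot renew`), the second shows where the compose `command`
    or the `docker compose run` arguments ended up.
    """
    proc = subprocess.run(
        ["/bin/sh", "-c", ENTRYPOINT_SCRIPT, *compose_args],
        capture_output=True, text=True, check=True,
    )
    return proc.stdout.splitlines()


if __name__ == "__main__":
    # The same words the post passed to `docker compose run --rm certbot ...`
    for line in simulate_compose_run("certonly", "--webroot", "-w", "/dist", "-d", "appare99-system.net"):
        print(line)
    # The service's own `command: ["--version"]` is swallowed the same way.
    print(simulate_compose_run("--version"))
```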
And ssh_server.conf, which sits under /nginx/conf/conf.d, looks like this:
```nginx
server {
    server_name appare99-system.net;
    listen 80;
    listen [::]:80;
    # certificate renewal needs to reach :80/.well-known, so only this path is not redirected
    location ^~ /.well-known {
        root /dist/;
    }
    # redirect every other request to the SSL site
    location / {
        return 301 https://$host$request_uri;
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }
}
server {
    server_name appare99-system.net;
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    ssl_certificate /etc/letsencrypt/live/appare99-system.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/appare99-system.net/privkey.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    ssl_protocols TLSv1.3 TLSv1.2;
    ssl_prefer_server_ciphers off;
    add_header Strict-Transport-Security "max-age=2592000" always;
    location / {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_pass http://frontend:443/;
    }
    location = /ads.txt {
        root /dist;
    }
}
```
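Added pre-flight check for the HTTP-01 webroot wiring above (example code, not from the post): the challenge only succeeds if a file certbot writes under `<webroot>/.well-known/acme-challenge/` (here `-w /dist`) is fetchable at `http://<domain>/.well-known/acme-challenge/<token>`, which the `location ^~ /.well-known { root /dist/; }` block provides. The check performs that round trip with a throw-away token, so the failure modes the post ran into (port 80 unreachable, wrong root/location mapping, a second web server answering) surface locally instead of as failed validations at the CA; the host path `./nginx_prod/dist` in the usage is taken from the compose file.

```python
"""Webroot round-trip check for the nginx/certbot setup above (added example)."""
import secrets
import urllib.error
import urllib.request
from pathlib import Path

CHALLENGE_DIR = Path(".well-known") / "acme-challenge"


def check_webroot(webroot: str, base_url: str, timeout: float = 5.0) -> tuple[bool, str]:
    """Write a random token file into the webroot, fetch it over HTTP, compare, clean up.

    Returns (ok, detail). The token file is removed afterwards, so nothing is
    left behind in the served directory.
    """
    token, body = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
    path = Path(webroot) / CHALLENGE_DIR / token
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(body)
    url = f"{base_url.rstrip('/')}/{CHALLENGE_DIR.as_posix()}/{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            served = resp.read().decode()
    except urllib.error.HTTPError as e:            # a server answered, but not with our file
        return False, f"{url}: HTTP {e.code} (root/location mapping or wrong -w path?)"
    except (urllib.error.URLError, OSError) as e:  # refused, timed out, DNS failure
        return False, f"{url}: {getattr(e, 'reason', e)} (is port 80 reachable from outside?)"
    finally:
        path.unlink(missing_ok=True)
    if served != body:
        return False, f"{url}: unexpected body (is another web server answering on :80?)"
    return True, f"{url}: OK"


if __name__ == "__main__":
    # Paths from the post: /dist inside the containers is ./nginx_prod/dist on the host.
    ok, detail = check_webroot("./nginx_prod/dist", "http://appare99-system.net")
    print(("PASS " if ok else "FAIL ") + detail)
```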
With the configuration above in place, it succeeded as follows.
```console
$ sudo docker compose exec certbot /bin/ash
/opt/certbot #
/opt/certbot # certbot certonly --webroot -w /dist -d appare99-system.net
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for appare99-system.net
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/appare99-system.net/fullchain.pem
Key is saved at: /etc/letsencrypt/live/appare99-system.net/privkey.pem
This certificate expires on 2025-03-25.
These files will be updated when the certificate renews.
NEXT STEPS:
- The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
/opt/certbot # exit
```