An upgrade

Upgrading Let's Encrypt certbot

I received an email titled "Action required: Let's Encrypt certificate renewals".

Following its instructions, I visited https://community.letsencrypt.org/t/how-to-stop-using-tls-sni-01-with-certbot/83210

I logged in to the server and checked the certbot version. It was lower than 0.28, so I ran yum upgrade certbot, which upgraded it to 0.31.0.

Following the article's guidance, I entered:

[root@vultr ~]# sudo sh -c "sed -i.bak -e 's/^\(pref_challs.*\)tls-sni-01\(.*\)/\1http-01\2/g' /etc/letsencrypt/renewal/*; rm -f /etc/letsencrypt/renewal/*.bak"
[root@vultr ~]# sudo certbot renew --dry-run

And saw the following:

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/random.app/fullchain.pem (success)

If the dry run succeeds, and your Certbot version is 0.28 or higher, you’re good to go! No further action should be required to deal with the end of TLS-SNI-01 support.

Looks like it's OK.
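The sed command above edits every file under /etc/letsencrypt/renewal/ in place and then deletes its .bak backups, so it is worth listing which renewal configs still prefer tls-sni-01 and previewing the rewrite first. The script below is an added example, not part of the original post or the Let's Encrypt guide; the function names and the sample config contents are constructed for illustration.

```shell
#!/bin/sh
# Added example; all config contents below are constructed sample data.

# version_ge A B: succeed if dotted version A >= B, compared field by field.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# stale_confs DIR: list renewal configs whose pref_challs still names tls-sni-01.
stale_confs() {
    grep -l '^pref_challs.*tls-sni-01' "$1"/*.conf 2>/dev/null | sort
}

# preview_fix FILE: print the line as the page's sed expression would rewrite it
# (sed -n ... p, no -i, so FILE is left untouched).
preview_fix() {
    sed -n -e 's/^\(pref_challs.*\)tls-sni-01\(.*\)/\1http-01\2/p' "$1"
}

# make_sample_dir: throwaway directory of constructed renewal configs.
make_sample_dir() {
    d=$(mktemp -d)
    printf '%s\n' '[renewalparams]' 'authenticator = standalone' \
        'pref_challs = tls-sni-01,' > "$d/old.example.conf"
    printf '%s\n' '[renewalparams]' 'authenticator = standalone' \
        'pref_challs = http-01,' > "$d/new.example.conf"
    printf '%s\n' '[renewalparams]' 'authenticator = webroot' \
        > "$d/nopref.example.conf"
    echo "$d"
}

dir=$(make_sample_dir)
if version_ge 0.26.1 0.28; then echo "certbot is new enough"; else echo "upgrade certbot first"; fi
for f in $(stale_confs "$dir"); do
    echo "$f: $(preview_fix "$f")"
done
rm -rf "$dir"
```

On a real host, point stale_confs at /etc/letsencrypt/renewal and pass the version reported by certbot --version to version_ge.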

Full log:

$ ssh root@45.76.149.238
root@45.76.149.238's password:
Last failed login: Wed Mar  6 02:58:55 UTC 2019 from 139.199.100.110 on ssh:notty
There were 6029 failed login attempts since the last successful login.
Last login: Fri Jan  4 02:41:15 2019 from 124.207.212.130
-bash: warning: setlocale: LC_CTYPE: cannot change locale (UTF-8): No such file or directory
[root@vultr ~]# certbot --version
certbot 0.26.1
[root@vultr ~]# yum upgrade certbot
Failed to set locale, defaulting to C
Loaded plugins: fastestmirror
base                                                                                                                         | 3.6 kB  00:00:00
epel/x86_64/metalink                                                                                                         | 8.1 kB  00:00:00
epel                                                                                                                         | 4.7 kB  00:00:00
extras                                                                                                                       | 3.4 kB  00:00:00
updates                                                                                                                      | 3.4 kB  00:00:00
(1/6): base/7/x86_64/group_gz                                                                                                | 166 kB  00:00:00
(2/6): epel/x86_64/updateinfo                                                                                                | 958 kB  00:00:00
(3/6): extras/7/x86_64/primary_db                                                                                            | 180 kB  00:00:00
(4/6): updates/7/x86_64/primary_db                                                                                           | 2.5 MB  00:00:00
(5/6): epel/x86_64/primary_db                                                                                                | 6.6 MB  00:00:00
(6/6): base/7/x86_64/primary_db                                                                                              | 6.0 MB  00:00:01
Determining fastest mirrors
 * base: mirror.0x.sg
 * epel: sg.fedora.ipserverone.com
 * extras: centos.netonboard.com
 * updates: mirror.0x.sg
Resolving Dependencies
--> Running transaction check
---> Package certbot.noarch 0:0.26.1-1.el7 will be updated
---> Package certbot.noarch 0:0.31.0-2.el7 will be an update
--> Processing Dependency: python2-certbot = 0.31.0-2.el7 for package: certbot-0.31.0-2.el7.noarch
--> Running transaction check
---> Package python2-certbot.noarch 0:0.26.1-1.el7 will be updated
---> Package python2-certbot.noarch 0:0.31.0-2.el7 will be an update
--> Processing Dependency: python2-acme >= 0.29.0 for package: python2-certbot-0.31.0-2.el7.noarch
--> Running transaction check
---> Package python2-acme.noarch 0:0.26.1-1.el7 will be updated
---> Package python2-acme.noarch 0:0.31.0-1.el7 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

====================================================================================================================================================
 Package                                  Arch                            Version                               Repository                     Size
====================================================================================================================================================
Updating:
 certbot                                  noarch                          0.31.0-2.el7                          epel                           37 k
Updating for dependencies:
 python2-acme                             noarch                          0.31.0-1.el7                          epel                          148 k
 python2-certbot                          noarch                          0.31.0-2.el7                          epel                          547 k

Transaction Summary
====================================================================================================================================================
Upgrade  1 Package (+2 Dependent packages)

Total download size: 733 k
Is this ok [y/d/N]: y
Downloading packages:
Delta RPMs disabled because /usr/bin/applydeltarpm not installed.
(1/3): certbot-0.31.0-2.el7.noarch.rpm                                                                                       |  37 kB  00:00:00
(2/3): python2-acme-0.31.0-1.el7.noarch.rpm                                                                                  | 148 kB  00:00:00
(3/3): python2-certbot-0.31.0-2.el7.noarch.rpm                                                                               | 547 kB  00:00:00
----------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                               5.5 MB/s | 733 kB  00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Updating   : python2-acme-0.31.0-1.el7.noarch                                                                                                 1/6
  Updating   : python2-certbot-0.31.0-2.el7.noarch                                                                                              2/6
  Updating   : certbot-0.31.0-2.el7.noarch                                                                                                      3/6
ValueError: SELinux policy is not managed or store cannot be accessed.
  Cleanup    : certbot-0.26.1-1.el7.noarch                                                                                                      4/6
  Cleanup    : python2-certbot-0.26.1-1.el7.noarch                                                                                              5/6
  Cleanup    : python2-acme-0.26.1-1.el7.noarch                                                                                                 6/6
  Verifying  : python2-certbot-0.31.0-2.el7.noarch                                                                                              1/6
  Verifying  : certbot-0.31.0-2.el7.noarch                                                                                                      2/6
  Verifying  : python2-acme-0.31.0-1.el7.noarch                                                                                                 3/6
  Verifying  : python2-certbot-0.26.1-1.el7.noarch                                                                                              4/6
  Verifying  : python2-acme-0.26.1-1.el7.noarch                                                                                                 5/6
  Verifying  : certbot-0.26.1-1.el7.noarch                                                                                                      6/6

Updated:
  certbot.noarch 0:0.31.0-2.el7

Dependency Updated:
  python2-acme.noarch 0:0.31.0-1.el7                                      python2-certbot.noarch 0:0.31.0-2.el7

Complete!
[root@vultr ~]# sudo sh -c "sed -i.bak -e 's/^\(pref_challs.*\)tls-sni-01\(.*\)/\1http-01\2/g' /etc/letsencrypt/renewal/*; rm -f /etc/letsencrypt/renewal/*.bak"
[root@vultr ~]# sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/random.app.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Running pre-hook command: sudo systemctl stop nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for random.app
Waiting for verification...
Cleaning up challenges
Resetting dropped connection: acme-staging-v02.api.letsencrypt.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/random.app/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/random.app/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Running post-hook command: sudo systemctl start nginx
[root@vultr ~]#