Having noticed that the automatic certificate renewal set up in crontab had failed, I ran the command manually:
getting this result
[php]
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/poriburano.it.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for poriburano.it and www.poriburano.it

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: poriburano.it
  Type: connection
  Detail: Fetching http://poriburano.it/.well-known/acme-challenge/2GHB5vcCYq-SvqCvEQDVsCbTMXgxQmc89dEkifQRL24: Error getting validation data

  Domain: www.poriburano.it
  Type: connection
  Detail: Fetching http://www.poriburano.it/.well-known/acme-challenge/EoHZ1PqO1TJxbXxpgbxszd5Jv3ogy_lzEflSkvOruDQ: Error getting validation data

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Failed to renew certificate poriburano.it with error: Some challenges have failed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/poriburano.it/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
root@srv01.poriburano.web:# certbot renew -v
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/poriburano.it.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate for poriburano.it and www.poriburano.it
Performing the following challenges:
http-01 challenge for poriburano.it
http-01 challenge for www.poriburano.it
Waiting for verification...
Challenge failed for domain poriburano.it
Challenge failed for domain www.poriburano.it
http-01 challenge for poriburano.it
http-01 challenge for www.poriburano.it

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: poriburano.it
  Type: connection
  Detail: Fetching http://poriburano.it/.well-known/acme-challenge/w5cg5aj1iK_SzvfWaZhoxIydfx3T34l-g--o2G5_SWs: Error getting validation data

  Domain: www.poriburano.it
  Type: connection
  Detail: Fetching http://www.poriburano.it/.well-known/acme-challenge/5juxR0kdXrVVXgafbehZhFH056TDC63g19DBC8ngYKQ: Error getting validation data

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Cleaning up challenges
Failed to renew certificate poriburano.it with error: Some challenges have failed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/poriburano.it/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
[/php]
Since letsencrypt issues the certificate by scanning the DNS for the domain's resolution, I focused on the latter;
I started running a series of tests, first over IPv4 with the command
[php]curl -X GET -I -4 poriburano.it/.well-known/acme-challenge/xx[/php]
getting:
then over IPv6 with the command:
[php]curl -X GET -I -6 poriburano.it/.well-known/acme-challenge/xx[/php]
getting:
Following these checks, I deleted the AAAA record with the IPv6 address from my DNS management, because it is not mandatory, and re-ran the command:
getting the same error as above.
At this point, reading the error more carefully, I deduced that certbot was unable to read the Nginx configuration.
Certainly, it was unable to go through and interpret the configuration file, because of some restrictions.
I queried the firewall and found that the http service was blocked [I had chosen to disable listening on port 80 for security reasons and leave only 443].
I added the HTTP service to the firewall rules with the command:
[php]sudo firewall-cmd --zone=public --add-service=http[/php]
and ran the command once more:
[php]#certbot renew[/php]
this time obtaining the certificate renewal:
[php]#certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/poriburano.it.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for poriburano.it and www.poriburano.it
Reloading nginx server after certificate renewal
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all renewals succeeded:
/etc/letsencrypt/live/poriburano.it/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[/php]
To make the changes to my firewall effective, I ran the commands:
[php]
sudo firewall-cmd --zone=public --add-service=http --permanent
sudo firewall-cmd --reload
[/php]
Once again, SOLVED!!
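Port 80 had been closed on purpose, yet the http-01 challenge needs it reachable. As an added example (not part of the original post), this wrapper allows the http service in firewalld only while `certbot renew` runs, instead of using a permanent rule; the function name, the overridable `FWCMD`, `CERTBOT` and `ZONE` variables and the `--run` argument are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not from the original post: keep port 80 closed by default
# and open it in firewalld only while certbot performs the http-01 challenge.
# FWCMD/CERTBOT/ZONE are hypothetical knobs so the logic can be exercised
# without root or a real firewalld.
FWCMD="${FWCMD:-firewall-cmd}"
CERTBOT="${CERTBOT:-certbot}"
ZONE="${ZONE:-public}"

renew_with_http_window() {
    opened=0
    # --query-service exits 0 when the service is already allowed in the zone.
    if ! $FWCMD --zone="$ZONE" --query-service=http >/dev/null 2>&1; then
        # Runtime-only rule (no --permanent): it is gone after a reload/reboot.
        $FWCMD --zone="$ZONE" --add-service=http >/dev/null || return 2
        opened=1
    fi

    $CERTBOT renew
    rc=$?

    # Close the port again only if this function opened it, also on failure,
    # so a failed renewal never leaves port 80 exposed.
    if [ "$opened" -eq 1 ]; then
        $FWCMD --zone="$ZONE" --remove-service=http >/dev/null
    fi
    # Propagate certbot's exit status so cron can report a failed renewal.
    return "$rc"
}

# Only act when explicitly asked, e.g. from root's crontab: script.sh --run
if [ "${1:-}" = "--run" ]; then
    renew_with_http_window
fi
```

Because the rule is added without `--permanent`, a firewalld reload or reboot during the window also returns the zone to its closed state.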