certbot

ZeroSSL

Written by  on June 4, 2021

ZeroSSL certificates that were issued via an ACME challenge (HTTP or DNS) before May 21, 2021 will be revoked *at some point*.
ACME certificates and revocation event
Renewal with Certbot is straightforward:

/usr/bin/certbot renew --force-renewal

certbot is buggy

Written by  on November 13, 2020

# /usr/bin/certbot renew --force-renewal
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/domain.tld.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.domain.tld
http-01 challenge for domain.tld
Cleaning up challenges
Attempting to renew cert (domain.tld) from /etc/letsencrypt/renewal/domain.tld.conf produced an unexpected error: Missing command line flag or config entry for this setting:
Input the webroot for www.domain.tld:. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/domain.tld/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/domain.tld/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

A bug in Certbot 0.31… perhaps only on Ubuntu… the webroot option was “forgotten”.
/etc/letsencrypt/renewal/domain.tld.conf

# Options used in the renewal process
[renewalparams]
account = XXX
authenticator = webroot
webroot_path = /var/www/html,                     # This part was missing. After the renewal, certbot appended the trailing comma
server = https://api.buypass.com/acme/directory
[[webroot_map]]                                   # This section was created automatically by certbot afterwards
www.domain.tld = /var/www/html
domain.tld = /var/www/html

# /usr/bin/certbot renew --force-renewal
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/domain.tld.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.domain.tld
http-01 challenge for domain.tld
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/domain.tld/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/domain.tld/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
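The failure above is silent until the certificate is close to expiry: an unattended `certbot renew` cannot answer the "Input the webroot" prompt, so the lineage simply stays unrenewed. The following checker is an added example (not from the post or from Certbot itself): it parses the configobj-style renewal files under /etc/letsencrypt/renewal/ and reports every lineage whose [renewalparams] select the webroot authenticator without a webroot_path and without a [[webroot_map]] entry for the domains. The two sample configs embedded in it are constructed to mirror the broken and the repaired domain.tld.conf shown above; the directory path is Certbot's default and can be overridden on the command line.

```python
"""Report certbot renewal configs that would prompt for a webroot during renewal.

Added example, not Certbot's own code. Parses the configobj-style files in
/etc/letsencrypt/renewal/ (top-level [section] plus one nested [[webroot_map]]).
Exit status 1 when at least one lineage is affected, so it can run from cron
ahead of the renewal window.
"""
import re
import sys
from pathlib import Path

# Constructed sample: the broken renewal conf before certbot repaired it
BROKEN_CONF = """\
# Options used in the renewal process
[renewalparams]
account = XXX
authenticator = webroot
server = https://api.buypass.com/acme/directory
"""

# Constructed sample: the repaired conf certbot wrote after the successful renewal
FIXED_CONF = """\
[renewalparams]
account = XXX
authenticator = webroot
webroot_path = /var/www/html,
server = https://api.buypass.com/acme/directory
[[webroot_map]]
www.domain.tld = /var/www/html
domain.tld = /var/www/html
"""

# Constructed sample: a map that covers only one of the two names and no fallback path
MAP_ONLY_CONF = """\
[renewalparams]
authenticator = webroot
[[webroot_map]]
domain.tld = /var/www/html
"""

SECTION_RE = re.compile(r"^\s*(\[+)\s*([^\]]+?)\s*\]+\s*$")


def parse_renewal_conf(text):
    """Minimal configobj-style parser returning {section: {key: value}}.

    '[[webroot_map]]' is stored flat under its own name because the renewal
    files nest no deeper than that. '#' comments (inline ones too) are dropped.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        match = SECTION_RE.match(line)
        if match:
            current = match.group(2)
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # top-level keys such as version/archive_dir are not needed here
        key, value = (part.strip() for part in line.split("=", 1))
        sections[current][key] = value
    return sections


def webroot_problems(conf, domains=()):
    """Return human-readable problems; an empty list means renewal will not prompt."""
    params = conf.get("renewalparams", {})
    if params.get("authenticator") != "webroot":
        return []
    # configobj writes a one-element list with a trailing comma ("/var/www/html,")
    fallback = [p.strip() for p in params.get("webroot_path", "").split(",") if p.strip()]
    wmap = conf.get("webroot_map", {})
    problems = []
    if not fallback and not wmap:
        problems.append("authenticator = webroot, but neither webroot_path nor [[webroot_map]] is set")
    elif not fallback:
        for domain in domains:
            if domain not in wmap:
                problems.append(f"{domain} has no [[webroot_map]] entry and no webroot_path fallback")
    return problems


def scan_renewal_dir(directory="/etc/letsencrypt/renewal"):
    """Yield (conf_path, problems) for every lineage that would fail non-interactively."""
    for conf_path in sorted(Path(directory).glob("*.conf")):
        conf = parse_renewal_conf(conf_path.read_text())
        # Domains are read from the map itself here; pass the SAN list if you have it
        problems = webroot_problems(conf, conf.get("webroot_map", {}).keys())
        if problems:
            yield conf_path, problems


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/etc/letsencrypt/renewal"
    findings = list(scan_renewal_dir(target))
    for path, problems in findings:
        print(path)
        for problem in problems:
            print("  -", problem)
    sys.exit(1 if findings else 0)
```

A cron job running this a few days before `certbot renew` fires turns the "Missing command line flag or config entry" surprise into an alert while the old certificate is still valid. The domain list is taken from the map itself in `scan_renewal_dir`; for a stricter check, feed it the certificate's SAN list so a name missing from [[webroot_map]] is also reported.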