
I deployed a Django application with nginx + gunicorn and, to secure it, requested an SSL/TLS certificate from Let's Encrypt; in principle, though, such a certificate is valid for only 90 days. So a renewal notice asking me to re-apply arrived by e-mail, but the usual "# certbot renew" did not work, and I was stuck on it for a whole day; I tried various things without success. Here, as a memo for myself, is the workaround that finally seemed to work for me as the site administrator (the author).
For the Django application deployed on a Sakura VPS, the conclusion was: simply apply for the certificate again.
root@tk2-411-46749:~# certbot certonly --webroot -w /var/www/letsencrypt -d www2.it-ibfs.org
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Certificate not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/www2.it-ibfs.org.conf)

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Keep the existing certificate for now
2: Renew & replace the certificate (may be subject to CA rate limits)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate for www2.it-ibfs.org

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/www2.it-ibfs.org/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/www2.it-ibfs.org/privkey.pem
This certificate expires on 2023-07-06.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
For reference, the nginx configuration file (/etc/nginx/sites-enabled/default) looks like this:
# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    ssl_certificate "/etc/letsencrypt/live/www2.it-ibfs.org/fullchain.pem";
    ssl_certificate_key "/etc/letsencrypt/live/www2.it-ibfs.org/privkey.pem";
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 10m;
    server_name www2.it-ibfs.org;
    access_log /var/log/nginx/photo_access.log;
    error_log /var/log/nginx/photo_error.log;

    location /static/ {
        alias /var/www/django/photoproject/static/;
    }
    location /media/ {
        alias /var/www/django/photoproject/media/;
    }

    # certbot --webroot -w /var/www/letsencrypt writes each token to
    # /var/www/letsencrypt/.well-known/acme-challenge/<token>; with "root"
    # (not "alias") nginx maps /.well-known/acme-challenge/<token> to exactly that file.
    # Note: this server block listens on 443 only, while HTTP-01 validation
    # requests arrive over plain HTTP on port 80.
    location ^~/.well-known/acme-challenge {
        allow all;
        root /var/www/letsencrypt;
        # root /usr/share/nginx/html;
        default_type "text/plain";
        # try_files $uri $uri/ =404;   # nginx's variable is $uri, not $url
    }

    location / {
        # proxy_set_header Host $http_host;
        # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # proxy_redirect off;
        # proxy_set_header X-Forwarded-Proto $scheme;
        include proxy_params;
        proxy_pass http://unix:/run/gunicorn.sock;
    }
}
However, the location ^~/.well-known/acme-challenge {} part does not work properly.
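To find out locally whether the acme-challenge location really serves what certbot's webroot plugin writes, and to see why certbot answers "Certificate not yet due for renewal", here is an added example (my own code, not from the original post or from certbot). It assumes the webroot is the directory given to certbot -w, that the validator fetches the token over plain HTTP (so the base URL is http://, not https://), and certbot's default renew_before_expiry of 30 days; the function names check_acme_webroot, serve_dir and renewal_due are mine.

```python
import datetime as dt
import secrets
import threading
import urllib.error
import urllib.request
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer
from pathlib import Path

CHALLENGE_DIR = ".well-known/acme-challenge"


def challenge_file(webroot: str, token: str) -> Path:
    """Where `certbot --webroot -w WEBROOT` places a challenge token."""
    return Path(webroot) / CHALLENGE_DIR / token


def check_acme_webroot(webroot: str, base_url: str, timeout: float = 5.0) -> bool:
    """Write a throwaway token under webroot and fetch it the way the ACME
    validator does (plain HTTP GET of /.well-known/acme-challenge/<token>).
    True only if the served body equals the file; the file is removed afterwards."""
    token, body = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
    path = challenge_file(webroot, token)
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(body)
    url = f"{base_url.rstrip('/')}/{CHALLENGE_DIR}/{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status == 200 and resp.read().decode() == body
    except (urllib.error.URLError, OSError):  # 404, connection refused, timeout
        return False
    finally:
        path.unlink(missing_ok=True)


def renewal_due(not_after: dt.datetime, now: dt.datetime, days: int = 30) -> bool:
    """certbot's default renew_before_expiry is 30 days; outside that window it
    reports "Certificate not yet due for renewal" and leaves the cert alone."""
    return not_after - now < dt.timedelta(days=days)


def serve_dir(directory: str):
    """Local stand-in for nginx's `root` in the acme-challenge location:
    serve `directory` on an ephemeral port and return (server, base_url)."""
    handler = partial(SimpleHTTPRequestHandler, directory=directory)
    srv = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"
```

Against the real host, call check_acme_webroot("/var/www/letsencrypt", "http://www2.it-ibfs.org"); a False result means the validator would get the same failure certbot renew reports.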