
I deployed an application built with Django behind nginx + gunicorn and, to secure it, requested an SSL/TLS certificate from Let's Encrypt; as a rule, however, such a certificate is only valid for 90 days. So a renewal notice ("please re-apply") arrived by e-mail, but the usual `# certbot renew` did not work, I was stuck on it all day, and none of the various things I tried succeeded. I am leaving here, as a memo, the workaround that this site administrator (the author) arrived at, which finally appears to have worked.
For the Django application deployed on a Sakura VPS, the conclusion was simply to make the certificate request again from scratch.
```
root@tk2-411-46749:~# certbot certonly --webroot -w /var/www/letsencrypt -d www2.it-ibfs.org
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Certificate not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/www2.it-ibfs.org.conf)

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Keep the existing certificate for now
2: Renew & replace the certificate (may be subject to CA rate limits)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate for www2.it-ibfs.org

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/www2.it-ibfs.org/fullchain.pem
Key is saved at: /etc/letsencrypt/live/www2.it-ibfs.org/privkey.pem
This certificate expires on 2023-07-06.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
```
For reference, the nginx configuration file (/etc/nginx/sites-enabled/default) looks like this:
```nginx
# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    ssl_certificate "/etc/letsencrypt/live/www2.it-ibfs.org/fullchain.pem";
    ssl_certificate_key "/etc/letsencrypt/live/www2.it-ibfs.org/privkey.pem";
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 10m;
    server_name www2.it-ibfs.org;
    access_log /var/log/nginx/photo_access.log;
    error_log /var/log/nginx/photo_error.log;

    location /static/ {
        alias /var/www/django/photoproject/static/;
    }
    location /media/ {
        alias /var/www/django/photoproject/media/;
    }
    # ACME HTTP-01 challenge files: certbot writes them under the -w webroot,
    # so "root" here must be the same directory as certbot's -w argument.
    location ^~ /.well-known/acme-challenge {
        allow all;
        root /var/www/letsencrypt;
        # root /usr/share/nginx/html;
        default_type "text/plain";
        # try_files $uri $uri/ =404;
    }
    location / {
        # proxy_set_header Host $http_host;
        # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # proxy_redirect off;
        # proxy_set_header X-Forwarded-Proto $scheme;
        include proxy_params;
        proxy_pass http://unix:/run/gunicorn.sock;
    }
}
```
However, the `location ^~ /.well-known/acme-challenge {}` block does not work properly.
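Before running `certbot renew` (or `certbot certonly --webroot`), it is worth checking the two things the webroot plugin depends on: that a file dropped under `<webroot>/.well-known/acme-challenge/` is actually served at that URL over plain HTTP, and that the `root` in the nginx acme-challenge location is the same directory as certbot's `-w` argument. The script below is an added example, not code from the original post; it uses the webroot, hostname and config path from the post, and everything else (the probe-token scheme, the `curl` fetch, the optional third argument that swaps in another fetcher so the check can run offline) is this example's own assumption.

```sh
#!/bin/sh
# Pre-flight check for a certbot --webroot renewal (added example, not from the original post).
# 1) place a probe file where certbot would put its challenge token and confirm nginx serves it;
# 2) confirm the nginx "root" of the acme-challenge location matches certbot's -w path.
# Webroot, host and config path come from the post; the rest is assumed for illustration.

# Drop a probe file under <webroot>/.well-known/acme-challenge/ and print its name.
place_token() {
    webroot="$1"
    dir="$webroot/.well-known/acme-challenge"
    mkdir -p "$dir"
    token="probe-$(date +%s)-$$"
    printf '%s' "$token" > "$dir/$token"
    printf '%s' "$token"
}

# Default fetcher: plain HTTP on port 80, which is where HTTP-01 validation arrives
# (the validator follows redirects, but the request never starts on 443).
fetch_token() {
    domain="$1"
    token="$2"
    curl -fsS --max-time 10 "http://$domain/.well-known/acme-challenge/$token"
}

# Exit 0 only if the body the server returns is exactly the probe file's content.
# The optional third argument names another fetcher function (used for offline testing).
verify_challenge_path() {
    webroot="$1"
    domain="$2"
    fetcher="${3:-fetch_token}"
    token=$(place_token "$webroot")
    got=$("$fetcher" "$domain" "$token" 2>/dev/null) || got=""
    rm -f "$webroot/.well-known/acme-challenge/$token"
    [ "$got" = "$token" ]
}

# Print the uncommented "root" directive inside the acme-challenge location of an nginx config.
acme_root_in_config() {
    awk '
        /location/ && /acme-challenge/ { inside = 1; next }
        inside && $1 == "root"        { sub(/;$/, "", $2); print $2; exit }
        inside && /}/                 { inside = 0 }
    ' "$1"
}

# Exit 0 only if certbot's -w path (arg 1) equals the nginx root found in the config (arg 2).
webroot_matches_config() {
    [ "$(acme_root_in_config "$2")" = "$1" ]
}

# Stand-alone usage on the server, with the values from the post:
#   WEBROOT=/var/www/letsencrypt DOMAIN=www2.it-ibfs.org sh check_webroot.sh
if [ -n "$WEBROOT" ] && [ -n "$DOMAIN" ]; then
    webroot_matches_config "$WEBROOT" /etc/nginx/sites-enabled/default \
        && echo "nginx root matches certbot -w" \
        || echo "nginx root differs from certbot -w /$WEBROOT"
    verify_challenge_path "$WEBROOT" "$DOMAIN" \
        && echo "challenge path is served; certbot --webroot should validate" \
        || echo "challenge path NOT served on http://$DOMAIN; check the port 80 server block"
fi
```

Two points the check makes visible: the validator's request goes to port 80, so a `location ^~ /.well-known/acme-challenge` that exists only in the `listen 443` server is never reached unless the port 80 server redirects to it; and with `root` (as opposed to `alias`) nginx appends the full request path, so `root /var/www/letsencrypt` serves `/var/www/letsencrypt/.well-known/acme-challenge/<token>`, which is exactly where `certbot --webroot -w /var/www/letsencrypt` writes.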