certbot is supposed to have a built-in feature that renews certificates automatically, but on this server it did not work properly and a problem occurred.
Looking at the log (logs can be found under /var/log/letsencrypt):
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/_internal/renewal.py", line 475, in handle_renewal_request
    main.renew_cert(lineage_config, plugins, renewal_candidate)
  File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 1386, in renew_cert
    renewed_lineage = _get_and_save_cert(le_client, config, lineage=lineage)
  File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 122, in _get_and_save_cert
    renewal.renew_cert(config, domains, le_client, lineage)
  File "/usr/lib/python3/dist-packages/certbot/_internal/renewal.py", line 335, in renew_cert
    new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
  File "/usr/lib/python3/dist-packages/certbot/_internal/client.py", line 389, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python3/dist-packages/certbot/_internal/client.py", line 439, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 70, in handle_authorizations
    resps = self.auth.perform(achalls)
  File "/usr/lib/python3/dist-packages/certbot/_internal/plugins/standalone.py", line 153, in perform
    return [self._try_perform_single(achall) for achall in achalls]
  File "/usr/lib/python3/dist-packages/certbot/_internal/plugins/standalone.py", line 153, in <listcomp>
    return [self._try_perform_single(achall) for achall in achalls]
  File "/usr/lib/python3/dist-packages/certbot/_internal/plugins/standalone.py", line 160, in _try_perform_single
    _handle_perform_error(error)
  File "/usr/lib/python3/dist-packages/certbot/_internal/plugins/standalone.py", line 211, in _handle_perform_error
    raise errors.PluginError(msg)
certbot.errors.PluginError: Could not bind TCP port 80 because it is already in use by another process on this system (such as a web server). Please stop the program in question and then try again.
Judging by what was left in the log, the problem appears to be related to port 80: the standalone authenticator needs to bind port 80 itself, and that fails while the web server is already listening on it.
(I'm not sure, but since running the certbot renew command by hand shows no port conflict, I suspect the problem arises in some separate step of the built-in auto-renewal logic.)
For now, I decided to automate renewal by scheduling it through crontab instead.
crontab -e
# Edit this file to introduce tasks to be run by cron.
#
# Each task to run has to be defined through a single line
# indicating with different fields when the task will be run
# and what command to run for the task
#
# To define the time you can provide concrete values for
# minute (m), hour (h), day of month (dom), month (mon),
# and day of week (dow) or use '*' in these fields (for 'any').
#
# Notice that tasks will be started based on the cron's system
# daemon's notion of time and timezones.
#
# Output of the crontab jobs (including errors) is sent through
# email to the user the crontab file belongs to (unless redirected).
#
# For example, you can run a backup of all your user accounts
# at 5 a.m every week with:
# 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
#
# For more information see the manual pages of crontab(5) and cron(8)
#
# m h dom mon dow command
0 0 1 * * sudo certbot renew --renew-hook="sudo systemctl restart nginx"
On the 1st of every month this re-issues the certificate and restarts nginx.
With the default settings, running the certbot renew command does not renew anything because the certificate's expiry date is still far away
(it prints: The following certificates are not due for renewal yet:).
Opening the config file under /etc/letsencrypt/renewal shows the renewal parameters;
since it contains # renew_before_expiry = 30 days, the default appears to be that renewal becomes possible 30 days before expiry.
I set crontab to renew on the 1st of every month, but in a month with 31 days the certificate might not be renewed in time and could expire, so I changed this parameter to 32 days.
What still needs investigating is the exact cause of why certbot's own auto-renewal does not work.
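The 30-day versus 32-day reasoning above can be checked by simulation. The script below is an added example, not code from the post or from certbot: it parses a constructed fragment of a /etc/letsencrypt/renewal/<domain>.conf file (only the uncommented renew_before_expiry line counts, the "# renew_before_expiry = 30 days" hint is a comment), applies certbot's "due when within renew_before_expiry of expiry" rule at day granularity, and runs a monthly check on the 1st against a 90-day certificate to see how close to expiry the certificate gets and whether it ever reaches its expiry day before a renewal. The start date, the lifetime constant and the conf text are assumptions chosen for illustration.

```python
"""Simulate certbot's renew_before_expiry threshold against a monthly cron job."""
import re
from datetime import date, timedelta

CERT_LIFETIME_DAYS = 90  # assumption: Let's Encrypt certificates are valid for 90 days

# Constructed sample of a /etc/letsencrypt/renewal/<domain>.conf fragment (not a real file).
SAMPLE_RENEWAL_CONF = """\
# renew_before_expiry = 30 days
version = 1.21.0
archive_dir = /etc/letsencrypt/archive/example.com
cert = /etc/letsencrypt/live/example.com/cert.pem
[renewalparams]
authenticator = standalone
renew_before_expiry = 32 days
"""


def parse_renew_before_expiry(conf_text, default_days=30):
    """Return the active renew_before_expiry value in days.

    Lines starting with '#' are comments (certbot writes the default as a
    commented hint), so only an uncommented assignment changes the value.
    """
    for line in conf_text.splitlines():
        m = re.match(r"^\s*renew_before_expiry\s*=\s*(\d+)\s*days?\s*$", line)
        if m:
            return int(m.group(1))
    return default_days


def is_due(not_after, today, renew_before_days):
    """certbot renews when the certificate expires within renew_before_days of now."""
    return not_after - today <= timedelta(days=renew_before_days)


def first_of_next_month(d):
    """Date of the next cron run for a '0 0 1 * *' schedule."""
    year, month = (d.year + 1, 1) if d.month == 12 else (d.year, d.month + 1)
    return date(year, month, 1)


def simulate(start, renew_before_days, months=24, lifetime=CERT_LIFETIME_DAYS):
    """Run 'certbot renew' on the 1st of each month for `months` months.

    Returns (min_remaining_days, lapsed): the fewest days the certificate ever
    had left at a check, and whether a check ever found it on or past its
    expiry day before the renewal happened. Day granularity is a simplification
    of certbot's timestamp-level check.
    """
    not_after = start + timedelta(days=lifetime)
    run = first_of_next_month(start)
    min_remaining, lapsed = lifetime, False
    for _ in range(months):
        remaining = (not_after - run).days
        min_remaining = min(min_remaining, remaining)
        if remaining <= 0:
            lapsed = True
        if is_due(not_after, run, renew_before_days):
            not_after = run + timedelta(days=lifetime)  # renewed: fresh 90-day cert
        run = first_of_next_month(run)
    return min_remaining, lapsed


def main():
    start = date(2024, 1, 1)  # assumption: certificate first issued on this day
    for threshold in (30, parse_renew_before_expiry(SAMPLE_RENEWAL_CONF)):
        min_remaining, lapsed = simulate(start, threshold)
        print(f"renew_before_expiry={threshold:>2} days: min remaining {min_remaining:>2} days, "
              f"{'LAPSE on a check day' if lapsed else 'no lapse'}")


if __name__ == "__main__":
    main()
```

With a monthly check, the interval between two consecutive runs two months apart is 59 to 62 days, so the certificate shows 28 to 31 days remaining at the check where it should be renewed; a 30-day threshold skips the 31-day case and the next run lands exactly on the expiry day, while 32 days covers every case. Running the check daily (as certbot's own timer does) would avoid the gap regardless of the threshold.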