Ssl

EC2 實例仍在提供舊的 LetsEncrypt SSL 證書

  • May 29, 2020

我正在為我的網站更新 SSL 證書。它們都在具有相同 Apache 伺服器的相同 EC2 實例上執行。我的兩個域最近過期了,所以我也嘗試從證書中刪除它們。

我想我正確地更新了證書,因為當我執行以下命令時,它似乎表明證書是最新的:

$ /usr/local/bin/certbot-auto certonly --webroot -w /var/www/html -d apptic.me -d www.apptic.me -d athenaforyou.com -d www.athenaforyou.com -d cloudlease.me -d www.cloudlease.me -d foleyrounds.com -d www.foleyrounds.com -d ugba198.com -d www.ugba198.com -d wildcattribune.com -d www.wildcattribune.com
Requesting to rerun /usr/local/bin/certbot-auto with root privileges...
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/apptic.me.conf)

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Keep the existing certificate for now
2: Renew & replace the cert (limit ~5 per 7 days)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Keeping the existing certificate

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate not yet due for renewal; no action taken.

然後我用 重新啟動 Apache sudo systemctl restart httpd,它不會產生任何輸出。

但是當我導航到我的網站 www.apptic.me 時,我看到仍然存在 SSL 錯誤,提示證書已過期。會發生什麼?

我正在執行 Apache 2.4:

$ yum info httpd
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
236 packages excluded due to repository priority protections
Installed Packages
Name        : httpd
Arch        : x86_64
Version     : 2.4.43
Release     : 1.amzn2
Size        : 4.0 M
Repo        : installed
From repo   : amzn2-core
Summary     : Apache HTTP Server
URL         : https://httpd.apache.org/
License     : ASL 2.0
Description : The Apache HTTP Server is a powerful, efficient, and extensible
           : web server.

事實證明我沒有在原始問題中提供足夠的資訊,但我正在記錄對我有用的東西,以防它碰巧幫助任何人。首先,我刪除了舊的 vhosts 文件以及vhost_*-le-ssl.conf我不再擁有的域的對應文件。

我還意外刪除了/etc/letsencrypt/live/and中的一個文件夾/etc/letsencrypt/renewal/(違反自述文件的建議)。這使它certbot不再工作,因為它無法執行sudo systemctl restart httpd

謝天謝地,這些文件還在/etc/letsencrypt/archive,所以我從那裡恢復了文件夾。(我只是將存檔文件夾複製到每個目錄並在certbot告訴我時重命名了文件。)

最終在修復文件夾並停止+啟動httpd服務之後,我certbot再次執行並輸出了這樣的連結,確認證書已正確安裝:https://www.ssllabs.com/ssltest/analyze.html?d=apptic。我

引用自:https://serverfault.com/questions/1019129