Once again the open source developers have set us up. In particular, the company runs external-facing sites installed on Ubuntu 18.04 with an nginx + php7.3-fpm (php7.4-fpm) stack, and access to them goes through a certificate from Let's Encrypt. Everything worked as it should, but yesterday, 06.12.2021, the https certificate for the dealers.ekzorchik.ru portal was due to be renewed. Yeah, right: what was configured in crontab stopped working:

ekzorchik@ekzorchik:~$ sudo  /usr/local/sbin/certbot-auto -q renew

Your system is not supported by certbot-auto anymore.

certbot-auto and its Certbot installation will no longer receive updates.

You will not receive any bug fixes including those fixing server compatibility

or security problems.

Please visit https://certbot.eff.org/ to check for other alternatives.

Attempting to renew cert (dealers.ekzorchik.ru) from /etc/letsencrypt/renewal/dealers.ekzorchik.ru.conf produced an unexpected error: 'ascii' codec can't encode characters in position 1462-1470: ordinal not in range(128). Skipping.

All renewal attempts failed. The following certs could not be renewed:

  /etc/letsencrypt/live/dealers.ekzorchik.ru/fullchain.pem (failure)

1 renew failure(s), 0 parse failure(s)

ekzorchik@ekzorchik:~$

Looking through my notes, I found that the production systems use the certbot-auto utility (sudo certbot-auto --version reports 1.9.0), and it is no longer supported. On my pet projects I now use the following set of steps, so I will apply them here:

ekzorchik@ekzorchik:~$  sudo add-apt-repository ppa:certbot/certbot

ekzorchik@ekzorchik:~$  sudo apt-get install python-certbot-nginx

ekzorchik@ekzorchik:~$ sudo certbot --nginx

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Plugins selected: Authenticator nginx, Installer nginx

Which names would you like to activate HTTPS for?

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

1: dealers.ekzorchik.ru

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Select the appropriate numbers separated by commas and/or spaces, or leave input

blank to select all options shown (Enter 'c' to cancel): I press 1

Attempting to parse the version 1.9.0 renewal configuration file found at /etc/letsencrypt/renewal/pma.ekzorchik.ru.conf with version 0.31.0 of Certbot. This might not work.

Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.

(ref: /etc/letsencrypt/renewal/dealers.ekzorchik.ru.conf)

What would you like to do?

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

1: Attempt to reinstall this existing certificate

2: Renew & replace the cert (limit ~5 per 7 days)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Select the appropriate number [1-2] then [enter] (press 'c' to cancel): I press 2

Renewing an existing certificate

Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/dealers.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

1: No redirect - Make no further changes to the webserver configuration.

2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for

new sites, or if you're confident your site works on HTTPS. You can undo this

change by editing your web server's configuration.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2

Traffic on port 80 already redirecting to ssl in /etc/nginx/sites-enabled/dealers.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Your existing certificate has been successfully renewed, and the new certificate

has been installed.

The new certificate covers the following domains: https://dealers.ekzorchik.ru

You should test your configuration at:

https://www.ssllabs.com/ssltest/analyze.html?d=dealers.ekzorchik.ru

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:

 - Congratulations! Your certificate and chain have been saved at:

   /etc/letsencrypt/live/dealers.ekzorchik.ru/fullchain.pem

   Your key file has been saved at:

   /etc/letsencrypt/live/dealers.ekzorchik.ru/privkey.pem

   Your cert will expire on 2022-03-07. To obtain a new or tweaked

   version of this certificate in the future, simply run certbot again

   with the "certonly" option. To non-interactively renew *all* of

   your certificates, run "certbot renew"

 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate

   Donating to EFF:                    https://eff.org/donate-le

ekzorchik@ekzorchik:~$ sudo certbot certificates

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Attempting to parse the version 1.9.0 renewal configuration file found at /etc/letsencrypt/renewal/pma.ekzorchik.ru.conf with version 0.31.0 of Certbot. This might not work.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Found the following certs:

  Certificate Name: dealers.ekzorchik.ru

    Domains: dealers.ekzorchik.ru

    Expiry Date: 2022-03-07 04:52:07+00:00 (VALID: 89 days)

    Certificate Path: /etc/letsencrypt/live/dealers.ekzorchik.ru/fullchain.pem

    Private Key Path: /etc/letsencrypt/live/dealers.ekzorchik.ru/privkey.pem

  Certificate Name: pma.ekzorchik.ru

    Domains: pma.ekzorchik.ru

    Expiry Date: 2022-02-04 22:02:02+00:00 (VALID: 59 days)

    Certificate Path: /etc/letsencrypt/live/pma.ekzorchik.ru/fullchain.pem

    Private Key Path: /etc/letsencrypt/live/pma.ekzorchik.ru/privkey.pem

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

ekzorchik@ekzorchik:~$

ekzorchik@ekzorchik:~$ sudo crontab -e

# certbot-auto is no longer supported; call the packaged certbot instead
0 2 * * * sudo  /usr/bin/certbot -q renew

ekzorchik@ekzorchik:~$ sudo systemctl restart nginx php7.3-fpm

And now I use the certbot utility; here is the version installed on the system (just for reference):

ekzorchik@ekzorchik:~$ dpkg -l | grep certbot

ii  certbot                               0.31.0-2~deb10u1+ubuntu18.04.1+certbot+3                 all          automatically configure HTTPS using Let's Encrypt
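Because the cron job runs with -q, a failed renewal like the one at the top of this post stays invisible until the certificate expires. The following is an added example, not part of the original post: a shell check that reads `certbot certificates` output and lists certificates below a threshold of days. The function name `expiring_certs`, the status label and the thresholds are assumptions; the sample input is copied from the output shown above.

```shell
#!/usr/bin/env bash
# Added example: flag certificates that are close to expiry or not valid.

# expiring_certs THRESHOLD_DAYS   (reads `certbot certificates` output on stdin)
# Prints "name days" for every certificate with fewer than THRESHOLD_DAYS left.
# Entries without a "(VALID: N days)" status, such as "(INVALID: EXPIRED)",
# are printed as "name INVALID_OR_UNDER_1_DAY".
# Exit status is 1 if anything was reported, so cron or monitoring can alert.
expiring_certs() {
    awk -v limit="$1" '
        /Certificate Name:/ { name = $3 }
        /Expiry Date:/ {
            if (match($0, /\(VALID: [0-9]+ day/)) {
                # the digits sit between "(VALID: " (8 chars) and " day" (4 chars)
                days = substr($0, RSTART + 8, RLENGTH - 12) + 0
                if (days < limit) { print name, days; bad = 1 }
            } else {
                print name, "INVALID_OR_UNDER_1_DAY"; bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Sample input: the `certbot certificates` output shown in this post.
SAMPLE='Found the following certs:
  Certificate Name: dealers.ekzorchik.ru
    Domains: dealers.ekzorchik.ru
    Expiry Date: 2022-03-07 04:52:07+00:00 (VALID: 89 days)
  Certificate Name: pma.ekzorchik.ru
    Domains: pma.ekzorchik.ru
    Expiry Date: 2022-02-04 22:02:02+00:00 (VALID: 59 days)'

# With a 60-day threshold only pma.ekzorchik.ru is reported.
printf '%s\n' "$SAMPLE" | expiring_certs 60 || echo "renewal needs attention"

# On a live host:
#   sudo certbot certificates 2>/dev/null | expiring_certs 30
```

Run from a separate cron entry without -q, this turns a silently failing renew job into a visible alert.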

In the end, having come to work a little earlier, I fixed the certificate on the dealers portal, and even thanked myself for having already run into this before, so this time I sorted it all out quickly.

That concludes this note. Regards, the blog's author, Ollo Alexander aka ekzorchik.