Code:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /usr/local/etc/letsencrypt/renewal/host-food.ru.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Non-interactive renewal: random delay of 300.024992284833 seconds
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.')
Attempting to renew cert (host-food.ru) from /usr/local/etc/letsencrypt/renewal/host-food.ru.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.'). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/usr/local/etc/letsencrypt/live/host-food.ru/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewal attempts failed. The following certs could not be renewed:
/usr/local/etc/letsencrypt/live/host-food.ru/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
So we need some script that will create and change the DNS records, run via --manual-auth-hook.
Checking that notifications to the secondary servers are configured:
Code:
options {
...........
also-notify {91.227.16.10; 91.227.18.2;};
};
Code:
zone "host-food.ru" {
    type master;
    file "/usr/local/etc/namedb/master/host-food.ru";
    allow-update { localhost; };
};
Code:
chown -R bind:bind /usr/local/etc/namedb/master
Code:
manager# cat /root/scripts/ssl/let.s.encrypt.dns.auth.sh
#!/bin/sh
# certbot passes the domain being validated and the challenge token in these variables
if [ -z "$CERTBOT_DOMAIN" ] || [ -z "$CERTBOT_VALIDATION" ]
then
    echo "EMPTY DOMAIN OR VALIDATION"
    exit 1
fi
RECORD="_acme-challenge"
# -l: dynamic update sent to the local named, signed with its session key
nsupdate -l -v << EOM
update delete $RECORD.$CERTBOT_DOMAIN TXT
update add $RECORD.$CERTBOT_DOMAIN 300 TXT "$CERTBOT_VALIDATION"
send
EOM
# give the secondaries time to receive the NOTIFY and transfer the zone
sleep 25
Code:
manager# cat /root/scripts/ssl/let.s.encrypt.sh
#!/bin/sh
# sleep from one second up to 20 hours
#sleep `jot -r 1 1 72000`
# re-issue the certificates
certbot renew --post-hook "service nginx reload" --preferred-challenges=dns --manual-auth-hook /root/scripts/ssl/let.s.encrypt.dns.auth.sh
Code:
manager# dig @91.227.16.10 txt _acme-challenge.host-food.ru
; <<>> DiG 9.16.5 <<>> @91.227.16.10 txt _acme-challenge.host-food.ru
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19619
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 615108e98860a98159744df25f4229fc61a33b5a49836c33 (good)
;; QUESTION SECTION:
;_acme-challenge.host-food.ru. IN TXT
;; ANSWER SECTION:
_acme-challenge.host-food.ru. 300 IN TXT "qOZtfw_0b9NJW7FQpAlUmpINbf53H6XtH2EQBG9zQQ8"
;; AUTHORITY SECTION:
host-food.ru. 3600 IN NS dns0.host-food.ru.
host-food.ru. 3600 IN NS dns1.host-food.ru.
;; ADDITIONAL SECTION:
dns0.host-food.ru. 3600 IN A 91.227.16.10
dns1.host-food.ru. 3600 IN A 91.227.18.2
;; Query time: 0 msec
;; SERVER: 91.227.16.10#53(91.227.16.10)
;; WHEN: вс авг. 23 11:34:04 MSK 2020
;; MSG SIZE rcvd: 211
manager#
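An added example, not the post's own hook: it automates the dig check shown above, polling every NS of the zone until each of them returns the new TXT record, instead of the fixed sleep 25. The function names, the 120 s default deadline and the POLL_INTERVAL variable are my own assumptions.

```shell
#!/bin/sh
# Added example (not the post's hook): replace the fixed "sleep 25" with a
# check that every authoritative server already answers the new TXT record.
# Function names, the 120 s default deadline and POLL_INTERVAL are my own.
POLL_INTERVAL="${POLL_INTERVAL:-5}"

# Exit 0 if dig output read from stdin contains an answer line of the form
#   <name>.  <ttl>  IN  TXT  "<value>"   (dig's default, whitespace-separated)
has_txt_value() {
    awk -v n="$1." -v v="\"$2\"" \
        '$1 == n && $3 == "IN" && $4 == "TXT" && $5 == v { found = 1 }
         END { exit !found }'
}

# Authoritative name servers of a zone, one per line, without the trailing dot.
zone_servers() {
    dig +short NS "$1" | sed 's/\.$//'
}

# Poll every authoritative server of zone $3 for TXT $1 = $2 until all of
# them return it or $4 seconds (default 120) pass. 0 = visible everywhere,
# 1 = timeout. The caller maps the record to its zone; in the post the zone
# equals the certificate name, so "$CERTBOT_DOMAIN" serves for both.
wait_for_txt() {
    name="$1"; value="$2"; zone="$3"; deadline="${4:-120}"
    elapsed=0
    while [ "$elapsed" -lt "$deadline" ]; do
        missing=0
        for ns in $(zone_servers "$zone"); do
            # +norecurse: ask the authoritative server itself, not a cache
            dig +norecurse @"$ns" TXT "$name" | has_txt_value "$name" "$value" \
                || missing=$((missing + 1))
        done
        [ "$missing" -eq 0 ] && return 0
        sleep "$POLL_INTERVAL"
        elapsed=$((elapsed + POLL_INTERVAL))
    done
    echo "TXT $name not visible on all servers of $zone after ${deadline}s" >&2
    return 1
}

# In the auth hook, after the nsupdate block, instead of "sleep 25":
#   wait_for_txt "_acme-challenge.$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" "$CERTBOT_DOMAIN" || exit 1
```

If the hook times out it exits non-zero, so certbot reports the failure instead of asking Let's Encrypt to validate a record the secondaries do not serve yet.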