2

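I am trying to use certbot to renew a certificate that recently expired (the original certificate was also generated with certbot). However, the renew command does not work: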

sudo ./certbot-auto renew --quiet --no-self-upgrade
Use of --agree-dev-preview is deprecated.
Use of --agree-dev-preview is deprecated.
Attempting to renew cert from /etc/letsencrypt/renewal/www.removed.com.conf produced an unexpected error: <Response [404]>. Skipping.
Attempting to renew cert from /etc/letsencrypt/renewal/www.removed.com-0001.conf produced an unexpected error: <Response [404]>. Skipping.
Attempting to renew cert from /etc/letsencrypt/renewal/removed.com.conf produced an unexpected error: <Response [404]>. Skipping.

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/www.removed.com/fullchain.pem (failure)
  /etc/letsencrypt/live/www.removed.com-0001/fullchain.pem (failure)
  /etc/letsencrypt/live/removed.com/fullchain.pem (failure)

The certbot log has the following output:

Traceback (most recent call last):
  File "/home/test/.local/share/letsencrypt/bin/letsencrypt", line 11, in <module>
    sys.exit(main())
  File "/home/test/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py", line 861, in main
    args = cli.prepare_and_parse_args(plugins, cli_args)
  File "/home/test/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/cli.py", line 1074, in prepare_and_parse_args
    return helpful.parse_args()
  File "/home/test/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/cli.py", line 551, in parse_args
    self.set_test_server(parsed_args)
  File "/home/test/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/cli.py", line 568, in set_test_server
    " and ".join(conflicts)))
Error: --server value conflicts with --dry-run

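Any ideas on how to resolve this? I tried running the above renew command as root. I have already stopped nginx in case it was interfering with the process.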

4

1 Answer

0

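Based on the code of newer certbot versions that use the ACME-v02 API (the API that supports wildcard certificates), it seems the only server value the --dry-run option accepts is the new staging endpoint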

...        
def set_test_server(self, parsed_args):
    """We have --staging/--dry-run; perform sanity check and set config.server"""

    if parsed_args.server not in (flag_default("server"), constants.STAGING_URI):
        conflicts = ["--staging"] if parsed_args.staging else []
        conflicts += ["--dry-run"] if parsed_args.dry_run else []
        raise errors.Error("--server value conflicts with {0}".format(
            " and ".join(conflicts)))

    parsed_args.server = constants.STAGING_URI
...

and the code of the constants.py file

...
STAGING_URI = "https://acme-staging-v02.api.letsencrypt.org/directory"
...

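So in theory, to fix this you can:

  1. Specify the staging server endpoint
  2. Create/edit /etc/letsencrypt/cli.ini and put the server option in it instead of specifying it in the command
  3. Create a config file anywhere with a valid server option value and pass it to the command as --config /path/yourconfig.ini or -c /path/yourconfig.ini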

Links:

PS: I say in theory because none of these worked for me

Answered 2018-06-12T00:55:46.940
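
The check quoted in the answer above, rewritten as a standalone pre-flight test for a cli.ini file before running with --dry-run or --staging. This is an added example, not code from the original post or from certbot. `DEFAULT_SERVER`, the helper names and the sample file are assumptions, and only `key = value` lines are parsed.

```python
# From the constants.py excerpt quoted in the answer.
STAGING_URI = "https://acme-staging-v02.api.letsencrypt.org/directory"
# Assumption: the value flag_default("server") returns on the installed certbot.
DEFAULT_SERVER = "https://acme-v02.api.letsencrypt.org/directory"


def ini_server(ini_text):
    """Return the last `server` value set in cli.ini-style text, or None."""
    server = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[":
            continue  # blank line, comment, or section header
        key, sep, value = line.partition("=")
        if sep and key.strip() == "server":
            server = value.strip()
    return server


def server_conflict(ini_text, cli_server=None, staging=False, dry_run=False):
    """Mirror the quoted check: return the error text, or None if it passes."""
    if not (staging or dry_run):
        return None  # the check only runs for --staging / --dry-run
    # A --server given on the command line overrides the config file.
    server = cli_server or ini_server(ini_text) or DEFAULT_SERVER
    if server in (DEFAULT_SERVER, STAGING_URI):
        return None
    conflicts = ["--staging"] if staging else []
    conflicts += ["--dry-run"] if dry_run else []
    return "--server value conflicts with {0}".format(" and ".join(conflicts))


# Constructed cli.ini contents (not from the page); the URL is a placeholder.
SAMPLE_INI = """\
# /etc/letsencrypt/cli.ini
rsa-key-size = 4096
server = https://acme.example.invalid/directory
"""

if __name__ == "__main__":
    print(server_conflict(SAMPLE_INI, dry_run=True))
    print(server_conflict(SAMPLE_INI, cli_server=STAGING_URI, dry_run=True))
```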