QUIC in practice (3): Let's Encrypt certificate application and automatic renewal

After deploying the QUIC cluster, the https certificate that had originally been requested expired, so I tried to reinstall/renew the certificate.

Let's Encrypt is a free project that issues https certificates automatically.
Certbot is the certificate client tool officially recommended by Let's Encrypt.

Because my QUIC cluster simply copied the original certificate into a custom directory, certbot had never been installed on it, so the first step is to install certbot.

Install Certbot

Install snapd first. Pick the snapd installation tutorial for your own Linux distribution (mine is Red Hat Enterprise Linux 8).

Install snapd
$ sudo dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
$ sudo dnf upgrade
$ sudo yum install snapd

Create soft link

$ sudo systemctl enable --now snapd.socket
$ sudo ln -s /var/lib/snapd/snap /snap
Install Certbot

## Update snap to the latest version
sudo snap install core
sudo snap refresh core
## Remove any other Certbot OS packages, so that the certbot command used after installation is the snap one
sudo apt-get remove certbot
sudo dnf remove certbot
sudo yum remove certbot

sudo snap install --classic certbot
# Create soft link
sudo ln -s /snap/bin/certbot /usr/bin/certbot

Renew certificate

Because I had stored the old certificate on the machine, my initial idea was to renew the old certificate directly. First I ran certbot certificates to check the certificate information on the current server,
but it did not return the current certificate information. I guess this is because, when migrating the certificate, I only copied the pem files needed by the nginx configuration, and stored them in a path different from the default path certbot had used on the old cluster.

I packaged all the files under the original certificate path /etc/letsencrypt and uploaded them to the same path on the Nginx machine of the new cluster; after that, certbot certificates showed the old certificate.
Then use the certbot renew command to renew the certificate.

Problems encountered:
When renewing the certificate, an error is reported saying that the
connection fails when accessing xxx/.well-known/acme-challenge/xxx to verify ownership of the domain name.

This is because the nginx cluster deployed on AWS binds the domain name to the load balancer, and at first the load balancer only listened on port 443 for QUIC. After adding a listener on port 80, it no longer reported that it could not connect, but returned a 404 error code instead.

I judged that this was because the above path was unreachable, but after many attempts the path still could not be matched. Finally I realised that this request verifies ownership of the domain name, yet the domain name was bound to the load balancer rather than to the server renewing the certificate. After binding the domain name to the server's IP and running certbot renew again, the renewal succeeded.

Since the path of the new certificate is different from the previous one, the certificate path in the nginx configuration file needs to be modified as follows:

ssl_certificate /etc/letsencrypt/live/you.domain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/you.domain.com/privkey.pem;

After the certificate has been renewed, bind the domain name back to the load balancer.
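The failure described above is the HTTP-01 validation step: Let's Encrypt fetches a file from http://DOMAIN/.well-known/acme-challenge/ and that request has to arrive at the machine where certbot runs. The script below is an added example (not from the original post and not part of certbot) that reproduces that round trip before running certbot renew, so that "connection failed" or 404 is found without spending the account's hourly failure quota. It assumes, hypothetically, that nginx serves WEBROOT on port 80 for DOMAIN and that certbot is (or will be) configured with --webroot pointing at the same directory; the fetcher can be swapped via ACME_FETCH so the logic can also be exercised offline.

```shell
#!/bin/sh
# Pre-flight check before "certbot renew" (added example; not from the original
# post or from certbot). A token file placed under
#   WEBROOT/.well-known/acme-challenge/
# must be retrievable at
#   http://DOMAIN/.well-known/acme-challenge/<token>
# through whatever sits in front of the server (in the post: an AWS load
# balancer that only forwarded port 443).
# Assumptions (hypothetical): nginx serves WEBROOT on port 80 for DOMAIN.

# Fetch one URL to stdout. Returns non-zero on a connection error and, because
# of -f, on an HTTP 404 as well: the two symptoms described in the post.
acme_fetch() {
  curl -fsS --max-time 10 "$1"
}

# acme_path_roundtrip WEBROOT BASE_URL
# Writes a unique token file, fetches it back through BASE_URL and compares.
# Returns 0 when the content matches, 1 otherwise. The token is removed again
# in both cases. Set ACME_FETCH to another function name to replace the fetcher.
acme_path_roundtrip() {
  webroot="$1"
  base="$2"
  dir="$webroot/.well-known/acme-challenge"
  token="probe-$$-$(date +%s)"
  expected="acme-probe-ok-$$"
  mkdir -p "$dir" || return 1
  printf '%s' "$expected" > "$dir/$token" || return 1
  got=$("${ACME_FETCH:-acme_fetch}" "$base/.well-known/acme-challenge/$token" 2>/dev/null) || got=""
  rm -f "$dir/$token"
  [ "$got" = "$expected" ]
}

# Entry point when run directly:  sh acme-preflight.sh you.domain.com /var/www/html
if [ "$#" -ge 2 ]; then
  if acme_path_roundtrip "$2" "http://$1"; then
    echo "OK: http://$1/.well-known/acme-challenge/ reaches this server."
    echo "Next: certbot renew --dry-run   (uses the staging environment, so a failure does not count against the production limit)"
  else
    echo "FAIL: the challenge path is not reachable via http://$1" >&2
    echo "      (port 80 not forwarded to this server, or the path is served from somewhere else)" >&2
    exit 1
  fi
fi
```

Run it on the nginx machine with the domain name and the webroot nginx serves on port 80; when it reports OK, the DNS/load-balancer path is in the state certbot needs, and certbot renew --dry-run confirms the whole exchange against the staging environment before the real renewal is attempted.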

Let's Encrypt certificate request rate limits

https://letsencrypt.org/zh-cn/docs/rate-limits/
There is a limit of 5 validation failures per account, per domain name, per hour. The limit is higher in the test (staging) environment, which allows 60 validation failures per hour.
There is also a limit of 5 duplicate certificates per registered domain name per week.

So when the certbot renew command is run repeatedly, it may report that the limit has been reached; just try again after a while.

In the end I only migrated and renewed the certificate; subsequent renewals will still run into the same problem (the domain name has to be bound to the corresponding server IP), which remains fairly troublesome.
I will keep studying this and update the blog if I find a good solution. If you have dealt with a similar issue, feel free to share it.

References:
Installing snap on Red Hat Enterprise Linux (RHEL)
None of the above on CentOS/RHEL 8

Origin blog.csdn.net/qq_35448165/article/details/109010978