EC2 实例仍提供旧的 LetsEncrypt SSL 证书

tag-icon tag-icon ssl amazon-ec2 apache-2.4 ssl-certificate lets-encrypt
EC2 实例仍提供旧的 LetsEncrypt SSL 证书

我正在为我的网站更新 SSL 证书。它们都在同一个 EC2 实例上运行,使用同一个 Apache 服务器。我的两个域名最近已过期,因此我也尝试将它们从证书中删除。

我认为我正确地更新了证书,因为当我运行以下命令时,它似乎表明证书是最新的:

$ /usr/local/bin/certbot-auto certonly --webroot -w /var/www/html -d apptic.me -d www.apptic.me -d athenaforyou.com -d www.athenaforyou.com -d cloudlease.me -d www.cloudlease.me -d foleyrounds.com -d www.foleyrounds.com -d ugba198.com -d www.ugba198.com -d wildcattribune.com -d www.wildcattribune.com
Requesting to rerun /usr/local/bin/certbot-auto with root privileges...
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/apptic.me.conf)

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Keep the existing certificate for now
2: Renew & replace the cert (limit ~5 per 7 days)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Keeping the existing certificate

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate not yet due for renewal; no action taken.

然后我用 重新启动 Apache sudo systemctl restart httpd,但没有产生任何输出。

但当我访问我的网站 www.apptic.me 时,仍然出现 SSL 错误,提示证书已过期。可能发生了什么?

我正在运行 Apache 2.4:

$ yum info httpd
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
236 packages excluded due to repository priority protections
Installed Packages
Name        : httpd
Arch        : x86_64
Version     : 2.4.43
Release     : 1.amzn2
Size        : 4.0 M
Repo        : installed
From repo   : amzn2-core
Summary     : Apache HTTP Server
URL         : https://httpd.apache.org/
License     : ASL 2.0
Description : The Apache HTTP Server is a powerful, efficient, and extensible
            : web server.

答案1

事实证明,我在原始问题中没有提供足够的信息,但我记录了对我有用的方法,以防万一对任何人有帮助。首先,我删除了旧的 vhosts 文件以及vhost_*-le-ssl.conf我不再拥有的域的相应文件。

我还不小心删除了/etc/letsencrypt/live/和中的一个文件夹/etc/letsencrypt/renewal/(违反了 README 的建议)。这导致certbot它无法再运行,因为它无法运行sudo systemctl restart httpd

值得庆幸的是,文件仍在/etc/letsencrypt/archive,所以我从那里恢复了文件夹。(我只是将存档文件夹复制到每个目录,并按照certbot要求重命名文件。)

最终,在修复文件夹并停止+启动httpd服务后,我certbot再次运行并输出如下链接,确认证书已正确安装:https://www.ssllabs.com/ssltest/analyze.html?d=apptic.me

相关内容