Post

Certbot Issue - Failed to renew certificate domain.name with error: Some challenges have failed

Cause

Yesterday evening the main HTTPS certificate of the server I run ended up in a failed-renewal state.

Renewal is set up on a scheduler and had been going through without any problems until now, so it was with a fluttering heart that I logged in to the server, where I found the log below.


Full log:
2024-09-06 20:13:11,900:DEBUG:certbot._internal.plugins.selection:Requested authenticator nginx and installer nginx
2024-09-06 20:13:11,925:ERROR:certbot.util:Error while running nginx -c /etc/nginx/nginx.conf -t.

nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/zhyun.kim/fullchain.pem": BIO_new_file() failed (SSL: error:80000002:system library::No such file or directory:calling fopen(/etc/letsencrypt/live/zhyun.kim/fullchain.pem, r) error:10000080:BIO routines::no such file)
nginx: configuration file /etc/nginx/nginx.conf test failed

2024-09-06 20:13:11,926:DEBUG:certbot._internal.plugins.disco:Misconfigured PluginEntryPoint#nginx: Error while running nginx -c /etc/nginx/nginx.conf -t.

nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/zhyun.kim/fullchain.pem": BIO_new_file() failed (SSL: error:80000002:system library::No such file or directory:calling fopen(/etc/letsencrypt/live/zhyun.kim/fullchain.pem, r) error:10000080:BIO routines::no such file)
nginx: configuration file /etc/nginx/nginx.conf test failed


During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/_internal/plugins/disco.py", line 151, in prepare
    self._initialized.prepare()
  File "/usr/lib/python3/dist-packages/certbot_nginx/_internal/configurator.py", line 191, in prepare
    self.config_test()
  File "/usr/lib/python3/dist-packages/certbot_nginx/_internal/configurator.py", line 978, in config_test
    raise errors.MisconfigurationError(str(err))
certbot.errors.MisconfigurationError: Error while running nginx -c /etc/nginx/nginx.conf -t.

nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/zhyun.kim/fullchain.pem": BIO_new_file() failed (SSL: error:80000002:system library::No such file or directory:calling fopen(/etc/letsencrypt/live/zhyun.kim/fullchain.pem, r) error:10000080:BIO routines::no such file)
nginx: configuration file /etc/nginx/nginx.conf test failed

2024-09-06 20:13:11,926:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * nginx
Description: Nginx Web Server plugin
Interfaces: Installer, Authenticator, Plugin
Entry point: nginx = certbot_nginx._internal.configurator:NginxConfigurator
Initialized: <certbot_nginx._internal.configurator.NginxConfigurator object at 0x7f9e990b5cc0>
Prep: Error while running nginx -c /etc/nginx/nginx.conf -t.

nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/zhyun.kim/fullchain.pem": BIO_new_file() failed (SSL: error:80000002:system library::No such file or directory:calling fopen(/etc/letsencrypt/live/zhyun.kim/fullchain.pem, r) error:10000080:BIO routines::no such file)
nginx: configuration file /etc/nginx/nginx.conf test failed

2024-09-06 20:13:11,927:DEBUG:certbot._internal.plugins.selection:Selected authenticator None and installer None
2024-09-06 20:13:11,927:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 33, in <module>
    sys.exit(load_entry_point('certbot==1.21.0', 'console_scripts', 'certbot')())
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 15, in main
    return internal_main.main(cli_args)
  File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 1574, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 1414, in certonly
    installer, auth = plug_sel.choose_configurator_plugins(config, plugins, "certonly")
  File "/usr/lib/python3/dist-packages/certbot/_internal/plugins/selection.py", line 228, in choose_configurator_plugins
    diagnose_configurator_problem("authenticator", req_auth, plugins)
  File "/usr/lib/python3/dist-packages/certbot/_internal/plugins/selection.py", line 332, in diagnose_configurator_problem
    raise errors.PluginSelectionError(msg)
certbot.errors.PluginSelectionError: The nginx plugin is not working; there may be problems with your existing configuration.
The error was: MisconfigurationError('Error while running nginx -c /etc/nginx/nginx.conf -t.\n\nnginx: [emerg] cannot load certificate "/etc/letsencrypt/live/zhyun.kim/fullchain.pem": BIO_new_file() failed (SSL: error:80000002:system library::No such file or directory:calling fopen(/etc/letsencrypt/live/zhyun.kim/fullchain.pem, r) error:10000080:BIO routines::no such file)\nnginx: configuration file /etc/nginx/nginx.conf test failed\n')
2024-09-06 20:13:11,927:ERROR:certbot._internal.log:The nginx plugin is not working; there may be problems with your existing configuration.
The error was: MisconfigurationError('Error while running nginx -c /etc/nginx/nginx.conf -t.\n\nnginx: [emerg] cannot load certificate "/etc/letsencrypt/live/zhyun.kim/fullchain.pem": BIO_new_file() failed (SSL: error:80000002:system library::No such file or directory:calling fopen(/etc/letsencrypt/live/zhyun.kim/fullchain.pem, r) error:10000080:BIO routines::no such file)\nnginx: configuration file /etc/nginx/nginx.conf test failed\n')   
  



From the log alone I could not tell what the problem was, so I ran the renewal command by hand, which showed the reason.

root@zhyun:~$ certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

...omitted...

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: jenkins.zhyun.kim
  Type:   dns
  Detail: DNS problem: NXDOMAIN looking up A for jenkins.zhyun.kim - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for jenkins.zhyun.kim - check that a DNS record exists for this domain

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Failed to renew certificate zhyun.kim with error: Some challenges have failed.

...omitted...

All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/zhyun.kim/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.  

Before moving to the server hardware I use now, I had backed up the nginx configuration, and I carried it over to the new server as-is. The problem was that in doing so I never removed the configuration for the jenkins.zhyun.kim domain, which was no longer in use.

The zhyun.kim/fullchain.pem certificate used for the live domain had also been applied to the jenkins.zhyun.kim domain, so when that certificate came up for renewal the dead domain was encountered and the renewal failed, or so it appeared.



Resolution

  1. Edit the nginx configuration
    • Remove everything related to the no-longer-used jenkins.zhyun.kim domain
    • Comment out the lines that use the zhyun.kim/fullchain.pem certificate

  2. Certbot certificate work
    • Delete the zhyun.kim/fullchain.pem certificate and reissue it

  3. Edit the nginx configuration
    • Uncomment the lines that use the zhyun.kim/fullchain.pem certificate

  4. Restart nginx

  5. Test that certbot renewal works: certbot renew --dry-run


Because the error was in the zhyun.kim/fullchain.pem certificate, the nginx server would not shut down.
Only after commenting out the lines that use that certificate in the nginx configuration could I stop the nginx server.
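The procedure above as a script, added here as an example; it is not part of the original post. It reads the SAN list out of the lineage's leaf certificate, checks which names still resolve, and prints (or, with DO_IT=1, runs) a certbot command that rewrites the zhyun.kim lineage with only the live names. Instead of deleting the certificate and reissuing it, it passes certbot's --cert-name flag together with the new -d list, which replaces the domain set of the existing lineage in place: the files under /etc/letsencrypt/live/zhyun.kim never disappear, so the nginx -t failure seen in the first log, and the comment-out/uncomment steps it forced, do not arise. Assumptions: the lineage name zhyun.kim and the nginx plugin come from the post; the function names, the DO_IT and RUN variables, openssl 1.1.1 or later (for -ext), and getent for the resolver check are mine.

```shell
#!/bin/sh
# Added example (not from the post): reissue a Let's Encrypt lineage without a dead SAN.
# Assumed: lineage name zhyun.kim, certbot's nginx plugin, openssl >= 1.1.1, getent.
set -eu

CERT_NAME=${CERT_NAME:-zhyun.kim}                    # lineage name from the post
CERT_PEM=/etc/letsencrypt/live/$CERT_NAME/cert.pem   # leaf certificate of that lineage

# Read the text that `openssl x509 -noout -ext subjectAltName` prints and
# emit one DNS name per line ("DNS:a, DNS:b" -> "a" and "b").
sans_from_openssl() {
    tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:[[:space:]]*//p'
}

# Succeed when NAME has an A or AAAA record in the system resolver. A name that
# fails here is the NXDOMAIN case from the renew output above; the converse is
# not guaranteed, because Let's Encrypt resolves from its own vantage points.
resolves() {
    getent ahosts "$1" >/dev/null 2>&1
}

# Read names from stdin, test each with the resolver command named in $1 and
# print "live NAME" or "dead NAME". The resolver is a parameter so the logic
# can be exercised without network access.
classify_sans() {
    check=$1
    while IFS= read -r name; do
        [ -n "$name" ] || continue
        if "$check" "$name"; then
            printf 'live %s\n' "$name"
        else
            printf 'dead %s\n' "$name"
        fi
    done
}

# Print the certbot command that rewrites lineage NAME to exactly the given
# domains. `--cert-name` with a new `-d` list replaces the SAN set in place:
# /etc/letsencrypt/live/NAME stays populated, so `nginx -t` keeps passing and
# no server block has to be commented out. Refuse an empty domain list.
reissue_cmd() {
    name=$1; shift
    [ $# -gt 0 ] || { echo "refusing to reissue $name with no domains" >&2; return 1; }
    cmd="certbot certonly --nginx --cert-name $name"
    for d in "$@"; do
        cmd="$cmd -d $d"
    done
    printf '%s\n' "$cmd"
}

# Whole procedure against the real certificate. Prints the command by default;
# DO_IT=1 runs it, then checks renewal with --dry-run and reloads nginx.
main() {
    report=$(openssl x509 -in "$CERT_PEM" -noout -ext subjectAltName \
             | sans_from_openssl | classify_sans resolves)
    printf '%s\n' "$report" >&2                                 # verdict per name
    set -- $(printf '%s\n' "$report" | sed -n 's/^live //p')    # keep only live names
    cmd=$(reissue_cmd "$CERT_NAME" "$@")
    if [ "${DO_IT:-0}" = 1 ]; then
        $cmd                              # certbot asks to confirm the changed domain list
        certbot renew --dry-run           # same check as step 5 of the post
        nginx -t && systemctl reload nginx
    else
        echo "would run: $cmd"
    fi
}

if [ "${RUN:-0}" = 1 ]; then
    main
fi
```

Run it as `RUN=1 sh reissue.sh` to see the verdict per SAN and the command it would issue, and `RUN=1 DO_IT=1 sh reissue.sh` to execute it; the stale jenkins.zhyun.kim server block should still be removed from the nginx configuration, as in step 1, but that is independent of the certificate.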

This post is licensed under CC BY 4.0 by the author.