さんごー日記 (Sango Diary).

A laid-back diary where I casually record my impressions of movies, books and games, and casually log my programming studies.

Error when setting up Let's Encrypt on AWS EC2: Error: couldn't get currently installed version for /opt/eff.org/certbot/venv/bin/letsencrypt:

I got stuck while trying to set up SSL with Let's Encrypt on AWS EC2, so I'm recording it here.
I had succeeded once before, so I followed the same steps to add SSL to a different subdomain, and this time it ended in an error.

With the document root at `/var/www/html/sample/public`, obtain a server certificate with the certbot-auto command.
The domain is redacted.

$ sudo certbot-auto certonly --webroot -w /var/www/html/sample/public -d [ドメイン名] --email [メールアドレス] --debug
Error: couldn't get currently installed version for /opt/eff.org/certbot/venv/bin/letsencrypt:
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 7, in <module>
    from certbot.main import main
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/certbot/main.py", line 10, in <module>
    import josepy as jose
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/josepy/__init__.py", line 44, in <module>
    from josepy.interfaces import JSONDeSerializable
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/josepy/interfaces.py", line 8, in <module>
    from josepy import errors, util
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/josepy/util.py", line 4, in <module>
    import OpenSSL
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/OpenSSL/__init__.py", line 8, in <module>
    from OpenSSL import rand, crypto, SSL
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/OpenSSL/rand.py", line 12, in <module>
    from OpenSSL._util import (
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/OpenSSL/_util.py", line 6, in <module>
    from cryptography.hazmat.bindings.openssl.binding import Binding
ImportError: No module named cryptography.hazmat.bindings.openssl.binding

Well, that produced a pile of errors.
Let's look at them starting from the first line.
"Error: couldn't get currently installed version for /opt/eff.org/certbot/venv/bin/letsencrypt:"
↓ In plain words
"Error: the version of the currently installed /opt/eff.org/certbot/venv/bin/letsencrypt could not be retrieved."
The traceback ends in `ImportError: No module named cryptography.hazmat.bindings.openssl.binding`, so the real problem is that the Python packages inside certbot's own virtualenv are broken, which is what the upgrade below repairs.

I tried following the site below.
Let's Encrypt 証明書更新時のエラー対処 Amazon Linux AMI - とうふの雑記帳 (a Japanese post on handling Let's Encrypt certificate renewal errors on Amazon Linux AMI)

$ unset PYTHON_INSTALL_LAYOUT
$ sudo /opt/eff.org/certbot/venv/local/bin/pip install --upgrade certbot
$ sudo certbot-auto certonly --webroot -w /var/www/html/sample/public -d [ドメイン名] --email [メールアドレス] --debug
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for [ドメイン名]
Using the webroot path /var/www/html/sample/public for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Exiting abnormally:
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 11, in <module>
    sys.exit(main())
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/certbot/main.py", line 1364, in main
    return config.func(config, plugins)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/certbot/main.py", line 1254, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/certbot/main.py", line 120, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/certbot/client.py", line 391, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/certbot/client.py", line 334, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/certbot/client.py", line 370, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/certbot/auth_handler.py", line 82, in handle_authorizations
    self._respond(aauthzrs, resp, best_effort)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/certbot/auth_handler.py", line 155, in _respond
    self._poll_challenges(aauthzrs, chall_update, best_effort)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/certbot/auth_handler.py", line 226, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
FailedChallenges: Failed authorization procedure. [ドメイン名] (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://[ドメイン名].well-known/acme-challenge/4GI-mJ7X3j7mLzhWUNU5NPD8omMfeGF2czMnaRWHQQs: "<!DOCTYPE html>
<html lang="en">
    <head>
        <meta charset="utf-8">
        <meta http-equiv="X-UA-Compatible" content="I"
Please see the logfiles in /var/log/letsencrypt for more details.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: [ドメイン名]
   Type:   unauthorized
   Detail: Invalid response from
   http://[ドメイン名]/.well-known/acme-challenge/4GI-mJ7X3j7mLzhWUNU5NPD8omMfeGF2czMnaRWHQQs:
   "<!DOCTYPE html>
   <html lang="en">
       <head>
           <meta charset="utf-8">
           <meta http-equiv="X-UA-Compatible" content="I"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

It got partway through, but then a domain configuration error came out.
This had nothing to do with Let's Encrypt itself; it was a mistake in the virtual host configuration. As the output shows, the server answered the request for `/.well-known/acme-challenge/...` with an HTML page instead of the challenge token, meaning the virtual host serving this domain was not pointed at the webroot given with `-w`.
Make sure "http://[domain name]/" is served correctly by the intended virtual host before running certbot.
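The following is an added example, not code from the original post: a small pre-flight check for the http-01 challenge that reproduces what certbot's webroot plugin and the CA do, so a virtual host mismatch like the one above shows up before Let's Encrypt is asked to validate. It writes a throwaway token under the webroot, fetches it over plain HTTP the way the CA would, and classifies the answer; an HTML document in place of the token is reported as the vhost/DocumentRoot problem seen in this post. The webroot path, the domain and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight check for the
# http-01 challenge. Paths, domain and function names are assumptions.

# Write a throwaway token file exactly where certbot's webroot plugin
# would put a real one. Usage: write_probe_token WEBROOT TOKEN
# Prints the path of the file written.
write_probe_token() {
    webroot="$1"; token="$2"
    dir="$webroot/.well-known/acme-challenge"
    mkdir -p "$dir" || return 1
    printf '%s' "$token" > "$dir/$token" || return 1
    printf '%s\n' "$dir/$token"
}

# Classify what the web server answered. Prints one word:
#   ok         body is exactly the token
#   html-page  body is an HTML document: the vhost serving the domain is not
#              pointed at the webroot (the failure shown in the post)
#   mismatch   anything else (404, empty body, wrong file)
# Usage: classify_response EXPECTED_TOKEN BODY
classify_response() {
    expected="$1"; body="$2"
    if [ "$body" = "$expected" ]; then
        echo ok
    else
        case "$body" in
            *'<!DOCTYPE html'*|*'<html'*) echo html-page ;;
            *) echo mismatch ;;
        esac
    fi
}

# Fetch the probe from the outside over plain HTTP, following redirects
# as the CA does, then clean up. Usage: probe_domain WEBROOT DOMAIN
# Returns 0 only when the token came back byte-for-byte.
probe_domain() {
    webroot="$1"; domain="$2"
    token="probe-$(date +%s)-$$"
    path=$(write_probe_token "$webroot" "$token") || return 1
    body=$(curl -fsSL --max-time 10 \
        "http://$domain/.well-known/acme-challenge/$token")
    result=$(classify_response "$token" "$body")
    rm -f "$path"
    echo "$result"
    [ "$result" = ok ]
}

# Example invocation (assumed paths; prints ok / html-page / mismatch):
# probe_domain /var/www/html/sample/public example.com
```

Run `probe_domain` with the same webroot you pass to `certbot-auto -w`; if it prints `html-page`, fix the virtual host for that domain first, since the CA will see the same page and fail the authorization exactly as above.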

Then I tried once more and it worked.

$ sudo certbot-auto certonly --webroot -w /var/www/html/sample/public -d [ドメイン名] --email mrkmyki@gamil.com --debug
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for [ドメイン名]
Using the webroot path /var/www/html/sample/public for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/[ドメイン名]/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/[ドメイン名]/privkey.pem
   Your cert will expire on 2018-10-12. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

After that, configure it on the httpd side.

The end.