Let's Encrypt ConnectionError: HTTPSConnectionPool(host='acme-v01.api.letsencrypt.org', port=443)

1 Problem

root@zetawiki:~# letsencrypt certonly --standalone -d example.com -d www.example.com
An unexpected error occurred:
ConnectionError: HTTPSConnectionPool(host='acme-v01.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<requests.packages.urllib3.connection.VerifiedHTTPSConnection object at 0x7f3b55eaf2d0>: Failed to establish a new connection: [Errno 101] Network is unreachable',))
Please see the logfiles in /var/log/letsencrypt for more details.

2 Verification

root@zetawiki:~# nc -vz acme-v01.api.letsencrypt.org 443 -w2
nc: connect to acme-v01.api.letsencrypt.org port 443 (tcp) timed out: Operation now in progress
nc: connect to acme-v01.api.letsencrypt.org port 443 (tcp) failed: Network is unreachable
nc: connect to acme-v01.api.letsencrypt.org port 443 (tcp) failed: Network is unreachable
→ Outbound port 443 from this server to the destination is blocked by a firewall
root@zetawiki:~# dig acme-v01.api.letsencrypt.org +short
api.letsencrypt.org.edgekey.net.
e981.dscb.akamaiedge.net.
23.49.148.69

3 Remedy

  • Open outbound port 443 to the destination in the firewall
root@zetawiki:~# nc -vz acme-v01.api.letsencrypt.org 443
Connection to acme-v01.api.letsencrypt.org 443 port [tcp/https] succeeded!

4 Verification 2

  • Either the certificate will be issued normally, as in the 'Verification 3' section, or the error below will occur...
  • The error below occurs because inbound port 443 is blocked...
root@zetawiki:~# letsencrypt certonly --standalone -d example.com -d www.example.com
Failed authorization procedure. example.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout, www.example.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: example.com
   Type:   connection
   Detail: Timeout

   Domain: www.example.com
   Type:   connection
   Detail: Timeout

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

5 Verification 3

  • After opening inbound port 443, the certificate is issued normally
root@zetawiki:~# letsencrypt certonly --standalone -d example.com -d www.example.com

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/example.com/fullchain.pem. Your cert will
   expire on 2018-01-19. To obtain a new version of the certificate in
   the future, simply run Let's Encrypt again.
 - If you like Let's Encrypt, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
  • Once the certificate has been issued, the outbound/inbound firewall rules opened for this task can be closed again
Of course, they will have to be opened again at the next renewal...
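As an added example (not from the original page), a small Python triage helper that tells the two failure modes on this page apart from the letsencrypt output: a client-side NewConnectionError against the ACME host means outbound 443 is blocked, while per-domain 'connection' errors reported by the server mean the CA could not reach this host inbound. The sample outputs are constructed from the messages shown above.

```python
import re

# Constructed samples, trimmed from the two failure outputs shown on this page.
OUTBOUND_BLOCKED = (
    "An unexpected error occurred:\n"
    "ConnectionError: HTTPSConnectionPool(host='acme-v01.api.letsencrypt.org', port=443): "
    "Max retries exceeded with url: /directory (Caused by NewConnectionError('...: "
    "Failed to establish a new connection: [Errno 101] Network is unreachable',))\n"
)
INBOUND_BLOCKED = (
    "Failed authorization procedure. example.com (tls-sni-01): urn:acme:error:connection "
    ":: The server could not connect to the client to verify the domain :: Timeout\n"
    "IMPORTANT NOTES:\n - The following errors were reported by the server:\n\n"
    "   Domain: example.com\n   Type:   connection\n   Detail: Timeout\n\n"
    "   Domain: www.example.com\n   Type:   connection\n   Detail: Timeout\n"
)

_ACME_HOST = re.compile(r"HTTPSConnectionPool\(host='([^']+)', port=(\d+)\)")
_ERRNO = re.compile(r"\[Errno (\d+)\]")
_REPORTED = re.compile(r"Domain:\s+(\S+)\n\s+Type:\s+(\S+)\n\s+Detail:\s+(.+)")


def triage(output):
    """Classify letsencrypt output into the firewall failure modes on this page.

    Returns a dict whose 'cause' is 'outbound-blocked', 'inbound-blocked' or
    'unknown', plus the details parsed from the output to support the verdict."""
    m = _ACME_HOST.search(output)
    if m and "Failed to establish a new connection" in output:
        # The client itself never reached the ACME API (e.g. Errno 101,
        # ENETUNREACH): the fix is the outbound rule towards the ACME host.
        errno = _ERRNO.search(output)
        return {"cause": "outbound-blocked", "host": m.group(1),
                "port": int(m.group(2)),
                "errno": int(errno.group(1)) if errno else None}
    reported = [(d, t, detail.strip()) for d, t, detail in _REPORTED.findall(output)]
    if reported and all(t == "connection" for _, t, _ in reported):
        # The API was reachable, but the CA could not connect back to this host
        # during validation: the inbound port for the challenge is blocked
        # (443 for the tls-sni-01 challenge used on this page).
        return {"cause": "inbound-blocked",
                "domains": [d for d, _, _ in reported],
                "details": sorted({detail for _, _, detail in reported})}
    return {"cause": "unknown"}
```

Note that the tls-sni-01 challenge and the acme-v01 endpoint shown on this page have since been retired by Let's Encrypt; current clients validate with http-01 (inbound port 80) or tls-alpn-01 (inbound port 443), so the inbound port to check depends on the challenge in use.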

6 See also
