csr ファイルに署名して、letsencrypt で署名付き証明書を取得し、Elasticsearch Shield で使用しようとしています。
csr ファイルの作成:
cd CONFIG_DIR/shield
keytool -importcert -keystore node01.jks -file letsencrypt_public.pem -alias letsencrypt
keytool -genkey -alias node01 -keystore node01.jks -keyalg RSA -keysize 2048 -validity 712 -ext san=dns:domain.com,ip:11.11.11.11
keytool -certreq -alias node01 -keystore node01.jks -file node01.csr -keyalg rsa -ext san=dns:domain.com,ip:11.11.11.11
letsencrypt 公式クライアントの使用:
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
./letsencrypt-auto --help
sudo ./letsencrypt-auto auth --csr /etc/elasticsearch/shield/node01.csr
出力:
etc/elasticsearch/shield/node01.csr
Checking for new version...
Requesting root privileges to run letsencrypt...
/home/usera/.local/share/letsencrypt/bin/letsencrypt --no-self-upgrade auth --csr /etc/elasticsearch/shield/node01.csr
No handlers could be found for logger "letsencrypt.crypto_util"
An unexpected error occurred:
The server experienced an internal error :: Error creating new cert
Please see the logfiles in /var/log/letsencrypt for more details.
エラーログ:
raise errors.NoInstallationError
2016-02-21 12:24:30,042:DEBUG:letsencrypt.plugins.disco:Other error: (PluginEntryPoint#webroot): Missing parts of webroot configuration; please set either --webroot-path and --domains, or --webroot-map. Run with -- help webroot for examples.
2016-02-21 12:24:34,354:DEBUG:root:Received <Response [500]>. Headers: {'Content-Length': '88', 'Expires': 'Sun, 21 Feb 2016 12:24:33 GMT', 'Server': 'nginx', 'Connection': 'close', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Sun, 21 Feb 2016 12:24:33 GMT', 'Content-Type': 'application/problem+json', 'Replay-Nonce': 'ldZn123451Bb5D1234godjteu1VLjZ5o7eolv'}. Content: '{"type":"urn:acme:error:serverInternal","detail":"Error creating new cert","status":500}'
2016-02-21 12:24:34,354:DEBUG:acme.client:Received response <Response [500]> (headers: {'Content-Length': '88', 'Expires': 'Sun, 21 Feb 2016 12:24:33 GMT', 'Server': 'nginx', 'Connection': 'close', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Sun, 21 Feb 2016 12:24:33 GMT', 'Content-Type': 'application/problem+json', 'Replay-Nonce': 'ldZn123451Bb5D1234godjteu1VLjZ5ov'}): '{"type":"urn:acme:error:serverInternal","detail":"Error creating new cert","status":500}'
Error: urn:acme:error:serverInternal :: The server experienced an internal error :: Error creating new cert
Shieldが機能するようになったらnginxをシャットダウンすると思いますが、ここで何が問題なのですか? csr ファイルに署名できないのはなぜですか?