Let's Encrypt

Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80.

When I tried to renew the Let's Encrypt certificate with

/usr/bin/certbot renew

the following error occurred and the certificate could not be renewed.

Failed to renew certificate erogamescape.dyndns.org with error: Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80.
ErogameScape is made reachable under the two names
erogamescape.dyndns.org
erogamescape.org
My virtual host configuration covered port 443, but I had not configured one for port 80.
Until now the certificate had always renewed without any problem, so I think something must have changed.
After adding a VirtualHost for port 80 as below, the certificate renewed successfully.
<VirtualHost *:80>
    ServerName erogamescape.org:80
</VirtualHost>
It was not necessary to configure both
erogamescape.dyndns.org
erogamescape.org
Configuring just one of them was enough for the renewal to work.
DocumentRoot and ServerAdmin did not need to be set.

If you want to try the certbot command out, add the --dry-run option, as in
/usr/bin/certbot renew --dry-run
This connects to the staging environment, so you can experiment without worrying about the rate limits.
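As an added example (not part of the original post), here is a small POSIX shell pre-flight check that covers the fix above: before running certbot renew, it confirms that the Apache configuration contains a port-80 VirtualHost naming each certificate domain (ServerName or ServerAlias, with or without a ":80" suffix). The config path and domain list are assumptions, and the sample config is constructed inline.

```shell
#!/bin/sh
# Added example, not from the original post: check that an Apache config
# has a port-80 VirtualHost naming each domain before running certbot renew.
# The sample config below is constructed; real paths/domains are assumptions.

# Print every ServerName/ServerAlias inside *:80 VirtualHost blocks of the
# config file given as $1, one name per line, with any ":port" suffix removed.
port80_names() {
    awk '
        /^[[:space:]]*<VirtualHost[[:space:]]/ { in80 = ($0 ~ /:80[[:space:]]*>/) }
        /^[[:space:]]*<\/VirtualHost>/          { in80 = 0 }
        in80 && $1 ~ /^Server(Name|Alias)$/ {
            for (i = 2; i <= NF; i++) { sub(/:[0-9]+$/, "", $i); print $i }
        }' "$1"
}

# Return 0 if domain $2 is named by some port-80 VirtualHost in config $1.
vhost80_for_domain() {
    port80_names "$1" | grep -Fqix -- "$2"
}

# Report each domain; return 1 if any of them lacks a port-80 VirtualHost.
preflight() {
    conf=$1; shift; rc=0
    for d in "$@"; do
        if vhost80_for_domain "$conf" "$d"; then
            echo "ok:      $d has a port-80 VirtualHost"
        else
            echo "missing: $d has no port-80 VirtualHost (certbot needs one to prove control)"
            rc=1
        fi
    done
    return $rc
}

# Demo on a constructed config: both names on 443, only one of them on 80.
sample=$(mktemp)
cat >"$sample" <<'EOF'
<VirtualHost *:443>
    ServerName erogamescape.dyndns.org
    ServerAlias erogamescape.org
</VirtualHost>
<VirtualHost *:80>
    ServerName erogamescape.org:80
</VirtualHost>
EOF
preflight "$sample" erogamescape.dyndns.org erogamescape.org \
    || echo "fix the config, then test with: certbot renew --dry-run"
rm -f "$sample"
```

Once every domain reports "ok", a certbot renew --dry-run against staging confirms the challenge end to end without touching the production rate limits.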

Failed authorization procedure.

ErogameScape runs the following command when renewing its Let's Encrypt SSL certificate.

# letsencrypt-auto renew --force-renew

This had never caused a problem before, but today it threw the following error and failed to renew.

/root/.local/share/letsencrypt/lib/python2.6/site-packages/cryptography/__init__.py:26: DeprecationWarning: Python 2.6 is no longer supported by the Python core team, please upgrade your Python. A future version of cryptography will drop support for Python 2.6
  DeprecationWarning
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/erogamescape.dyndns.org.conf
-------------------------------------------------------------------------------
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for erogamescape.dyndns.org
Waiting for verification...
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/erogamescape.dyndns.org.conf produced an unexpected error: Failed authorization procedure. erogamescape.dyndns.org (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout. Skipping.

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/erogamescape.dyndns.org/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: erogamescape.dyndns.org
   Type:   connection
   Detail: Timeout

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

None of the items in the IMPORTANT NOTES applied to my setup, so I had no idea what to change to fix it.
I normally give "renew" as the subcommand, but when I tried "run" instead, for some reason the renewal went through...
* The difference between renew and run is, I think, just whether or not you get asked something along the way.

# letsencrypt-auto run --force-renew -d erogamescape.dyndns.org
/root/.local/share/letsencrypt/lib/python2.6/site-packages/cryptography/__init__.py:26: DeprecationWarning: Python 2.6 is no longer supported by the Python core team, please upgrade your Python. A future version of cryptography will drop support for Python 2.6
  DeprecationWarning
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for erogamescape.dyndns.org
Waiting for verification...
Cleaning up challenges
Deploying Certificate for erogamescape.dyndns.org to VirtualHost /etc/httpd/conf.d/ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1

-------------------------------------------------------------------------------
Your existing certificate has been successfully renewed, and the new certificate
has been installed.

The new certificate covers the following domains:
https://erogamescape.dyndns.org

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=erogamescape.dyndns.org
-------------------------------------------------------------------------------

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/erogamescape.dyndns.org/fullchain.pem. Your
   cert will expire on 2017-10-12. To obtain a new or tweaked version
   of this certificate in the future, simply run letsencrypt-auto
   again with the "certonly" option. To non-interactively renew *all*
   of your certificates, run "letsencrypt-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

When I switched the option back to "renew", it renewed.

# letsencrypt-auto renew --force-renew
/root/.local/share/letsencrypt/lib/python2.6/site-packages/cryptography/__init__.py:26: DeprecationWarning: Python 2.6 is no longer supported by the Python core team, please upgrade your Python. A future version of cryptography will drop support for Python 2.6
  DeprecationWarning
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/erogamescape.dyndns.org.conf
-------------------------------------------------------------------------------
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for erogamescape.dyndns.org
Waiting for verification...
Cleaning up challenges

-------------------------------------------------------------------------------
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/erogamescape.dyndns.org/fullchain.pem
-------------------------------------------------------------------------------

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/erogamescape.dyndns.org/fullchain.pem (success)

What was wrong, I wonder...