188 Registry Certbot Recovery
Scope:
registry.wooo.work on host 192.168.0.188.
Verified State On 2026-05-12
- registry.wooo.work certificate expired at May 8 04:16:08 2026 GMT.
- HTTP-01 route check:
  http://registry.wooo.work/.well-known/acme-challenge/codex-route-check
  -> 301 https://aiops.wooo.work/.well-known/acme-challenge/codex-route-check
  -> 404
- /usr/bin/certbot is broken by a Python/OpenSSL mismatch.
- /snap/bin/certbot exists and should be the renewal owner.
- Both the apt certbot.timer and the snap snap.certbot.renew.timer were enabled.
- The ollama SSH user is in the sudo group but has no passwordless sudo in this session, so Codex could not apply the root-level fix directly.
Fix Script
The repo includes a root-only helper. It is dry-run by default:
bash scripts/ops/188-registry-certbot-fix.sh
To apply on 188:
sudo bash /home/ollama/awoooi-ops/188-registry-certbot-fix.sh --apply
The script:
- creates /var/www/certbot;
- installs /etc/nginx/conf.d/registry-acme-http.conf;
- routes registry.wooo.work HTTP-01 to /var/www/certbot;
- reloads Nginx after nginx -t;
- renews registry.wooo.work via /snap/bin/certbot;
- disables the broken apt certbot.timer when snap certbot is present;
- prints the renewed certificate dates.
Post-Fix Verification
Run from any host with network access:
curl -sI --max-redirs 0 http://registry.wooo.work/.well-known/acme-challenge/codex-route-check
openssl s_client -servername registry.wooo.work -connect registry.wooo.work:443 </dev/null 2>/dev/null \
| openssl x509 -noout -subject -issuer -dates
Expected:
- HTTP challenge path returns 404 from the registry.wooo.work vhost, not a redirect to aiops.wooo.work.
- notAfter is renewed to a future date.
- systemctl --failed no longer lists the apt certbot.service after the failed state is reset.
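
Added example, not part of the repo's fix script: a small classifier that turns the output of the two verification commands above into verdicts, so the check can run unattended. The function names are hypothetical and the sample inputs are constructed to mirror the state recorded on 2026-05-12 (the notBefore value is invented).

```sh
#!/bin/sh
# Added example: classify the output of the two post-fix checks.
# Function names and sample inputs are constructed for illustration.

# stdin: headers from `curl -sI --max-redirs 0 <challenge URL>`.
classify_challenge() {
  awk '
    { sub(/\r$/, "") }                       # curl -I output has CRLF line ends
    NR == 1 { status = $2 }                  # e.g. "HTTP/1.1 301 Moved Permanently"
    tolower($1) == "location:" { loc = $2 }
    END {
      if (status == "404" && loc == "") print "ok"
      else if (status ~ /^3/)           print "redirect " loc
      else                              print "unexpected " status
    }'
}

# stdin: `openssl x509 -noout -dates` output; $1: "now" as UTC YYYYmmddHHMMSS
# (defaults to the current time).
classify_not_after() {
  awk -v now="${1:-$(date -u +%Y%m%d%H%M%S)}" '
    /^notAfter=/ {
      sub(/^notAfter=/, "")                  # leaves "May  8 04:16:08 2026 GMT"
      split($3, t, ":")
      m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", $1) + 2) / 3
      stamp = sprintf("%04d%02d%02d%02d%02d%02d", $4, m, $2, t[1], t[2], t[3])
      verdict = (stamp "" > now "") ? "valid" : "expired"
      print verdict; found = 1
    }
    END { if (!found) print "no-notAfter" }'
}

# Constructed samples: the broken route, the expected route, the expired cert.
sample_redirect() {
  printf 'HTTP/1.1 301 Moved Permanently\r\n'
  printf 'Location: https://aiops.wooo.work/.well-known/acme-challenge/codex-route-check\r\n\r\n'
}
sample_fixed() { printf 'HTTP/1.1 404 Not Found\r\nServer: nginx\r\n\r\n'; }
sample_dates() {
  printf 'notBefore=Feb  7 04:16:09 2026 GMT\n'   # invented value
  printf 'notAfter=May  8 04:16:08 2026 GMT\n'
}

sample_redirect | classify_challenge               # broken state
sample_fixed    | classify_challenge               # expected after the fix
sample_dates    | classify_not_after 20260512000000
```

For a live check, pipe the curl and openssl commands above into the two functions in place of the sample functions.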