awoooi/docs/runbooks/REGISTRY-CERTBOT-188.md
Your Name 0bc1878778
chore(ops): add RLS preflight and registry certbot fix bundle
2026-05-12 18:25:53 +08:00

188 Registry Certbot Recovery

Scope: registry.wooo.work on host 192.168.0.188.

Verified State On 2026-05-12

  • registry.wooo.work certificate expired at May 8 04:16:08 2026 GMT.
  • HTTP-01 route check:
      http://registry.wooo.work/.well-known/acme-challenge/codex-route-check
      -> 301 https://aiops.wooo.work/.well-known/acme-challenge/codex-route-check
      -> 404
  • /usr/bin/certbot is broken by Python/OpenSSL mismatch.
  • /snap/bin/certbot exists and should be the renewal owner.
  • Both apt certbot.timer and snap snap.certbot.renew.timer were enabled.
  • The ollama SSH user is in the sudo group but has no passwordless sudo in this session, so Codex could not apply the root-level fix directly.

Fix Script

The repo includes a root-only helper. It is dry-run by default:

bash scripts/ops/188-registry-certbot-fix.sh

To apply on 188:

sudo bash /home/ollama/awoooi-ops/188-registry-certbot-fix.sh --apply

The script:

  • creates /var/www/certbot;
  • installs /etc/nginx/conf.d/registry-acme-http.conf;
  • routes registry.wooo.work HTTP-01 to /var/www/certbot;
  • reloads Nginx after nginx -t;
  • renews registry.wooo.work via /snap/bin/certbot;
  • disables the broken apt certbot.timer when snap certbot is present;
  • prints the renewed certificate dates.

Post-Fix Verification

Run from any host with network access:

curl -sI --max-redirs 0 http://registry.wooo.work/.well-known/acme-challenge/codex-route-check
openssl s_client -servername registry.wooo.work -connect registry.wooo.work:443 </dev/null 2>/dev/null \
  | openssl x509 -noout -subject -issuer -dates

Expected:

  • HTTP challenge path returns 404 from the registry.wooo.work vhost, not a redirect to aiops.wooo.work.
  • notAfter is renewed to a future date.
  • systemctl --failed no longer lists the apt certbot.service once its failed state has been reset.
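
The first two expectations can be evaluated mechanically from the output of the commands above. The following is an added example, not the repo's helper script: the function names and the SAMPLE_* inputs are constructed for illustration, with the 301 redirect and the expired notAfter value taken from the verified state recorded in this runbook.

```shell
#!/usr/bin/env bash
# Added example: judge the two post-fix checks from captured command output.
# Function names and SAMPLE_* inputs are constructed, not taken from the repo.

# Pass only if the challenge path is answered in place: status 404 and no
# Location header. Any redirect means HTTP-01 is still routed elsewhere.
check_challenge_route() {
  local headers status location
  headers=$(printf '%s\n' "$1" | tr -d '\r')
  status=$(printf '%s\n' "$headers" | awk 'NR==1 {print $2}')
  location=$(printf '%s\n' "$headers" | awk 'tolower($1)=="location:" {print $2; exit}')
  if [ "$status" = "404" ] && [ -z "$location" ]; then
    echo "route ok: 404 without redirect"; return 0
  fi
  echo "route FAIL: status=${status:-none} location=${location:-none}"; return 1
}

# Convert "notAfter=May  8 04:16:08 2026 GMT" to a sortable YYYYMMDDHHMMSS key.
not_after_key() {
  printf '%s\n' "$1" | awk -F= '/^notAfter=/ {
    split($2, f, " "); split(f[3], t, ":")
    m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", f[1]) + 2) / 3
    printf "%04d%02d%02d%02d%02d%02d\n", f[4], m, f[2], t[1], t[2], t[3]
  }'
}

# Pass only if notAfter is later than "now" (UTC key, defaults to the clock).
check_not_after() {
  local key now
  key=$(not_after_key "$1")
  now=${2:-$(date -u +%Y%m%d%H%M%S)}
  if [ -z "$key" ]; then echo "cert FAIL: no notAfter line"; return 1; fi
  if [ "$key" -gt "$now" ]; then echo "cert ok: notAfter=$key"; return 0; fi
  echo "cert FAIL: notAfter=$key is not in the future"; return 1
}

# Constructed samples: the redirect and expiry recorded above, then a fixed state.
SAMPLE_BEFORE_HEADERS=$(printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://aiops.wooo.work/.well-known/acme-challenge/codex-route-check\r\n')
SAMPLE_AFTER_HEADERS=$(printf 'HTTP/1.1 404 Not Found\r\nServer: nginx\r\n')
SAMPLE_EXPIRED='notAfter=May  8 04:16:08 2026 GMT'
SAMPLE_RENEWED='notAfter=Aug 10 09:00:00 2026 GMT'

check_challenge_route "$SAMPLE_BEFORE_HEADERS" || true
check_challenge_route "$SAMPLE_AFTER_HEADERS" || true
check_not_after "$SAMPLE_EXPIRED" 20260512120000 || true
check_not_after "$SAMPLE_RENEWED" 20260512120000 || true
```

For a live check, pass the output of the curl and openssl commands above as the first argument of each function and omit the second argument so the system clock is used.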