awoooi/docs/runbooks/REGISTRY-CERTBOT-188.md
Your Name 0bc1878778
chore(ops): add RLS preflight and registry certbot fix bundle
2026-05-12 18:25:53 +08:00

# 188 Registry Certbot Recovery
> Scope: `registry.wooo.work` on host `192.168.0.188`.
## Verified State On 2026-05-12
- `registry.wooo.work` certificate expired at `May 8 04:16:08 2026 GMT`.
- HTTP-01 route check:
```text
http://registry.wooo.work/.well-known/acme-challenge/codex-route-check
-> 301 https://aiops.wooo.work/.well-known/acme-challenge/codex-route-check
-> 404
```
- `/usr/bin/certbot` is broken by a Python/OpenSSL version mismatch.
- `/snap/bin/certbot` exists and should be the renewal owner.
- Both apt `certbot.timer` and snap `snap.certbot.renew.timer` were enabled.
- The `ollama` SSH user is in the `sudo` group but has no passwordless sudo in
  this session, so Codex could not apply the root-level fix directly.
## Fix Script
The repo includes a root-only helper. It is dry-run by default:
```bash
bash scripts/ops/188-registry-certbot-fix.sh
```
To apply on 188:
```bash
sudo bash /home/ollama/awoooi-ops/188-registry-certbot-fix.sh --apply
```
The script:
- creates `/var/www/certbot`;
- installs `/etc/nginx/conf.d/registry-acme-http.conf`;
- routes `registry.wooo.work` HTTP-01 to `/var/www/certbot`;
- reloads Nginx after `nginx -t`;
- renews `registry.wooo.work` via `/snap/bin/certbot`;
- disables the broken apt `certbot.timer` when snap certbot is present;
- prints the renewed certificate dates.
## Post-Fix Verification
Run from any host with network access:
```bash
curl -sI --max-redirs 0 http://registry.wooo.work/.well-known/acme-challenge/codex-route-check
openssl s_client -servername registry.wooo.work -connect registry.wooo.work:443 </dev/null 2>/dev/null \
| openssl x509 -noout -subject -issuer -dates
```
Expected:
- HTTP challenge path returns `404` from the `registry.wooo.work` vhost, not a
redirect to `aiops.wooo.work`.
- `notAfter` is renewed to a future date.
- `systemctl --failed` no longer lists the apt `certbot.service` once its
  failed state has been reset.
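As an added example (not part of this runbook or the repo's fix script), the verification above as a shell script whose pass/fail rules are plain functions, so they can be exercised on captured output before being pointed at 188. The `RUN_LIVE` switch and the function names are assumptions of this example.

```bash
#!/usr/bin/env bash
# Post-fix checks for registry.wooo.work; decisions live in functions so they
# can be tested offline on captured output (example code, not the repo's).
set -u
HOST="registry.wooo.work"
CHALLENGE_URL="http://${HOST}/.well-known/acme-challenge/codex-route-check"

# Pass only when the probe path is answered directly (404 for an unknown token
# is the healthy answer); any Location header means another vhost took it.
# Arg 1: raw headers as printed by `curl -sI --max-redirs 0 "$CHALLENGE_URL"`.
check_challenge_route() {
  local status
  status=$(printf '%s\n' "$1" | awk 'NR == 1 { print $2 }')
  printf '%s\n' "$1" | grep -qi '^location:' && return 1
  [ "$status" = "404" ] || [ "$status" = "200" ]
}

# Turn the `notAfter=May  8 04:16:08 2026 GMT` line from `openssl x509 -dates`
# into a sortable YYYYMMDDHHMMSS key without relying on GNU `date -d`.
cert_expiry_key() {
  printf '%s\n' "$1" | awk -F= '/^notAfter=/ {
    split($2, f, " ")
    mon = (index("JanFebMarAprMayJunJulAugSepOctNovDec", f[1]) + 2) / 3
    split(f[3], t, ":")
    printf "%04d%02d%02d%02d%02d%02d\n", f[4], mon, f[2], t[1], t[2], t[3]
  }'
}

# Pass when notAfter is still in the future.
# Arg 1: `openssl x509 -dates` output; arg 2 (optional): "now" as a key.
check_not_after() {
  local expiry now
  expiry=$(cert_expiry_key "$1")
  now=${2:-$(date -u +%Y%m%d%H%M%S)}
  [ -n "$expiry" ] && [ "$expiry" -gt "$now" ]
}

# Pass when the apt unit is absent. Arg 1: `systemctl --failed --no-legend`.
check_no_failed_certbot() {
  ! printf '%s\n' "$1" | grep -q 'certbot\.service'
}

# Live run against the host (needs network); off by default.
if [ "${RUN_LIVE:-0}" = "1" ]; then
  check_challenge_route "$(curl -sI --max-redirs 0 "$CHALLENGE_URL")" \
    && echo "route: ok" || echo "route: FAIL (redirected?)"
  dates=$(openssl s_client -servername "$HOST" -connect "$HOST:443" \
    </dev/null 2>/dev/null | openssl x509 -noout -dates)
  check_not_after "$dates" && echo "cert: ok ($dates)" || echo "cert: FAIL"
fi
```

Run with `RUN_LIVE=1 bash verify-188.sh` from any host with network access; the third check needs the `systemctl` output from 188 itself.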