# 188 Registry Certbot Recovery

> Scope: `registry.wooo.work` on host `192.168.0.188`.

## Verified State On 2026-05-12

- `registry.wooo.work` certificate expired at `May 8 04:16:08 2026 GMT`.
- HTTP-01 route check:

  ```text
  http://registry.wooo.work/.well-known/acme-challenge/codex-route-check
  -> 301 https://aiops.wooo.work/.well-known/acme-challenge/codex-route-check
  -> 404
  ```

- `/usr/bin/certbot` is broken by a Python/OpenSSL mismatch.
- `/snap/bin/certbot` exists and should be the renewal owner.
- Both the apt `certbot.timer` and the snap `snap.certbot.renew.timer` were enabled.
- The `ollama` SSH user is in the sudo group but has no passwordless sudo in this
  session, so Codex could not apply the root-level fix directly.

## Fix Script

The repo includes a root-only helper. It is dry-run by default:

```bash
bash scripts/ops/188-registry-certbot-fix.sh
```

To apply on 188:

```bash
sudo bash /home/ollama/awoooi-ops/188-registry-certbot-fix.sh --apply
```

The script:

- creates `/var/www/certbot`;
- installs `/etc/nginx/conf.d/registry-acme-http.conf`;
- routes `registry.wooo.work` HTTP-01 to `/var/www/certbot`;
- reloads Nginx after `nginx -t`;
- renews `registry.wooo.work` via `/snap/bin/certbot`;
- disables the broken apt `certbot.timer` when snap certbot is present;
- prints the renewed certificate dates.
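
The following is an added illustration of the step list above, not the repo's own `188-registry-certbot-fix.sh`. It shows the shape a dry-run-by-default fixer takes: a rendered nginx vhost that answers HTTP-01 for `registry.wooo.work` from the webroot and returns `404` for everything else on port 80 (so the challenge path can no longer be redirected to another vhost), every privileged action routed through a `run` wrapper that only prints unless `--apply` is given, and the apt timer disabled only when the snap binary is present. The `certonly --webroot` invocation, the `location ^~` block and the `DRY-RUN:` output format are this example's assumptions; the paths and names come from the list above.

```bash
#!/usr/bin/env bash
# Added example, not the repo's scripts/ops/188-registry-certbot-fix.sh.
# Assumed: the certonly --webroot renewal command and the nginx vhost shape.
set -eu

DOMAIN="registry.wooo.work"
WEBROOT="/var/www/certbot"
CONF_PATH="/etc/nginx/conf.d/registry-acme-http.conf"
CERTBOT="/snap/bin/certbot"
APPLY=0

# Render the port-80 vhost for DOMAIN: serve ACME tokens from WEBROOT only,
# answer 404 for anything else (no redirect to another hostname).
render_acme_conf() {
  cat <<EOF
server {
    listen 80;
    server_name ${DOMAIN};

    location ^~ /.well-known/acme-challenge/ {
        root ${WEBROOT};
        default_type "text/plain";
        try_files \$uri =404;
    }

    location / {
        return 404;
    }
}
EOF
}

# Execute a command in --apply mode; otherwise print what would run.
run() {
  if [ "$APPLY" -eq 1 ]; then
    "$@"
  else
    printf 'DRY-RUN: %s\n' "$*"
  fi
}

# True when the snap certbot exists, i.e. it should own renewal.
snap_certbot_present() {
  [ -x "$CERTBOT" ]
}

fix() {
  run install -d -m 0755 "$WEBROOT"
  if [ "$APPLY" -eq 1 ]; then
    render_acme_conf > "$CONF_PATH"
  else
    printf 'DRY-RUN: write %s:\n' "$CONF_PATH"
    render_acme_conf | sed 's/^/    /'
  fi
  # set -e aborts here if the config test fails, so a bad vhost is never reloaded.
  run nginx -t
  run systemctl reload nginx
  run "$CERTBOT" certonly --webroot -w "$WEBROOT" -d "$DOMAIN" \
    --non-interactive --keep-until-expiring
  if snap_certbot_present; then
    run systemctl disable --now certbot.timer
  fi
  run openssl x509 -noout -dates -in "/etc/letsencrypt/live/${DOMAIN}/cert.pem"
}

main() {
  for arg in "$@"; do
    case "$arg" in
      --apply) APPLY=1 ;;
      *) echo "unknown argument: $arg" >&2; return 2 ;;
    esac
  done
  if [ "$APPLY" -eq 1 ] && [ "$(id -u)" -ne 0 ]; then
    echo "--apply needs root" >&2
    return 1
  fi
  fix
}

main "$@"
```

Without arguments the script only prints the plan, including the rendered vhost, which is what you want to review before running it as root with `--apply`.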

## Post-Fix Verification

Run from any host with network access:

```bash
curl -sI --max-redirs 0 http://registry.wooo.work/.well-known/acme-challenge/codex-route-check
openssl s_client -servername registry.wooo.work -connect registry.wooo.work:443 </dev/null 2>/dev/null \
  | openssl x509 -noout -subject -issuer -dates
```

Expected:

- The HTTP challenge path returns `404` from the `registry.wooo.work` vhost, not a
  redirect to `aiops.wooo.work`.
- `notAfter` is renewed to a future date.
- `systemctl --failed` no longer lists the apt `certbot.service` after the failed
  state is reset.
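
The three expectations above, encoded as checks so the verification can be scripted instead of eyeballed. This is an added example, not part of the runbook; the header, `-dates` and `systemctl` samples are constructed to resemble the real tool output (one broken and one fixed variant each), and the function names `check_challenge_route`, `check_not_after` and `check_no_failed_apt_certbot` are this example's own. Parsing `notAfter` assumes GNU `date -d` on the checking host.

```bash
#!/usr/bin/env bash
# Added example: turn the "Expected" list into pass/fail functions.
# All sample inputs below are CONSTRUCTED, not captured from 188.
set -eu

DOMAIN="registry.wooo.work"

# Constructed: what curl -sI --max-redirs 0 returned while misrouted.
BROKEN_HEADERS='HTTP/1.1 301 Moved Permanently
Server: nginx
Location: https://aiops.wooo.work/.well-known/acme-challenge/codex-route-check
'
# Constructed: what the fixed vhost returns for a token that does not exist.
FIXED_HEADERS='HTTP/1.1 404 Not Found
Server: nginx
Content-Type: text/plain
'

# Pass (0) only when the status is 404 and no Location header is present,
# i.e. the challenge path is answered by this vhost and not redirected away.
check_challenge_route() {
  headers="$1"
  status="$(printf '%s\n' "$headers" | sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p')"
  location="$(printf '%s\n' "$headers" | sed -n 's/^[Ll]ocation: *//p' | tr -d '\r')"
  [ "$status" = "404" ] || return 1
  [ -z "$location" ] || return 1
  return 0
}

# Constructed: the -dates lines from openssl x509, expired and renewed.
EXPIRED_DATES='notBefore=Feb  7 04:16:08 2026 GMT
notAfter=May  8 04:16:08 2026 GMT'
RENEWED_DATES='notBefore=May 12 10:00:00 2026 GMT
notAfter=Aug 10 10:00:00 2026 GMT'

# Pass (0) when notAfter is later than the reference time (epoch seconds).
# The reference defaults to now; callers may pin it for a reproducible result.
check_not_after() {
  dates="$1"
  ref="${2:-$(date +%s)}"
  not_after="$(printf '%s\n' "$dates" | sed -n 's/^notAfter=//p')"
  [ -n "$not_after" ] || return 2
  # Assumption: GNU date, which parses the openssl date format directly.
  exp="$(date -d "$not_after" +%s)"
  [ "$exp" -gt "$ref" ]
}

# Constructed: one line per failed unit, as a plain `systemctl --failed` listing.
FAILED_BEFORE='certbot.service loaded failed failed Certbot'
FAILED_AFTER=''

# Pass (0) when the apt certbot.service is not among the failed units.
check_no_failed_apt_certbot() {
  printf '%s\n' "$1" | grep -q '^certbot\.service' && return 1
  return 0
}

main() {
  if check_challenge_route "$FIXED_HEADERS"; then echo "route: ok"; else echo "route: FAIL"; fi
  if check_not_after "$RENEWED_DATES"; then echo "notAfter: ok"; else echo "notAfter: FAIL"; fi
  if check_no_failed_apt_certbot "$FAILED_AFTER"; then echo "failed units: ok"; else echo "failed units: FAIL"; fi
}

main
```

To use it against the live host, replace the constructed strings with the output of the `curl`, `openssl` and `systemctl --failed` commands above; the checks themselves do not change.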