certbot-auto / letsencrypt为指向同一服务器的多个域设置一个密钥

时间:2016-11-23 00:09:24

标签: nginx https lets-encrypt certbot

我真的更像是一个前端开发者,所以服务器配置对我来说是一个非常新的领域,对不起,如果这是一个简单的问题!

我在尝试让我的certbot-auto为多个域生成SSH密钥时遇到了一些麻烦,指向一个框。

我有3-4个域(domain1.netdomain2.iodomain3.medomain4.codes),它们都指向同一个数字海洋液滴。

之前(几个月前),我曾尝试直接使用letsencrypt(当时没有certbot)。不知何故,我让我的所有域名都使用了SSL,但是他们最近已经过期了,而我现在似乎只能续订domain1.net而不是其余的。

我尝试了以下命令:

./certbot-auto certonly -a webroot --agree-tos -w /var/www/domain1.net/public_html/ \--expand -d domain1.net,www.domain1.net,domain2.io,www.domain2.io,domain3.me,www.domain3.me,domain4.codes,www.domain4.codes

......看来工作了,我得到了以下内容:

| Saving debug log to /var/log/letsencrypt/letsencrypt.log             │
│ Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org      │
│ Cert not yet due for renewal                                         │
│ Renewing an existing certificate                                     │
│ Performing the following challenges:                                 │
│ http-01 challenge for domain1.net                                    │
│ http-01 challenge for www.domain1.net                                │
│ http-01 challenge for domain2.io                                     │
│ http-01 challenge for www.domain2.io                                 │
│ http-01 challenge for domain3.me                                     │
│ http-01 challenge for www.domain3.me                                 │
│ http-01 challenge for domain4.codes                                  │
│ http-01 challenge for www.domain4.codes                              │
│ Using the webroot path /var/www/domain1.net/public_html for          │
│ all unmatched domains.                                               │
│ Waiting for verification...                                          │
│ Cleaning up challenges                                               │
│ Generating key (2048 bits):                                          │
│ /etc/letsencrypt/keys/0012_key-certbot.pem                           │
│ Creating CSR: /etc/letsencrypt/csr/0012_csr-certbot.pem

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/domain1.net/fullchain.pem. Your cert
   will expire on 2017-02-20. To obtain a new or tweaked version of
   this certificate in the future, simply run certbot-auto again. To
   non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

..好的好!但是,只有domain1.netwww.domain1.net似乎正在运作......其他域声称不使用HTTPS!

我还在/etc/letsencrypt/live/目录中看到多个文件..我曾试图让这个工作先前(直接使用letsencrypt,而不是通过certbot)并让它工作到今天,当它们过期时拒绝续约。这就是我在该目录中看到的内容:

tom@Personal:/opt$ sudo ls -la /etc/letsencrypt/live/
total 20
drwx------ 5 root root 4096 Nov 22 18:22 .
drwxr-xr-x 8 root root 4096 Nov 22 18:22 ..
drwxr-xr-x 2 root root 4096 Nov 22 18:41 domain1.net
drwxr-xr-x 2 root root 4096 Oct 16 00:00 domain1.net-0001
drwxr-xr-x 2 root root 4096 Nov 22 18:22 www.domain1.net
嗯...不知道为什么那里有多个条目。不应该只有一个吗?

无论如何 - 我对HTTPS / keys / NginX不够精通,想出这个并且正在撕掉我的头发。我只是想获得我的SSL密钥:

  1. 为所有上述域名工作
  2. 通过certbot-auto续订自动续订
  3. 并不完全确定我在这里搞砸了......任何帮助都非常感谢!

    编辑:这是我的服务器配置块在nginx中的样子:

    server {
    # listen 80 default_server;
    # listen [::]:80 default_server ipv6only=on;
    
    
      # START LETS ENCRYPT ADDITIONS:
      listen 443 ssl;
      server_name domain1.net www.domain1.net domain2.io www.domain2.io domain3.me www.domain3.me domain4.codes www.domain4.codes;
      ssl_certificate /etc/letsencrypt/live/www.domain1.net/fullchain.pem; # managed by Certbot
      ssl_certificate_key /etc/letsencrypt/live/www.domain1.net/privkey.pem; # managed by Certbot
      ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
      ssl_prefer_server_ciphers on;
      ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
      # /END LETS ENCRYPT ADDITION
    
      root /var/www/domain1.net/public_html;
      index index.php index.html index.htm;
    
      # FOR LETSENCRYPT AUTO-RENEWAL, we must give it access to /.well-known
      location ~ /.well-known {
        allow all;
      }
      # /END LETSENCRYPT AUTO_RENEWAL
    
      location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
        # Uncomment to enable naxsi on this location
        # include /etc/nginx/naxsi.rules
      }
    

1 个答案:

答案 0 :(得分:2)

只是想跟进 - 我得到了这个工作!

原来我的命令是正确的,但是我误用了-d标志 - 它需要分别应用于每个域。所以纠正的命令:

./certbot-auto certonly -a webroot --agree-tos -w /var/www/domain1.net/public_html/ \--expand -d domain1.net,www.domain1.net  -d domain2.io,www.domain2.io -d domain3.me,www.domain3.me -d domain4.codes,www.domain4.codes