Question

我正在使用https://serversforhackers.com/video/letsencrypt-for-free-easy-ssl-certificates和https://certbot.eff.org/docs/intro.html，尝试将ssl证书添加到我的网站。我试过了：

root@server:/opt/certbot# ./certbot-auto certonly --webroot -w /var/www/html --agree-tos --email me@yahoo.com -d mysite.com -d www.mysite.com --non-interactive
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for example.com
http-01 challenge for www.example.com
Using the webroot path /var/www/html for all unmatched domains.

...

IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: example.com
Type:   unauthorized
Detail: Invalid response from
example.com.well-known/acme-challenge/gygb7wEj3o-_5MIoUgraBRddmqrtZdfIM-UWMySoNl8:


Domain: www.example.com
Type:   unauthorized
Detail: Invalid response from
www.example.com.well-known/acme-challenge/z8oZ1FAiHBJNwWvLTI-g9hMZ5zoLdJSZBgaQ9CSTJU0:


To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address.
root@server:/opt/certbot# cd .

我检查了域名和A记录，他们似乎没问题。在我的浏览器中，我打开了链接，我看到了屏幕截图，这是有意义的，因为我正在运行一个django应用程序。

如何设置内容以便certbot可以访问webroot？

编辑：

root@server:/etc/nginx# cat nginx.conf
user www-data;
worker_processes auto;
pid /run/nginx.pid;

events {
        worker_connections 768;
        # multi_accept on;
}

http {

        ##
        # Basic Settings
        ##

        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 65;
        types_hash_max_size 2048;
        # server_tokens off;

        # server_names_hash_bucket_size 64;
        # server_name_in_redirect off;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        ##
        # SSL Settings
        ##

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
        ssl_prefer_server_ciphers on;

        ##
        # Logging Settings
        ##

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

        ##
        # Gzip Settings
        ##

        gzip on;
        gzip_disable "msie6";

        # gzip_vary on;
        # gzip_proxied any;
        # gzip_comp_level 6;
        # gzip_buffers 16 8k;
        # gzip_http_version 1.1;
        # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

        ##
        # Virtual Host Configs
        ##

        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;
}


#mail {
#       # See sample authentication script at:
#       # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
#       # auth_http localhost/auth.php;
#       # pop3_capabilities "TOP" "USER";
#       # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
#       server {
#               listen     localhost:110;
#               protocol   pop3;
#               proxy      on;
#       }
#
#       server {
#               listen     localhost:143;
#               protocol   imap;
#               proxy      on;
#       }
#}

/var/log/nginx/access.log显示：

66.133.109.36 - - [10/Feb/2017:13:16:40 -0500] "GET /.well-known/acme-challenge/-GMR_DzXR-oOTzl7LEesFiQI0H-2zCak2Bq3cDO7mTQ HTTP/1.1" 404 1080 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
66.133.109.36 - - [10/Feb/2017:13:16:40 -0500] "GET /.well-known/acme-challenge/4hTpEFaTJDTCiAS-Y9242MmNngEHM6e9cPr2WIdCL4Q HTTP/1.1" 404 1083 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

/var/log/nginx/error.log显示没有错误。

另外我注意到.well已知目录中没有文件：

deploy@server:/var/www/html/.well-known$ ll
total 8
drwxrwxrwx 2 root root 4096 Feb 11 10:20 ./
drwxr-xr-x 3 root root 4096 Feb 10 09:29 ../

编辑2：在/ etc / nginx / sites-available / mysite中我已将其更改为：

server {
    listen 80;
    server_name  mysite.com www.mysite.com;

    location = /favicon.ico { access_log off; log_not_found off; }
    location /static/ {
        root /home/deploy/mysite;
    }

    location / {
        include         uwsgi_params;
        uwsgi_pass      unix:/run/uwsgi/mysite.sock;
    }
    location ~ /.well-known {
                allow all;
    }
}

重启nginx - 同样的错误

Answer 1

以下内容适用于网站的服务器区域：

server {
    listen 80;
    server_name  mysite.com www.mysite.com;

    location = /favicon.ico { access_log off; log_not_found off; }
    location /static/ {
        root /home/deploy/mysite;
    }

    location / {
        include         uwsgi_params;
        uwsgi_pass      unix:/run/uwsgi/mysite.sock;
    }
    location ^~ /\.well-known {
            allow all;
    }
}

编辑：这是另一个可行的选项：

 location ^~ /.well-known/acme-challenge/ {
         default_type "text/plain";
             root /var/www/html;

Certbot无法访问运行django

1 个答案: