Let's Encrypt: adding a new subdomain

Time: 2017-02-10 17:30:40

Tags: nginx lets-encrypt

I have configured Let's Encrypt in /etc/letsencrypt/cli.ini. My configuration:

rsa-key-size=4096
email=mail@mydomain.eu
text=True
agree-tos=True
keep-until-expiring=True
expand=True
allow-subset-of-names=True
authenticator=webroot
webroot-path=/var/www/letsencrypt
domains=mydomain.eu, sub1.mydomain.eu, sub2.mydomain.eu

My nginx configuration:

server {
  listen 80;

  location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        root /var/www/letsencrypt;
  }

  location / {
        return 301 https://$host$request_uri;
  }
}

server {
    listen 443 ssl http2;
    server_name *.mydomain.eu;
    return 404;
}

server {

    listen 443 ssl http2;
    server_name mydomain.eu www.mydomain.eu;
    root /var/www/mydomain.eu/public_html;

    include snippets/ssl.conf;

    access_log            /var/log/nginx/mydomain.eu.access.log;

    location / {
        index index.html index.htm index.php;
        try_files $uri $uri/ =404;
    }

    location /share {
        autoindex on;
        auth_basic "Restricted";
        auth_basic_user_file /etc/nginx/htpasswd;
    }
}

Contents of snippets/ssl.conf:

ssl on;

ssl_session_cache shared:SSL:10m;
ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
ssl_prefer_server_ciphers on;

ssl_certificate /etc/letsencrypt/live/mydomain.eu/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mydomain.eu/privkey.pem;

ssl_dhparam /etc/ssl/certs/dhparam.pem;

add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header X-Frame-Options "SAMEORIGIN";

I catch the path .well-known/acme-challenge/ for all domains and subdomains so that acme can authorize each domain and subdomain. This has worked for me for more than a year without any problems.

But if I try to add a new subdomain to the cli.ini file, the acme challenge fails, but only for the new subdomain, not for the old ones:

I added a new subdomain, sub3.mydomain.eu, to cli.ini. If I run certbot-auto certonly, I get the following output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for mydomain.eu
http-01 challenge for sub1.mydomain.eu
http-01 challenge for sub2.mydomain.eu
http-01 challenge for sub3.mydomain.eu
Using the webroot path /var/www/letsencrypt for all unmatched domains.
Waiting for verification...
Challenge failed for domain sub3.mydomain.eu
Cleaning up challenges
Generating key (4096 bits): /etc/letsencrypt/keys/0040_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0040_csr-certbot.pem
[...]

I checked the logs and found the following error:

{
  "identifier": {
    "type": "dns",
    "value": "sub3.mydomain.eu"
  },
  "status": "invalid",
  "expires": "2017-02-17T17:17:29Z",
  "challenges": [
    {
      "type": "tls-sni-01",
      "status": "pending",
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/rlQsLhkKj3s8WxB8ZYWG5MFPDIjuZ0h6ghFhHFF2k0A/623740576",
      "token": "8GnNDlFyRxJV8QiGB4uX2XbkfE4feMI_Yum8Rxsu3TA"
    },
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:acme:error:unauthorized",
        "detail": "Invalid response from http://sub3.mydomain.eu/.well-known/acme-challenge/9xqc2sX_b8gKmUk14-nKghYia7Rz6sTr-br3bJagnzY: \"\u003chtml\u003e\r\n\u003chead\u003e\u003ctitle\u003e404 Not Found\u003c/title\u003e\u003c/head\u003e\r\n\u003cbody bgcolor=\"white\"\u003e\r\n\u003ccenter\u003e\u003ch1\u003e404 Not Found\u003c/h1\u003e\u003c/center\u003e\r\n\u003chr\u003e\u003ccenter\u003e\"",
        "status": 403
      },
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/rlQsLhkKj3s8WxB8ZYWG5MFPDIjuZ0h6ghFhHFF2k0A/623740577",
      "token": "9xqc2sX_b8gKmUk14-nKghYia7Rz6sTr-br3bJagnzY",
      "keyAuthorization": "9xqc2sX_b8gKmUk14-nKghYia7Rz6sTr-br3bJagnzY.7c4bz076EKEVzI3EYojyd8naz0v2AfRo3Nzn5WM-AGU",
      "validationRecord": [
        {
          "url": "http://sub3.mydomain.eu/.well-known/acme-challenge/9xqc2sX_b8gKmUk14-nKghYia7Rz6sTr-br3bJagnzY",
          "hostname": "sub3.mydomain.eu",
          "port": "80",
          "addressesResolved": [
            "*.*.*.*"
          ],
          "addressUsed": "*.*.*.*"
        }
      ]
    },
    {
      "type": "dns-01",
      "status": "pending",
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/rlQsLhkKj3s8WxB8ZYWG5MFPDIjuZ0h6ghFhHFF2k0A/623740578",
      "token": "oFX-vtdtDIk9abrZt0pkLAKz9F-XbwpvWNZrJMMVcHM"
    }
  ],
  "combinations": [
    [
      0
    ],
    [
      1
    ],
    [
      2
    ]
  ]
}
2017-02-10 17:17:37,460:WARNING:certbot.auth_handler:Challenge failed for domain sub3.mydomain.eu

I am really confused as to why acme cannot challenge the new subdomain. Does anyone know why this error occurs and how to fix it?
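A pre-flight check for the http-01 webroot setup described in the question, added here as an example (it is not part of the question and not certbot's own code). The log above shows what the CA does: it resolves the hostname, fetches http://<host>/.well-known/acme-challenge/<token> on port 80, and compares the body with the `keyAuthorization`, which is `token.thumbprint` where the thumbprint is the RFC 7638 hash of the ACME account key. The script below reproduces that check from the server side: it computes the key authorization for a JWK, drops the challenge file under a webroot the way nginx's `root /var/www/letsencrypt` expects it, fetches it over plain HTTP without following redirects (so a 301 to https:// from the `location /` block shows up as a failure rather than being silently followed), and extracts the failed `validationRecord` entries from a certbot/Boulder authorization object. Assumptions: the webroot path and hostnames on the command line are yours; `RFC7638_EXAMPLE_JWK` is the public test vector from RFC 7638 section 3.1 (the CA would of course use your real account key); `SAMPLE_AUTHZ` is a constructed authorization object modelled on the log in the question, with example.test names and a made-up token.

```python
"""Pre-flight checks for an ACME http-01 webroot setup.

Added example, not from the question and not certbot code. Assumptions:
  - RFC7638_EXAMPLE_JWK is the public test key from RFC 7638 section 3.1
  - SAMPLE_AUTHZ is constructed, modelled on the authorization log in the
    question (example.test names, made-up token)
"""
import base64
import hashlib
import json
import os
import sys
import tempfile
import urllib.error
import urllib.request

CHALLENGE_DIR = ".well-known/acme-challenge"

RFC7638_EXAMPLE_JWK = {  # RFC 7638 section 3.1 test vector (public key only)
    "kty": "RSA",
    "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
    "e": "AQAB",
}

SAMPLE_AUTHZ = {  # constructed, shaped like the question's log
    "identifier": {"type": "dns", "value": "sub3.example.test"},
    "status": "invalid",
    "challenges": [
        {"type": "tls-sni-01", "status": "pending", "token": "tlsTok"},
        {"type": "http-01", "status": "invalid", "token": "httpTok",
         "error": {"type": "urn:acme:error:unauthorized",
                   "detail": "Invalid response from http://sub3.example.test/"
                             ".well-known/acme-challenge/httpTok: \"<html>404\""},
         "validationRecord": [{"hostname": "sub3.example.test", "port": "80",
                               "url": "http://sub3.example.test/.well-known/acme-challenge/httpTok"}]},
    ],
}


def b64url(data: bytes) -> str:
    """Base64url without padding, as JOSE/ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the canonical {"e","kty","n"} JSON (sorted keys, no whitespace)."""
    canonical = json.dumps({"e": jwk["e"], "kty": jwk["kty"], "n": jwk["n"]},
                           separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """Exact body the CA expects at /.well-known/acme-challenge/<token>."""
    return token + "." + jwk_thumbprint(jwk)


def place_challenge(webroot: str, token: str, jwk: dict) -> str:
    """Write the challenge file where nginx's `root <webroot>` maps the challenge URI."""
    directory = os.path.join(webroot, *CHALLENGE_DIR.split("/"))
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, token)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(key_authorization(token, jwk))
    return path


def response_matches(body: str, token: str, jwk: dict) -> bool:
    """The CA strips trailing whitespace from the body before comparing."""
    return body.rstrip(" \t\r\n") == key_authorization(token, jwk)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse redirects: a 301 to https:// means `location /` answered, not the ACME location."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(hostname: str, token: str, jwk: dict, timeout: float = 10) -> tuple:
    """Fetch the challenge over plain HTTP on port 80, as the CA does; returns (http_status, body_ok)."""
    url = "http://%s/%s/%s" % (hostname, CHALLENGE_DIR, token)
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
            return resp.status, response_matches(body, token, jwk)
    except urllib.error.HTTPError as exc:  # 301/403/404 and friends land here
        return exc.code, False


def failed_http01(authz: dict) -> list:
    """(hostname, url, error type) for each failed http-01 validation record in an authorization."""
    found = []
    for ch in authz.get("challenges", []):
        if ch.get("type") != "http-01" or ch.get("status") != "invalid":
            continue
        for rec in ch.get("validationRecord", []):
            found.append((rec["hostname"], rec["url"], ch["error"]["type"]))
    return found


def scratch_webroot() -> str:
    """Throwaway webroot for trying place_challenge() without touching /var/www."""
    return tempfile.mkdtemp(prefix="acme-webroot-")


if __name__ == "__main__":
    # Usage: python3 acme_preflight.py /var/www/letsencrypt mydomain.eu sub3.mydomain.eu
    webroot, hosts = sys.argv[1], sys.argv[2:]
    token = b64url(os.urandom(32))  # random token, like the CA's
    place_challenge(webroot, token, RFC7638_EXAMPLE_JWK)  # any JWK works for a self-test
    for host in hosts:
        status, ok = probe(host, token, RFC7638_EXAMPLE_JWK)
        print("%-30s HTTP %s  %s" % (host, status, "OK" if ok else "MISMATCH"))
```

Run it on the web server with the real webroot and every name from `domains=` in cli.ini; a host that prints a 404 or a 301 is one whose port-80 request is not reaching the `location ^~ /.well-known/acme-challenge/` block with the expected `root`, which is exactly what the CA's `validationRecord` would report.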

1 answer:

Answer 0 (score: 0)

I "solved" the problem by completely reinstalling letsencrypt. I backed up cli.ini and wiped the /etc/letsencrypt directory. The problem could not be reproduced.
