letsencrypt certbot超时错误

时间:2017-07-03 18:38:18

标签: ubuntu nginx amazon-ec2 ssl-certificate lets-encrypt

尝试运行命令时,我遇到了这个奇怪的letsencrypt错误

$ certbot certonly --standalone --email example@gmail.com --agree-tos -n -d trumporate.com,www.trumporate.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for trumporate.com
tls-sni-01 challenge for www.trumporate.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. trumporate.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout, www.trumporate.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: trumporate.com
   Type:   connection
   Detail: Timeout

   Domain: www.trumporate.com
   Type:   connection
   Detail: Timeout

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

现在我使用

生成了文件dhparam
$ sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

这是我目前的nginx配置文件

$ cat /etc/nginx/sites-available/trumporate 
server {
    listen 80;
    server_name trumporate.com www.trumporate.com; 

    location / {
        include proxy_params;
        proxy_redirect off;
        proxy_pass http://127.0.0.1:5000;
    }
}

不知道我哪里错了。我应该在运行certbot的这个虚拟机上解析trumporate.com吗?

停止nginx并再次运行,发出同样的错误

我已通过route53注册域名。 它有2个A型记录,指向连接到ec2盒子的弹性IP。 一个用于www版本,一个没有它,并且有4个NS记录和一个SOA记录,我认为在创建托管区域时默认存在

2 个答案:

答案 0 :(得分:6)

  

trumporate.com应该在我运行certbot的这个虚拟机上解析吗?

听起来你没有在你试图获得证书的ec2盒子上运行命令。这将是一个问题,因为standalone旋转网络服务器,然后尝试使用您提供的域外部命中它。这"证明"你可以这么说拥有这个域名。您需要从ec2框运行命令,并且需要通过安全组打开它运行到世界的端口。您可以使用--tls-sni-01-port指定tls-sni端口(失败的端口),但默认情况下为443,因此您可能只需要打开端口443。

您还提到您正在使用route53,因此您可以使用route53验证程序。这样做的好处是可以在任何地方工作,只需要在运行它的计算机上设置访问密钥/密钥。

certbot certonly --dns-route53 --domains trumporate.com,www.trumporate.com

答案 1 :(得分:0)

此类问题的一个选项是中断对域.well-known文件夹的访问。例如,.htaccess将所有查询重定向到index.php ..