我正在尝试使用“让我们加密”在Tomcat9 Web应用程序上设置SSL加密。
我已经安装了certbot,现在尝试使用以下命令:
sudo certbot certonly --webroot -w /opt/tomcat/webapps -d <redacted>.<redacted>.com
这将返回以下错误:
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for <redacted>.<redacted>.com
Using the webroot path /opt/tomcat/webapps for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. <redacted>.<redacted>.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://<redacted>.<redacted>.com/.well-known/acme-challenge/powESSrI_zlg9nr4LDji5wqs4BjllfL7rooWYlfsI 7I: "<!doctype html><html lang=\"en\"><head><title>HTTP Status 404 \u2013 Not Found</title><style type=\"text/css\">h1 {font-family:Tahoma,A"
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: <redacted>.<redacted>.com
Type: unauthorized
Detail: Invalid response from
http://<redacted>.<redacted>.com/.well-known/acme-challenge/powESSrI_zlg9nr4LDji5wqs4BjllfL7rooWYlfsI7I:
"<!doctype html><html lang=\"en\"><head><title>HTTP Status 404 –
Not Found</title><style type=\"text/css\">h1 {font-family:Tahoma,A"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
为了测试我没有问题,我创建了一个.well-known/acme-challenge/testing.txt
文件,并使用curl成功访问了它。
我刚刚检查了权限,并且/opt/tomcat/webapps/
文件夹属于tomcat:tomcat
,所以我不确定问题是否出在权限上。我现在已经锁定root,并且将尽快重置速率限制。我非常怀疑这是否是解决方案。
我确实查看了/var/log/letsencrypt/letsencrypt.log
,并且在创建.well-known
文件夹期间似乎没有出现任何问题。我在下面添加了摘录,以防万一。
2018-10-10 17:25:49,150:INFO:certbot.auth_handler:Performing the following challenges:
2018-10-10 17:25:49,151:INFO:certbot.auth_handler:http-01 challenge for <redacted>.<redacted>,com
2018-10-10 17:25:49,151:INFO:certbot.plugins.webroot:Using the webroot path /opt/tomcat/webapps for all unmatched domains.
2018-10-10 17:25:49,151:DEBUG:certbot.plugins.webroot:Creating root challenges validation dir at /opt/tomcat/webapps/.well-known/acme-challenge
2018-10-10 17:25:49,154:DEBUG:certbot.plugins.webroot:Attempting to save validation to /opt/tomcat/webapps/.well-known/acme-challenge/26fFGVVXXxdpeOq_E8ha_rfXi_LM_5j6Z4et2PNp2gs
2018-10-10 17:25:49,155:INFO:certbot.auth_handler:Waiting for verification...
2018-10-10 17:25:49,155:DEBUG:acme.client:JWS payload:
b'{\n "resource": "challenge",\n "keyAuthorization": "26fFGVVXXxdpeOq_E8ha_rfXi_LM_5j6Z4et2PNp2gs.ME_OY5WqxTYCKhCOPRnWxkWCKD7ThYqX1E18W8YCLfQ",\n "type": "http-01"\n}'
2018-10-10 17:25:49,157:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/challenge/odmYFnjnVCFba_0hGrBdix9qidaHr8qzsqfafPG_EwU/8149996040:
{
"protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvNDM2MjM1OTciLCAibm9uY2UiOiAibVN2LUdaOGlRLXlEYkVwZ2E0RUlCX0VtNWxiZ01MMUVlbWhEWm5ZeGVVWSIsICJ1cm$
"signature": "TyjDjNvL294YTVe6O9eQzgCRBfVuZQV5wcZJgRpSIuUAfXN7N-_A8XSv-yLI-smmZxQSug5ZPidfqwN4nQwguye9WfBMdpEEFKpky5HwD9Pb83r0XOCkBm5nGQnXxTuEeIb22j4wXwVJW1oY769UWLp9wnSkFGopIIzhvN9GGIKzzLhugK1LPgMgkJK0G3$
"payload": "ewogICJyZXNvdXJjZSI6ICJjaGFsbGVuZ2UiLAogICJrZXlBdXRob3JpemF0aW9uIjogIjI2ZkZHVlZYWHhkcGVPcV9FOGhhX3JmWGlfTE1fNWo2WjRldDJQTnAyZ3MuTUVfT1k1V3F4VFlDS2hDT1BSbld4a1dDS0Q3VGhZcVgxRTE4VzhZQ0xmUSIsCiAg$
}
2018-10-10 17:25:49,360:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/challenge/odmYFnjnVCFba_0hGrBdix9qidaHr8qzsqfafPG_EwU/8149996040 HTTP/1.1" 200 223
2018-10-10 17:25:49,361:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 223
Boulder-Requester: 43623597
Link: <https://acme-v02.api.letsencrypt.org/acme/authz/odmYFnjnVCFba_0hGrBdix9qidaHr8qzsqfafPG_EwU>;rel="up"
Location: https://acme-v02.api.letsencrypt.org/acme/challenge/odmYFnjnVCFba_0hGrBdix9qidaHr8qzsqfafPG_EwU/8149996040
Replay-Nonce: MPjDFzJp80MvZiwxnBunswO7KnQDESpZ89YSoF7Dyeo
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Wed, 10 Oct 2018 17:25:49 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 10 Oct 2018 17:25:49 GMT
Connection: keep-alive
{
"type": "http-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/challenge/odmYFnjnVCFba_0hGrBdix9qidaHr8qzsqfafPG_EwU/8149996040",
"token": "26fFGVVXXxdpeOq_E8ha_rfXi_LM_5j6Z4et2PNp2gs"
}
2018-10-10 17:25:49,361:DEBUG:acme.client:Storing nonce: MPjDFzJp80MvZiwxnBunswO7KnQDESpZ89YSoF7Dyeo
2018-10-10 17:25:52,365:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/acme/authz/odmYFnjnVCFba_0hGrBdix9qidaHr8qzsqfafPG_EwU.
2018-10-10 17:25:52,560:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /acme/authz/odmYFnjnVCFba_0hGrBdix9qidaHr8qzsqfafPG_EwU HTTP/1.1" 200 1772
2018-10-10 17:25:52,561:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 1772
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Wed, 10 Oct 2018 17:25:52 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 10 Oct 2018 17:25:52 GMT
Connection: keep-alive
{
"identifier": {
"type": "dns",
"value": "<redacted>.<redacted>,com"
},
"status": "invalid",
"expires": "2018-10-17T17:25:48Z",
"challenges": [
{
"type": "http-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": "Invalid response from http://<redacted>.<redacted>,com/.well-known/acme-challenge/26fFGVVXXxdpeOq_E8ha_rfXi_LM_5j6Z4et2PNp2gs: \"\u003c!doctype html\u003e\u003chtml lang=\\\"en\\\"\$
"status": 403
},
"url": "https://acme-v02.api.letsencrypt.org/acme/challenge/odmYFnjnVCFba_0hGrBdix9qidaHr8qzsqfafPG_EwU/8149996040",
"token": "26fFGVVXXxdpeOq_E8ha_rfXi_LM_5j6Z4et2PNp2gs",
"validationRecord": [
{
"url": "http://<redacted>.<redacted>,com/.well-known/acme-challenge/26fFGVVXXxdpeOq_E8ha_rfXi_LM_5j6Z4et2PNp2gs",
"hostname": "<redacted>.<redacted>,com",
"port": "80",
"addressesResolved": [
"<redacted>"
],
"addressUsed": "<redacted>"
}
]
},
{
"type": "dns-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": "Invalid response from http://<redacted>.<redacted>,com/.well-known/acme-challenge/26fFGVVXXxdpeOq_E8ha_rfXi_LM_5j6Z4et2PNp2gs: \"\u003c!doctype html\u003e\u003chtml lang=\\\"en\\\"\$
"status": 403
},
"url": "https://acme-v02.api.letsencrypt.org/acme/challenge/odmYFnjnVCFba_0hGrBdix9qidaHr8qzsqfafPG_EwU/8149996040",
"token": "26fFGVVXXxdpeOq_E8ha_rfXi_LM_5j6Z4et2PNp2gs",
"validationRecord": [
{
"url": "http://<redacted>.<redacted>,com/.well-known/acme-challenge/26fFGVVXXxdpeOq_E8ha_rfXi_LM_5j6Z4et2PNp2gs",
"hostname": "<redacted>.<redacted>,com",
"port": "80",
"addressesResolved": [
"<redacted>"
],
"addressUsed": "<redacted>"
}
]
},
{
"type": "dns-01",
"status": "invalid",
"url": "https://acme-v02.api.letsencrypt.org/acme/challenge/odmYFnjnVCFba_0hGrBdix9qidaHr8qzsqfafPG_EwU/8149996041",
"token": "Spw_JOZoMRrFUsprklfbEsvndZElESITmGETwEjoDqs"
},
{
"type": "tls-alpn-01",
"status": "invalid",
"url": "https://acme-v02.api.letsencrypt.org/acme/challenge/odmYFnjnVCFba_0hGrBdix9qidaHr8qzsqfafPG_EwU/8149996042",
"token": "isqG0IfT0WxC2FIl24XlZ18E8j0wadfJejZEYgMRGfk"
}
]
}
2018-10-10 17:25:52,562:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:
Domain: <redacted>.<redacted>,com
Type: unauthorized
Detail: Invalid response from http://<redacted>.<redacted>,com/.well-known/acme-challenge/26fFGVVXXxdpeOq_E8ha_rfXi_LM_5j6Z4et2PNp2gs: "<!doctype html><html lang=\"en\"><head><title>HTTP Status 404 – $
To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
2018-10-10 17:25:52,562:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 82, in handle_authorizations
self._respond(aauthzrs, resp, best_effort)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 155, in _respond
self._poll_challenges(aauthzrs, chall_update, best_effort)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 226, in _poll_challenges
raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. <redacted>.<redacted>,com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid re$
答案 0 :(得分:1)
问题出在tomcat / webapp文件夹的权限中,一旦授予了根文件夹的权限,并且letencrypt创建并验证了相应文件。