Certbot auto-renewal fails with "The client lacks sufficient authorization": why?

Time: 2019-01-30 09:25:38

Tags: certbot

For years I have had certbot auto-renewing certificates for several domains on the same server (Apache 2.2, Debian 7). But today I noticed that my crontab was not renewing the certificates, so I tried to do it over SSH with the following command:

./certbot-auto renew

Here is the error output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/www.domain1.fr.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for domain2.fr
http-01 challenge for domain1.fr
http-01 challenge for www.domain2.fr
http-01 challenge for www.domain1.fr
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (www.domain1.fr) from /etc/letsencrypt/renewal/www.domain1.fr.conf produced an unexpected error: Failed authorization procedure. domain2.fr (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://domain2.fr/.well-known/acme-challenge/ZIp1x0730t7J0iJii67jS95Fli2eLhPA12SgXGzR6P8 [151.80.100.117]: 503, www.domain1.fr (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.domain1.fr/.well-known/acme-challenge/hoy1fNZkCyBkK2kA7gQhhW8QpWiCk7K00kFHsxNcZgc [151.80.100.117]: 503, domain1.fr (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://domain1.fr/.well-known/acme-challenge/LvfaVWC1VzbOehKgFvJe1gNd3tsEWUH3eBDan1-q8Oo [151.80.100.117]: 503, www.domain2.fr (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.domain2.fr/.well-known/acme-challenge/fOAwU_IAvKW7AC9nAFNZ6InVHrYB9VmuB9tGvEGpU2c [151.80.100.117]: 503. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/www.domain1.fr/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/www.domain1.fr/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: domain2.fr
   Type:   unauthorized
   Detail: Invalid response from
   http://domain2.fr/.well-known/acme-challenge/ZIp1x0730t7J0iJii67jS95Fli2eLhPA12SgXGzR6P8
   [151.80.100.117]: 503

   Domain: www.domain1.fr
   Type:   unauthorized
   Detail: Invalid response from
   http://www.domain1.fr/.well-known/acme-challenge/hoy1fNZkCyBkK2kA7gQhhW8QpWiCk7K00kFHsxNcZgc
   [151.80.100.117]: 503

   Domain: domain1.fr
   Type:   unauthorized
   Detail: Invalid response from
   http://domain1.fr/.well-known/acme-challenge/LvfaVWC1VzbOehKgFvJe1gNd3tsEWUH3eBDan1-q8Oo
   [151.80.100.117]: 503

   Domain: www.domain2.fr
   Type:   unauthorized
   Detail: Invalid response from
   http://www.domain2.fr/.well-known/acme-challenge/fOAwU_IAvKW7AC9nAFNZ6InVHrYB9VmuB9tGvEGpU2c
   [151.80.100.117]: 503

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.

I have not changed anything in the vhost configuration or the server configuration, so I do not understand why certbot no longer has the authorization to renew automatically.


Edit:

All domains have a DNS A record with the correct IP.

My /.well-known/ folder currently has 0777 permissions.

5 answers:

Answer 0 (score: 1)

Make sure every hostname has a DNS A record and that each .well-known/acme-challenge directory is reachable; when it complains with a 503 Service Unavailable it could not be more obvious. The log file /var/log/letsencrypt/letsencrypt.log probably contains more information.

a) On one domain, .well-known/acme-challenge needs to be excluded from the URL rewriting:

# %{REQUEST_URI} carries the leading slash, so the pattern has to start with "/"
RewriteCond %{REQUEST_URI} !^/\.well-known/(.*)$

b) and on the other domain, :80 must not redirect to :443.
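The two conditions in this answer (the challenge path must be reachable on port 80, and must not be swallowed by a rewrite or a redirect) can be checked before running `certbot renew`. The script below is an added example written for this thread, not certbot's own code or anything posted by the answerer: it requests `http://<host>/.well-known/acme-challenge/<token>` the way the ACME validator does, but without following redirects, so a 503, a rewrite sending the path elsewhere, or a port 80 to 443 redirect each show up as a separate verdict. The hostnames on the command line and the probe token are constructed placeholders; a correctly served webroot answers 404 for a token that does not exist. One caveat on (b): Let's Encrypt's validator does follow redirects, including to HTTPS, so that verdict is a flag to verify the redirect target rather than a hard failure.

```python
"""Pre-flight probe of the http-01 challenge path before `certbot renew`.

Added example for this thread, not certbot's code. It fetches
http://<host>/.well-known/acme-challenge/<probe-token> without following
redirects so that a 503, a rewrite swallowing the path, or a port-80-to-443
redirect is reported per host. Hostnames and the probe token are constructed.
"""
import sys
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable, Optional, Tuple

CHALLENGE_PATH = "/.well-known/acme-challenge/"
# Constructed token: no such file exists, so a correctly served webroot
# answers 404 with no redirect.
PROBE_TOKEN = "preflight-probe-token-not-a-real-challenge"

Fetcher = Callable[[str], Tuple[int, Optional[str]]]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses instead of following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib then raises HTTPError carrying the 3xx


def http_fetch(url: str, timeout: float = 5.0) -> Tuple[int, Optional[str]]:
    """Plain HTTP GET; returns (status, Location header or None)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


def classify(status: int, location: Optional[str]) -> Tuple[str, str]:
    """Map one response to a (verdict, explanation) pair."""
    if status == 503:
        return ("service-unavailable",
                "503 for the challenge path: the port-80 vhost for this host "
                "is refusing requests (the symptom in the question)")
    if 300 <= status < 400:
        if location and location.startswith("https://"):
            return ("redirect-to-https",
                    f"port 80 redirects to {location}; exclude {CHALLENGE_PATH} "
                    "from the redirect or confirm the HTTPS side serves the tokens")
        return ("redirect-elsewhere",
                f"redirected to {location!r}; a RewriteRule is likely rewriting "
                f"{CHALLENGE_PATH} instead of leaving it alone")
    if status == 404:
        return ("ok", "404 for a nonexistent token: the path reaches the webroot")
    if status == 200:
        return ("catch-all",
                "200 for a nonexistent token: something other than the webroot "
                "answers this path; confirm real tokens are served from it")
    return ("unexpected", f"HTTP {status} for the challenge path")


def preflight(hosts: Iterable[str], fetch: Fetcher = http_fetch
              ) -> Dict[str, Tuple[str, str]]:
    """Probe every host; returns host -> (verdict, explanation)."""
    results: Dict[str, Tuple[str, str]] = {}
    for host in hosts:
        url = f"http://{host}{CHALLENGE_PATH}{PROBE_TOKEN}"
        try:
            status, location = fetch(url)
        except OSError as err:  # URLError, timeouts, refused connections
            results[host] = ("unreachable", f"{url}: {err}")
            continue
        results[host] = classify(status, location)
    return results


if __name__ == "__main__":
    # Usage: python preflight.py domain1.fr www.domain1.fr domain2.fr
    for host, (verdict, why) in preflight(sys.argv[1:]).items():
        print(f"{host}: {verdict}: {why}")
```

Run it against every name listed in the renewal configuration; any verdict other than `ok` for a host is worth fixing before the real renewal, since the validator will see the same answer the probe saw. The `fetch` parameter exists so the classification can be exercised with canned responses without a live server.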

Answer 1 (score: 0)

I found an alternative solution, but I have not fixed the problem.

I did a trick similar to the one here: I used the following command:

./certbot-auto certonly -d www.domain1.fr -d domain1.fr -d domain2.fr -d www.domain2.fr

My certificates are working again now.

So the problem (I think) is the way certbot-auto renew matches the webroot of each site.

Many thanks to @Martin Zeitler for your help and time.

Answer 2 (score: 0)

Try the nginx-certbot solution:

sudo add-apt-repository ppa:certbot/certbot
sudo apt install python-certbot-nginx
sudo certbot --nginx -d xxx.xxx.com

https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-18-04

Answer 3 (score: 0)

In our case our DNS was working fine, but we were still getting the lacks sufficient authorization error.

We finally came across a resource here: https://webdock.io/en/docs/webdock-control-panel/common-certbot-errors

which led us to find that running

certbot rollback

followed by:

certbot renew

finally let us renew the certificate.

We were on the verge of standing up a brand-new VM and migrating everything over, because after many attempts at fixing the problem the certificate finally expired and we were in crunch mode.

Hopefully this saves someone some pain.

Answer 4 (score: 0)

In my case, I had updated the DocumentRoot of some of the virtual hosts in my Apache config, which broke the LE renewal.

You can check the LE renewal configuration under /etc/letsencrypt/renewal/mysite.com.conf; the paths under the webroot_map section:

[[webroot_map]]
mysite.com = /var/www/vhosts/mysite.com
www.mysite.com = /var/www/vhosts/mysite.com

should match the DocumentRoot in your Apache vhost configuration.

Following my example, you can compare them with: grep DocumentRoot /etc/apache2/sites-enabled/mysite.com.conf
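The comparison this answer describes by hand, done for every host at once: the script below is an added example written for this thread, not code from the answerer or from certbot. It reads the `[[webroot_map]]` section of a renewal file and the `ServerName`/`ServerAlias`/`DocumentRoot` directives of Apache `<VirtualHost>` blocks, preferring the port 80 vhost (the one the http-01 request reaches), and reports every host whose certbot webroot differs from the directory Apache actually serves. The two sample configurations are constructed inline to reproduce the situation in the answer (DocumentRoot moved after the certificate was first issued); the `renewal_conf`/`apache_conf` parameters and all function names are this example's own.

```python
"""Compare certbot's webroot_map with the DocumentRoot Apache serves per host.

Added example for this thread, not certbot's or Apache's code. Assumes the
renewal file's `[[webroot_map]]` section holds `host = path` lines and the
Apache config uses <VirtualHost> blocks with ServerName/ServerAlias/
DocumentRoot. Sample configurations below are constructed.
"""
import re
import sys
from typing import Dict, List

# Constructed sample: what certbot recorded when the certificate was issued.
SAMPLE_RENEWAL = """\
# renew_before_expiry = 30 days
archive_dir = /etc/letsencrypt/archive/mysite.com
cert = /etc/letsencrypt/live/mysite.com/cert.pem

[renewalparams]
authenticator = webroot
[[webroot_map]]
mysite.com = /var/www/vhosts/mysite.com
www.mysite.com = /var/www/vhosts/mysite.com
"""

# Constructed sample: the vhost after its DocumentRoot was moved.
SAMPLE_APACHE = """\
<VirtualHost *:80>
    ServerName mysite.com
    ServerAlias www.mysite.com
    # DocumentRoot was moved after the certificate was first issued
    DocumentRoot /var/www/vhosts/mysite.com/public
</VirtualHost>
"""


def parse_webroot_map(text: str) -> Dict[str, str]:
    """Return host -> webroot from the [[webroot_map]] section."""
    roots: Dict[str, str] = {}
    in_map = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_map = line == "[[webroot_map]]"
            continue
        if in_map and "=" in line:
            host, path = (part.strip() for part in line.split("=", 1))
            roots[host] = path.rstrip("/")
    return roots


def parse_vhosts(text: str) -> Dict[str, str]:
    """Return host -> DocumentRoot, preferring the vhost bound to port 80."""
    hosts: Dict[str, str] = {}
    blocks = re.findall(r"<VirtualHost\s+([^>]*)>(.*?)</VirtualHost>",
                        text, re.S | re.I)
    for addr, body in blocks:
        names: List[str] = []
        docroot = None
        for raw in body.splitlines():
            line = raw.split("#", 1)[0].strip()  # drop comments
            parts = line.split(None, 1)
            if len(parts) < 2:
                continue
            key, value = parts[0].lower(), parts[1].strip().strip('"')
            if key == "servername":
                names.append(value)
            elif key == "serveralias":
                names.extend(value.split())
            elif key == "documentroot":
                docroot = value.rstrip("/")
        if docroot is None:
            continue
        for name in names:
            if name not in hosts or ":80" in addr:
                hosts[name] = docroot
    return hosts


def find_mismatches(renewal_conf: str, apache_conf: str) -> List[str]:
    """One message per host whose certbot webroot is not what Apache serves."""
    webroots = parse_webroot_map(renewal_conf)
    docroots = parse_vhosts(apache_conf)
    problems: List[str] = []
    for host, webroot in webroots.items():
        docroot = docroots.get(host)
        if docroot is None:
            problems.append(f"{host}: no Apache vhost names this host")
        elif docroot != webroot:
            problems.append(f"{host}: certbot writes tokens to {webroot} "
                            f"but Apache serves {docroot}")
    return problems


if __name__ == "__main__":
    # Usage: python webroot_check.py RENEWAL.conf APACHE-VHOST.conf
    # (with no arguments the constructed samples are compared)
    if len(sys.argv) == 3:
        renewal, apache = (open(p, encoding="utf-8").read() for p in sys.argv[1:])
    else:
        renewal, apache = SAMPLE_RENEWAL, SAMPLE_APACHE
    for problem in find_mismatches(renewal, apache) or ["no mismatches"]:
        print(problem)
```

On the samples both hosts are reported, because certbot would still drop the challenge token under `/var/www/vhosts/mysite.com` while Apache answers port 80 from `.../public`, which is exactly the silent break this answer describes. Fixing either side (editing the `webroot_map` paths, or re-running `certbot certonly --webroot -w <new root> -d ...` so certbot rewrites the renewal file) makes the report empty.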