我尝试在 Amazon AWS 上为 Linux 2 下运行的 Apache 上的三个域安装证书。其中一个域失败了。收到以下消息:
Performing the following challenges:
http-01 challenge for mydomain1.com
http-01 challenge for mydomain2.com
http-01 challenge for mydomain3.com
http-01 challenge for www.mydomain1.com
http-01 challenge for www.mydomain2.com
http-01 challenge for www.mydomain3.com
Waiting for verification...
Challenge failed for domain mydomain3.com
Challenge failed for domain www.mydomain3.com
http-01 challenge for mydomain3.com
http-01 challenge for www.mydomain3.com
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: mydomain3.com
Type: unauthorized
Detail: Invalid response from
https://mydomain3.com/.well-known/acme-challenge/8W5lCczmyaR5ZLVfQ1Am_48QhMt9y1EXZNxmjQ9y0aY
[2600:9000:20e9:6600:14:9b04:8440:93a1]: "<!DOCTYPE HTML PUBLIC
\"-//W3C//DTD HTML 4.01 Transitional//EN\"
\"http://www.w3.org/TR/html4/loose.dtd\">\n<HTML><HEAD><META
HTTP-EQ"
Domain: www.mydomain3.com
Type: unauthorized
Detail: Invalid response from
https://www.mydomain3.com/.well-known/acme-challenge/OnWRlKfCFqWDAEtf-N1j00wqZwLtT3rPDBrcWapwVdQ
[2600:9000:20e9:6600:14:9b04:8440:93a1]: "<!DOCTYPE HTML PUBLIC
\"-//W3C//DTD HTML 4.01 Transitional//EN\"
\"http://www.w3.org/TR/html4/loose.dtd\">\n<HTML><HEAD><META
HTTP-EQ"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
对于 mydomain3.com,A 和 AAAA 记录实际上是 Cloudfront 的别名,因此它们不包含 IP 地址。
因此,我有一个问题:如果我想使用 Cloudfront,我是否应该将服务器 IP 地址放在 A 和 AAAA 记录中,创建证书,然后将 A 和 AAAA 记录再次别名为 Cloudfront?或者我该如何处理 certbot 不想为 mydomain3.com 创建证书的事实?
此外,我决定看看是否可以在 httpd.conf 中为 mydomain2.com 成功创建使用 SSL 的虚拟主机。如下所示:
<VirtualHost *:443>
ServerName "mydomain2.com"
ServerAlias "www.mydomain2.com"
DocumentRoot "/var/www/html/mydomain2"
SSLEngine on
SSLCertificateFile "/etc/letsencrypt/live/server.crt"
SSLCertificateKeyFile "/etc/letsencrypt/live/server.key"
</VirtualHost>
最后两行()中的位置/etc/letsencrypt/live/
基于此:
Let's Encrypt + certbot:私钥在哪里
然而,在服务器上查看,我没有看到/etc/letsencrypt/live/
在 /etc/letsencrypt/ 下,我看到五个目录:accounts、csr、keys、renewal、renewal-hooks
还有两个文件:
.updated-options-ssl-apache-conf-digest.txt
和
options-ssl-apache.conf
执行此命令:
sudo ls /etc/letsencrypt/keys/
显示
0000_key-certbot.pem
如何为 mydomain2.com 和 mydomain3.com 实现 SSL?谢谢!
答案1
你/etc/letsencrypt/live/
应该有证书你用 certbot 发行的。如果该文件夹不在您的系统中,则意味着您尚未颁发任何证书。
使用 cloudfront 时,您会遇到您所说的问题,您需要完全控制 apache/nginx 安装上的域,并且不使用系统外部的任何 CDN/缓存。正如您所说,您可以临时更改 DNS 服务器上的 A/CNAME DNS 条目以直接指向您的服务器,但请记住 DNS 系统上有缓存,因此您应该等待 DNS 条目的 TTL 过期秒数,以允许 Let's Encrypt 服务器在您更改 DNS 条目后与您的真实服务器联系。
如果你不想每 3 个月更改一次 DNS 条目您可以更改为 DNS 验证您只需要在 DNS 服务器上添加一个新条目来验证您是域的所有者。检查这个 ServerFault 问题:https://serverfault.com/questions/750902/how-to-use-lets-encrypt-dns-challenge-validation