Let's Encrypt + certbot - 没有 /etc/letsencrypt/live 目录

Let's Encrypt + certbot - 没有 /etc/letsencrypt/live 目录

我尝试在 Amazon AWS 上为 Linux 2 下运行的 Apache 上的三个域安装证书。其中一个域失败了。收到以下消息:

Performing the following challenges:
http-01 challenge for mydomain1.com
http-01 challenge for mydomain2.com
http-01 challenge for mydomain3.com
http-01 challenge for www.mydomain1.com
http-01 challenge for www.mydomain2.com
http-01 challenge for www.mydomain3.com
Waiting for verification...
Challenge failed for domain mydomain3.com
Challenge failed for domain www.mydomain3.com
http-01 challenge for mydomain3.com
http-01 challenge for www.mydomain3.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: mydomain3.com
   Type:   unauthorized
   Detail: Invalid response from
   https://mydomain3.com/.well-known/acme-challenge/8W5lCczmyaR5ZLVfQ1Am_48QhMt9y1EXZNxmjQ9y0aY
   [2600:9000:20e9:6600:14:9b04:8440:93a1]: "<!DOCTYPE HTML PUBLIC
   \"-//W3C//DTD HTML 4.01 Transitional//EN\"
   \"http://www.w3.org/TR/html4/loose.dtd\">\n<HTML><HEAD><META
   HTTP-EQ"

   Domain: www.mydomain3.com
   Type:   unauthorized
   Detail: Invalid response from
   https://www.mydomain3.com/.well-known/acme-challenge/OnWRlKfCFqWDAEtf-N1j00wqZwLtT3rPDBrcWapwVdQ
   [2600:9000:20e9:6600:14:9b04:8440:93a1]: "<!DOCTYPE HTML PUBLIC
   \"-//W3C//DTD HTML 4.01 Transitional//EN\"
   \"http://www.w3.org/TR/html4/loose.dtd\">\n<HTML><HEAD><META
   HTTP-EQ"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.

对于 mydomain3.com,A 和 AAAA 记录实际上是 Cloudfront 的别名,因此它们不包含 IP 地址。

因此,我有一个问题:如果我想使用 Cloudfront,我是否应该将服务器 IP 地址放在 A 和 AAAA 记录中,创建证书,然后将 A 和 AAAA 记录再次别名为 Cloudfront?或者我该如何处理 certbot 不想为 mydomain3.com 创建证书的事实?

此外,我决定看看是否可以在 httpd.conf 中为 mydomain2.com 成功创建使用 SSL 的虚拟主机。如下所示:

<VirtualHost *:443>
    ServerName "mydomain2.com"
    ServerAlias "www.mydomain2.com"
    DocumentRoot "/var/www/html/mydomain2"
    SSLEngine on
    SSLCertificateFile "/etc/letsencrypt/live/server.crt"
    SSLCertificateKeyFile "/etc/letsencrypt/live/server.key"
</VirtualHost>

最后两行()中的位置/etc/letsencrypt/live/基于此: Let's Encrypt + certbot:私钥在哪里

然而,在服务器上查看,我没有看到/etc/letsencrypt/live/

在 /etc/letsencrypt/ 下,我看到五个目录:accounts、csr、keys、renewal、renewal-hooks

还有两个文件: .updated-options-ssl-apache-conf-digest.txtoptions-ssl-apache.conf

执行此命令: sudo ls /etc/letsencrypt/keys/ 显示 0000_key-certbot.pem

如何为 mydomain2.com 和 mydomain3.com 实现 SSL?谢谢!

答案1

/etc/letsencrypt/live/应该有证书你用 certbot 发行的。如果该文件夹不在您的系统中,则意味着您尚未颁发任何证书。

使用 cloudfront 时,您会遇到您所说的问题,您需要完全控制 apache/nginx 安装上的域,并且不使用系统外部的任何 CDN/缓存。正如您所说,您可以临时更改 DNS 服务器上的 A/CNAME DNS 条目以直接指向您的服务器,但请记住 DNS 系统上有缓存,因此您应该等待 DNS 条目的 TTL 过期秒数,以允许 Let's Encrypt 服务器在您更改 DNS 条目后与您的真实服务器联系。

如果你不想每 3 个月更改一次 DNS 条目您可以更改为 DNS 验证您只需要在 DNS 服务器上添加一个新条目来验证您是域的所有者。检查这个 ServerFault 问题:https://serverfault.com/questions/750902/how-to-use-lets-encrypt-dns-challenge-validation

相关内容