certbot LetsEncrypt 证书安装失败

I have a small test server at home, and I registered with LetsEncrypt to get a valid certificate.

The certificate has expired and is not renewed automatically (no harm done, it is only used for testing purposes).

I don't remember how I installed the certificate, and `certbot` was not installed on the server, which runs "Debian GNU/Linux 12 (bookworm)" (actually an LXD container, if that is relevant).

I installed certbot the standard way:

sudo apt update && sudo apt install certbot python3-certbot-nginx

Then went on to use it:

sudo certbot --nginx -d blog.mydomain.it

But I got an unexpected error:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for blog.mydomain.it

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/blog.mydomain.it/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/blog.mydomain.it/privkey.pem
This certificate expires on 2024-02-14.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

Deploying certificate
Successfully deployed certificate for blog.mydomain.it to /etc/nginx/sites-enabled/blog.conf
We were unable to install your certificate, however, we successfully restored your server to its prior configuration.

NEXT STEPS:
- The certificate was saved, but could not be installed (installer: nginx). After fixing the error shown below, try installing it again by running:
  certbot install --cert-name blog.mydomain.it

nginx restart failed:
2023/11/16 23:31:55 [emerg] 561#561: SSL_CTX_use_PrivateKey("/etc/letsencrypt/blog.mydomain.it_ecc/private.key") failed (SSL: error:05800074:x509 certificate routines::key values mismatch)

Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

I guess there is some mismatch between the previous certificate installation and what certbot is trying to do, but I don't know how to proceed.

I can easily wipe the old certificate if that is useful, but I would like to understand first, before making a deeper mess.

I need to reinstall the certificate without disturbing the server itself (reasonable downtime is perfectly fine).

Update:

As requested (it doesn't seem to add any information, but...):

mcon@webserver:~$ sudo certbot install --cert-name blog.mydomain.it
[sudo] password for mcon: 
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Deploying certificate
Successfully deployed certificate for blog.mydomain.it to /etc/nginx/sites-enabled/blog.conf
We were unable to install your certificate, however, we successfully restored your server to its prior configuration.
nginx restart failed:
2023/11/17 09:08:38 [emerg] 3162#3162: SSL_CTX_use_PrivateKey("/etc/letsencrypt/blog.mydomain.it_ecc/private.key") failed (SSL: error:05800074:x509 certificate routines::key values mismatch)

Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
mcon@webserver:~$ 

Update 2:

My /etc/nginx/sites-enabled/blog.conf contains the following definition:

server {
    listen 443 ssl;
    server_name blog.mydomain.it;
    root /var/www/vitepress;
    ssl_certificate /etc/letsencrypt/blog.mydomain.it/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/blog.mydomain.it/privkey.pem;
    ssl_certificate /etc/letsencrypt/blog.mydomain.it/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/blog.mydomain.it_ecc/private.key;

    location / {
        index index.html;
        try_files $uri $uri/ /index.html;
    }
}

Commenting out the second ssl_certificate/ssl_certificate_key pair actually fixed the problem.

Now my (working!) setup is as follows:

server {
    listen 443 ssl;
    server_name blog.mydomain.it;
    root /var/www/vitepress;
    ssl_certificate /etc/letsencrypt/live/blog.mydomain.it/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/blog.mydomain.it/privkey.pem; # managed by Certbot

    location / {
        index index.html;
        try_files $uri $uri/ /index.html;
    }
}
server {
    if ($host = blog.mydomain.it) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    server_name blog.mydomain.it;
    return 404; # managed by Certbot
}

I am still curious about what exactly went wrong and why those two lines were there (surely to avoid repeating the error), but the problem seems solved.
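The error nginx printed ("SSL_CTX_use_PrivateKey ... key values mismatch") is nginx's startup check that the public key inside each ssl_certificate file equals the one derived from the ssl_certificate_key directive that follows it. In the broken config above, the second pair combines fullchain.pem with an EC private key from a different directory (blog.mydomain.it_ecc/private.key), so OpenSSL refuses to load it. Those /etc/letsencrypt/<domain> and <domain>_ecc paths are also not certbot's layout (certbot's nginx installer references /etc/letsencrypt/live/<name>/), which is why the certbot-managed lines point elsewhere. The script below is an added example, not part of the original post and not a certbot or nginx tool: it reproduces the mismatch with a constructed RSA key/self-signed certificate and an unrelated EC key, then checks every ssl_certificate/ssl_certificate_key pair in a server block the same way nginx would. The temp-dir layout, file names and the domain blog.example.test are assumptions; the only dependency is the openssl CLI.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce the nginx
# "key values mismatch" failure and check ssl_certificate /
# ssl_certificate_key pairs before nginx does. Requires the openssl CLI.
# Paths, file names and the domain blog.example.test are constructed fixtures.

set -u

# Return 0 if the public key embedded in certificate $1 equals the public key
# derived from private key $2 (RSA or EC), 1 if they differ, 2 if either file
# cannot be parsed. This is the comparison OpenSSL performs when nginx calls
# SSL_CTX_use_PrivateKey after loading the certificate of the same pair.
key_matches_cert() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 2
    key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Pair each ssl_certificate directive with the ssl_certificate_key that
# follows it (nginx pairs them in order of appearance) and verify every pair
# in config file $1. Assumes unquoted paths. Prints one OK/MISMATCH line per
# pair; returns 1 if any pair mismatches (or a file is unreadable).
check_nginx_pairs() {
    conf=$1
    status=0
    cert=""
    while IFS= read -r line; do
        set -- $line                 # split the line into words
        [ $# -ge 2 ] || continue
        directive=$1
        value=${2%;}                 # drop the trailing ';'
        case $directive in
            ssl_certificate)
                cert=$value ;;
            ssl_certificate_key)
                if [ -n "$cert" ]; then
                    if key_matches_cert "$cert" "$value"; then
                        echo "OK       $cert <-> $value"
                    else
                        echo "MISMATCH $cert <-> $value"
                        status=1
                    fi
                fi
                cert="" ;;
        esac
    done < "$conf"
    return "$status"
}

# Build a constructed fixture in a fresh temp dir: an RSA key and self-signed
# cert standing in for privkey.pem/fullchain.pem, an unrelated EC key standing
# in for the stray _ecc/private.key, and a server block mirroring the broken
# one from the question. Prints the directory path.
make_fixture() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=blog.example.test" \
        -keyout "$dir/privkey.pem" -out "$dir/fullchain.pem" >/dev/null 2>&1
    openssl ecparam -genkey -name prime256v1 -noout \
        -out "$dir/private.key" 2>/dev/null
    cat > "$dir/blog.conf" <<EOF
server {
    listen 443 ssl;
    server_name blog.example.test;
    ssl_certificate $dir/fullchain.pem;
    ssl_certificate_key $dir/privkey.pem;
    ssl_certificate $dir/fullchain.pem;
    ssl_certificate_key $dir/private.key;
}
EOF
    echo "$dir"
}

# Demo entry point: run with `sh check_pairs.sh --demo`.
main() {
    d=$(make_fixture)
    echo "checking $d/blog.conf"
    if check_nginx_pairs "$d/blog.conf"; then
        echo "all pairs consistent"
    else
        echo "at least one pair would make nginx fail with 'key values mismatch'"
    fi
    rm -rf "$d"
}

case "${1:-}" in --demo) main ;; esac
```

On a real server the same check is what `nginx -t` performs (it loads every certificate and key and reports the mismatch without restarting the service), so running it before `certbot install` or a reload is the cheap way to catch a stray pair like the one above. Note that nginx does accept multiple ssl_certificate/ssl_certificate_key pairs in one server block (for example an RSA and an ECDSA certificate side by side), which is presumably what the second pair was meant to be; it only fails because each key must belong to the certificate listed directly before it.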
