我家里有一个小型测试服务器,我注册了 LetsEncrypt 以获得有效的证书。
证书已过期且不会自动续订(不会造成任何损害,这仅用于测试目的)。
我不记得我是如何安装证书的,并且“certbot”没有安装在运行“Debian GNU/Linux 12 (bookworm)”的服务器上(实际上是 LXD 容器,如果相关的话)。
我certbot用标准安装:
sudo apt update && sudo apt install certbot python3-certbot-nginx
然后继续使用它:
sudo certbot --nginx -d blog.mydomain.it
但我收到了一个意外的错误:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for blog.mydomain.it
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/blog.mydomain.it/fullchain.pem
Key is saved at: /etc/letsencrypt/live/blog.mydomain.it/privkey.pem
This certificate expires on 2024-02-14.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
Deploying certificate
Successfully deployed certificate for blog.mydomain.it to /etc/nginx/sites-enabled/blog.conf
We were unable to install your certificate, however, we successfully restored your server to its prior configuration.
NEXT STEPS:
- The certificate was saved, but could not be installed (installer: nginx). After fixing the error shown below, try installing it again by running:
certbot install --cert-name blog.mydomain.it
nginx restart failed:
2023/11/16 23:31:55 [emerg] 561#561: SSL_CTX_use_PrivateKey("/etc/letsencrypt/blog.mydomain.it_ecc/private.key") failed (SSL: error:05800074:x509 certificate routines::key values mismatch)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
我猜想以前的证书安装和正在尝试执行的操作之间存在一些不匹配certbot,但我不知道如何继续。
如果有用的话,我可以轻松擦除旧证书,但在造成更深的混乱之前我想先了解一下。
我需要重新安装证书而不干扰服务器本身(合理的停机时间是完全可以的)。
更新:
根据要求(它似乎没有添加任何信息,但是......):
mcon@webserver:~$ sudo certbot install --cert-name blog.mydomain.it
[sudo] password for mcon:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Deploying certificate
Successfully deployed certificate for blog.mydomain.it to /etc/nginx/sites-enabled/blog.conf
We were unable to install your certificate, however, we successfully restored your server to its prior configuration.
nginx restart failed:
2023/11/17 09:08:38 [emerg] 3162#3162: SSL_CTX_use_PrivateKey("/etc/letsencrypt/blog.mydomain.it_ecc/private.key") failed (SSL: error:05800074:x509 certificate routines::key values mismatch)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
mcon@webserver:~$
更新2:
我的/etc/nginx/sites-enabled/blog.conf包含以下定义:
server {
listen 443 ssl;
server_name blog.mydomain.it;
root /var/www/vitepress;
ssl_certificate /etc/letsencrypt/blog.mydomain.it/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/blog.mydomain.it/privkey.pem;
ssl_certificate /etc/letsencrypt/blog.mydomain.it/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/blog.mydomain.it_ecc/private.key;
location / {
index index.html;
try_files $uri $uri/ /index.html;
}
}
注释掉第二个ssl_certificate/ssl_certificate_key
对实际上解决了问题。
现在我的(工作!)安装如下:
server {
listen 443 ssl;
server_name blog.mydomain.it;
root /var/www/vitepress;
ssl_certificate /etc/letsencrypt/live/blog.mydomain.it/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/blog.mydomain.it/privkey.pem; # managed by Certbot
location / {
index index.html;
try_files $uri $uri/ /index.html;
}
}
server {
if ($host = blog.mydomain.it) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name blog.mydomain.it;
return 404; # managed by Certbot
}
我仍然很好奇到底出了什么问题,以及为什么这两行在那里(当然是为了避免重复错误),但问题似乎已经解决了。