我刚刚设置了我的服务器,但我无法使我的配置与 Certbot 配合使用。总是这样。我尝试了一些不同的配置,但都不起作用。这是我的最后一次尝试。它总是说:“获取验证数据时出错”有人知道为什么这不起作用吗?
完整安装:
sudo apt-get update && sudo apt-get upgrade
Ign http://ftp.debian.org jessie InRelease
[...]
Processing triggers for initramfs-tools (0.120+deb8u3) ...
Processing triggers for ca-certificates (20141019+deb8u3) ...
Updating certificates in /etc/ssl/certs... 0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d....done.
sudo apt-get install nano
Reading package lists... Done
[...]
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
[...]
update-alternatives: using /bin/nano to provide /usr/bin/pico (pico) in auto mode
sudo apt install curl
Reading package lists... Done
[...]
0 upgraded, 4 newly installed, 0 to remove and 0 not upgraded.
[...]
sudo mkdir -p /var/www/mydomain.ru/public_html
sudo chown -R root:root /var/www/mydomain.ru/public_html
sudo chmod -R 755 /var/www
nano /var/www/mydomain.ru/public_html/index.html
cd /etc/apache2/sites-available/
/etc/apache2/sites-available# ls
000-default.conf default-ssl.conf
/etc/apache2/sites-available# cd
sudo cp /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-available/mydomain.ru.conf
sudo nano /etc/apache2/sites-available/mydomain.ru.conf
sudo nano /etc/apache2/sites-available/mydomain.ru.conf
sudo a2ensite mydomain.ru.conf
Enabling site mydomain.ru.
To activate the new configuration, you need to run:
service apache2 reload
sudo a2dissite 000-default.conf
Site 000-default disabled.
To activate the new configuration, you need to run:
service apache2 reload
sudo a2dissite default-ssl.conf
Site default-ssl already disabled
sudo /etc/init.d/apache2 restart
[ ok ] Restarting apache2 (via systemctl): apache2.service.
sudo nano /etc/apache2/sites-available/mydomain.ru.conf
sudo /etc/init.d/apache2 restart
[ ok ] Restarting apache2 (via systemctl): apache2.service.
sudo nano /etc/apache2/sites-available/mydomain.ru.conf
sudo nano /etc/apt/sources.list
apt-get update
Ign http://ftp.debian.org jessie InRelease
[...]
Reading package lists... Done
sudo apt-get install python-certbot-apache -t jessie-backports
Reading package lists... Done
[...]
0 upgraded, 34 newly installed, 0 to remove and 32 not upgraded.
[...]
Do you want to continue? [Y/n] y
Get:1 http://ftp.debian.org/debian/ jessie-backports/main augeas-lenses all 1.8.0-1~bpo8+1 [422 kB]
[...]
Processing triggers for libc-bin (2.19-18+deb8u10) ...
sudo certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Which names would you like to activate HTTPS for?
-------------------------------------------------------------------------------
1: mydomain.ru
2: www.mydomain.ru
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel):[email protected]
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf. You must agree
in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: a
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for mydomain.ru
tls-sni-01 challenge for www.mydomain.ru
Enabled Apache socache_shmcb module
Enabled Apache ssl module
/usr/lib/python2.7/dist-packages/OpenSSL/rand.py:58: UserWarning: implicit cast from 'char *' to a different pointer type: will be forbidden in the future (check that the types are as you expect; use an explicit ffi.cast() if they are correct)
result_code = _lib.RAND_bytes(result_buffer, num_bytes)
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. www.mydomain.ru (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Error getting validation data, mydomain.ru (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Error getting validation data
IMPORTANT NOTES:
- If you lose your account credentials, you can recover through
e-mails sent to [email protected].
- The following errors were reported by the server:
Domain: www.mydomain.ru
Type: connection
Detail: Error getting validation data
Domain: mydomain.ru
Type: connection
Detail: Error getting validation data
To fix these errors, please make sure that your domain name was
[...]
making regular backups of this folder is ideal.
我的 /etc/apache2/sites-available/mydomain.ru.conf 中的变化
<IfModule mod_ssl.c>
<VirtualHost mydomain.ru:443>
ServerAdmin [email protected]
ServerName mydomain.ru:443
ServerAlias www.mydomain.ru
DocumentRoot /var/www/mydomain.ru/public_html
# Available loglevels: trace8, ..., trace1, debug, info, notice$
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
答案1
您的 apache 服务器是否可在 vhost 的域中外部(更大的互联网)使用?当您请求证书时,certbot 会修改您的 apache 配置以将验证令牌发送到您网站上的特殊 URL(通常是)/.well-known/acme-challenge/<sometoken>。然后,Let's Encrypt 将尝试使用您正在为其请求证书的域名来访问该路径。这就是他们确认您公开拥有您正在为其请求证书的域的方式。
如果该网络服务器不是公共的,或者没有与指向它的虚拟主机匹配的公共 DNS 条目,Let's Encrypt 将无法请求其授权令牌。
答案2
我需要使用以下行来配置 iptables:
sudo iptables -I INPUT 1 -p tcp --dport 443 -j ACCEPT
答案3
将我的网站从一台服务器迁移到另一台服务器后也遇到了类似的问题。问题是 HTTP 被重定向到 HTTPS,而 HTTPS 尚未正确配置。删除重定向后,可以certbot通过端口 80 上的 HTTP 访问验证令牌。
为了记录,我得到了
SSL 收到的记录超出了最大允许长度。错误代码:SSL_ERROR_RX_RECORD_TOO_LONG
当尝试使用 Firefox 访问验证令牌时。