假设我有一个域名domain.com
这个域名是在 Go Daddy 注册的,使用 Go Daddy 控制面板,我将域名指向某个 IP,比如说1.2.3.4
此 IP1.2.3.4
属于 AWS EC2 实例。
机器运行Ubuntu
并提供我想要的内容nginx
。
lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.2 LTS
Release: 16.04
Codename: xenial
nginx -v
nginx version: nginx/1.10.3 (Ubuntu)
Let's Encrypt
我使用设置了 SSL 证书certbot
。我通过发出以下命令来执行此操作sudo certbot --nginx
证书已生成,三个月来一切顺利。我的网站通过 正确提供服务https
,证书有效。
我的证书最近已过期,因此我尝试续订。我首先发出了此命令。
sudo certbot renew
错误大致如下:
Detail: Incorrect validation certificate for tls-sni-01 challenge. Requested 243e624c366db6a6f6aca6ac57f6f3cc.16fe65202571c102848dfa2b97afa875.acme.invalid from 1.2.3.4:443. Received 2 certificate(s), first certificate had names "domain.com"
WARNING:certbot.renewal:Attempting to renew cert (domain.com) from /etc/letsencrypt/renewal/domain.com.conf produced an unexpected error: Failed authorization procedure. domain.com (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 243e624c366db6a6f6aca6ac57f6f3cc.16fe65202571c102848dfa2b97afa875.acme.invalid from 1.2.3.4:443. Received 2 certificate(s), first certificate had names "domain.com". Skipping.
当我发出此命令时,nginx
服务器仍在运行。我停止了服务器并再次尝试,还尝试了命令的其他变体。我尝试sudo certbot renew
再次运行,sudo certbot --nginx
再次尝试sudo certbot renew --agree-tos
其他。
我不知道Let's Encrypt
施加的速率限制。上次尝试时,我收到错误:
Attempting to renew cert (domain.com) from /etc/letsencrypt/renewal/domain.com.conf produced an unexpected error: urn:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new authz :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/. Skipping.
当我再次获得访问权限后Let's Encrypt
,我该如何解决这个问题?
如何Let's Encrypt
为机器nginx
上运行的服务器更新证书Ubuntu
?
我为什么会得到Incorrect validation certificate for tls-sni-01 challenge
?
我是否应该certbot
彻底删除所有证书并重新安装?
您建议采用什么方法来解决这个问题?
谢谢!
编辑2:服务器配置
server {
listen 80;
server_name domain.com;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl;
server_name domain.com;
location / {
root /home/deploy/frontend/build;
try_files $uri /index.html;
}
ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem; # managed by Certbot
}
编辑3:
这是完整的错误certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Which names would you like to activate HTTPS for?
-------------------------------------------------------------------------------
1: domain.com
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for domain.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. domain.com (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 8e2860a15c352af70bba07e265c4e05d.01f665a017c20bd5d2c25f1ec2110b6b.acme.invalid from 1.2.3.4:443. Received 2 certificate(s), first certificate had names "domain.com"
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: domain.com
Type: unauthorized
Detail: Incorrect validation certificate for tls-sni-01 challenge.
Requested
8e2860a15c352af70bba07e265c4e05d.01f665a017c20bd5d2c25f1ec2110b6b.acme.invalid
from 1.2.3.4:443. Received 2 certificate(s), first certificate
had names "domain.com"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
答案1
截至 2018-01-09,Let's Encrypt 因安全报告而永久禁用 TLS-SNI-01 challenge303。
您可以使用以下命令:
sudo certbot --authenticator standalone --installer nginx -d example.com --pre-hook “service nginx stop” --post-hook “service nginx start”
答案2
我发现的解决方案是使用以下命令:
sudo certbot --authenticator webroot --installer nginx
这样做的目的是重新颁发证书。但是,就我而言,这还不够。此方法的检查涉及访问以下 URL:
Failed authorization procedure. example.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://example.com/.well-known/acme-challenge/6OmVoBFxfKtjdAO1bgM9ylZw0d7U7MVC8KqyS6A2LfU: "<!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta name="viewport" content="width=device-width,initial-scale=1,shr"
注意:我domain.com
在问题中使用它作为示例,但在答案中我被迫使用example.com
nginx
我的服务器设置方式http://example.com/
无法访问,因为我有return 301 https://$server_name$request_uri;
我要做的是允许http
访问我的 webroot,/home/deploy/frontend/build
获取证书并恢复设置。
我希望这有帮助。