让我们加密 nginx 服务器 tls-sni-01 挑战

让我们加密 nginx 服务器 tls-sni-01 挑战

假设我有一个域名domain.com

这个域名是在 Go Daddy 注册的,使用 Go Daddy 控制面板,我将域名指向某个 IP,比如说1.2.3.4

此 IP1.2.3.4属于 AWS EC2 实例。

机器运行Ubuntu并提供我想要的内容nginx

lsb_release -a

No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 16.04.2 LTS
Release:    16.04
Codename:   xenial

nginx -v

nginx version: nginx/1.10.3 (Ubuntu)

Let's Encrypt我使用设置了 SSL 证书certbot。我通过发出以下命令来执行此操作sudo certbot --nginx

证书已生成,三个月来一切顺利。我的网站通过 正确提供服务https,证书有效。

我的证书最近已过期,因此我尝试续订。我首先发出了此命令。

sudo certbot renew

错误大致如下:

Detail: Incorrect validation certificate for tls-sni-01 challenge. Requested 243e624c366db6a6f6aca6ac57f6f3cc.16fe65202571c102848dfa2b97afa875.acme.invalid from 1.2.3.4:443. Received 2 certificate(s), first certificate had names "domain.com"

WARNING:certbot.renewal:Attempting to renew cert (domain.com) from /etc/letsencrypt/renewal/domain.com.conf produced an unexpected error: Failed authorization procedure. domain.com (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 243e624c366db6a6f6aca6ac57f6f3cc.16fe65202571c102848dfa2b97afa875.acme.invalid from 1.2.3.4:443. Received 2 certificate(s), first certificate had names "domain.com". Skipping.

当我发出此命令时,nginx服务器仍在运行。我停止了服务器并再次尝试,还尝试了命令的其他变体。我尝试sudo certbot renew再次运行,sudo certbot --nginx再次尝试sudo certbot renew --agree-tos其他。

我不知道Let's Encrypt施加的速率限制。上次尝试时,我收到错误:

Attempting to renew cert (domain.com) from /etc/letsencrypt/renewal/domain.com.conf produced an unexpected error: urn:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new authz :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/. Skipping.

当我再次获得访问权限后Let's Encrypt,我该如何解决这个问题?


如何Let's Encrypt为机器nginx上运行的服务器更新证书Ubuntu

我为什么会得到Incorrect validation certificate for tls-sni-01 challenge

我是否应该certbot彻底删除所有证书并重新安装?

您建议采用什么方法来解决这个问题?

谢谢!


编辑2:服务器配置

server {
    listen 80;
    server_name domain.com;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    server_name domain.com;

    location / {
        root /home/deploy/frontend/build;
        try_files $uri /index.html;
    }

ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem; # managed by Certbot
}

编辑3:

这是完整的错误certbot --nginx

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx

Which names would you like to activate HTTPS for?
-------------------------------------------------------------------------------
1: domain.com
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for domain.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. domain.com (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 8e2860a15c352af70bba07e265c4e05d.01f665a017c20bd5d2c25f1ec2110b6b.acme.invalid from 1.2.3.4:443. Received 2 certificate(s), first certificate had names "domain.com"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: domain.com
   Type:   unauthorized
   Detail: Incorrect validation certificate for tls-sni-01 challenge.
   Requested
   8e2860a15c352af70bba07e265c4e05d.01f665a017c20bd5d2c25f1ec2110b6b.acme.invalid
   from 1.2.3.4:443. Received 2 certificate(s), first certificate
   had names "domain.com"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

答案1

截至 2018-01-09,Let's Encrypt 因安全报告而永久禁用 TLS-SNI-01 challenge303。

您可以使用以下命令:

sudo certbot --authenticator standalone --installer nginx -d example.com --pre-hook “service nginx stop” --post-hook “service nginx start”

https://community.letsencrypt.org/t/solution-client-with-the-currently-selected-authenticator-does-not-support-any-combination-of-challenges-that-will-satisfy-the-ca/49983

答案2

我发现的解决方案是使用以下命令:

sudo certbot --authenticator webroot --installer nginx

这样做的目的是重新颁发证书。但是,就我而言,这还不够。此方法的检查涉及访问以下 URL:

Failed authorization procedure. example.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://example.com/.well-known/acme-challenge/6OmVoBFxfKtjdAO1bgM9ylZw0d7U7MVC8KqyS6A2LfU: "<!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta name="viewport" content="width=device-width,initial-scale=1,shr"

注意:我domain.com在问题中使用它作为示例,但在答案中我被迫使用example.com

nginx我的服务器设置方式http://example.com/无法访问,因为我有return 301 https://$server_name$request_uri;

我要做的是允许http访问我的 webroot,/home/deploy/frontend/build获取证书并恢复设置。

我希望这有帮助。

相关内容