让我们加密 nginx 服务器 tls-sni-01 挑战

假设我有一个域名domain.com

这个域名是在 Go Daddy 注册的，使用 Go Daddy 控制面板，我将域名指向某个 IP，比如说1.2.3.4

此 IP1.2.3.4属于 AWS EC2 实例。

机器运行Ubuntu并提供我想要的内容nginx。

lsb_release -a

No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 16.04.2 LTS
Release:    16.04
Codename:   xenial

nginx -v

nginx version: nginx/1.10.3 (Ubuntu)

Let's Encrypt我使用设置了 SSL 证书certbot。我通过发出以下命令来执行此操作sudo certbot --nginx

证书已生成，三个月来一切顺利。我的网站通过 正确提供服务https，证书有效。

我的证书最近已过期，因此我尝试续订。我首先发出了此命令。

sudo certbot renew

错误大致如下：

Detail: Incorrect validation certificate for tls-sni-01 challenge. Requested 243e624c366db6a6f6aca6ac57f6f3cc.16fe65202571c102848dfa2b97afa875.acme.invalid from 1.2.3.4:443. Received 2 certificate(s), first certificate had names "domain.com"

WARNING:certbot.renewal:Attempting to renew cert (domain.com) from /etc/letsencrypt/renewal/domain.com.conf produced an unexpected error: Failed authorization procedure. domain.com (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 243e624c366db6a6f6aca6ac57f6f3cc.16fe65202571c102848dfa2b97afa875.acme.invalid from 1.2.3.4:443. Received 2 certificate(s), first certificate had names "domain.com". Skipping.

当我发出此命令时，nginx服务器仍在运行。我停止了服务器并再次尝试，还尝试了命令的其他变体。我尝试sudo certbot renew再次运行，sudo certbot --nginx再次尝试sudo certbot renew --agree-tos其他。

我不知道Let's Encrypt施加的速率限制。上次尝试时，我收到错误：

Attempting to renew cert (domain.com) from /etc/letsencrypt/renewal/domain.com.conf produced an unexpected error: urn:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new authz :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/. Skipping.

当我再次获得访问权限后Let's Encrypt，我该如何解决这个问题？

---

如何Let's Encrypt为机器nginx上运行的服务器更新证书Ubuntu？

我为什么会得到Incorrect validation certificate for tls-sni-01 challenge？

我是否应该certbot彻底删除所有证书并重新安装？

您建议采用什么方法来解决这个问题？

谢谢！

---

编辑2：服务器配置

server {
    listen 80;
    server_name domain.com;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    server_name domain.com;

    location / {
        root /home/deploy/frontend/build;
        try_files $uri /index.html;
    }

ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem; # managed by Certbot
}

---

编辑3：

这是完整的错误certbot --nginx

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx

Which names would you like to activate HTTPS for?
-------------------------------------------------------------------------------
1: domain.com
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for domain.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. domain.com (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 8e2860a15c352af70bba07e265c4e05d.01f665a017c20bd5d2c25f1ec2110b6b.acme.invalid from 1.2.3.4:443. Received 2 certificate(s), first certificate had names "domain.com"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: domain.com
   Type:   unauthorized
   Detail: Incorrect validation certificate for tls-sni-01 challenge.
   Requested
   8e2860a15c352af70bba07e265c4e05d.01f665a017c20bd5d2c25f1ec2110b6b.acme.invalid
   from 1.2.3.4:443. Received 2 certificate(s), first certificate
   had names "domain.com"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.