certbot-auto 无法将许可证扩展到新域名(403 禁止)

certbot-auto 无法将许可证扩展到新域名(403 禁止)

我在 Digital Ocean 上有一个 Ubuntu 服务器,主要运行一个域,有多个子域:domain.com、、等。每个子域都有自己的虚拟主机。sub1.domain.comsub2.domain.com

虚拟主机均通过其自己的配置文件进行配置/etc/apache2/sites-available

domain.conf // port 80
domain-le-ssl.conf // port 443
sub1.domain.conf
sub1.domain-le-ssl.conf
etc...

我通过 Let'sEncrypt / Certbot 为所有站点设置了 SSL 证书,强制所有站点重定向到 HTTPS。到目前为止,一切正常。但是,我现在想添加另一个子域名sub3.domain.com

我复制了 conf 文件sub2.domain.com并更改了相关路径、服务器名称等:

sub3.域.conf:

    <VirtualHost *:80>
    ServerName sub3.domain.com
    DocumentRoot /var/www/sub3_domain/html
    <Directory "/var/www/sub3_domain/html">
        # use mod_rewrite for pretty URL support
        RewriteEngine on
        # If a directory or a file exists, use the request directly
        RewriteCond %{REQUEST_FILENAME} !-f
        RewriteCond %{REQUEST_FILENAME} !-d
        # Otherwise forward the request to index.html
        RewriteRule . index.html
    </Directory>
RewriteCond %{SERVER_NAME} =sub3.domain.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

sub3.域名-le-ssl.conf:

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName sub3.domain.com
    DocumentRoot /var/www/sub3_domain/html
    <Directory "/var/www/sub3_domain/html">
        # use mod_rewrite for pretty URL support
        RewriteEngine on
        # If a directory or a file exists, use the request directly
        RewriteCond %{REQUEST_FILENAME} !-f
        RewriteCond %{REQUEST_FILENAME} !-d
        # Otherwise forward the request to index.html
        RewriteRule . index.html
    </Directory>
Include /etc/letsencrypt/options-ssl-apache.conf
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/domain.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/domain.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile /etc/letsencrypt/live/domain.com/chain.pem
</VirtualHost>
</IfModule>

完成所有这些设置后,我便开始certbot-auto更新证书并将新子域名添加到证书中。当系统提示我要添加哪些网站时,我将其留空并按 Enter 键选择“全部”(sub3.domain曾是包含在该列表中)。然后它正确地发现我添加了一个新的子域,并询问我是否要扩展许可证以覆盖新域。按“e”扩展,然后它开始执行挑战。

事情马上就变得有点不对劲了,因为对于我所有现有的域名,它都执行了tls-sni-01挑战,但对于我的新域名,它执行了一个http-01挑战:

tls-sni-01 for domain.com
tls-sni-01 for sub1.domain.com
tls-sni-01 for sub2.domain.com
http-01 for sub3.domain.com

果然,几秒钟之内,我得到了以下输出:

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: sub3.domain.com
   Type:   unauthorized
   Detail: Invalid response from
   http://sub3.domain.com/.well-known/acme-challenge/lKPYKHvStBag4YFzmfRbO7UpEINC4SYjEPMj-R_J-BY:
   "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
   <html><head>
   <title>403 Forbidden</title>
   </head><body>
   <h1>Forbidden</h1>
   <p"

据我所知,我没有任何特定或具体的 .htaccess 或其他此类规则会导致任何子目录被禁止 - 并且无论如何,为什么要对该服务器进行不同的测试?

我也尝试过不复制文件sub3.domain-le-ssl.conf,因为我相信它实际上是由生成的certbot-auto。过程和结果是相同的。

相关内容