我在 Digital Ocean 上有一个 Ubuntu 服务器,主要运行一个域,有多个子域:domain.com
、、等。每个子域都有自己的虚拟主机。sub1.domain.com
sub2.domain.com
虚拟主机均通过其自己的配置文件进行配置/etc/apache2/sites-available
:
domain.conf // port 80
domain-le-ssl.conf // port 443
sub1.domain.conf
sub1.domain-le-ssl.conf
etc...
我通过 Let'sEncrypt / Certbot 为所有站点设置了 SSL 证书,强制所有站点重定向到 HTTPS。到目前为止,一切正常。但是,我现在想添加另一个子域名sub3.domain.com
。
我复制了 conf 文件sub2.domain.com
并更改了相关路径、服务器名称等:
sub3.域.conf:
<VirtualHost *:80>
ServerName sub3.domain.com
DocumentRoot /var/www/sub3_domain/html
<Directory "/var/www/sub3_domain/html">
# use mod_rewrite for pretty URL support
RewriteEngine on
# If a directory or a file exists, use the request directly
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
# Otherwise forward the request to index.html
RewriteRule . index.html
</Directory>
RewriteCond %{SERVER_NAME} =sub3.domain.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
sub3.域名-le-ssl.conf:
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName sub3.domain.com
DocumentRoot /var/www/sub3_domain/html
<Directory "/var/www/sub3_domain/html">
# use mod_rewrite for pretty URL support
RewriteEngine on
# If a directory or a file exists, use the request directly
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
# Otherwise forward the request to index.html
RewriteRule . index.html
</Directory>
Include /etc/letsencrypt/options-ssl-apache.conf
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/domain.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/domain.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile /etc/letsencrypt/live/domain.com/chain.pem
</VirtualHost>
</IfModule>
完成所有这些设置后,我便开始certbot-auto
更新证书并将新子域名添加到证书中。当系统提示我要添加哪些网站时,我将其留空并按 Enter 键选择“全部”(sub3.domain曾是包含在该列表中)。然后它正确地发现我添加了一个新的子域,并询问我是否要扩展许可证以覆盖新域。按“e”扩展,然后它开始执行挑战。
事情马上就变得有点不对劲了,因为对于我所有现有的域名,它都执行了tls-sni-01
挑战,但对于我的新域名,它执行了一个http-01
挑战:
tls-sni-01 for domain.com
tls-sni-01 for sub1.domain.com
tls-sni-01 for sub2.domain.com
http-01 for sub3.domain.com
果然,几秒钟之内,我得到了以下输出:
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: sub3.domain.com
Type: unauthorized
Detail: Invalid response from
http://sub3.domain.com/.well-known/acme-challenge/lKPYKHvStBag4YFzmfRbO7UpEINC4SYjEPMj-R_J-BY:
"<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p"
据我所知,我没有任何特定或具体的 .htaccess 或其他此类规则会导致任何子目录被禁止 - 并且无论如何,为什么要对该服务器进行不同的测试?
我也尝试过不复制文件sub3.domain-le-ssl.conf
,因为我相信它实际上是由生成的certbot-auto
。过程和结果是相同的。