我在 AWS 上托管了一个网站。我通过 letsencrypt 为我的域名 xxxxx.com 以及 www.xxxxx.com 创建了 SSL 证书。(在这篇文章中,我把“xxxx”用作潜在敏感信息,但如果需要这些信息来帮助我,我可以提供)。
大约一周前证书已过期。我正在尝试更新证书,我得到以下信息:
ubuntu:~$ sudo certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Processing /etc/letsencrypt/renewal/xxxxx.com.conf
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for xxxxx.com
tls-sni-01 challenge for www.xxxxx.com
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (xxxxx.com) from /etc/letsencrypt/renewal/xxxxx.com.conf produced an unexpected error: Failed authorization procedure. www.xxxxx.com (tls-sni-01): urn:acme:error:dns :: DNS problem: NXDOMAIN looking up A for www.xxxxx.com. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/xxxxx.com/fullchain.pem (failure)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/xxxxx.com/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: www.xxxxx.com
Type: None
Detail: DNS problem: NXDOMAIN looking up A for www.xxxxx.com
最初的想法显然是我的 A 记录有问题。但执行 dig 命令发现:
ubuntu:~$ dig xxxxx.com any
xxxxx.com. 60 IN TXT "MS=msxxxxxx"
xxxxx.com. 60 IN MX 0 xxxxx.mail.protection.outlook.com.
xxxxx.com. 60 IN SOA ns-xxxx.awsdns-xx.org. awsdnshostmaster.amazon.com. x xxxx xxxx xxxxx xxxxx
xxxxx.com. 60 IN NS ns1.bdm.microsoftonline.com.
xxxxx.com. 60 IN NS ns2.bdm.microsoftonline.com.
xxxxx.com. 60 IN NS ns3.bdm.microsoftonline.com.
xxxxx.com. 60 IN NS ns4.bdm.microsoftonline.com.
xxxxx.com. 60 IN A xx.xx.xxx.xxx
和:
ubuntu:~$ dig www.xxxxx.com any
www.xxxxx.com. 60 IN A xx.xx.xxx.xxx
所以看起来 A 记录是存在的。是不是因为我的域名没有 www 版本的 NS 记录?我不知道如何解决这个问题。谢谢!