NGINX 调用页面会下载奇怪的文件 + Certbot 无法安装证书

tag-icon tag-icon nginx ssl-certificate debian-stretch certbot verification
NGINX 调用页面会下载奇怪的文件 + Certbot 无法安装证书

问题:urn:ietf:params:acme:error:connection当尝试为子域安装证书时,Certbot 返回-error rainloop.example.com
编辑:正如在下面的“编辑”部分中看到的,有一个更重要的问题,可能是 Certbot 失败的原因。

我尝试解决此问题的方法:我一直在深入研究有同样问题的人,但似乎找不到任何有用的信息。我查看了我的域名的 DNS 记录,但由于为我的其他两个子域名设置证书没有问题,所以我对此没有疑问。我还检查了该子域名根文件夹的权限,并多次检查了我的 vhost 配置。最后我甚至重启了我的服务器,但没有任何帮助。

所有配置:我将通过在此处粘贴我的所有配置文件和 certbot 日志来结束这个问题。提前感谢大家的回答 :)

VHOST 配置
pfa.example.com(例如,此子域名有效)

server {
    listen 80 http2;
    listen [::]:80 http2;
    server_name pfa.example.com;
    return 301 https://pfa.example.com$request_uri;
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name pfa.example.com;

    ssl on;
    ssl_certificate /etc/letsencrypt/live/pfa.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/pfa.example.com/privkey.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    ssl_dhparam /etc/letsencrypt/live/pfa.example.com/dh.pem;

    ssl_protocols TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
    ssl_prefer_server_ciphers on;

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/pfa.example.com/chain.pem;
    resolver 8.8.8.8;

    root /var/www/pfa/;
    index index.php index.html index.htm;

    add_header X-Frame-Options "SAMEORIGIN";
    add_header x-xss-protection "1; mode=block" always;
    add_header X-Content-Type-Options "nosniff" always;
    location ~ \.php$ {
            include snippets/fastcgi-php.conf;
            fastcgi_pass unix:/run/php/php7.2-fpm.sock;
    }
}

rainloop.example.com(SSL 证书失败的子域名):

server {
    listen 80;
    listen [::]:80;
    server_name rainloop.example.com;
    root /var/www/rainloop;
    index index.php index.html index.htm;
    location / {
            try_files $uri $uri/ =404;
    }
    location ~ \.php$ {
            include snippets/fastcgi-php.conf;
            fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
    }
}

我认为指出我的默认 vhost 配置也很重要,因为我对其进行了稍微的修改:

server {
    server_name _;
    listen 80 default_server;
    root /var/www/html;
    index index.html index.htm index.nginx-debian.html;
    location / {
            try_files $uri $uri/ =404;
    }
    location ~ \.php$ {
            include snippets/fastcgi-php.conf;
            fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
    }
    location ~ /\.ht {
            deny all;
    }
}

安装期间的 Certbot 输出:

 > certbot --nginx -d rainloop.example.com

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for rainloop.example.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. rainloop.example.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://rainloop.example.com/.well-known/acme-challenge/9ivMyI4q3M98EDzr6Fco71Ih8_mZl1epApasB6nNa14: Error getting validation data

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: rainloop.example.com
   Type:   connection
   Detail: Fetching
   http://rainloop.example.com/.well-known/acme-challenge/9ivMyI4q3M98EDzr6Fco71Ih8_mZl1epApasB6nNa14:
   Error getting validation data

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

Certbot 日志(位于/var/log/letsencrypt/letsencrypt.log):
太长了,无法粘贴在这里,请查看我的备份页面

/var/www/rainloop/ 的权限:(根据 filezilla):

775               www-data:www-data

我正在使用 Debian 9(Stretch)和 NGINX 1.10.3、MariaDB 10.1.37 和 PHP 7.2-FPM。

感谢您的建议:)

编辑:当在我的计算机以外的客户端上调用页面 (example.com) 时,如果该客户端已缓存 301 重定向到 https,它会下载一个随机命名的文件,其中包含奇怪但相同的内容,而不是执行预期的重定向。即使调用 www.example.com 或https://www.example.com它将下载一个文档,仅当调用时https://www.example.com它还会按预期显示 /var/www/www.example.com/ 的内容。pfa.example.com 子域也是如此,其虚拟主机配置与 www.example.com 几乎相同。

答案1

站点主目录 /var/www/rainloop/.well-known/acme-challenge 中应该有一个目录,文本文件就放在这里,然后 let's encrypt 会检查它。您可以通过在其中放置测试文本文件或 html 文件并从 Web 浏览器中访问它来验证是否可以访问。这通常是因为 Let's Encrypt 无法读取 certbot 生成的验证文件。

相关内容