我继承了一个使用 letsencrypt 和 certbot 的 Web 服务器。起初我以为这很简单,但运行 certbot-auto renew 失败了。然后我执行了 certbot-auto certonly --apache,成功下载了一个证书(然后再次运行 renew 会显示证书已更新,甚至显示证书已更新,不需要更新)。不确定我遗漏了什么或尚未了解什么,但一些失败消息如下:(名称已更改以保护无辜者)
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/xyx.someaddress.com-0004.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for xyx.someaddress.com
Waiting for verification...
Challenge failed for domain xyx.someaddress.com
Cleaning up challenges
Attempting to renew cert (xyx.someaddress.com-0004) from /etc/letsencrypt/renewal/xyx.someaddress.com-0004.conf produced an unexpected error: Some challenges have failed.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/xyx.someaddress.com-0004/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
IMPORTANT NOTES:
- The following errors were reported by the server:
1 renew failure(s), 0 parse failure(s)
Domain: xyx.someaddress.com
Type: unauthorized
Detail: Invalid response from
https://xyx.someaddress.com/.well-known/acme-challenge/oMvZoCPBM8qZjYcIOlSHs0SLophprew9-c9zASc9d1s
[192.41.211.157]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
2.0//EN\">\n<html><head>\n<title>404 Not
Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
所以最大的问题是我看到了“修复这些错误”,但这是什么意思,域名输入正确?在哪里?DNS A/AAA 是正确的 IP 地址?不知道在哪里检查。conf 文件中有许多(省略的)域名,但看起来像这样:
[renewalparams]
authenticator = webroot
account = ******************
server = https://acme-v02.api.letsencrypt.org/directory
[[webroot_map]]
xyx.someaddress.com = /var/www/html
www.xyx.someaddress.com = /var/www/html
运行标准 certbot-auto 和 apache 的 certonly 会在以下位置创建一个新文件夹:
/etc/letsencrypt/live
该文件夹中有最新的 .pem 文件,因此我去了唯一看到可以更改的地方,SSLCertificateFile
那就是:
/etc/httpd/extra/ssl-certs 以及 /etc/httpd/extra/ssl-certs-proxy。
我现在拥有的文件指向 .pem 文件(从实时文件夹符号链接)的新位置。
在这些 pem 文件上运行 openssl 时,它们似乎确实已经正确过期,但是当我转到时:
https://www.ssllabs.com/ssltest
在我的网站上,它显示证书有效期为昨天,但已过期。我不明白为什么我的 Apache 坚持使用旧证书。是否有缓存需要清除?
还要注意,/etc/httpd/logs
ssl_error_log 给出了许多这样的警告:
[2019 年 9 月 2 日星期一 06:43:22.246692] [ssl:warn] [pid 4478] AH01909:为 web-server.xxx.yyy.zzz:443 配置的 RSA 证书不包含与服务器名称匹配的 ID(不确定这是否相关)
我确实确保了 .well-known/acme-challenges 是可写的(现在只是将其设为 chmod 777 以确保三倍安全,当然不会一直这样)。不过,我再次拥有所有新证书(放弃续订选项),而 apache 仍然没有使用它们。
答案1
你检查过那条路径吗?https://xyx.someaddress.com/.well-known/acme-challenge/“存在并且 apache/httpd 对该路径有权限吗?
创建此路径并提供 apache/httpd 权限。
https://community.letsencrypt.org/t/renewal-attempts-http01-challenge-failed-for-all-domains/89891