certbot-auto 续订失败

tag-icon tag-icon apache-2.4 ssl-certificate lets-encrypt certbot
certbot-auto 续订失败

我继承了一个使用 letsencrypt 和 certbot 的 Web 服务器。起初我以为这很简单,但运行 certbot-auto renew 失败了。然后我执行了 certbot-auto certonly --apache,成功下载了一个证书(然后再次运行 renew 会显示证书已更新,甚至显示证书已更新,不需要更新)。不确定我遗漏了什么或尚未了解什么,但一些失败消息如下:(名称已更改以保护无辜者)

Saving debug log to /var/log/letsencrypt/letsencrypt.log



- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/xyx.someaddress.com-0004.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for xyx.someaddress.com
Waiting for verification...
Challenge failed for domain xyx.someaddress.com
Cleaning up challenges
Attempting to renew cert (xyx.someaddress.com-0004) from /etc/letsencrypt/renewal/xyx.someaddress.com-0004.conf produced an unexpected error: Some challenges have failed.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/xyx.someaddress.com-0004/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
IMPORTANT NOTES:
 - The following errors were reported by the server:
1 renew failure(s), 0 parse failure(s)
Domain: xyx.someaddress.com
   Type:   unauthorized
   Detail: Invalid response from
   https://xyx.someaddress.com/.well-known/acme-challenge/oMvZoCPBM8qZjYcIOlSHs0SLophprew9-c9zASc9d1s
   [192.41.211.157]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>404 Not
   Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

所以最大的问题是我看到了“修复这些错误”,但这是什么意思,域名输入正确?在哪里?DNS A/AAA 是正确的 IP 地址?不知道在哪里检查。conf 文件中有许多(省略的)域名,但看起来像这样:

[renewalparams]
authenticator = webroot
account = ******************
server = https://acme-v02.api.letsencrypt.org/directory
[[webroot_map]]
xyx.someaddress.com = /var/www/html
www.xyx.someaddress.com = /var/www/html

运行标准 certbot-auto 和 apache 的 certonly 会在以下位置创建一个新文件夹:

/etc/letsencrypt/live

该文件夹中有最新的 .pem 文件,因此我去了唯一看到可以更改的地方,SSLCertificateFile那就是:

/etc/httpd/extra/ssl-certs 以及 /etc/httpd/extra/ssl-certs-proxy。

我现在拥有的文件指向 .pem 文件(从实时文件夹符号链接)的新位置。

在这些 pem 文件上运行 openssl 时,它们似乎确实已经正确过期,但是当我转到时:

https://www.ssllabs.com/ssltest

在我的网站上,它显示证书有效期为昨天,但已过期。我不明白为什么我的 Apache 坚持使用旧证书。是否有缓存需要清除?

还要注意,/etc/httpd/logsssl_error_log 给出了许多这样的警告:

[2019 年 9 月 2 日星期一 06:43:22.246692] [ssl:warn] [pid 4478] AH01909:为 web-server.xxx.yyy.zzz:443 配置的 RSA 证书不包含与服务器名称匹配的 ID(不确定这是否相关)

我确实确保了 .well-known/acme-challenges 是可写的(现在只是将其设为 chmod 777 以确保三倍安全,当然不会一直这样)。不过,我再次拥有所有新证书(放弃续订选项),而 apache 仍然没有使用它们。

答案1

你检查过那条路径吗?https://xyx.someaddress.com/.well-known/acme-challenge/“存在并且 apache/httpd 对该路径有权限吗?

创建此路径并提供 apache/httpd 权限。

https://community.letsencrypt.org/t/renewal-attempts-http01-challenge-failed-for-all-domains/89891

相关内容