无法使用 LetsEncrypt - CertBot - 当设置 HTTP 到 HTTPS 重定向时

无法使用 LetsEncrypt - CertBot - 当设置 HTTP 到 HTTPS 重定向时

我正在尝试配置 CertBot,它仅在我通过 http 为我的网站提供服务时才有效。通常我有一个 https 重定向,我不想每次需要使用 certbot 时都必须更改网站配置。我尝试仅/.well-known/通过 http 提供服务,但仍然失败,有什么想法如何解决这个问题吗?

我正在尝试复制这个想法,但没有成功 -->NGINX 将除了 letsencrypt 之外的所有内容重定向到 https

例如:这有效:

server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;


location / {

        proxy_pass              http://localhost:8575/;
        include                 /etc/nginx/conf.d/proxy.conf;
    }
}

这不起作用:(请注意,当前配置的 SSL 证书不正确,但 NGinX 需要证书才能启动)

server {

   listen 80;
   listen [::]:80;
   server_name www.example.com example.com;

    location /.well-known/acme-challenge/ {
        proxy_pass              http://localhost:8575/;
        include                 /etc/nginx/conf.d/proxy.conf;
    }

location / {
       return 301 https://$server_name$request_uri;
    }

}

server {
        listen 443 ssl;
        listen        [::]:443;
        server_name www.example.com example.com;

#        ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
#        ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
        ssl_certificate /etc/ssl/crt/crt.crt;
        ssl_certificate_key /etc/ssl/crt/key.key;

location / {

        proxy_pass              http://localhost:8575/;
        include                 /etc/nginx/conf.d/proxy.conf;
    }
}

错误日志:

certbot    | Saving debug log to /var/log/letsencrypt/letsencrypt.log
certbot    | Plugins selected: Authenticator webroot, Installer None
certbot    | Registering without email!
certbot    | Obtaining a new certificate
certbot    | Performing the following challenges:
certbot    | http-01 challenge for www.example.com
certbot    | http-01 challenge for example.com
certbot    | Using the webroot path /var/www/html for all unmatched domains.
certbot    | Waiting for verification...
certbot    | Challenge failed for domain www.example.com
certbot    | Challenge failed for domain example.com
certbot    | http-01 challenge for www.example.com
certbot    | http-01 challenge for example.com
certbot    | Cleaning up challenges
certbot    | IMPORTANT NOTES:
certbot    |  - The following errors were reported by the server:
certbot    |
certbot    |    Domain: www.example.com
certbot    |    Type:   unauthorized
certbot    |    Detail: Invalid response from
certbot    |    http://www.example.com/.well-known/acme-challenge/WyVEA5g6BWVDPpYUhEJ0bG5iH6daF1rZpFd0vuTXOa0
certbot    |    [50.117.156.123]: "        <!DOCTYPE html><html lang=\"en-US\">\r\n
certbot    |    \t<head>\n\n\t\t        <meta charset=\"UTF-8\">\r\n        <meta
certbot    |    name=\"viewport\" con"
certbot    |
certbot    |    Domain: example.com
certbot    |    Type:   unauthorized
certbot    |    Detail: Invalid response from
certbot    |    https://www.example.com/x61_h9wxFY2Ye8-16GllyMq_dfsXbsEB1lYOjeq4LjU
certbot    |    [50.117.156.123]: "        <!DOCTYPE html><html lang=\"en-US\">\r\n
certbot    |    \t<head>\n\n\t\t        <meta charset=\"UTF-8\">\r\n        <meta
certbot    |    name=\"viewport\" con"
certbot    |
certbot    |    To fix these errors, please make sure that your domain name was
certbot    |    entered correctly and the DNS A/AAAA record(s) for that domain
certbot    |    contain(s) the right IP address.
certbot    |  - Your account credentials have been saved in your Certbot
certbot    |    configuration directory at /etc/letsencrypt. You should make a
certbot    |    secure backup of this folder now. This configuration directory will
certbot    |    also contain certificates and private keys obtained by Certbot so
certbot    |    making regular backups of this folder is ideal.
certbot    | Some challenges have failed.
certbot exited with code 1

答案1

HTTP-01 挑战可以先重定向到 HTTPS,然后通过 TLS 进行质询。但是,质询始终从使用端口 80 的纯 HTTP 连接开始,并且您只能在端口 443 上重定向到 HTTPS。

我们对 HTTP-01 质询的实施遵循重定向,最多可重定向 10 次。它只接受重定向到“http:”或“https:”,并且只接受重定向到端口 80 或 443。它不接受重定向到 IP 地址。当重定向到 HTTPS URL 时,它不会验证证书(因为此质询旨在引导有效证书,因此它在此过程中可能会遇到自签名或过期的证书)。

HTTP-01 质询只能在端口 80 上进行。允许客户端指定任意端口会降低质询的安全性,因此 ACME 标准不允许这样做。

因此,这种 Nginx 配置也应该可以工作:

server {
    listen 80;
    server_name www.example.com example.com;

    location / {
        return 301 https://$server_name$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name www.example.com example.com;

    location /.well-known/acme-challenge/ {
        # HTTP-01 challenge
    }

    location / {
        # Your web application
    }
}

在您的情况下,这意味着以下内容可以在 HTTP 或 HTTPSserver块中。

location /.well-known/acme-challenge/ {
    proxy_pass   http://localhost:8575/.well-known/acme-challenge/;
    include      /etc/nginx/conf.d/proxy.conf;
}

您可以用 替换,/.well-known/acme-challenge/因为$request_uri

当变量用于代理密码

location /name/ {
    proxy_pass http://127.0.0.1$request_uri;
}

在这种情况下,如果指令中指定了 URI,则它将按原样传递给服务器,替换原始请求 URI。

此外,如果/具有相同的根,则根本不需要分离location

答案2

更新:我的主要问题是没有使用$request_uriw/proxy_pass指令(BTW 也不允许~)。但是,在 HTTPS 块中使用它没有任何问题。在查看了两者之后https://serverfault.com/a/1018199/312793

https://serverfault.com/a/1017720/312793我意识到我实际上不需要传递我的 webapp 的“真实”根目录,只需传递 nginx 可以提供给 certbot 读取/写入文件的地方即可。此外,您可以让一个目录服务于多个站点,因此我决定最有效的方法是在已设置的 nginx 服务器块location中添加default,以重新路由格式错误的请求以包含 certbot,这样我现在就可以添加域而无需 100% 调整任何配置。事实上,甚至不需要运行 web 应用程序,只需运行 nginx。

这是我的新default服务器块。注意:我acme在 nginx“真实”webroot 中创建了一个文件夹,并将该目录用于location /.well-known/acme-challenge/

server {
        listen 80 default_server;
        listen [::]:80 default_server;
        root /var/www/html/;
        index index.html;
}
server {
        listen 443 default_server;
        listen [::]:443 default_server;
        ssl_certificate /etc/ssl/fake/fake.crt;
        ssl_certificate_key /etc/ssl/fake/fake.key;

        location /.well-known/acme-challenge/ {
        root /var/www/html/acme;
         allow all;
        }

        root /var/www/html/;
        index index.html;
}

就像进行设置时一样,您需要为 SSL 证书做一些事情,否则 nginx 将无法正确启动。非常满意这个设置/解决方案!


需要添加以下内容:$request_uri

location /.well-known/acme-challenge/ {
    proxy_pass              http://localhost:8575/$request_uri;
    include                 /etc/nginx/conf.d/proxy.conf;
}

相关内容