How to fix LetsEncrypt renewal failing with the error "Unable to reach credentials server"?

I have successfully obtained a certificate with win-acme installed on Windows Server 2012. The software is set up to use the Route53 plugin for renewal, so that ownership is verified automatically via DNS. Win-acme does run the renewal task, but it fails with the error:

An error occurred during post-validation cleanup: Unable to reach credentials server

After declining the option to re-run the renewal, the following error is shown:

[EROR] Create certificate failed: Authorization failed: Error preparing for challenge answer

It seems to be related to the AWS API request. I followed the instructions here to pass the IAM role both on the command line and in the software; I'm not sure whether the role should be just the name or the whole ARN, but I have tried both. The example in this issue seems to use only the name.

Unblocked the .Net CLR.

I also tried adding an AWS profile in the Web_Config.xml file, blindly trying to apply this answer. That didn't seem to work.

I have checked for firewall problems. All outbound ports are open.

Documentation is sparse, but I have read and re-read everything I could find several times and still can't understand why this error occurs.

Also tried searching the win-acme issues (for example). No luck.

Searched the Route53 plugin code to see if I could find the error. No luck.

Reviewed the issues on this page, but nothing particularly obvious.

Can anyone see what I might be missing? Am I missing some AWS configuration that isn't in the documentation?

Here is part of the Win-Acme log.

2020-05-29 02:57:47.427 +00:00 [INF] No command line arguments provided
2020-05-29 02:57:47.497 +00:00 [INF] Software version 2.1.5.742 (RELEASE, PLUGGABLE) started
2020-05-29 02:57:47.499 +00:00 [INF] ACME server "https://acme-v02.api.letsencrypt.org/"
2020-05-29 02:57:47.970 +00:00 [INF] IIS version 8.0
2020-05-29 02:57:47.974 +00:00 [INF] Running with administrator credentials
2020-05-29 02:57:48.119 +00:00 [INF] Scheduled task looks healthy
2020-05-29 02:57:48.119 +00:00 [INF] Please report issues at https://github.com/win-acme/win-acme
2020-05-29 03:21:38.280 +00:00 [INF] Arguments: --validation route53 --validationmode dns-01 --route53iamrole MyRoleName --verbose
2020-05-29 03:21:38.318 +00:00 [DBG] Renewal period: 55 days
2020-05-29 03:21:38.328 +00:00 [INF] Software version 2.1.5.742 (RELEASE, PLUGGABLE) started
2020-05-29 03:21:38.329 +00:00 [INF] ACME server "https://acme-v02.api.letsencrypt.org/"
2020-05-29 03:21:38.340 +00:00 [VRB] SecurityProtocol setting: "SystemDefault"
2020-05-29 03:21:38.736 +00:00 [DBG] Connection OK!
2020-05-29 03:21:38.739 +00:00 [INF] IIS version 8.0
2020-05-29 03:21:38.744 +00:00 [INF] Running with administrator credentials
2020-05-29 03:21:38.797 +00:00 [INF] Scheduled task looks healthy
2020-05-29 03:21:38.798 +00:00 [INF] Please report issues at https://github.com/win-acme/win-acme
2020-05-29 03:21:38.799 +00:00 [VRB] Test for international support: 語言 язык لغة
2020-05-29 03:22:11.633 +00:00 [INF] Running in mode: "Interactive, Advanced"
2020-05-29 03:22:26.213 +00:00 [INF] Target generated using plugin Manual: *.mydomain.com
2020-05-29 03:23:32.456 +00:00 [VRB] Adding 8.8.8.8 as DNS server
2020-05-29 03:23:32.457 +00:00 [VRB] Adding 1.1.1.1 as DNS server
2020-05-29 03:23:32.458 +00:00 [VRB] Adding 8.8.4.4 as DNS server
2020-05-29 03:24:16.362 +00:00 [VRB] Checking *.mydomain.com
2020-05-29 03:24:16.367 +00:00 [VRB] Creating certificate order for hosts: ["*.mydomain.com"]
2020-05-29 03:24:16.376 +00:00 [VRB] Loading ACME account signer...
2020-05-29 03:24:16.378 +00:00 [DBG] Loading signer from C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Signer_v2
2020-05-29 03:24:16.432 +00:00 [VRB] Constructing ACME protocol client...
2020-05-29 03:24:16.439 +00:00 [DBG] Send GET request to "https://acme-v02.api.letsencrypt.org/directory"
2020-05-29 03:24:16.766 +00:00 [VRB] Request completed with status "OK"
2020-05-29 03:24:16.797 +00:00 [DBG] Send HEAD request to "https://acme-v02.api.letsencrypt.org/acme/new-nonce"
2020-05-29 03:24:16.914 +00:00 [VRB] Request completed with status "OK"
2020-05-29 03:24:16.922 +00:00 [DBG] Loading account information from C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Registration_v2
2020-05-29 03:24:16.999 +00:00 [DBG] Send POST request to "https://acme-v02.api.letsencrypt.org/acme/new-order"
2020-05-29 03:24:17.245 +00:00 [VRB] Request completed with status "Created"
2020-05-29 03:24:17.258 +00:00 [VRB] Order https://acme-v02.api.letsencrypt.org/acme/order/816*****/354******* created
2020-05-29 03:24:17.259 +00:00 [VRB] Handle authorization 1/2
2020-05-29 03:24:17.262 +00:00 [DBG] Send POST request to "https://acme-v02.api.letsencrypt.org/acme/authz-v3/487*******"
2020-05-29 03:24:17.506 +00:00 [VRB] Request completed with status "OK"
2020-05-29 03:24:17.521 +00:00 [INF] Authorize identifier: mydomain.com
2020-05-29 03:24:17.523 +00:00 [VRB] Challenge types available: ["dns-01"]
2020-05-29 03:24:17.670 +00:00 [INF] Authorizing mydomain.com using dns-01 validation (Route53)
2020-05-29 03:24:18.030 +00:00 [ERR] Error preparing for challenge answer
Amazon.Runtime.AmazonServiceException: Unable to reach credentials server
 ---> System.Net.Http.HttpRequestException: Response status code does not indicate success: 404 (Not Found).
 ---> System.Net.Http.HttpRequestException: Response status code does not indicate success: 404 (Not Found).
   at System.Net.Http.HttpResponseMessage.EnsureSuccessStatusCode()
   at Amazon.Util.AWSSDKUtils.ExecuteHttpRequest(Uri uri, String requestType, String content, TimeSpan timeout, IWebProxy proxy, IDictionary`2 headers)
   --- End of inner exception stack trace ---
   at Amazon.Util.AWSSDKUtils.ExecuteHttpRequest(Uri uri, String requestType, String content, TimeSpan timeout, IWebProxy proxy, IDictionary`2 headers)
   at Amazon.Runtime.URIBasedRefreshingCredentialHelper.GetContents(Uri uri, IWebProxy proxy, Dictionary`2 headers)

Edit #2: I recently added the CAA record for letsencrypt.org, which had been flagged as a problem, to Route53. Still the same error.

Answer 1

Edit: my IAM role was not attached to my EC2 instance :)

I ran into the same problem when using an IAM role. Creating a user and using an access key / secret access key works.

wacs --target iis --siteid [n] --emailaddress [email] --accepttos --installation iis --installationsiteid [n] --store certificatestore --validation route53 --validationmode dns-01 --route53accesskeyid [XXXX] --route53secretaccesskey [XXXX]

Policy permissions:

route53:GetChange

route53:ListHostedZones

route53:ChangeResourceRecordSets

Using them on the command line may not be great, but that seems like a problem for later.
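As an added check (not from the question or the answer, and not win-acme's own code), this PowerShell run on the instance asks the EC2 instance metadata service, which is the "credentials server" in the stack trace, whether any IAM role is attached, and then prints a least-privilege policy carrying the three Route53 actions listed above. The hosted zone ID and the IMDS endpoint handling are assumptions; the zone ID is a placeholder.

```powershell
# Added diagnostic, not part of win-acme or the original answer.
# Assumes it runs on the EC2 instance itself, where IMDS answers at 169.254.169.254.
$imds = 'http://169.254.169.254/latest'
$hostedZoneId = 'ZPLACEHOLDER0000'   # placeholder: hosted zone for the domain being renewed

# IMDSv2: obtain a short-lived session token; IMDSv1 still answers without one.
$token = $null
try {
    $token = Invoke-RestMethod -Method Put -Uri "$imds/api/token" `
        -Headers @{ 'X-aws-ec2-metadata-token-ttl-seconds' = '60' } -TimeoutSec 3
} catch { }
$headers = @{}
if ($token) { $headers['X-aws-ec2-metadata-token'] = $token }

try {
    # A 404 here matches the stack trace: IMDS is reachable, but no role is attached.
    $roleName = Invoke-RestMethod -Uri "$imds/meta-data/iam/security-credentials/" `
        -Headers $headers -TimeoutSec 3
    Write-Host "Instance profile role attached: $roleName"
    $creds = Invoke-RestMethod -Uri "$imds/meta-data/iam/security-credentials/$roleName" `
        -Headers $headers -TimeoutSec 3
    Write-Host "Credential status: $($creds.Code), expires $($creds.Expiration)"
} catch {
    $resp = $_.Exception.Response
    if ($resp -and [int]$resp.StatusCode -eq 404) {
        Write-Warning 'IMDS answered 404: no IAM role is attached to this instance. Attach an instance profile, or fall back to an access key as in the answer.'
    } elseif ($resp) {
        Write-Warning "IMDS request failed with HTTP $([int]$resp.StatusCode): $($_.Exception.Message)"
    } else {
        Write-Warning "IMDS not reachable (not an EC2 instance, or metadata disabled): $($_.Exception.Message)"
    }
}

# Minimal policy for the role or user that the Route53 plugin uses, scoped to one zone.
# ListHostedZones does not support resource-level restriction, so it keeps Resource '*'.
$policy = [ordered]@{
    Version   = '2012-10-17'
    Statement = @(
        [ordered]@{ Effect = 'Allow'; Action = 'route53:ListHostedZones';         Resource = '*' }
        [ordered]@{ Effect = 'Allow'; Action = 'route53:GetChange';               Resource = 'arn:aws:route53:::change/*' }
        [ordered]@{ Effect = 'Allow'; Action = 'route53:ChangeResourceRecordSets'; Resource = "arn:aws:route53:::hostedzone/$hostedZoneId" }
    )
}
$policy | ConvertTo-Json -Depth 4
```

If the first call prints a role name, that is the name the instance profile exposes; if it warns with 404, the role is missing from the instance, which is the cause the answer reports.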
