我有一个正在运行的 Debian 10 实例,它托管我的 Node.js/Express API。我在开发过程中一直使用不同的子域,并在接近生产时添加了另一个子域。第一个域是,我添加dev.myapi.com了另一个子域。之后,我运行并收到以下错误:dashboard.myapi.comcertbot certonly --cert-name dev.myapi.com -d dev.myapi.com,dashboard.myapi.comcertbot renew --dry-run
Processing /etc/letsencrypt/renewal/dev.myapi.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for dashboard.myapi.com
http-01 challenge for dev.myapi.com
Cleaning up challenges
Attempting to renew cert (dev.myapi.com) from /etc/letsencrypt/renewal/dev.myapi.com.conf produced an unexpected error: Missing command line flag or config entry for this setting:
Input the webroot for dashboard.myapi.com:. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/dev.myapi.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/dev.myapi.com/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Running post-hook command: /etc/letsencrypt/renewal-hooks/post/reloadService.sh
1 renew failure(s), 0 parse failure(s)
如何为新子域名提供 webroot?我的项目的根目录是相同的。即,我只运行一个项目,其中有 2 个子域名指向同一个项目。
答案1
如果您使用 certbot 创建证书,则可以按如下方式运行:
certbot certonly --cert-name dev.myapi.com -d dev.myapi.com,dashboard.myapi.com
这会自动在 (Ubuntu 18.04LTS)“/etc/letsencrypt/renewal/dev.myapi.com.conf”中创建一个配置文件,其中包含命令行和任何交互式提示中指定的详细信息。对于您而言,如上所述,系统应提示您输入身份验证过程;apache、webroot、独立服务器等。如果您选择 webroot,系统应提示您输入路径。但如果没有,那么您的配置将缺少 webroot 路径。
因此,您应该使用 --webroot 明确调用 certbot 并且--webroot-path [DocumentRoot 的完整路径](在此示例中为“/var/www/html/mySite”)。
certbot certonly --cert-name dev.myapi.com --webroot --webroot-path "/var/www/html/mySite" -d dev.myapi.com,dashboard.myapi.com
如果您不这样做,则 webroot-path 字段不会输入到配置文件中,并且任何更新尝试都将失败并出现您看到的错误。
您可以手动将路径(在此示例中为“/var/www/html/mySite”)添加到您的配置文件中,如下所示,请参阅 [renewalparams] 部分下的行“webroot_path =”:
root:/etc/letsencrypt/renewal# cat dev.myapi.com.conf
# renew_before_expiry = 30 days
version = 1.9.0
archive_dir = /etc/letsencrypt/archive/dev.myapi.com
cert = /etc/letsencrypt/live/dev.myapi.com/cert.pem
privkey = /etc/letsencrypt/live/dev.myapi.com/privkey.pem
chain = /etc/letsencrypt/live/dev.myapi.com/chain.pem
fullchain = /etc/letsencrypt/live/dev.myapi.com/fullchain.pem
# Options used in the renewal process
[renewalparams]
account = ####
authenticator = webroot
webroot_path = /var/www/html/mySite,
server = https://acme-v02.api.letsencrypt.org/directory
然后测试:
certbot renew --cert-name dev.myapi.com --dry-run
答案2
以下是我的做法:
sudo certbot certonly --cert-name dev.myapi.com \
-a webroot \
-w path/to/my/public/folder \
-d dev.myapi.com,dashboard.myapi.com
更多细节这里。
答案3
运行 certbot 时,您在命令行上提供 webroot。
--webroot -w <document root>
这应该在您第一次获得证书时完成,但如果您使用其他方法执行此操作,则它将不会被保存。