来自 .well-known/acme-challenge/ 的响应无效

来自 .well-known/acme-challenge/ 的响应无效

我正在尝试使用 certbot 为我的一个子域获取 SSL 证书。但是,在尝试测试时,其中一个挑战失败.well-known/acme-challenges/<token>。Web 服务器(nginx)返回 404。具体错误如下:

Obtaining a new certificate
Performing the following challenges:
http-01 challenge for git.domain.com
http-01 challenge for www.git.domain.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. www.git.domain.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.foo.domain.com/.well-known/acme-challenge/eXpa7Ub3slbohHh0AZZA-aACo70p15KkJS05aYsN2bY [my-ip-addr]: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>", git.domain.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://git.domain.com/.well-known/acme-challenge/WxYfL5t0vLNe7jiIF2TFz1sXyQBH3RcPIVz5de9lQ8M [my-ip-addr]: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.git.domain.com
   Type:   unauthorized
   Detail: Invalid response from
   http://www.git.domain.com/.well-known/acme-challenge/eXpa7Ub3slbohHh0AZZA-aACo70p15KkJS05aYsN2bY
   [my-ip-addr]:
   "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body
   bgcolor=\"white\">\r\n<center><h1>404 Not
   Found</h1></center>\r\n<hr><center>"

   Domain: git.domain.com
   Type:   unauthorized
   Detail: Invalid response from
   http://git.domain.com/.well-known/acme-challenge/WxYfL5t0vLNe7jiIF2TFz1sXyQBH3RcPIVz5de9lQ8M
   [my-ip-addr]:
   "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body
   bgcolor=\"white\">\r\n<center><h1>404 Not
   Found</h1></center>\r\n<hr><center>"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

我已添加到我的配置文件中:

location ^~ '/.well-known/acme-challenge' {
    allow all;
}

但这什么也没做。它得到 404 错误让我很困惑。如果这是 nginx 不允许访问文件的问题,那么它不会抛出 403 错误吗?

nginx -t我的配置中没有显示任何错误。我已确保我的 DNS 信息设置正确。

完整配置(nginx -T):https://pastebin.com/a6GcbXai

运行 certbot 后 access.log 的最后 25 行:https://pastebin.com/Lp72LWxC

另一件令我感到困惑的事情是,我在这个服务器上运行着另外 3 个子域,但都没有遇到过这个问题。

这里发生了什么,我如何允许 certbot 看到这个文件,以便我可以获得证书?

答案1

通过在我的 nginx 配置中添加以下内容解决了这个问题:

listen 80;
listen [::]:80;

现在它运行完美。

答案2

我认为问题在于'路径指定周围的引号。请尝试:

location ^~ /.well-known/acme-challenge { ... }

答案3

就我而言,我认为由于location/ .well-known/acme-challange/nginx.conf 中存在这些文件,因此它们已绑定到 var/www/certbot,但是,Certbot 使用 URLhttp://example.com/.well-known/acme-challenge/...来查找其质询/响应文件。

Nginx 使用root指示将 URL 转换为文件名,方法是将root值与“路径”组件URL 的。

URLhttp://example.com/.well-known/acme-challenge/<token>期望token在目录中找到该文件:

/var/www/certbot/.well-known/acme-challenge

所以我必须创建.well-known/acme-challenge目录到var/www/certbot

相关内容