我正在尝试使用 certbot 为我的一个子域获取 SSL 证书。但是,在尝试测试时,其中一个挑战失败.well-known/acme-challenges/<token>。Web 服务器(nginx)返回 404。具体错误如下:
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for git.domain.com
http-01 challenge for www.git.domain.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. www.git.domain.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.foo.domain.com/.well-known/acme-challenge/eXpa7Ub3slbohHh0AZZA-aACo70p15KkJS05aYsN2bY [my-ip-addr]: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>", git.domain.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://git.domain.com/.well-known/acme-challenge/WxYfL5t0vLNe7jiIF2TFz1sXyQBH3RcPIVz5de9lQ8M [my-ip-addr]: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>"
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: www.git.domain.com
Type: unauthorized
Detail: Invalid response from
http://www.git.domain.com/.well-known/acme-challenge/eXpa7Ub3slbohHh0AZZA-aACo70p15KkJS05aYsN2bY
[my-ip-addr]:
"<html>\r\n<head><title>404 Not Found</title></head>\r\n<body
bgcolor=\"white\">\r\n<center><h1>404 Not
Found</h1></center>\r\n<hr><center>"
Domain: git.domain.com
Type: unauthorized
Detail: Invalid response from
http://git.domain.com/.well-known/acme-challenge/WxYfL5t0vLNe7jiIF2TFz1sXyQBH3RcPIVz5de9lQ8M
[my-ip-addr]:
"<html>\r\n<head><title>404 Not Found</title></head>\r\n<body
bgcolor=\"white\">\r\n<center><h1>404 Not
Found</h1></center>\r\n<hr><center>"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
我已添加到我的配置文件中:
location ^~ '/.well-known/acme-challenge' {
allow all;
}
但这什么也没做。它得到 404 错误让我很困惑。如果这是 nginx 不允许访问文件的问题,那么它不会抛出 403 错误吗?
nginx -t我的配置中没有显示任何错误。我已确保我的 DNS 信息设置正确。
完整配置(nginx -T):https://pastebin.com/a6GcbXai
运行 certbot 后 access.log 的最后 25 行:https://pastebin.com/Lp72LWxC
另一件令我感到困惑的事情是,我在这个服务器上运行着另外 3 个子域,但都没有遇到过这个问题。
这里发生了什么,我如何允许 certbot 看到这个文件,以便我可以获得证书?
答案1
通过在我的 nginx 配置中添加以下内容解决了这个问题:
listen 80;
listen [::]:80;
现在它运行完美。
答案2
我认为问题在于'路径指定周围的引号。请尝试:
location ^~ /.well-known/acme-challenge { ... }
答案3
就我而言,我认为由于location/ .well-known/acme-challange/nginx.conf 中存在这些文件,因此它们已绑定到 var/www/certbot,但是,Certbot 使用 URLhttp://example.com/.well-known/acme-challenge/...来查找其质询/响应文件。
Nginx 使用root指示将 URL 转换为文件名,方法是将root值与“路径”组件URL 的。
URLhttp://example.com/.well-known/acme-challenge/<token>期望token在目录中找到该文件:
/var/www/certbot/.well-known/acme-challenge
所以我必须创建.well-known/acme-challenge目录到var/www/certbot。