我尝试使用 certbot、caddy 和 lego 获取证书。它们都针对此域名返回了类似的错误。
我使用了 DNS-01 质询。以下是 lego 客户端的输出:
ananth@wopr ~> lego -a -m "[email protected]" -d subhamho.me -d "*.subhamho.me" --dns gandiv5 --path ./lego run
2021/05/14 00:20:13 [INFO] [subhamho.me, *.subhamho.me] acme: Obtaining bundled SAN certificate
2021/05/14 00:20:15 [INFO] [*.subhamho.me] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/13090317014
2021/05/14 00:20:15 [INFO] [subhamho.me] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/13090317037 2021/05/14 00:20:15 [INFO] [*.subhamho.me] acme: use dns-01 solver
2021/05/14 00:20:15 [INFO] [subhamho.me] acme: Could not find solver for: tls-alpn-01 2021/05/14 00:20:15 [INFO] [subhamho.me] acme: Could not find solver for: http-01
2021/05/14 00:20:15 [INFO] [subhamho.me] acme: use dns-01 solver
2021/05/14 00:20:15 [INFO] [*.subhamho.me] acme: Preparing to solve DNS-01
2021/05/14 00:20:15 [INFO] [subhamho.me] acme: Preparing to solve DNS-01
2021/05/14 00:20:15 [INFO] [*.subhamho.me] acme: Cleaning DNS-01 challenge
2021/05/14 00:20:15 [INFO] [subhamho.me] acme: Cleaning DNS-01 challenge
2021/05/14 00:20:15 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/13090317014
2021/05/14 00:20:16 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/13090317037
2021/05/14 00:20:16 Could not obtain certificates:
error: one or more domains had a problem:
[*.subhamho.me] [*.subhamho.me] acme: error presenting token: gandiv5: findZoneByFqdn failure: unexpected response code 'FORMERR' for _acme-challenge.subhamho.me.
[subhamho.me] [subhamho.me] acme: error presenting token: gandiv5: findZoneByFqdn failure: unexpected response code 'FORMERR' for _acme-challenge.subhamho.me.
另外两个客户端:certbot 和 caddy 的错误消息中也包含 FORMERR。
答案1
我尝试使用 --dns.resolvers 选项为 lego 指定不同的解析器。看来 systemd-resolved 无法正确解析此 TXT 记录。它似乎认为其格式无效。使用我运行的 dnsmasq 服务器可以正确解析该域。
答案2
当从 Let's Encrypt 请求通配符证书时,您必须在 DNS 区域文件(或提供商 gandi.net 的后端)中设置 TXT 记录,该记录的名称包含_acme-challenge.subhamho.me您在发出命令时获得的令牌
certbot certonly --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory --manual-public-ip-logging-ok -d '*.subhamho.me' -d subhamho.me
上述命令的输出为
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for subhamho.me
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.subhamho.me with the following value:
<acme-challenge-value>
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
其中 token 是 的值<acme-challenge-value>。设置 TXT 记录后按Enter,您应该会获得通配符证书。
目前没有这样的令牌。你可以使用以下方式检查
dig TXT +short subhamho.me
因此你得到了错误
[*.subhamho.me] [*.subhamho.me] acme: error presenting token: gandiv5: findZoneByFqdn failure: unexpected response code 'FORMERR' for _acme-challenge.subhamho.me.
[subhamho.me] [subhamho.me] acme: error presenting token: gandiv5: findZoneByFqdn failure: unexpected response code 'FORMERR' for _acme-challenge.subhamho.me.
请记住,您必须在每次续订证书时(90 天后)更新 TXT 记录。